--- - name: "6.1.2.1.1 | PATCH | Ensure systemd-journal-remote is installed" when: - ubtu24cis_rule_6_1_2_1_1 - not ubtu24cis_system_is_log_server tags: - level1-server - level1-workstation - patch - journald - rule_6.1.2.1.1 - NIST800-53R5_AU-2 - NIST800-53R5_AU-7 - NIST800-53R5_AU-12 ansible.builtin.package: name: systemd-journal-remote state: present - name: "6.1.2.1.2 | PATCH | Ensure systemd-journal-upload authentication is configured" when: - ubtu24cis_rule_6_1_2_1_2 - not ubtu24cis_system_is_log_server tags: - level1-server - level1-workstation - patch - journald - rule_6.1.2.1.2 - NIST800-53R5_AU-2 - NIST800-53R5_AU-12 notify: Restart journald ansible.builtin.lineinfile: path: /etc/systemd/journal-upload.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" loop: - { regexp: 'URL=', line: 'URL={{ ubtu24cis_remote_log_server }}'} - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ ubtu24cis_journal_upload_serverkeyfile }}'} - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ ubtu24cis_journal_servercertificatefile }}'} - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ ubtu24cis_journal_trustedcertificatefile }}'} - name: "6.1.2.1.3 | PATCH | Ensure systemd-journal-upload is enabled and active" when: - not ubtu24cis_system_is_log_server - ubtu24cis_rule_6_1_2_1_3 tags: - level1-server - level1-workstation - patch - journald - rule_6.1.2.1.3 - NIST800-53R5_AU-2 - NIST800-53R5_AU-12 ansible.builtin.systemd: name: systemd-journal-upload masked: false enabled: true - name: "6.1.2.1.4 | PATCH | Ensure systemd-journal-remote service is not in use" when: - not ubtu24cis_system_is_log_server - ubtu24cis_rule_6_1_2_1_4 tags: - level1-server - level1-workstation - patch - journald - rule_6.1.2.1.4 - NIST800-53R5_AU-2 - NIST800-53R5_AU-7 - NIST800-53R5_AU-12 ansible.builtin.systemd: name: "{{ item }}" state: stopped enabled: false masked: true loop: - systemd-journal-remote.socket - systemd-journal-remote.service - name: "6.1.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled" when: - ubtu24cis_rule_6_1_2_2 tags: - level1-server - level2-workstation - patch - journald - rule_6.1.2.2 notify: Restart journald block: - name: "6.1.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | Add file" ansible.builtin.template: src: etc/systemd/journald.conf.d/forwardtosyslog.conf.j2 dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf owner: root group: root mode: 'g-wx,o-rwx' - name: "6.1.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf regexp: ^(\s*ForwardToSyslog) replace: '#\1' - name: "6.1.2.3 | PATCH | Ensure journald Compress is configured" when: - ubtu24cis_rule_6_1_2_3 tags: - level1-server - level1-workstation - patch - journald - rule_6.1.2.3 notify: Restart journald block: - name: "6.1.2.3 | PATCH | Ensure journald Compress is configured | Add file" ansible.builtin.template: src: etc/systemd/journald.conf.d/storage.conf.j2 # Added to the same file as 6.2.1.5 dest: /etc/systemd/journald.conf.d/storage.conf owner: root group: root mode: 'g-wx,o-rwx' - name: "6.1.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf regexp: (?i)^(\s*compress=) replace: '#\1' - name: "6.1.2.4 | PATCH | Ensure journald Storage is configured" when: - ubtu24cis_rule_6_1_2_4 tags: - level1-server - level1-workstation - patch - journald - rule_6.1.2.4 notify: Restart journald block: - name: "6.1.2.4 | PATCH | Ensure journald Storage is configured | Add file" ansible.builtin.template: src: etc/systemd/journald.conf.d/storage.conf.j2 dest: /etc/systemd/journald.conf.d/storage.conf owner: root group: root mode: 'g-wx,o-rwx' - name: "6.1.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf regexp: (?i)^(\s*storage=) replace: '#\1'