--- - name: | "6.2.4.1 | PATCH | Ensure audit log files mode is configured" "6.2.4.2 | PATCH | Ensure audit log files owner is configured" "6.2.4.3 | PATCH | Ensure audit log files group owner is configured" when: - ubtu24cis_rule_6_2_4_1 or ubtu24cis_rule_6_2_4_2 or ubtu24cis_rule_6_2_4_3 tags: - level1-server - level1-workstation - patch - auditd - rule_6.2.4.1 - rule_6.2.4.2 - rule_6.2.4.3 - NIST800-53R5_AU-3 ansible.builtin.file: path: "{{ prelim_auditd_logfile.stdout }}" owner: root group: root mode: 'u-x,g-wx,o-rwx' - name: "6.2.4.4 | PATCH | Ensure the audit log file directory mode is configured" when: - ubtu24cis_rule_6_2_4_4 tags: - level1-server - level1-workstation - patch - auditd - rule_6.2.4.4 - NIST800-53R5_AU-3 block: - name: "6.2.4.4 | AUDIT | Ensure the audit log file directory mode is configured | get current permissions" ansible.builtin.stat: path: "{{ prelim_auditd_logfile.stdout | dirname }}" register: auditlog_dir - name: "6.2.4.4 | PATCH | Ensure the audit log file directory mode is configured | set permissions" ansible.builtin.file: path: "{{ auditlog_dir.stat.path }}" state: directory mode: 'g-w,o-rwx' - name: "6.2.4.5 | PATCH | Ensure audit configuration files mode is configured" when: - ubtu24cis_rule_6_2_4_5 tags: - level1-server - level1-workstation - patch - auditd - rule_6.2.4.5 - NIST800-53R5_AU-3 ansible.builtin.file: path: "{{ item.path }}" mode: 'u-x,g-wx,o-rwx' loop: "{{ prelim_auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" - name: "6.2.4.6 | PATCH | Ensure audit configuration files owner is configured" when: - ubtu24cis_rule_6_2_4_6 tags: - level1-server - level1-workstation - patch - auditd - rule_6.2.4.6 - NIST800-53R5_AU-3 ansible.builtin.file: path: "{{ item.path }}" owner: root loop: "{{ prelim_auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" - name: "6.2.4.7 | PATCH | Ensure audit configuration files group owner is configured" when: - ubtu24cis_rule_6_2_4_7 tags: - level1-server - level1-workstation - patch - auditd - rule_6.2.4.7 - NIST800-53R5_AU-3 ansible.builtin.file: path: "{{ item.path }}" group: root loop: "{{ prelim_auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" - name: "6.2.4.8 | PATCH | Ensure audit tools mode is configured" when: - ubtu24cis_rule_6_2_4_8 tags: - level1-server - level1-workstation - patch - auditd - rule_6.2.4.8 - NIST800-53R5_AU-3 block: - name: "6.2.4.8 | AUDIT | Ensure audit tools mode is configured | get current mode" ansible.builtin.stat: path: "{{ item }}" register: "audit_bins" loop: - /sbin/auditctl - /sbin/aureport - /sbin/ausearch - /sbin/autrace - /sbin/auditd - /sbin/augenrules - name: "6.2.4.8 | PATCH | Ensure audit tools mode is configured | set if required" when: not item.stat.mode is match('07(0|5)0') ansible.builtin.file: path: "{{ item.item }}" mode: '0750' loop: "{{ audit_bins.results }}" loop_control: label: "{{ item.item }}" - name: "6.2.4.9 | PATCH | Ensure audit tools owner is configured" when: - ubtu24cis_rule_6_2_4_9 tags: - level1-server - level1-workstation - patch - auditd - rule_6.2.4.9 - NIST800-53R5_AU-3 ansible.builtin.file: path: "{{ item }}" owner: root group: root loop: - /sbin/auditctl - /sbin/aureport - /sbin/ausearch - /sbin/autrace - /sbin/auditd - /sbin/augenrules - name: "6.2.4.10 | PATCH | Ensure audit tools group owner is configured" when: - ubtu24cis_rule_6_2_4_10 tags: - level1-server - level1-workstation - patch - auditd - rule_6.2.4.10 - NIST800-53R5_AU-3 ansible.builtin.file: path: "{{ item }}" group: root loop: - /sbin/auditctl - /sbin/aureport - /sbin/ausearch - /sbin/autrace - /sbin/auditd - /sbin/augenrules