colin
/
UBUNTU24-CIS
mirror of https://github.com/ansible-lockdown/UBUNTU24-CIS.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
UBUNTU24-CIS/tasks/section_6/cis_6.2.1.x.yml

111 lines
3.7 KiB
YAML
Raw Permalink Blame History

---
- name: "6.2.1.1 | PATCH | Ensure auditd packages are installed"
when:
- ubtu24cis_rule_6_2_1_1
- "'auditd' not in ansible_facts.packages or
'audisd-plugins' not in ansible_facts.packages"
tags:
- level2-server
- level2-workstation
- patch
- rule_6.2.1.1
- NIST800-53R5_AU-2
- NIST800-53R5_AU-3
- NIST800-53R5_AU-12
- NIST800-53R5_SI-5
- auditd
ansible.builtin.package:
name: ['auditd', 'audispd-plugins']
state: present
- name: "6.2.1.2 | PATCH | Ensure auditd service is enabled and active"
when: ubtu24cis_rule_6_2_1_2
tags:
- level2-server
- level2-workstation
- patch
- rule_6.2.1.2
- NIST800-53R5_AU-2
- NIST800-53R5_AU-3
- NIST800-53R5_AU-12
- auditd
ansible.builtin.service:
name: auditd
state: started
enabled: true
masked: false
- name: "6.2.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
when: ubtu24cis_rule_6_2_1_3
tags:
- level2-server
- level2-workstation
- patch
- rule_6.2.1.3
- NIST800-53R5_AU-2
- NIST800-53R5_AU-3
- NIST800-53R5_AU-12
- auditd
block:
- name: "6.2.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX"
ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"'
changed_when: false
failed_when: false
check_mode: false
register: discovered_grub_cmdline_settings
- name: "6.2.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist"
when: "'audit=' not in discovered_grub_cmdline_settings.stdout"
ansible.builtin.lineinfile:
path: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX='
line: 'GRUB_CMDLINE_LINUX="{{ discovered_grub_cmdline_settings.stdout }} audit=1"'
notify: Grub update
- name: "6.2.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Update setting if exists"
when: "'audit=' in discovered_grub_cmdline_settings.stdout"
ansible.builtin.replace:
dest: /etc/default/grub
regexp: 'audit=([0-9]+)'
replace: 'audit=1'
after: '^GRUB_CMDLINE_LINUX="'
before: '"'
notify: Grub update
- name: "6.2.1.4 | PATCH | Ensure audit_backlog_limit is sufficient"
when: ubtu24cis_rule_6_2_1_4
tags:
- level2-server
- level2-workstation
- patch
- rule_6.2.1.4
- NIST800-53R5_AU-2
- NIST800-53R5_AU-3
- NIST800-53R5_AU-12
- auditd
block:
- name: "6.2.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Get current GRUB_CMDLINE_LINUX"
ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"'
changed_when: false
failed_when: false
check_mode: false
register: discovered_audit_backlog_grub_cmdline_settings
- name: "6.2.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist"
when: "'audit_backlog_limit=' not in discovered_audit_backlog_grub_cmdline_settings.stdout"
ansible.builtin.lineinfile:
path: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX='
line: 'GRUB_CMDLINE_LINUX="{{ discovered_audit_backlog_grub_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu24cis_audit_back_log_limit }}"'
notify: Grub update
- name: "6.2.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Update setting if exists"
ansible.builtin.replace:
dest: /etc/default/grub
regexp: 'audit_backlog_limit=([0-9]+)'
replace: 'audit_backlog_limit={{ ubtu24cis_audit_back_log_limit }}'
after: '^GRUB_CMDLINE_LINUX="'
before: '"'
notify: Grub update
Reference in New Issue View Git Blame Copy Permalink