---
# 6.1.3.1 — rsyslog has to be on the box before any of the later rsyslog
# tasks can edit its configuration. The package is only touched when the
# package facts say it is missing; presumably `package_facts` ran earlier
# in the role, otherwise the second condition errors on an undefined fact.
- name: "6.1.3.1 | PATCH | Ensure rsyslog is installed"
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - rule_6.1.3.1
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-3
    - NIST800-53R5_AU-12
    - rsyslog
    - apt
  when: ubtu24cis_rule_6_1_3_1 and 'rsyslog' not in ansible_facts.packages
  ansible.builtin.package:
    name: rsyslog
    state: present
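# 6.1.3.2 — rsyslog must survive reboots (enabled) and be running now
# (started): `enabled: true` on its own leaves a stopped service stopped
# until the next boot, so the rsyslog-managed files receive nothing until
# then. `masked: false` keeps the enable step from failing on a unit that
# was masked earlier (systemd refuses to enable a masked unit).
- name: "6.1.3.2 | PATCH | Ensure rsyslog service is enabled"
  when: ubtu24cis_rule_6_1_3_2
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - rule_6.1.3.2
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-7
    - NIST800-53R5_AU-12
    - rsyslog
  ansible.builtin.systemd:
    name: rsyslog
    masked: false
    enabled: true
    state: started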
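# 6.1.3.3 — have journald hand its messages to rsyslog so the rsyslog
# rules (and the remote-forwarding rule) see everything journald collects.
# `^#?ForwardToSyslog=` also matches the commented-out default that
# journald.conf ships with, so the setting is flipped in place under
# [Journal] instead of being appended as a second copy at end of file;
# if the key is missing entirely it is inserted right after the section
# header (falls back to EOF when no header is found).
# NOTE(review): the notified handler restarts syslog; journald itself only
# re-reads this file on its own restart/reload — confirm the handler also
# covers systemd-journald, otherwise forwarding begins at the next boot.
# Drop-ins under /etc/systemd/journald.conf.d/ would still override this.
- name: "6.1.3.3 | PATCH | Ensure journald is configured to send logs to rsyslog"
  when: ubtu24cis_rule_6_1_3_3
  tags:
    - level1-server
    - level1-workstation
    - manual
    - patch
    - journald
    - rule_6.1.3.3
    - NIST800-53R5_AC-3
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-4
    - NIST800-53R5_AU-12
    - NIST800-53R5_MP-2
  ansible.builtin.lineinfile:
    path: /etc/systemd/journald.conf
    regexp: '^#?ForwardToSyslog='
    line: ForwardToSyslog=yes
    insertafter: '^\[Journal\]'
  notify: Restart syslog service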
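# 6.1.3.4 — files rsyslog creates must not be world-readable (0640).
# `$FileCreateMode` is a positional legacy directive: it governs the file
# actions defined *after* it. An existing directive (commented or not) is
# rewritten in place; when it is absent the line is inserted ahead of the
# include of /etc/rsyslog.d/ rather than appended at EOF, where it would
# sit after every rule and affect nothing. With no include line present
# lineinfile falls back to appending at EOF as before.
# NOTE(review): snippets in /etc/rsyslog.d/ can still set their own
# $FileCreateMode / fileCreateMode= and override this — audit them too.
- name: "6.1.3.4 | PATCH | Ensure rsyslog log file creation mode is configured"
  when: ubtu24cis_rule_6_1_3_4
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - rule_6.1.3.4
    - NIST800-53R5_AC-3
    - NIST800-53R5_AC-6
    - NIST800-53R5_MP-2
    - rsyslog
  ansible.builtin.lineinfile:
    path: /etc/rsyslog.conf
    regexp: '^#?\$FileCreateMode'
    line: '$FileCreateMode 0640'
    insertbefore: '^(\$IncludeConfig|include\()'
  notify: Restart syslog service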
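# 6.1.3.5 — make sure the standard facilities land in dedicated files.
# The rules file is discovered rather than hard-coded because Debian/Ubuntu
# keep the default rules in /etc/rsyslog.d/ rather than in rsyslog.conf.
# Discovery is limited to rsyslog's own config tree and reduced to a single
# path: a recursive grep over all of /etc can return several files (or an
# unrelated file that merely mentions *.emerg), and a multi-line "path"
# handed to lineinfile edits nothing usable.
# With ubtu24cis_rsyslog_ansible_managed false the current rules are only
# printed for review and a warning is counted; with it true the CIS
# example rules are written.
# NOTE(review): those example rules use RHEL-style targets
# (/var/log/secure, /var/log/messages, ...) rather than Ubuntu's
# /var/log/auth.log and /var/log/syslog — confirm logrotate covers the new
# files or they grow unbounded. A leading `-` on a target asks rsyslog for
# buffered (asynchronous) writes; entries not yet flushed are lost on a
# crash, which the benchmark accepts but is worth knowing.
- name: "6.1.3.5 | PATCH | Ensure logging is configured"
  when: ubtu24cis_rule_6_1_3_5
  tags:
    - level1-server
    - level1-workstation
    - manual
    - patch
    - rule_6.1.3.5
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-7
    - NIST800-53R5_AU-12
    - rsyslog
  vars:
    warn_control_id: '6.1.3.5'
  block:
    - name: "6.1.3.5 | AUDIT | Ensure logging is configured | Find configuration file"
      # -l prints only the file name and head keeps exactly one, so stdout
      # is a single usable path (empty when no rules file exists).
      ansible.builtin.shell: >-
        grep -rlE '^#?\*\.emerg' /etc/rsyslog.conf /etc/rsyslog.d 2>/dev/null | head -n 1
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_rsyslog_config_path

    - name: "6.1.3.5 | AUDIT | Ensure logging is configured | Gather rsyslog current config"
      # argv keeps the path as one argument even if it contains spaces; an
      # empty path makes cat fail, which failed_when deliberately swallows
      # so the review message below still prints (an empty list).
      ansible.builtin.command:
        argv:
          - cat
          - "{{ discovered_rsyslog_config_path.stdout }}"
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_rsyslog_config

    - name: "6.1.3.5 | AUDIT | Ensure logging is configured | Message out config"
      when: not ubtu24cis_rsyslog_ansible_managed
      ansible.builtin.debug:
        msg:
          - "Warning!! Below is the current logging configurations for rsyslog, please review"
          - "{{ discovered_rsyslog_config.stdout_lines }}"

    - name: "6.1.3.5 | PATCH | Ensure logging is configured | Set warning count"
      when: not ubtu24cis_rsyslog_ansible_managed
      ansible.builtin.import_tasks:
        file: warning_facts.yml

    - name: "6.1.3.5 | PATCH | Ensure logging is configured | Automated rsyslog configuration"
      when: ubtu24cis_rsyslog_ansible_managed
      # Deliberately not guarded on an empty discovered path: lineinfile
      # then fails loudly ("Destination ... does not exist") instead of
      # silently leaving the host non-compliant.
      ansible.builtin.lineinfile:
        path: "{{ discovered_rsyslog_config_path.stdout }}"
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        insertafter: "{{ item.insertafter }}"
      loop:
        - { regexp: '^\*.emerg', line: '*.emerg :omusrmsg:*', insertafter: '^# Emergencies are sent to everybody logged in' }
        - { regexp: '^auth,authpriv.\*', line: 'auth,authpriv.* /var/log/secure', insertafter: '^# First some standard log files. Log by facility' }
        - { regexp: '^mail.\*|^#mail.\*', line: 'mail.* -/var/log/mail', insertafter: '^# First some standard log files' }
        - { regexp: '^cron.\*|^#cron.\*', line: 'cron.* /var/log/cron', insertafter: '^# First some standard log files' }
        - { regexp: '^mail.info|^#mail.info', line: 'mail.info -/var/log/mail.info', insertafter: '^# Logging for the mail system' }
        - { regexp: '^mail.warn|^#mail.warn', line: 'mail.warning -/var/log/mail.warn', insertafter: '^# Logging for the mail system.' }
        - { regexp: '^mail.err|^#mail.err', line: 'mail.err /var/log/mail.err', insertafter: '^# Logging for the mail system.' }
        - { regexp: '^\*.=warning;\*.=err|^#\*.=warning;\*.=err', line: '*.=warning;*.=err -/var/log/warn', insertafter: '^# First some standard log files' }
        - { regexp: '^\*.crit|^#\*.crit', line: '*.crit /var/log/warn', insertafter: '^# First some standard log files' }
        - { regexp: '^\*.\*;mail.none;news.none|^#\*.\*;mail.none;news.none', line: '*.*;mail.none;news.none -/var/log/messages', insertafter: '^# First some standard log files' }
        - { regexp: '^local0,local1.\*|^#local0,local1.\*', line: 'local0,local1.* -/var/log/localmessages', insertafter: '^# First some standard log files' }
        - { regexp: '^local2,local3.\*|^#local2,local3.\*', line: 'local2,local3.* -/var/log/localmessages', insertafter: '^# First some standard log files' }
        - { regexp: '^local4,local5.\*|^#local4,local5.\*', line: 'local4,local5.* -/var/log/localmessages', insertafter: '^# First some standard log files' }
        - { regexp: '^local6,local7.\*|^#local6,local7.\*', line: 'local6,local7.* -/var/log/localmessages', insertafter: '^# First some standard log files' }
      loop_control:
        label: "{{ item.line }}"
      notify: Restart syslog service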
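# 6.1.3.6 — ship every message to the central log host so a local attacker
# cannot quietly trim the only copy. Skipped on the log server itself.
# The forward rule is only written when a target is actually set: with an
# empty ubtu24cis_remote_log_server the file would end with `*.* @@` and
# rsyslog would refuse to start on its next restart, taking local logging
# down with it (an undefined variable still fails the task loudly).
# The handler is notified so the new rule takes effect now rather than at
# the next unrelated rsyslog restart.
# NOTE(review): `@@host` is plain TCP on port 514 — no TLS and no peer
# authentication, so auth/authpriv records cross the network in the clear.
# Moving to omfwd with a TLS stream driver needs rsyslog-gnutls plus
# certificate distribution, which this role does not provide.
- name: "6.1.3.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host"
  when:
    - ubtu24cis_rule_6_1_3_6
    - not ubtu24cis_system_is_log_server
    - "ubtu24cis_remote_log_server | length > 0"
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - rule_6.1.3.6
    - NIST800-53R5_AU-6
    - rsyslog
  ansible.builtin.blockinfile:
    path: /etc/rsyslog.conf
    block: |
      ##Enable sending of logs over TCP add the following line:
      *.* @@{{ ubtu24cis_remote_log_server }}
    insertafter: EOF
  notify: Restart syslog service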
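# 6.1.3.7 — a host that is not the log server must not listen for remote
# syslog. Both rsyslog configuration dialects are handled:
#   legacy        $ModLoad imtcp / $InputTCPServerRun 514
#   RainerScript  module(load="imtcp") / input(type="imtcp" port="514")
# Two regex details matter here. A bare `^\$ModLoad` would match *every*
# legacy module load (imuxsock, imklog, ...) and comment local logging out,
# so the module names are restricted to the network inputs (tcp, udp, relp)
# that the ServerRun directives below correspond to. And the parentheses in
# `module(load=...)` / `input(type=...)` must be escaped: unescaped they are
# regex groups, the pattern would look for the text `moduleload="imtcp"`,
# and the real RainerScript line would never be matched.
- name: "6.1.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client"
  when: ubtu24cis_rule_6_1_3_7
  tags:
    - level1-server
    - level1-workstation
    - manual
    - patch
    - rule_6.1.3.7
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-7
    - NIST800-53R5_AU-12
    - NIST800-53R5_CM-6
    - rsyslog
  block:
    - name: "6.1.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When not a log host"
      when: not ubtu24cis_system_is_log_server
      # The outer group captures the whole match so `#\1` keeps the original
      # directive text behind the comment marker; an already-commented line
      # no longer starts with the directive and is left alone (idempotent).
      ansible.builtin.replace:
        path: /etc/rsyslog.conf
        regexp: '({{ item }})'
        replace: '#\1'
      loop:
        - '^\$ModLoad\s+(imtcp|imudp|imrelp)'
        - '^module\(\s*load="(imtcp|imudp|imrelp)"'
        - '^\$(InputTCP|InputRELP|UDP)ServerRun'
        - '^input\(\s*type="(imtcp|imudp|imrelp)"'
      notify: Restart syslog service

    - name: "6.1.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When a log server"
      when: ubtu24cis_system_is_log_server
      # Match only the imtcp lines: a bare `^\$ModLoad` regexp would make
      # lineinfile overwrite some other module's load line (for example
      # `$ModLoad imuxsock`) with `$ModLoad imtcp` and break local logging.
      # Lines missing entirely are appended at EOF in loop order, i.e. the
      # module load lands before the ServerRun directive.
      # NOTE(review): this is plaintext TCP on 514, bound to all interfaces;
      # restrict it with the host firewall and consider TLS — out of scope.
      ansible.builtin.lineinfile:
        path: /etc/rsyslog.conf
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      loop:
        - { regexp: '^#?\$ModLoad\s+imtcp', line: '$ModLoad imtcp' }
        - { regexp: '^#?\$InputTCPServerRun', line: '$InputTCPServerRun 514' }
      notify: Restart syslog service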