Merge pull request #10 from ansible-lockdown/devel

uk-bolly · web-flow · commit bb1b6e331fad · 2024-04-30T16:35:11.000+01:00
V1R1 release - April24
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -8,7 +8,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.5.0
+  rev: v4.6.0
   hooks:
   # Safety
   - id: detect-aws-credentials
@@ -36,12 +36,12 @@ repos:
   - id: detect-secrets
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.18.0
+  rev: v8.18.2
   hooks:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v6.21.1
+  rev: v24.2.2
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -60,6 +60,6 @@ repos:
     - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.32.0  # or higher tag
+  rev: v1.35.1  # or higher tag
   hooks:
   - id: yamllint
diff --git a/tasks/Cat2/RHEL-09-21xxxx.yml b/tasks/Cat2/RHEL-09-21xxxx.yml
@@ -808,6 +808,7 @@
 - name: "MEDIUM | RHEL-09-213115 | PATCH | The kdump service on RHEL 9 must be disabled."
   when:
     - rhel_09_213115
+    - "'kexec-tools' in ansible_facts.packages"
   tags:
     - RHEL-09-213115
     - CAT2
diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml
@@ -195,16 +195,18 @@
     - name: "MEDIUM | RHEL-09-251040 | PATCH | RHEL 9 network interfaces must not be in promiscuous mode."
       when:
         - not rhel9stig_disruption_high
-        - item not in rhel9stig_promisc_if
+        - item in rhel9stig_promisc_if
       ansible.builtin.debug:
         msg: "Warning!! You have interfaces set to promicious mode no in the exception list"
+      loop: "{{ ansible_facts.interfaces }}"
 
     - name: "MEDIUM | RHEL-09-251040 | PATCH | RHEL 9 network interfaces must not be in promiscuous mode."
       when:
         - not rhel9stig_disruption_high
-        - item not in rhel9stig_promisc_if
-      ansible.builtin.import_tasks:
+        - item in rhel9stig_promisc_if
+      ansible.builtin.include_tasks:
         file: warning_facts.yml
+      loop: "{{ ansible_facts.interfaces }}"
 
 - name: "MEDIUM | RHEL-09-251045 | PATCH | RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler."
   when:
diff --git a/tasks/Cat2/RHEL-09-65xxxx.yml b/tasks/Cat2/RHEL-09-65xxxx.yml
@@ -177,7 +177,7 @@
 
     - name: "MEDIUM | RHEL-09-652025 | PATCH | RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation."
       when:
-        - rhel9stig_rsyslog_conf.matched > 0
+        - rhel9stig_rsyslog_conf.matched > 1
       ansible.builtin.lineinfile:
         backrefs: true
         line: '#\1\2\3'
@@ -635,7 +635,8 @@
         msg:
           - "WARNING!! Below is the path and size of the partition for the audit logs."
           - "Please make sure there is enough disk space for 1 week of logs"
-          - "Path: {{ rhel9stig_audit_conf.logfile }}"
+          - "Munt: {{ rhel9stig_audit_log_filesystem }}"
+          - "Logfile: {{ discovered_auditd_logfile.stdout }}"
           - "Disk Space remaining: {{ audit_filesystem_space_left }}MB"
 
     - name: "MEDIUM | RHEL-09-653030 | WARN | RHEL 9 must allocate audit record storage capacity to store at least one week's worth of audit records."
@@ -850,7 +851,7 @@
     - auditd
   ansible.builtin.file:
     owner: root
-    path: "{{ rhel9stig_audit_log_filesystem }}"
+    path: "{{ discovered_auditd_logfile.stdout }}"
 
 - name: "MEDIUM | RHEL-09-653090 | PATCH | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log."
   when:
@@ -869,18 +870,9 @@
     - NIST800-53R4_AU-9
     - NIST800-53R4_SI-11
     - auditd
-  block:
-    - name: "MEDIUM | RHEL-09-653090 | PATCH | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log."
-      ansible.builtin.file:
-        mode: '0600'
-        path: "{{ rhel9stig_audit_conf.logfile }}"
-
-    - name: "MEDIUM | RHEL-09-653090 | PATCH | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log."
-      ansible.builtin.file:
-        mode: '0440'
-        path: "{{ item }}"
-      with_fileglob:
-        - "{{ rhel9stig_audit_conf.logfile }}*"
+  ansible.builtin.file:
+    mode: go-rwx
+    path: "{{ discovered_auditd_logfile.stdout }}"
 
 - name: "MEDIUM | RHEL-09-653095 | PATCH | RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records."
   when:
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -158,6 +158,17 @@
     - SRG-OS-000475-GPOS-00220
     - auditd
 
+- name: "PRELIM | Discover auditd_logfile_path"
+  when:
+    - rhel_09_653085 or
+      rhel_09_653085 or
+      rhel_09_653090
+  tags:
+    - always
+  ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'
+  changed_when: false
+  register: discovered_auditd_logfile
+
 # - name: "PRELIM | Audit conf and rules files | list files"
 #   ansible.builtin.find:
 #     path: /etc/audit
