Merge pull request #243 from ansible-lockdown/issue_90

Issue 38 and 90
ansible-lockdown · Sep 17, 2024 · 28ee41e · 28ee41e
2 parents 5fff87f + e7bc0c7
commit 28ee41e
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml
@@ -23,7 +23,7 @@
             "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
         ansible.builtin.file:
             path: "{{ audit_discovered_logfile.stdout }}"
-            mode: "{% if auditd_logfile.stat.mode > '0640' %}0640{% endif %}"
+            mode: 'u-x,g-wx,o-rwx'
             owner: root
             group: root
   when:

diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml
@@ -14,6 +14,8 @@
         ansible.builtin.file:
             path: "{{ item.path }}"
             mode: '0640'
+        failed_when: logfiles_perms_update.state not in '[ file, absent ]'
+        register: logfiles_perms_update
         loop: "{{ logfiles.files }}"
         loop_control:
             label: "{{ item.path }}"

diff --git a/vars/audit.yml b/vars/audit.yml
@@ -26,8 +26,9 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma
 
 ### Audit binary settings ###
 audit_bin_version:
-    release: v0.4.4
-    AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5'
+    release: v0.4.8
+    AMD64_checksum: 'sha256:85d00b7bba5f175bec95de7dfe1f71f8f25204914aad4c6f03c8457868eb6e2f'
+    ARM64_checksum: 'sha256:bca8c898bfd35b94c51455ece6193c95e2cd7b2b183ac2047b2d76291e73e47d'
 audit_bin_path: /usr/local/bin/
 audit_bin: "{{ audit_bin_path }}goss"
 audit_format: json