updated auditd file logic

Signed-off-by: Mark Bolwell <[email protected]>
ansible-lockdown · Apr 29, 2024 · ef767bd · ef767bd
1 parent 64fdbe9
commit ef767bd
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 37 deletions.
diff --git a/tasks/Cat2/RHEL-09-65xxxx.yml b/tasks/Cat2/RHEL-09-65xxxx.yml
@@ -635,7 +635,8 @@
         msg:
           - "WARNING!! Below is the path and size of the partition for the audit logs."
           - "Please make sure there is enough disk space for 1 week of logs"
-          - "Path: {{ rhel9stig_audit_conf.logfile }}"
+          - "Mount: {{ rhel9stig_audit_log_filesystem }}"
+          - "Logfile: {{ discovered_auditd_logfile.stdout }}"
           - "Disk Space remaining: {{ audit_filesystem_space_left }}MB"
 
     - name: "MEDIUM | RHEL-09-653030 | WARN | RHEL 9 must allocate audit record storage capacity to store at least one week's worth of audit records."
@@ -850,7 +851,7 @@
     - auditd
   ansible.builtin.file:
     owner: root
-    path: "{{ rhel9stig_audit_log_filesystem }}"
+    path: "{{ discovered_auditd_logfile.stdout }}"
 
 - name: "MEDIUM | RHEL-09-653090 | PATCH | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log."
   when:
@@ -869,18 +870,9 @@
     - NIST800-53R4_AU-9
     - NIST800-53R4_SI-11
     - auditd
-  block:
-    - name: "MEDIUM | RHEL-09-653090 | PATCH | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log."
-      ansible.builtin.file:
-        mode: '0600'
-        path: "{{ rhel9stig_audit_conf.logfile }}"
-
-    - name: "MEDIUM | RHEL-09-653090 | PATCH | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log."
-      ansible.builtin.file:
-        mode: '0440'
-        path: "{{ item }}"
-      with_fileglob:
-        - "{{ rhel9stig_audit_conf.logfile }}*"
+  ansible.builtin.file:
+    mode: go-rwx
+    path: "{{ discovered_auditd_logfile.stdout }}"
 
 - name: "MEDIUM | RHEL-09-653095 | PATCH | RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records."
   when:

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -177,29 +177,16 @@
     - SRG-OS-000475-GPOS-00220
     - auditd
 
-# - name: "PRELIM | Audit conf and rules files | list files"
-#   ansible.builtin.find:
-#     path: /etc/audit
-#     file_type: file
-#     recurse: true
-#     patterns: '*.conf,*.rules'
-#   register: auditd_conf_files
-#   when:
-#       - rhel9_09_653105
-#   tags:
-#       - cat2
-#       - auditd
-#       - RHEL-09-653105
-
-# - name: "PRELIM | Configure cron"
-#   ansible.builtin.package:
-#       name: cronie
-#       state: present
-#   become: true
-#   when:
-#       - '"cronie" not in ansible_facts.packages'
-#   tags:
-#       - cron
+- name: "PRELIM | Discover auditd_logfile_path"
+  when:
+    - rhel_09_653085 or
+      rhel_09_653085 or
+      rhel_09_653090
+  tags:
+    - always
+  ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'
+  changed_when: false
+  register: discovered_auditd_logfile
 
 # Added to ensure ssh drop in file exists if not default /etc/ssh/sshd_config
 - name: PRELIM | SSH