- name: "NOTSCORED | 4.1.1.1 | PATCH | Ensure audit log storage size is configured" lineinfile: dest: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" line: "max_log_file = 10" state: present when: - rhel7cis_rule_4_1_1_1|bool notify: restart auditd tags: - level2 - auditd - patch - rule_4.1.1.1 - name: "SCORED | 4.1.1.2 | PATCH | Ensure system is disabled when audit logs are full" lineinfile: dest: /etc/audit/auditd.conf regexp: "^admin_space_left_action" line: "admin_space_left_action = {{ rhel7cis_auditd['admin_space_left_action'] }}" state: present when: - rhel7cis_rule_4_1_1_2|bool notify: restart auditd tags: - level2 - auditd - patch - rule_4.1.1.2 - name: "SCORED | 4.1.1.2 | PATCH | Ensure email on non-admin audit space alert" lineinfile: dest: /etc/audit/auditd.conf regexp: "^space_left_action" line: "space_left_action = email" state: present when: - rhel7cis_rule_4_1_1_2|bool notify: restart auditd tags: - level2 - auditd - patch - rule_4.1.1.2 - name: "SCORED | 4.1.1.3 | PATCH | Ensure audit logs are not automatically deleted" lineinfile: dest: /etc/audit/auditd.conf regexp: "^max_log_file_action" line: "max_log_file_action = {{ rhel7cis_auditd['max_log_file_action'] }}" state: present when: - rhel7cis_rule_4_1_1_3|bool notify: restart auditd tags: - level2 - auditd - patch - rule_4.1.1.3 - name: "SCORED | 4.1.2 | PATCH | Ensure auditd service is enabled" service: name: auditd state: started enabled: yes when: - not rhel7cis_skip_for_travis - rhel7cis_rule_4_1_2|bool - ansible_connection != 'docker' tags: - level2 - auditd - patch - rule_4.1.2 - name: "SCORED | 4.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" replace: dest: /etc/default/grub regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(?- set -o pipefail && for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done register: priv_procs changed_when: no check_mode: no when: - rhel7cis_rule_4_1_12|bool tags: - level2 - auditd - patch - rule_4.1.12 - name: "SCORED | 4.1.12 | PATCH | Ensure use of privileged commands is collected" template: src: audit/rhel7cis_rule_4_1_12.rules.j2 dest: /etc/audit/rules.d/rhel7cis_rule_4_1_12.rules owner: root group: root mode: 0600 notify: restart auditd when: - rhel7cis_rule_4_1_12|bool tags: - level2 - auditd - patch - rule_4.1.12 - name: "SCORED | 4.1.13 | PATCH | Ensure successful file system mounts are collected" template: src: audit/rhel7cis_rule_4_1_13.rules.j2 dest: /etc/audit/rules.d/rhel7cis_rule_4_1_13.rules owner: root group: root mode: 0600 when: - rhel7cis_rule_4_1_13|bool notify: restart auditd tags: - level2 - auditd - patch - rule_4.1.13 - name: "SCORED | 4.1.14 | PATCH | Ensure file deletion events by users are collected" template: src: audit/rhel7cis_rule_4_1_14.rules.j2 dest: /etc/audit/rules.d/rhel7cis_rule_4_1_14.rules owner: root group: root mode: 0600 when: - rhel7cis_rule_4_1_14|bool notify: restart auditd tags: - level2 - auditd - patch - rule_4.1.14 - name: "SCORED | 4.1.15 | PATCH | Ensure changes to system administration scope (sudoers) is collected" template: src: audit/rhel7cis_rule_4_1_15.rules.j2 dest: /etc/audit/rules.d/rhel7cis_rule_4_1_15.rules owner: root group: root mode: 0600 when: - rhel7cis_rule_4_1_15|bool notify: restart auditd tags: - level2 - auditd - patch - rule_4.1.15 - name: "SCORED | 4.1.16 | PATCH | Ensure system administrator actions (sudolog) are collected" template: src: audit/rhel7cis_rule_4_1_16.rules.j2 dest: /etc/audit/rules.d/rhel7cis_rule_4_1_16.rules owner: root group: root mode: 0600 when: - rhel7cis_rule_4_1_16|bool notify: restart auditd tags: - level2 - auditd - patch - rule_4.1.16 - name: "SCORED | 4.1.17 | PATCH | Ensure kernel module loading and unloading is collected" template: src: audit/rhel7cis_rule_4_1_17.rules.j2 dest: /etc/audit/rules.d/rhel7cis_rule_4_1_17.rules owner: root group: root mode: 0600 when: - rhel7cis_rule_4_1_17|bool notify: restart auditd tags: - level2 - auditd - patch - rule_4.1.17 - name: "SCORED | 4.1.18 | PATCH | Ensure the audit configuration is immutable" template: src: audit/rhel7cis_rule_4_1_18.rules.j2 dest: /etc/audit/rules.d/rhel7cis_rule_4_1_18.rules owner: root group: root mode: 0600 when: - rhel7cis_rule_4_1_18|bool notify: restart auditd tags: - level2 - auditd - patch - rule_4.1.18 - name: "SCORED | 4.2.3 | PATCH | Ensure rsyslog or syslog-ng is installed" yum: name: "{{ rhel7cis_syslog }}" state: present when: - rhel7cis_rule_4_2_3|bool tags: - level1 - level2 - patch - rule_4.2.3 - name: "SCORED | 4.2.1.1 | PATCH | Ensure rsyslog Service is enabled" command: /bin/true changed_when: no when: - rhel7cis_rule_4_2_1_1|bool tags: - level1 - level2 - patch - rule_4.2.1.1 - notimplemented - name: "NOTSCORED | 4.2.1.2 | PATCH | Ensure logging is configured" command: /bin/true changed_when: no when: - rhel7cis_rule_4_2_1_2|bool tags: - level1 - level2 - patch - rule_4.2.1.2 - notimplemented - name: "SCORED | 4.2.1.3 | PATCH | Ensure rsyslog default file permissions configured" lineinfile: dest: /etc/rsyslog.conf regexp: '^\$FileCreateMode' line: '$FileCreateMode 0640' when: - rhel7cis_rule_4_2_1_3|bool tags: - level1 - level2 - patch - rule_4.2.1.3 - name: "SCORED | 4.2.1.4 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" command: /bin/true changed_when: no when: - rhel7cis_rule_4_2_1_4|bool tags: - level1 - level2 - patch - rule_4.2.1.4 - notimplemented - name: "NOTSCORED | 4.2.1.5 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts." command: /bin/true changed_when: no when: - rhel7cis_rule_4_2_1_5|bool tags: - level1 - level2 - patch - rule_4.2.1.5 - notimplemented - name: "NOTSCORED | 4.2.1.5 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts." command: /bin/true changed_when: no when: - rhel7cis_rule_4_2_1_5|bool tags: - level1 - level2 - patch - rule_4.2.1.5 - notimplemented - name: "SCORED | 4.2.2.1 | PATCH | Ensure syslog-ng service is enabled" command: /bin/true changed_when: no when: - rhel7cis_rule_4_2_2_1|bool tags: - level1 - level2 - patch - rule_4.2.2.1 - notimplemented - name: "NOTSCORED | 4.2.2.2 | PATCH | Ensure logging is configured" command: /bin/true changed_when: no when: - rhel7cis_rule_4_2_2_2|bool tags: - level1 - level2 - patch - rule_4.2.2.2 - notimplemented - name: "SCORED | 4.2.2.3 | PATCH | Ensure syslog-ng default file permissions configured" command: /bin/true changed_when: no when: - rhel7cis_rule_4_2_2_3|bool tags: - level1 - level2 - patch - rule_4.2.2.3 - notimplemented - name: "NOTSCORED | 4.2.2.4 | PATCH | Ensure syslog-ng is configured to send logs to a remote log host" command: /bin/true changed_when: no when: - rhel7cis_rule_4_2_2_4|bool tags: - level1 - level2 - patch - rule_4.2.2.4 - notimplemented - name: "NOTSCORED | 4.2.2.5 | PATCH | Ensure remote syslog-ng messages are only accepted on designated log hosts" command: /bin/true changed_when: no when: - rhel7cis_rule_4_2_2_5|bool tags: - level1 - level2 - patch - rule_4.2.2.5 - notimplemented - name: "SCORED | 4.2.4 | PATCH | Ensure permissions on all logfiles are configured" command: find /var/log -type f -exec chmod g-wx,o-rwx {} + changed_when: no failed_when: no when: - rhel7cis_rule_4_2_4|bool tags: - level1 - level2 - patch - rule_4.2.4 - name: "NOTSCORED | 4.3 | PATCH | Ensure logrotate is configured" find: paths: /etc/logrotate.d/ register: log_rotates tags: - level1 - level2 - patch - rule_4.3 - name: "NOTSCORED | 4.3 | PATCH | Ensure logrotate is configured" replace: path: "{{ item.path }}" regexp: '^(\s*)(daily|weekly|monthly|yearly)$' replace: "\\1{{ rhel7cis_logrotate }}" with_items: - "{{ log_rotates.files }}" - { path: "/etc/logrotate.conf" } when: - rhel7cis_rule_4_3|bool tags: - level1 - level2 - patch - rule_4.3