fix(auditd): paramaterize all auditd config s with auditd_ prefix and…

… add debugging
dbmurphy · Jan 11, 2024 · 4795ef9 · 4795ef9
1 parent b2575a9
commit 4795ef9
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 25 deletions.
diff --git a/roles/cis_security/defaults/main.yml b/roles/cis_security/defaults/main.yml
@@ -51,10 +51,18 @@ graphical_interface: false # Whether to disable the GDM greeter service. The ser
 # Rsyslog service
 log_host: false # Linux: Whether this machine will host rsyslog messages for other machines
 log_port: 514 # Linux: Port to listen to RSYSLOG messages on (if log_host is true)
-log_file_size: 8 # Linux: log file size. RHEL default is 8MB, control has no default
+
+auditd_max_log_file_size: 8 # Linux: log file size. RHEL default is 8MB, control has no default
+auditd_num_logs: 5 # Linux: number of logs to keep. RHEL default is 5, control has no default
+auditd_max_log_file_action: keep_logs # Linux: action to take when auditd log file is full. RHEL default is keep_logs
+auditd_space_left_disk_size: "75%" # Linux: RHEL default is 75%
+auditd_space_left_action: syslog # Linux: RHEL default is syslog
+auditd_admin_left_disk_size: "50%" # Linux: RHEL default is 50%
+auditd_admin_space_left_action: rotate # Linux: RHEL default is rotate
+auditd_action_mail_acct: root # Linux: RHEL default is root
+
 # rsyslog_file:                  # Linux: Uncomment to copy file listed to /etc/rsyslog.d
-space_left_disk_size: 10000
-max_log_file_action: keep_logs
+
 
 # network security settings
 tcpwrappers: false # Linux: Configure tcpwrappers controls. RHEL 7 control only

diff --git a/roles/cis_security/tasks/type-files/redhat-7-type.yml b/roles/cis_security/tasks/type-files/redhat-7-type.yml
@@ -1608,12 +1608,13 @@
         regexp: "{{ item.find }}"
         replace: "{{ item.replace }}"
       loop:
-        - {find: '^max_log_file\s+=\s+[^{{ log_file_size }}]', replace: 'max_log_file = {{ log_file_size }}'} # 4.1.1.1
-        - {find: '^max_log_file_action\s+=\s+((?!{{ max_log_file_action }}).)*$', replace: 'max_log_file_action = {{ max_log_file_action }}'} # 4.1.1.2
-        - {find: '^space_left_action\s+=\s+((?!email).)*$', replace: 'space_left_action = email'} # 4.1.1.2
-        - {find: '^action_mail_acct\s+=\s+((?!root).)*$', replace: 'action_mail_acct = root'} # 4.1.1.2
-        - {find: '^admin_space_left\s+=\s+\d+$', replace: 'admin_space_left = {{ space_left_disk_size }}'} #
-        - {find: '^admin_space_left_action\s+=\s+((?!suspend).)*$', replace: 'admin_space_left_action = suspend'} # 4.1.1.2
+        - { find: "^max_log_file\\s+=\\s+[^{{ auditd_max_log_file_size }}]", replace: "max_log_file = {{ auditd_max_log_file_size }}" } # 4.1.2.1
+        - { find: "^num_logs\\s+=\\s+[^{{ auditd_num_logs }}]", replace: "max_log_file = {{ auditd_num_logs }}" } # 4.1.2.1
+        - { find: "^max_log_file_action\\s+=\\s+((?!{{ auditd_max_log_file_action }}).)*$", replace: "max_log_file_action = {{ auditd_max_log_file_action }}" } # 4.1.2.2
+        - { find: "^space_left_action\\s+=\\s+((?!{{ auditd_space_left_action }}).)*$", replace: "space_left_action = {{ auditd_space_left_action }}" } # 4.1.2.2
+        - { find: "^action_mail_acct\\s+=\\s+((?!{{ auditd_action_mail_acct }}).)*$", replace: "action_mail_acct = {{ auditd_action_mail_acct }}" } # 4.1.2.2
+        - { find: "^admin_space_left\\s+=\\s+((?!{{ auditd_admin_left_disk_size }}).)*$", replace: "admin_space_left = {{ auditd_admin_left_disk_size }}"} # 4.1.2.2
+        - { find: "^admin_space_left_action\\s+=\\s+((?!{{ auditd_admin_space_left_action }}).)*$", replace: "admin_space_left_action = {{ auditd_admin_space_left_action }}" } # 4.1.2.2
       notify: Restart auditd
       tags:
         - 4.1.2.1
@@ -1628,9 +1629,9 @@
         - 4.1.2.2
         - 4.1.2.3
 
-    - name: 4.1.2.[1-2] - Print AutidD config
+    - name: 4.1.2.[1-2] - Print AuditD config
       ansible.builtin.debug:
-        msg: "{{ auditd_conf.stdout }}"
+        msg: "{{ auditd_conf.stdout | string }}"
       tags:
         - 4.1.2.1
         - 4.1.2.2

diff --git a/roles/cis_security/tasks/type-files/redhat-8-type.yml b/roles/cis_security/tasks/type-files/redhat-8-type.yml
@@ -1584,18 +1584,35 @@
         regexp: "{{ item.find }}"
         replace: "{{ item.replace }}"
       loop:
-        - { find: "^max_log_file\\s+=\\s+[^{{ log_file_size }}]", replace: "max_log_file = {{ log_file_size }}" } # 4.1.2.1
-        - { find: "^max_log_file_action\\s+=\\s+((?!{{ max_log_file_action }}).)*$", replace: "max_log_file_action = {{ max_log_file_action }}" } # 4.1.2.2
-        - { find: "^space_left_action\\s+=\\s+((?!email).)*$", replace: space_left_action = email } # 4.1.2.2
-        - { find: "^action_mail_acct\\s+=\\s+((?!root).)*$", replace: action_mail_acct = root } # 4.1.2.2
-        - { find: "^admin_space_left\\s+=\\s+\\d+$", replace: "admin_space_left = {{ space_left_disk_size }}"} #
-        - { find: "^admin_space_left_action\\s+=\\s+((?!suspend).)*$", replace: admin_space_left_action = suspend } # 4.1.2.2
+        - { find: "^max_log_file\\s+=\\s+[^{{ auditd_max_log_file_size }}]", replace: "max_log_file = {{ auditd_max_log_file_size }}" } # 4.1.2.1
+        - { find: "^num_logs\\s+=\\s+[^{{ auditd_num_logs }}]", replace: "max_log_file = {{ auditd_num_logs }}" } # 4.1.2.1
+        - { find: "^max_log_file_action\\s+=\\s+((?!{{ auditd_max_log_file_action }}).)*$", replace: "max_log_file_action = {{ auditd_max_log_file_action }}" } # 4.1.2.2
+        - { find: "^space_left_action\\s+=\\s+((?!{{ auditd_space_left_action }}).)*$", replace: "space_left_action = {{ auditd_space_left_action }}" } # 4.1.2.2
+        - { find: "^action_mail_acct\\s+=\\s+((?!{{ auditd_action_mail_acct }}).)*$", replace: "action_mail_acct = {{ auditd_action_mail_acct }}" } # 4.1.2.2
+        - { find: "^admin_space_left\\s+=\\s+((?!{{ auditd_admin_left_disk_size }}).)*$", replace: "admin_space_left = {{ auditd_admin_left_disk_size }}"} # 4.1.2.2
+        - { find: "^admin_space_left_action\\s+=\\s+((?!{{ auditd_admin_space_left_action }}).)*$", replace: "admin_space_left_action = {{ auditd_admin_space_left_action }}" } # 4.1.2.2
       notify: Restart auditd
       tags:
         - 4.1.2.1
         - 4.1.2.2
         - 4.1.2.3
 
+    - name: 4.1.2.[1-2] - Get AuditD config
+      ansible.builtin.shell: cat /etc/audit/auditd.conf
+      register: auditd_conf
+      tags:
+        - 4.1.2.1
+        - 4.1.2.2
+        - 4.1.2.3
+
+    - name: 4.1.2.[1-2] - Print AuditD config
+      ansible.builtin.debug:
+        msg: "{{ auditd_conf.stdout | string }}"
+      tags:
+        - 4.1.2.1
+        - 4.1.2.2
+        - 4.1.2.3
+
     # For the next several checks, each one is in their own file, so we are using
     #  the copy module to place each file independently and then motifying
     #  a restart of auditd if anything changes.

diff --git a/roles/cis_security/tasks/type-files/ubuntu-18-type.yml b/roles/cis_security/tasks/type-files/ubuntu-18-type.yml
@@ -1565,12 +1565,13 @@
         regexp: "{{ item.find }}"
         replace: "{{ item.replace }}"
       loop:
-        - { find: "^max_log_file\\s+=\\s+[^{{ log_file_size }}]", replace: "max_log_file = {{ log_file_size }}" } # 4.1.2.1
-        - { find: "^max_log_file_action\\s+=\\s+((?!{{ max_log_file_action }}).)*$", replace: "max_log_file_action = {{ max_log_file_action }}" } # 4.1.2.2
-        - { find: "^space_left_action\\s+=\\s+((?!email).)*$", replace: space_left_action = email } # 4.1.2.2
-        - { find: "^action_mail_acct\\s+=\\s+((?!root).)*$", replace: action_mail_acct = root } # 4.1.2.2
-        - { find: "^admin_space_left\\s+=\\s+\\d+$", replace: "admin_space_left = {{ space_left_disk_size }}"} #
-        - { find: "^admin_space_left_action\\s+=\\s+((?!suspend).)*$", replace: admin_space_left_action = suspend } # 4.1.2.2
+        - { find: "^max_log_file\\s+=\\s+[^{{ auditd_max_log_file_size }}]", replace: "max_log_file = {{ auditd_max_log_file_size }}" } # 4.1.2.1
+        - { find: "^num_logs\\s+=\\s+[^{{ auditd_num_logs }}]", replace: "max_log_file = {{ auditd_num_logs }}" } # 4.1.2.1
+        - { find: "^max_log_file_action\\s+=\\s+((?!{{ auditd_max_log_file_action }}).)*$", replace: "max_log_file_action = {{ auditd_max_log_file_action }}" } # 4.1.2.2
+        - { find: "^space_left_action\\s+=\\s+((?!{{ auditd_space_left_action }}).)*$", replace: "space_left_action = {{ auditd_space_left_action }}" } # 4.1.2.2
+        - { find: "^action_mail_acct\\s+=\\s+((?!{{ auditd_action_mail_acct }}).)*$", replace: "action_mail_acct = {{ auditd_action_mail_acct }}" } # 4.1.2.2
+        - { find: "^admin_space_left\\s+=\\s+((?!{{ auditd_admin_left_disk_size }}).)*$", replace: "admin_space_left = {{ auditd_admin_left_disk_size }}"} # 4.1.2.2
+        - { find: "^admin_space_left_action\\s+=\\s+((?!{{ auditd_admin_space_left_action }}).)*$", replace: "admin_space_left_action = {{ auditd_admin_space_left_action }}" } # 4.1.2.2
       tags:
         - 4.1.2.1
         - 4.1.2.2
@@ -1584,9 +1585,9 @@
         - 4.1.2.2
         - 4.1.2.3
 
-    - name: 4.1.2.[1-2] - Print AutidD config
+    - name: 4.1.2.[1-2] - Print AuditD config
       ansible.builtin.debug:
-        msg: "{{ auditd_conf.stdout }}"
+        msg: "{{ auditd_conf.stdout | string }}"
       tags:
         - 4.1.2.1
         - 4.1.2.2