ansible-hardening/tasks/rhel7stig/auditd.yml


---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
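# Probe for the auditd configuration file. The registered result is read by
# the `when` guards of the auditd tasks further down, which only run when
# auditd_conf.stat.exists is true.
- name: Verify that auditd.conf exists
  stat:
    path: /etc/audit/auditd.conf
  register: auditd_conf
  # Run even under --check so the later guards have a fact to evaluate.
  # `false` rather than `no`: lowercase true/false is the only boolean form
  # that parses the same under YAML 1.1 and 1.2.
  check_mode: false
  tags:
    - always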
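# Probe for the audisp remote-logging plugin config. The registered result
# gates the V-72083 / V-72085 tasks and the auditd/audispd tuning task, which
# only run when audisp_remote_conf.stat.exists is true.
- name: Verify that audisp-remote.conf exists
  stat:
    path: /etc/audisp/audisp-remote.conf
  register: audisp_remote_conf
  # Must also run under --check so the dependent guards are decidable.
  # Canonical `false` instead of the YAML 1.1-only `no`.
  check_mode: false
  tags:
    - always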
# V-72083: send audit records to an off-host collector via audisp-remote.
# Runs only when the operator has set security_audisp_remote_server and the
# plugin config file was found by the stat task above; otherwise it is a
# no-op so hosts without the remote plugin are left untouched.
- name: V-72083 - The operating system must off-load audit records onto a different system or media from the system being audited
  lineinfile:
    dest: /etc/audisp/audisp-remote.conf
    # Optional leading "#" lets a commented-out distro default be replaced
    # in place instead of leaving it alongside the new setting.
    regexp: "^(#)?remote_server"
    line: "remote_server = {{ security_audisp_remote_server }}"
  when: security_audisp_remote_server is defined and audisp_remote_conf.stat.exists
  notify: restart auditd
  tags:
    - medium
    - auditd
    - V-72083
# V-72085: require Kerberos on the audisp-remote transport so off-loaded
# audit records are encrypted and the collector is authenticated.
# NOTE(review): the guard only tests that security_audisp_enable_krb5 is
# defined, not its value — a host with the variable set to false would still
# get `enable_krb5 = yes` written. Confirm that "defined means on" is the
# intended contract for this variable.
- name: V-72085 - The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited
  lineinfile:
    dest: /etc/audisp/audisp-remote.conf
    # Also matches a commented-out default so it is replaced rather than
    # left behind.
    regexp: "^(#)?enable_krb5"
    line: "enable_krb5 = yes"
  when: security_audisp_enable_krb5 is defined and audisp_remote_conf.stat.exists
  notify: restart auditd
  tags:
    - medium
    - auditd
    - V-72085
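# Choose the architecture keywords the audit rules template will emit:
# ppc64le hosts get the single 'ppc64' keyword, every other architecture
# gets both 'b32' and 'b64' so 32- and 64-bit syscalls are covered.
- name: Get valid system architectures for audit rules
  set_fact:
    auditd_architectures: "{{ (ansible_architecture == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}"
  # Computed under --check too, otherwise the template task cannot render.
  # Canonical `false` instead of the YAML 1.1-only `no`.
  check_mode: false
  tags:
    - always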
# Drop the distribution's stock rules file so the only rule set loaded is
# the STIG template deployed below. Guarded on auditd_conf.stat.exists so
# hosts without auditd are not touched; the handler regenerates the
# compiled rules after removal.
- name: Remove system default audit.rules file
  file:
    path: /etc/audit/rules.d/audit.rules
    state: absent
  when: auditd_conf.stat.exists
  notify: generate auditd rules
  tags: [always]
# Clean up the rules file left behind by the RHEL 6 flavour of this role so
# stale rules are not merged in alongside the RHEL 7 template. Same guard and
# handler as the default-rules removal above.
- name: Remove old RHEL 6 audit rules file
  file:
    path: /etc/audit/rules.d/osas-auditd.rules
    state: absent
  when: auditd_conf.stat.exists
  notify: generate auditd rules
  tags: [always]
# Render the STIG audit rule set from the role template into rules.d. The
# handler then compiles the rules.d fragments into the active rule set.
# The long tag list lets an operator run or skip the individual STIG
# findings this single template satisfies; there is one tag per finding.
# Guarded on auditd_conf.stat.exists so hosts without auditd are skipped.
- name: Deploy rules for auditd based on STIG requirements
  template:
    src: osas-auditd-rhel7.j2
    dest: /etc/audit/rules.d/osas-auditd-rhel7.rules
  when:
    - auditd_conf.stat.exists
  notify:
    - generate auditd rules
  tags:
    - auditd
    - V-72167
    - V-72155
    - V-72139
    - V-72105
    - V-72097
    - V-72123
    - V-72183
    - V-72189
    - V-72107
    - V-72109
    - V-72099
    - V-72103
    - V-72119
    - V-72113
    - V-72133
    - V-72187
    - V-72153
    - V-72101
    - V-72121
    - V-72115
    - V-72171
    - V-72165
    - V-72125
    - V-72127
    - V-72129
    - V-72185
    - V-72149
    - V-72175
    - V-72177
    - V-72117
    - V-72199
    - V-72201
    - V-72141
    - V-72203
    - V-72135
    - V-72137
    - V-72111
    - V-72179
    - V-72159
    - V-72161
    - V-72169
    - V-72131
    - V-72173
    - V-72151
    - V-72205
    - V-72207
    - V-72157
    - V-72143
    - V-72163
    - V-72191
    - V-72193
    - V-72195
    - V-72197
    - V-72081
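# Apply the key = value settings listed in auditd_config to the auditd and
# audispd config files (each item carries its own target file, parameter
# and value). Covers V-72087/89/91/93 (disk-full and space-left handling).
# NOTE(review): the guard requires BOTH config files to exist, so a host
# with auditd.conf but no audisp-remote.conf skips every item, including
# the ones aimed at auditd.conf. Confirm that is intended; a per-item guard
# on item.config would be more precise.
- name: Adjust auditd/audispd configurations
  lineinfile:
    dest: "{{ item.config }}"
    # item.parameter is interpolated into a regular expression; escape it so
    # a parameter name containing regex metacharacters matches literally
    # instead of widening (or breaking) the match. Optional leading "#"
    # replaces a commented-out default in place.
    regexp: '^#?{{ item.parameter | regex_escape() }}\s*='
    line: "{{ item.parameter }} = {{ item.value }}"
  with_items: "{{ auditd_config }}"
  when:
    - auditd_conf.stat.exists
    - audisp_remote_conf.stat.exists
  notify:
    - restart auditd
  tags:
    - high
    - auditd
    - V-72087
    - V-72089
    - V-72091
    - V-72093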
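# V-72079: auditd must be running now and start at boot. Skipped when
# auditd.conf is absent (auditd not installed), matching the other guards.
- name: Ensure auditd is running and enabled at boot time
  service:
    name: auditd
    state: started
    # Canonical `true` instead of the YAML 1.1-only `yes`.
    enabled: true
  when:
    - auditd_conf.stat.exists
  tags:
    - high
    - auditd
    - V-72079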