updated some logic on auditd files and dirs

Signed-off-by: Mark Bolwell <[email protected]>
ansible-lockdown · Apr 19, 2024 · 764605b · 764605b
1 parent eb795cf
commit 764605b
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 14 deletions.
diff --git a/tasks/Cat2/RHEL-09-65xxxx.yml b/tasks/Cat2/RHEL-09-65xxxx.yml
@@ -635,7 +635,8 @@
         msg:
           - "WARNING!! Below is the path and size of the partition for the audit logs."
           - "Please make sure there is enough disk space for 1 week of logs"
-          - "Path: {{ rhel9stig_audit_conf.logfile }}"
+          - "Munt: {{ rhel9stig_audit_log_filesystem }}"
+          - "Logfile: {{ discovered_auditd_logfile.stdout }}"
           - "Disk Space remaining: {{ audit_filesystem_space_left }}MB"
 
     - name: "MEDIUM | RHEL-09-653030 | WARN | RHEL 9 must allocate audit record storage capacity to store at least one week's worth of audit records."
@@ -850,7 +851,7 @@
     - auditd
   ansible.builtin.file:
     owner: root
-    path: "{{ rhel9stig_audit_log_filesystem }}"
+    path: "{{ discovered_auditd_logfile.stdout }}"
 
 - name: "MEDIUM | RHEL-09-653090 | PATCH | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log."
   when:
@@ -869,18 +870,9 @@
     - NIST800-53R4_AU-9
     - NIST800-53R4_SI-11
     - auditd
-  block:
-    - name: "MEDIUM | RHEL-09-653090 | PATCH | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log."
-      ansible.builtin.file:
-        mode: '0600'
-        path: "{{ rhel9stig_audit_conf.logfile }}"
-
-    - name: "MEDIUM | RHEL-09-653090 | PATCH | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log."
-      ansible.builtin.file:
-        mode: '0440'
-        path: "{{ item }}"
-      with_fileglob:
-        - "{{ rhel9stig_audit_conf.logfile }}*"
+  ansible.builtin.file:
+    mode: go-rwx
+    path: "{{ discovered_auditd_logfile.stdout }}"
 
 - name: "MEDIUM | RHEL-09-653095 | PATCH | RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records."
   when:

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -158,6 +158,17 @@
     - SRG-OS-000475-GPOS-00220
     - auditd
 
+- name: "PRELIM | Discover auditd_logfile_path"
+  when:
+    - rhel_09_653085 or
+      rhel_09_653085 or
+      rhel_09_653090
+  tags:
+    - always
+  ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'
+  changed_when: false
+  register: discovered_auditd_logfile
+
 # - name: "PRELIM | Audit conf and rules files | list files"
 #   ansible.builtin.find:
 #     path: /etc/audit