Merge pull request #251 from ansible-lockdown/Oct_24

Final updates for v1.0.0
ansible-lockdown · Nov 5, 2024 · 719efaf · 719efaf
2 parents 0d3ffcd + 048d197
commit 719efaf
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 21 deletions.
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -138,35 +138,32 @@
       - always
 
 - name: "PRELIM | PATCH | Ensure auditd is installed"
-  block:
-      - name: "PRELIM | PATCH | Ensure auditd is installed"
-        ansible.builtin.package:
-            name: ['auditd', 'audispd-plugins']
-            state: present
-        when:
-            - "'auditd' not in ansible_facts.packages or
-              'auditd-plugins' not in ansible_facts.packages"
-
-      - name: "PRELIM | AUDIT | Audit conf and rules files | list files"
-        ansible.builtin.find:
-            path: /etc/audit/
-            file_type: file
-            recurse: true
-            patterns: '*.conf,*.rules'
-        register: auditd_conf_files
-
+  ansible.builtin.package:
+      name: ['auditd', 'audispd-plugins']
+      state: present
   when:
-      - ubtu22cis_rule_4_1_1_1 or
-        ubtu22cis_rule_4_1_4_5 or
-        ubtu22cis_rule_4_1_4_6 or
-        ubtu22cis_rule_4_1_4_7
+      - "'auditd' not in ansible_facts.packages or
+        'auditd-plugins' not in ansible_facts.packages"
+      - ubtu22cis_rule_4_1_1_1
   tags:
       - level2-server
       - level2-workstation
       - patch
       - auditd
       - always
 
+- name: "PRELIM | AUDIT | Audit conf and rules files | list files"
+  ansible.builtin.find:
+      path: /etc/audit/
+      file_type: file
+      recurse: true
+      patterns: '*.conf,*.rules'
+  register: auditd_conf_files
+  tags:
+      - patch
+      - auditd
+      - always
+
 - name: "PRELIM | AUDIT | Check if auditd is immutable before changes"
   ansible.builtin.shell: auditctl -l | grep -c '-e 2'
   changed_when: false

diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
@@ -21,6 +21,8 @@
       owner: root
       group: root
       mode: '0644'
+  failed_when: discovered_file_exists.state not in '[ file, absent ]'
+  register: discovered_file_exists
   when:
       - ubtu22cis_rule_6_1_2
   tags: