--- # Copyright 2016, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - name: Verify that auditd.conf exists stat: path: /etc/audit/auditd.conf register: auditd_conf check_mode: no tags: - always - name: Verify that audisp-remote.conf exists stat: path: /etc/audisp/audisp-remote.conf register: audisp_remote_conf check_mode: no tags: - always - name: V-72083 - The operating system must off-load audit records onto a different system or media from the system being audited lineinfile: dest: /etc/audisp/audisp-remote.conf regexp: "^(#)?remote_server" line: "remote_server = {{ security_audisp_remote_server }}" when: - security_audisp_remote_server is defined - audisp_remote_conf.stat.exists notify: - restart auditd tags: - medium - auditd - V-72083 - name: V-72085 - The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited lineinfile: dest: /etc/audisp/audisp-remote.conf regexp: "^(#)?enable_krb5" line: "enable_krb5 = yes" when: - security_audisp_enable_krb5 is defined - audisp_remote_conf.stat.exists notify: - restart auditd tags: - medium - auditd - V-72085 - name: Get valid system architectures for audit rules set_fact: auditd_architectures: "{{ (ansible_architecture == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}" check_mode: no tags: - always - name: Remove system default audit.rules file file: path: /etc/audit/rules.d/audit.rules state: absent when: - auditd_conf.stat.exists notify: - generate auditd rules tags: - always - name: Remove old RHEL 6 audit rules file file: path: /etc/audit/rules.d/osas-auditd.rules state: absent when: - auditd_conf.stat.exists notify: - generate auditd rules tags: - always - name: Deploy rules for auditd based on STIG requirements template: src: osas-auditd-rhel7.j2 dest: /etc/audit/rules.d/osas-auditd-rhel7.rules when: - auditd_conf.stat.exists notify: - generate auditd rules tags: - auditd - V-72167 - V-72155 - V-72139 - V-72105 - V-72097 - V-72123 - V-72183 - V-72189 - V-72107 - V-72109 - V-72099 - V-72103 - V-72119 - V-72113 - V-72133 - V-72187 - V-72153 - V-72101 - V-72121 - V-72115 - V-72171 - V-72165 - V-72125 - V-72127 - V-72129 - V-72185 - V-72149 - V-72175 - V-72177 - V-72117 - V-72199 - V-72201 - V-72141 - V-72203 - V-72135 - V-72137 - V-72111 - V-72179 - V-72159 - V-72161 - V-72169 - V-72131 - V-72173 - V-72151 - V-72205 - V-72207 - V-72157 - V-72143 - V-72163 - V-72191 - V-72193 - V-72195 - V-72197 - V-72081 - name: Adjust auditd/audispd configurations lineinfile: dest: "{{ item.config }}" regexp: '^#?{{ item.parameter }}\s*=' line: "{{ item.parameter }} = {{ item.value }}" with_items: "{{ auditd_config }}" when: - auditd_conf.stat.exists - audisp_remote_conf.stat.exists notify: - restart auditd tags: - high - auditd - V-72087 - V-72089 - V-72091 - V-72093 - name: Ensure auditd is running and enabled at boot time service: name: auditd state: started enabled: yes when: - auditd_conf.stat.exists tags: - high - auditd - V-72079