Address issues in 4.1.1.2 and 4.1.1.3 including idempotent status (#188)

* Fixed issues with 4.1.1.2 and 4.1.1.3 Now handle multiple kernels and are idempotent Signed-off-by: John Foster <[email protected]> * Fixed issues with 4.1.1.2 and 4.1.1.3 Now handle multiple kernels and are idempotent Removed debug messages Signed-off-by: John Foster <[email protected]> --------- Signed-off-by: John Foster <[email protected]>
ansible-lockdown · Mar 14, 2024 · 6eeae19 · 6eeae19
1 parent 7d7b613
commit 6eeae19
Showing 1 changed file with 24 additions and 6 deletions.
diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml
@@ -25,7 +25,7 @@
 - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
   block:
       - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby existence of current value"
-        ansible.builtin.shell: grubby --info=ALL | grep args | grep -o -E "audit=([[:digit:]])+" | grep -o -E "([[:digit:]])+"
+        ansible.builtin.shell: grubby --info=ALL | grep args | sed -n 's/.*audit=\([[:alnum:]]\+\).*/\1/p'
         changed_when: false
         failed_when: false
         check_mode: false
@@ -34,7 +34,9 @@
       - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby update, if needed"
         ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1"
         when:
-            - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux is not defined or rhel9cis_4_1_1_2_grubby_curr_value_audit_linux | int != 1
+            - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout == '' or
+              '0' in rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout or
+              'off' in rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout|lower
   when:
       - rhel9cis_rule_4_1_1_2
   tags:
@@ -48,16 +50,32 @@
 - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
   block:
       - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby existence of current value"
-        ansible.builtin.shell: grubby --info=ALL | grep args | grep -o -E "audit_backlog_limit=([[:digit:]])+" | grep -o -E "([[:digit:]])+"
+        ansible.builtin.shell:
+            cmd: 'grubby --info=ALL | grep args | grep -o -E "audit_backlog_limit=([[:digit:]])+" | grep -o -E "([[:digit:]])+"'
         changed_when: false
         failed_when: false
         check_mode: false
         register: rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux
 
-      - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update, if needed"
-        ansible.builtin.shell: grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"
+      - name: "4.1.1.3 | AUDIT | Check to see if limits are set"
+        ansible.builtin.set_fact:
+            rhel9cis_4_1_1_3_reset_backlog_limits: true
         when:
-            - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux is not defined or rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout | int < rhel9cis_audit_back_log_limit
+            - rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux is not defined or
+              rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux.stdout_lines == []
+
+      - name: "4.1.1.3 | AUDIT | Check to see if any limits are too low"
+        ansible.builtin.set_fact:
+            rhel9cis_4_1_1_3_reset_backlog_limits: true
+        when:
+            - (item | int < rhel9cis_audit_back_log_limit)
+        loop: "{{ rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux.stdout_lines }}"
+
+      - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied"
+        ansible.builtin.shell:
+            cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
+        when:
+            - rhel9cis_4_1_1_3_reset_backlog_limits is defined
   when:
       - rhel9cis_rule_4_1_1_3
   tags: