openstack/ansible-hardening
Code Issues Proposed changes
Files
439cd3d776998f601daa80a737ab9e5380d1ab73
ansible-hardening/tasks/rhel7stig/auditd.yml
Major Hayden 439cd3d776 Enable/start auditd [+Docs] 
This patch adds a task to start auditd and ensure it starts at boot-up.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I16e4788268ef862e7cfb5bce4fbc43808be3e9c6
2016-12-06 15:43:12 +00:00

149 lines
3.6 KiB
YAML
Raw Blame History

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Verify that auditd.conf exists
stat:
path: /etc/audit/auditd.conf
register: auditd_conf
check_mode: no
tags:
- always
- name: RHEL-07-030330 - The operating system must off-load audit records onto a different system or media from the system being audited
lineinfile:
dest: /etc/audisp/audisp-remote.conf
regexp: "^(#)?remote_server"
line: "remote_server = {{ security_audisp_remote_server }}"
when:
- security_audisp_remote_server is defined
- auditd_conf.stat.exists
notify:
- restart auditd
tags:
- medium
- auditd
- RHEL-07-030330
- name: RHEL-07-030331 - The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited
lineinfile:
dest: /etc/audisp/audisp-remote.conf
regexp: "^(#)?enable_krb5"
line: "enable_krb5 = yes"
when:
- security_audisp_enable_krb5 is defined
- auditd_conf.stat.exists
notify:
- restart auditd
tags:
- medium
- auditd
- RHEL-07-030331
- name: Get valid system architectures for audit rules
set_fact:
auditd_architectures: "{{ (ansible_architecture == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}"
check_mode: no
tags:
- always
- name: Remove old RHEL 6 audit rules file
file:
path: /etc/audit/rules.d/osas-auditd.rules
state: absent
when:
- auditd_conf.stat.exists
notify:
- generate auditd rules
tags:
- always
- name: Deploy rules for auditd based on STIG requirements
template:
src: osas-auditd-rhel7.j2
dest: /etc/audit/rules.d/osas-auditd-rhel7.rules
when:
- auditd_conf.stat.exists
notify:
- generate auditd rules
tags:
- auditd
- RHEL-07-030525
- RHEL-07-030513
- RHEL-07-030443
- RHEL-07-030390
- RHEL-07-030380
- RHEL-07-030420
- RHEL-07-030561
- RHEL-07-030671
- RHEL-07-030391
- RHEL-07-030392
- RHEL-07-030381
- RHEL-07-030383
- RHEL-07-030404
- RHEL-07-030401
- RHEL-07-030425
- RHEL-07-030670
- RHEL-07-030512
- RHEL-07-030382
- RHEL-07-030405
- RHEL-07-030402
- RHEL-07-030530
- RHEL-07-030524
- RHEL-07-030421
- RHEL-07-030422
- RHEL-07-030423
- RHEL-07-030630
- RHEL-07-030510
- RHEL-07-030540
- RHEL-07-030541
- RHEL-07-030560
- RHEL-07-030403
- RHEL-07-030750
- RHEL-07-030751
- RHEL-07-030444
- RHEL-07-030752
- RHEL-07-030441
- RHEL-07-030442
- RHEL-07-030400
- RHEL-07-030550
- RHEL-07-030521
- RHEL-07-030522
- RHEL-07-030526
- RHEL-07-030424
- RHEL-07-030531
- RHEL-07-030511
- RHEL-07-030753
- RHEL-07-030754
- RHEL-07-030514
- RHEL-07-030490
- RHEL-07-030523
- RHEL-07-030672
- RHEL-07-030673
- RHEL-07-030674
- RHEL-07-030710
- RHEL-07-030090
- name: Ensure auditd is running and enabled at boot time
service:
name: auditd
state: started
enabled: yes
when:
- auditd_conf.stat.exists
tags:
- high
- auditd
- RHEL-07-030010
View Git Blame Copy Permalink