/home/zuul/src/opendev.org/openstack/ansible-hardening/tasks/rhel7stig/auditd.yml
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

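# The two existence checks below run first because their registered results
# gate nearly every task in this file: hosts without the audit tooling are
# skipped instead of failing on a missing config file.
- name: Verify that auditd.conf exists
  stat:
    path: /etc/audit/auditd.conf
  register: auditd_conf
  # Run even under --check so auditd_conf is registered for the later
  # "when: auditd_conf.stat.exists" conditions.
  check_mode: false
  tags:
    - always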

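# audisp-remote.conf belongs to the audispd remote-logging plugin; its
# presence decides whether the off-loading tasks (V-72083/V-72085) and the
# audisp entries of auditd_config can be applied at all.
- name: Verify that audisp-remote.conf exists
  stat:
    path: /etc/audisp/audisp-remote.conf
  register: audisp_remote_conf
  # Run even under --check so audisp_remote_conf is registered for the
  # conditions that depend on it.
  check_mode: false
  tags:
    - always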

# V-72083: point the audisp-remote plugin at a remote collector so audit
# records leave the audited host. Nothing is written unless the operator
# supplies security_audisp_remote_server and the plugin config file exists;
# the regexp also matches a commented-out default so it is replaced in place.
- name: V-72083 - The operating system must off-load audit records onto a different system or media from the system being audited
  lineinfile:
    line: 'remote_server = {{ security_audisp_remote_server }}'
    regexp: '^(#)?remote_server'
    dest: /etc/audisp/audisp-remote.conf
  tags:
    - medium
    - auditd
    - V-72083
  when:
    - security_audisp_remote_server is defined
    - audisp_remote_conf.stat.exists
  notify:
    - restart auditd

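# V-72085: audit records off-loaded by audisp-remote must be encrypted in
# transit, which the plugin does via Kerberos (enable_krb5). The task is only
# applied when the operator sets security_audisp_enable_krb5; the value
# written follows that variable, so defining it as false no longer turns
# Kerberos on by accident.
- name: V-72085 - The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited
  lineinfile:
    dest: /etc/audisp/audisp-remote.conf
    regexp: "^(#)?enable_krb5"
    # The plugin config expects yes/no (the enforced value is "yes"), so the
    # boolean is mapped rather than rendered as True/False.
    line: "enable_krb5 = {{ security_audisp_enable_krb5 | bool | ternary('yes', 'no') }}"
  when:
    - security_audisp_enable_krb5 is defined
    - audisp_remote_conf.stat.exists
  notify:
    - restart auditd
  tags:
    - medium
    - auditd
    - V-72085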

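# Audit rules are ABI-specific. ppc64le hosts get the single 'ppc64' ABI;
# every other architecture gets both 'b32' and 'b64' so 32-bit-ABI syscalls
# on a 64-bit kernel are not missed. The rules template deployed below
# (osas-auditd-rhel7.j2, not shown here) is expected to consume this list.
- name: Get valid system architectures for audit rules
  set_fact:
    auditd_architectures: "{{ (ansible_architecture == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}"
  # Facts are needed in --check runs too, otherwise the template task's
  # dry run cannot render.
  check_mode: false
  tags:
    - always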

# Drop the distribution's default rule set from rules.d so that only the rule
# file deployed by this role is compiled into the active ruleset; the
# "generate auditd rules" handler (defined outside this file) rebuilds it.
- name: Remove system default audit.rules file
  file:
    state: absent
    path: /etc/audit/rules.d/audit.rules
  tags:
    - always
  notify:
    - generate auditd rules
  when:
    - auditd_conf.stat.exists

# Clean up the rule file left behind by the RHEL 6 variant of this role so
# stale RHEL 6 rules are not merged into the RHEL 7 ruleset by augenrules.
- name: Remove old RHEL 6 audit rules file
  file:
    state: absent
    path: /etc/audit/rules.d/osas-auditd.rules
  tags:
    - always
  notify:
    - generate auditd rules
  when:
    - auditd_conf.stat.exists

# Render the role's audit rule set into rules.d. Each STIG finding covered by
# the template is listed as a tag (sorted) so a single finding can be
# targeted with --tags; the handler rebuilds the active ruleset afterwards.
- name: Deploy rules for auditd based on STIG requirements
  template:
    dest: /etc/audit/rules.d/osas-auditd-rhel7.rules
    src: osas-auditd-rhel7.j2
  notify:
    - generate auditd rules
  when:
    - auditd_conf.stat.exists
  tags:
    - auditd
    - V-72081
    - V-72097
    - V-72099
    - V-72101
    - V-72103
    - V-72105
    - V-72107
    - V-72109
    - V-72111
    - V-72113
    - V-72115
    - V-72117
    - V-72119
    - V-72121
    - V-72123
    - V-72125
    - V-72127
    - V-72129
    - V-72131
    - V-72133
    - V-72135
    - V-72137
    - V-72139
    - V-72141
    - V-72143
    - V-72149
    - V-72151
    - V-72153
    - V-72155
    - V-72157
    - V-72159
    - V-72161
    - V-72163
    - V-72165
    - V-72167
    - V-72169
    - V-72171
    - V-72173
    - V-72175
    - V-72177
    - V-72179
    - V-72183
    - V-72185
    - V-72187
    - V-72189
    - V-72191
    - V-72193
    - V-72195
    - V-72197
    - V-72199
    - V-72201
    - V-72203
    - V-72205
    - V-72207

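# V-72087/V-72089/V-72091/V-72093: set the auditd.conf / audisp-remote.conf
# parameters listed in auditd_config (a list of config/parameter/value items
# defined elsewhere in the role).
- name: Adjust auditd/audispd configurations
  lineinfile:
    dest: "{{ item.config }}"
    # Match both the active and the commented-out form of the key
    # (e.g. "#space_left = 75") so the shipped default is replaced in place.
    regexp: '^#?{{ item.parameter }}\s*='
    line: "{{ item.parameter }} = {{ item.value }}"
  with_items: "{{ auditd_config }}"
  when:
    - auditd_conf.stat.exists
    # Skip only the audisp-remote.conf items when that file is absent
    # (typically the audispd plugins are not installed); the auditd.conf
    # items are still applied instead of the whole loop being skipped, which
    # would leave the high-severity auditd.conf settings unenforced.
    - "item.config != '/etc/audisp/audisp-remote.conf' or audisp_remote_conf.stat.exists"
  notify:
    - restart auditd
  tags:
    - high
    - auditd
    - V-72087
    - V-72089
    - V-72091
    - V-72093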

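# V-72079: audit records are only produced while auditd is running, so start
# it now and enable it at boot. Gated on auditd.conf existing (checked at the
# top of this file) so hosts without the audit tooling are skipped.
- name: Ensure auditd is running and enabled at boot time
  service:
    name: auditd
    state: started
    enabled: true
  when:
    - auditd_conf.stat.exists
  tags:
    - high
    - auditd
    - V-72079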