From b5e594c8085d593f943996f3e28c4cf0a53ad544 Mon Sep 17 00:00:00 2001 From: ComplianceAsCode development team Date: Thu, 4 May 2023 10:46:14 -0400 Subject: [PATCH] Updated tasks/main.yml --- tasks/main.yml | 653 ++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 618 insertions(+), 35 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index e1ec3bb..a8fa3b4 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -189,12 +189,9 @@ - restrict_strategy | bool - sudo_add_requiretty | bool -- name: Ensure use_pty is enabled in /etc/sudoers - lineinfile: - path: /etc/sudoers - regexp: ^[\s]*Defaults.*\buse_pty\b.*$ - line: Defaults use_pty - validate: /usr/sbin/visudo -cf %s +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-83538-9 - PCI-DSS-Req-10.2.1.5 @@ -212,6 +209,30 @@ - restrict_strategy | bool - sudo_add_use_pty | bool +- name: Ensure use_pty is enabled in /etc/sudoers + lineinfile: + path: /etc/sudoers + regexp: ^[\s]*Defaults.*\buse_pty\b.*$ + line: Defaults use_pty + validate: /usr/sbin/visudo -cf %s + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sudo_add_use_pty | bool + - '"sudo" in ansible_facts.packages' + tags: + - CCE-83538-9 + - PCI-DSS-Req-10.2.1.5 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudo_add_use_pty + - name: Find /etc/sudoers.d/ files find: paths: 
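Review bot: In the re-added `Ensure use_pty is enabled in /etc/sudoers` task, `lineinfile` rewrites only the last line matching `^[\s]*Defaults.*\buse_pty\b.*$`, so when /etc/sudoers also carries an earlier scoped negation such as `Defaults:alice !use_pty` that line survives and, as I recall sudoers(5) applying user/host-scoped Defaults after the generic ones, still disables use_pty for that scope while the task reports success. A cheap guard is a preceding `ansible.builtin.replace` task under the same `validate:`/`when:` with `regexp: '^(\s*Defaults\S*.*?)!use_pty\b'` and `replace: '\1use_pty'`, or at minimum a comment above the task: `# NOTE: only the last matching Defaults line is rewritten; scoped '!use_pty' overrides are left in place`. The `"sudo" in ansible_facts.packages` gate is the right fix for hosts without sudo, but it depends on the `Gather the package facts` task above never being skipped independently; both carry the same tags and `when` list today, so this holds only as long as the two are edited together.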
@@ -6011,10 +6032,513 @@ - no_reboot_needed - service_rsyslog_enabled -- name: Set rsyslog logfile configuration facts - set_fact: +- name: Ensure Log Files Are Owned By Appropriate Group - Set rsyslog logfile configuration facts + ansible.builtin.set_fact: + rsyslog_etc_config: /etc/rsyslog.conf + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83834-2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - Get IncludeConfig directive + ansible.builtin.shell: 'set -o pipefail + + grep -e ''$IncludeConfig'' {{ rsyslog_etc_config }} | cut -d '' '' -f 2 || true + + ' + register: rsyslog_old_inc + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83834-2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - Get include files directives + ansible.builtin.shell: 'set -o pipefail + + awk ''/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}'' {{ + rsyslog_etc_config }} || true + + ' + register: rsyslog_new_inc + changed_when: false + when: + - 
configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83834-2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - Aggregate rsyslog includes + ansible.builtin.set_fact: + include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}' + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83834-2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - List all config files + ansible.builtin.find: + paths: '{{ item | dirname }}' + patterns: '{{ item | basename }}' + hidden: false + follow: true + loop: '{{ include_config_output | list + [rsyslog_etc_config] }}' + register: rsyslog_config_files + failed_when: false + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83834-2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - 
PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - Extract log files old format + ansible.builtin.shell: 'set -o pipefail + + grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} |awk ''{print $NF}''|sed -e ''s/^-//'' + || true + + ' + loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' + register: log_files_old + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83834-2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - Extract log files new format + ansible.builtin.shell: 'set -o pipefail + + grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep + -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true + + ' + loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' + register: log_files_new + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83834-2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - 
medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - Sum all log files found + ansible.builtin.set_fact: + log_files: '{{ log_files_new.results|map(attribute=''stdout_lines'')|list|flatten|unique + log_files_old.results|map(attribute=''stdout_lines'')|list|flatten|unique }}' + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83834-2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group -Setup log files attribute + ansible.builtin.file: + path: '{{ item }}' + group: 0 + state: file + loop: '{{ log_files | list | flatten | unique }}' + failed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83834-2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate User - Set rsyslog logfile configuration facts + ansible.builtin.set_fact: + rsyslog_etc_config: /etc/rsyslog.conf + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | 
bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83946-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - Get IncludeConfig directive + ansible.builtin.shell: 'set -o pipefail + + grep -e ''$IncludeConfig'' {{ rsyslog_etc_config }} | cut -d '' '' -f 2 || true + + ' + register: rsyslog_old_inc + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83946-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - Get include files directives + ansible.builtin.shell: 'set -o pipefail + + awk ''/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}'' {{ + rsyslog_etc_config }} || true + + ' + register: rsyslog_new_inc + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83946-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - 
rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - Aggregate rsyslog includes + ansible.builtin.set_fact: + include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}' + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83946-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - List all config files + ansible.builtin.find: + paths: '{{ item | dirname }}' + patterns: '{{ item | basename }}' + hidden: false + follow: true + loop: '{{ include_config_output | list + [rsyslog_etc_config] }}' + register: rsyslog_config_files + failed_when: false + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83946-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - Extract log files old format + ansible.builtin.shell: 'set -o pipefail + + grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} |awk ''{print $NF}''|sed -e ''s/^-//'' + || true + + ' + loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' + register: log_files_old + 
changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83946-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - Extract log files new format + ansible.builtin.shell: 'set -o pipefail + + grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep + -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true + + ' + loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' + register: log_files_new + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83946-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - Sum all log files found + ansible.builtin.set_fact: + log_files: '{{ log_files_new.results|map(attribute=''stdout_lines'')|list|flatten|unique + log_files_old.results|map(attribute=''stdout_lines'')|list|flatten|unique }}' + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83946-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User -Setup log files attribute + ansible.builtin.file: + path: '{{ item }}' + owner: 0 + state: file + loop: '{{ log_files | list | flatten | unique }}' + failed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83946-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure System Log Files Have Correct Permissions - Set rsyslog logfile configuration facts + ansible.builtin.set_fact: rsyslog_etc_config: /etc/rsyslog.conf - desired_perm_mode: '600' when: - configure_strategy | bool - low_complexity | bool @@ -6036,8 +6560,8 @@ - no_reboot_needed - rsyslog_files_permissions -- name: Get IncludeConfig directive - shell: 'set -o pipefail +- name: Ensure System Log Files Have Correct Permissions - Get IncludeConfig directive + ansible.builtin.shell: 'set -o pipefail grep -e ''$IncludeConfig'' {{ rsyslog_etc_config }} | cut -d '' '' -f 2 || true 
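Review bot: The two `Setup log files attribute` tasks added in this hunk (group and owner variants) apply `group: 0` / `owner: 0` to every target the old-format regex `-?(/+[^:;\s]+)` extracts from the rsyslog config, and that pattern accepts any absolute path, not just log files — a selector such as `kern.warning /dev/tty10` or `*.emerg /dev/console`, which some distro defaults ship, hands a device node to `ansible.builtin.file` and silently re-owns it. Filter those out before the file task, e.g. `loop: '{{ log_files | list | flatten | unique | reject("match", "^/dev/") | list }}'`, on both tasks. Separately, `failed_when: false` on those file tasks hides real failures (EPERM, an immutable file, a directory hitting `state: file`), so the remediation reports green without having changed anything; if that is deliberate best-effort behaviour, record it with `# NOTE: failures are suppressed; a missing or unwritable log file is not reported` above each task. The last task in the hunk is cut off (its `when:` list continues past the hunk boundary).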
@@ -6065,10 +6589,11 @@ - no_reboot_needed - rsyslog_files_permissions -- name: Get include files directives - shell: 'set -o pipefail +- name: Ensure System Log Files Have Correct Permissions - Get include files directives + ansible.builtin.shell: 'set -o pipefail - grep -oP ''^\s*include\s*\(\s*file.*'' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true + awk ''/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}'' {{ + rsyslog_etc_config }} || true ' register: rsyslog_new_inc @@ -6094,14 +6619,9 @@ - no_reboot_needed - rsyslog_files_permissions -- name: Expand glob expressions - shell: 'set -o pipefail - - eval printf ''%s\\n'' {{ item }} - - ' - register: include_config_output - loop: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}' +- name: Ensure System Log Files Have Correct Permissions - Aggregate rsyslog includes + ansible.builtin.set_fact: + include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}' when: - configure_strategy | bool - low_complexity | bool @@ -6123,9 +6643,13 @@ - no_reboot_needed - rsyslog_files_permissions -- name: List all config files - shell: find {{ item }} -not -path "*/.*" -type f - loop: '{{ include_config_output.results|map(attribute=''stdout_lines'')|list|flatten }}' +- name: Ensure System Log Files Have Correct Permissions - List all config files + ansible.builtin.find: + paths: '{{ item | dirname }}' + patterns: '{{ item | basename }}' + hidden: false + follow: true + loop: '{{ include_config_output | list + [rsyslog_etc_config] }}' register: rsyslog_config_files failed_when: false changed_when: false 
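Review bot: The rewritten `Get include files directives` command depends on `gensub()`, a GNU awk extension; on a host whose `awk` is mawk or BusyBox awk (Debian/Ubuntu/Alpine defaults, if memory serves) the script aborts with an undefined-function error, the trailing `|| true` swallows it, and every `include(file=...)` config file — and all log files declared in it — is silently left out of the remediation while the task still succeeds. Either invoke `gawk` explicitly (ideally gated on the package the way the sudo hunk gates on `sudo`), or keep the awk but make the limit visible with `# gawk only: gensub() is not available in mawk/busybox awk` above the task. The state machine (`/)/{f=0} /include\(/{f=1}`) is presumably there to handle multi-line `include(` blocks, which the removed single-line grep did not, so I would not go back to the old form.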
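Review bot: `List all config files` now splits each include into `dirname`/`basename` and lets `ansible.builtin.find` expand the glob, which covers `/etc/rsyslog.d/*.conf` but, unless I misread `basename`, not the directory form `$IncludeConfig /etc/rsyslog.d/` that the removed `find {{ item }} -type f` handled: `basename` of a path ending in `/` is an empty string, so `patterns: ''` matches nothing and the whole drop-in directory is skipped without any error (`failed_when: false` is set on the task). Normalising the entry first, e.g. `loop: '{{ include_config_output | map("regex_replace", "/$", "/*") | list + [rsyslog_etc_config] }}'`, preserves the old behaviour for directory includes; the same loop appears in the new group/owner tasks earlier in the file and needs the same fix. `follow: true` also makes find chase symlinked drop-ins out of the include directory, which is probably intended but worth a comment: `# follow: symlinked drop-ins are resolved so their log targets are remediated too`.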
@@ -6150,14 +6674,15 @@ - no_reboot_needed - rsyslog_files_permissions -- name: Extract log files - shell: 'set -o pipefail +- name: Ensure System Log Files Have Correct Permissions - Extract log files old format + ansible.builtin.shell: 'set -o pipefail - grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item }} |awk ''{print $NF}''|sed -e ''s/^-//'' || true + grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} |awk ''{print $NF}''|sed -e ''s/^-//'' + || true ' - loop: '{{ rsyslog_config_files.results|map(attribute=''stdout_lines'')|list|flatten|unique + [ rsyslog_etc_config ] }}' - register: log_files + loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' + register: log_files_old changed_when: false when: - configure_strategy | bool 
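Review bot: `{{ item.1.path }}` is interpolated unquoted into the `ansible.builtin.shell` grep of the rewritten `Extract log files old format` task; the path comes from `find` over include globs in a root-owned config, so this is not a privilege boundary, but a drop-in name containing a space, `$` or `;` breaks the command and, because of `|| true`, that file is silently skipped. `{{ item.1.path | quote }}` fixes it at no cost and is the idiom Ansible's own shell-module docs recommend. The task's `when:` list runs past the end of the hunk.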
@@ -6180,12 +6705,68 @@ - no_reboot_needed - rsyslog_files_permissions -- name: Setup log files permissions - ignore_errors: true - file: +- name: Ensure System Log Files Have Correct Permissions - Extract log files new format + ansible.builtin.shell: 'set -o pipefail + + grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep + -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true + + ' + loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' + register: log_files_new + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_permissions | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83689-0 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_permissions + +- name: Ensure System Log Files Have Correct Permissions - Sum all log files found + ansible.builtin.set_fact: + log_files: '{{ log_files_new.results|map(attribute=''stdout_lines'')|list|flatten|unique + log_files_old.results|map(attribute=''stdout_lines'')|list|flatten|unique }}' + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_permissions | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83689-0 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_permissions + +- name: Ensure System Log Files Have Correct Permissions -Setup 
log files attribute + ansible.builtin.file: path: '{{ item }}' - mode: '{{ desired_perm_mode }}' - loop: '{{ log_files.results|map(attribute=''stdout_lines'')|list|flatten|unique }}' + mode: 384 + state: file + loop: '{{ log_files | list | flatten | unique }}' + failed_when: false when: - configure_strategy | bool - low_complexity | bool @@ -12549,6 +13130,7 @@ - no_reboot_needed | bool - sebool_polyinstantiation_enabled | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( lookup("env", "container") == "bwrap-osbuild" ) tags: - CCE-84083-5 - enable_strategy @@ -12571,6 +13153,7 @@ - no_reboot_needed | bool - sebool_polyinstantiation_enabled | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( lookup("env", "container") == "bwrap-osbuild" ) tags: - CCE-84083-5 - enable_strategy
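Review bot: `mode: 384` in the final `Setup log files attribute` task is the decimal value of 0600; the file module does accept it that way, but every reader has to convert it, and the removed `desired_perm_mode: '600'` was clearer. Ansible's file-module guidance is to pass octal modes as quoted strings, so `mode: '0600'` (or the symbolic `mode: 'u=rw,g=,o='`) says what is meant. As with the owner/group variants above, `state: file` combined with the new `failed_when: false` means a target that does not exist yet (rsyslog creates files on first message) or is unwritable is skipped with a green result; a comment `# NOTE: missing or unwritable targets are silently skipped` above the task would at least record that.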
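Review bot: `lookup("env", "container")` in the new `when` condition is evaluated on the Ansible controller, not on the managed host — lookup plugins run locally — so it only detects the `bwrap-osbuild` build container when the playbook runs with a local connection inside that container; against a remote host it inspects the operator's own environment and the polyinstantiation task runs regardless. That is presumably the intended use (image builds run the role locally), but it deserves a comment, e.g. `# osbuild runs this role locally inside bwrap; lookup('env') reads the controller environment, which is the build container in that case`, and for non-local runs the host-side check would be `ansible_env.container | default('') != 'bwrap-osbuild'` (requires gathered facts). The identical condition in the next hunk (`@@ -12571`) carries the same caveat.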