diff --git a/tasks/main.yml b/tasks/main.yml index ff4ba8a..e3283b1 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -22777,10 +22777,513 @@ - medium_severity - no_reboot_needed -- name: Set rsyslog logfile configuration facts - set_fact: +- name: Ensure Log Files Are Owned By Appropriate Group - Set rsyslog logfile configuration facts + ansible.builtin.set_fact: + rsyslog_etc_config: /etc/rsyslog.conf + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83834-2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - Get IncludeConfig directive + ansible.builtin.shell: 'set -o pipefail + + grep -e ''$IncludeConfig'' {{ rsyslog_etc_config }} | cut -d '' '' -f 2 || true + + ' + register: rsyslog_old_inc + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83834-2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - Get include files directives + ansible.builtin.shell: 'set -o pipefail + + awk ''/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}'' {{ + rsyslog_etc_config }} || true + + ' + register: rsyslog_new_inc + changed_when: false + when: + - 
configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83834-2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - Aggregate rsyslog includes + ansible.builtin.set_fact: + include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}' + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83834-2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - List all config files + ansible.builtin.find: + paths: '{{ item | dirname }}' + patterns: '{{ item | basename }}' + hidden: false + follow: true + loop: '{{ include_config_output | list + [rsyslog_etc_config] }}' + register: rsyslog_config_files + failed_when: false + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83834-2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - 
PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - Extract log files old format + ansible.builtin.shell: 'set -o pipefail + + grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} |awk ''{print $NF}''|sed -e ''s/^-//'' + || true + + ' + loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' + register: log_files_old + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83834-2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - Extract log files new format + ansible.builtin.shell: 'set -o pipefail + + grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep + -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true + + ' + loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' + register: log_files_new + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83834-2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - 
medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - Sum all log files found + ansible.builtin.set_fact: + log_files: '{{ log_files_new.results|map(attribute=''stdout_lines'')|list|flatten|unique + log_files_old.results|map(attribute=''stdout_lines'')|list|flatten|unique }}' + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83834-2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group -Setup log files attribute + ansible.builtin.file: + path: '{{ item }}' + group: 0 + state: file + loop: '{{ log_files | list | flatten | unique }}' + failed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83834-2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate User - Set rsyslog logfile configuration facts + ansible.builtin.set_fact: + rsyslog_etc_config: /etc/rsyslog.conf + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | 
bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83946-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - Get IncludeConfig directive + ansible.builtin.shell: 'set -o pipefail + + grep -e ''$IncludeConfig'' {{ rsyslog_etc_config }} | cut -d '' '' -f 2 || true + + ' + register: rsyslog_old_inc + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83946-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - Get include files directives + ansible.builtin.shell: 'set -o pipefail + + awk ''/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}'' {{ + rsyslog_etc_config }} || true + + ' + register: rsyslog_new_inc + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83946-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - 
rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - Aggregate rsyslog includes + ansible.builtin.set_fact: + include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}' + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83946-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - List all config files + ansible.builtin.find: + paths: '{{ item | dirname }}' + patterns: '{{ item | basename }}' + hidden: false + follow: true + loop: '{{ include_config_output | list + [rsyslog_etc_config] }}' + register: rsyslog_config_files + failed_when: false + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83946-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - Extract log files old format + ansible.builtin.shell: 'set -o pipefail + + grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} |awk ''{print $NF}''|sed -e ''s/^-//'' + || true + + ' + loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' + register: log_files_old + 
changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83946-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - Extract log files new format + ansible.builtin.shell: 'set -o pipefail + + grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep + -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true + + ' + loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' + register: log_files_new + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83946-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - Sum all log files found + ansible.builtin.set_fact: + log_files: '{{ log_files_new.results|map(attribute=''stdout_lines'')|list|flatten|unique + log_files_old.results|map(attribute=''stdout_lines'')|list|flatten|unique }}' + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83946-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User -Setup log files attribute + ansible.builtin.file: + path: '{{ item }}' + owner: 0 + state: file + loop: '{{ log_files | list | flatten | unique }}' + failed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83946-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure System Log Files Have Correct Permissions - Set rsyslog logfile configuration facts + ansible.builtin.set_fact: rsyslog_etc_config: /etc/rsyslog.conf - desired_perm_mode: '600' when: - configure_strategy | bool - low_complexity | bool @@ -22802,8 +23305,8 @@ - no_reboot_needed - rsyslog_files_permissions -- name: Get IncludeConfig directive - shell: 'set -o pipefail +- name: Ensure System Log Files Have Correct Permissions - Get IncludeConfig directive + ansible.builtin.shell: 'set -o pipefail grep -e ''$IncludeConfig'' {{ rsyslog_etc_config }} | cut -d '' '' -f 2 || true 
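Review bot: The "Extract log files new format" tasks only recognise an omfile action whose `File="..."` parameter is immediately followed by the closing `)`, because the second grep anchors on `\"\s*\)`, so an action such as `action(type="omfile" File="/var/log/secure" FileCreateMode="0600")` is skipped and that log is never re-owned. rsyslog also accepts parameter names case-insensitively if I recall correctly, so a lowercase `file=` is missed by the case-sensitive match as well. Dropping the trailing anchor and adding `-i` — `grep -aoiP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\""` — still hands the third grep the quoted path and covers both cases. Separately, `failed_when: false` on the final `file` tasks turns any chown failure into a reported success; registering the result and failing on anything other than a missing path would keep real errors visible. The same extraction and chown pattern is repeated verbatim for the user-ownership tasks in this hunk, so both copies need the change.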
@@ -22831,10 +23334,11 @@ - no_reboot_needed - rsyslog_files_permissions -- name: Get include files directives - shell: 'set -o pipefail +- name: Ensure System Log Files Have Correct Permissions - Get include files directives + ansible.builtin.shell: 'set -o pipefail - grep -oP ''^\s*include\s*\(\s*file.*'' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true + awk ''/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}'' {{ + rsyslog_etc_config }} || true ' register: rsyslog_new_inc @@ -22860,14 +23364,9 @@ - no_reboot_needed - rsyslog_files_permissions -- name: Expand glob expressions - shell: 'set -o pipefail - - eval printf ''%s\\n'' {{ item }} - - ' - register: include_config_output - loop: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}' +- name: Ensure System Log Files Have Correct Permissions - Aggregate rsyslog includes + ansible.builtin.set_fact: + include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}' when: - configure_strategy | bool - low_complexity | bool @@ -22889,9 +23388,13 @@ - no_reboot_needed - rsyslog_files_permissions -- name: List all config files - shell: find {{ item }} -not -path "*/.*" -type f - loop: '{{ include_config_output.results|map(attribute=''stdout_lines'')|list|flatten }}' +- name: Ensure System Log Files Have Correct Permissions - List all config files + ansible.builtin.find: + paths: '{{ item | dirname }}' + patterns: '{{ item | basename }}' + hidden: false + follow: true + loop: '{{ include_config_output | list + [rsyslog_etc_config] }}' register: rsyslog_config_files failed_when: false changed_when: false 
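Review bot: The new awk program relies on `gensub()` and the `\s` escape, which are gawk extensions; on a host whose `awk` is mawk (the Debian/Ubuntu default, as far as I know) the command errors out, the trailing `|| true` swallows the error, and every `include(file=...)` drop-in is silently left out of the remediation. Either invoke `gawk` explicitly so the dependency is visible, or rewrite the extraction with POSIX awk `match()`/`substr()` on the `file="..."` token inside the include() state the script already tracks. Consider dropping `|| true` here as well, so an unparseable main config fails the task loudly instead of quietly narrowing the set of files that get fixed.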
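Review bot: Splitting each include path into `dirname`/`basename` for the `find` module drops the directory form of the directive: with `$IncludeConfig /etc/rsyslog.d/` (trailing slash, which rsyslog treats as "every file in this directory" if I read its docs right) `paths` becomes `/etc` and `patterns` becomes `rsyslog.d`, and because `find` defaults to `file_type: file` nothing is returned, so the drop-ins are silently excluded — the removed `find {{ item }} -type f` handled that case by recursing. A small guard keeps both forms: `paths: "{{ item if item.endswith('/') else item | dirname }}"` and `patterns: "{{ '*' if item.endswith('/') else item | basename }}"`. With `failed_when: false` on this task a path the module cannot examine produces no error either, so the resulting list should not be assumed complete without checking the registered result for a `msg`.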
@@ -22916,14 +23419,15 @@ - no_reboot_needed - rsyslog_files_permissions -- name: Extract log files - shell: 'set -o pipefail +- name: Ensure System Log Files Have Correct Permissions - Extract log files old format + ansible.builtin.shell: 'set -o pipefail - grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item }} |awk ''{print $NF}''|sed -e ''s/^-//'' || true + grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} |awk ''{print $NF}''|sed -e ''s/^-//'' + || true ' - loop: '{{ rsyslog_config_files.results|map(attribute=''stdout_lines'')|list|flatten|unique + [ rsyslog_etc_config ] }}' - register: log_files + loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' + register: log_files_old changed_when: false when: - configure_strategy | bool 
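Review bot: `{{ item.1.path }}` is interpolated into the shell command unquoted, so a config file path containing whitespace or a shell metacharacter is word-split or interpreted rather than passed to grep; the conventional guard is `{{ item.1.path | quote }}`. The paths come from `find` over root-owned rsyslog directories, so this is a robustness gap rather than an injection vector, but it is the pattern ansible-lint flags and the removed `{{ item }}` form had the same gap. If a `find` invocation fails hard (its `failed_when: false` keeps the play going) the registered result may lack a `files` key, and `subelements('files')` would then error; `subelements('files', skip_missing=True)` avoids that without changing the normal path.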
@@ -22946,12 +23450,68 @@ - no_reboot_needed - rsyslog_files_permissions -- name: Setup log files permissions - ignore_errors: true - file: +- name: Ensure System Log Files Have Correct Permissions - Extract log files new format + ansible.builtin.shell: 'set -o pipefail + + grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep + -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true + + ' + loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' + register: log_files_new + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_permissions | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83689-0 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_permissions + +- name: Ensure System Log Files Have Correct Permissions - Sum all log files found + ansible.builtin.set_fact: + log_files: '{{ log_files_new.results|map(attribute=''stdout_lines'')|list|flatten|unique + log_files_old.results|map(attribute=''stdout_lines'')|list|flatten|unique }}' + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_permissions | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83689-0 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_permissions + +- name: Ensure System Log Files Have Correct Permissions 
-Setup log files attribute + ansible.builtin.file: path: '{{ item }}' - mode: '{{ desired_perm_mode }}' - loop: '{{ log_files.results|map(attribute=''stdout_lines'')|list|flatten|unique }}' + mode: 384 + state: file + loop: '{{ log_files | list | flatten | unique }}' + failed_when: false when: - configure_strategy | bool - low_complexity | bool @@ -23518,6 +24078,25 @@ - medium_severity - no_reboot_needed +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-84217-9 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_chronyd_enabled + when: + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - service_chronyd_enabled | bool + - name: Enable service chronyd block: - name: Gather the package facts @@ -23539,6 +24118,7 @@ - no_reboot_needed | bool - service_chronyd_enabled | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"chrony" in ansible_facts.packages' tags: - CCE-84217-9 - enable_strategy
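Review bot: `mode: 384` is a decimal integer; Ansible treats an integer mode as decimal, so 384 happens to equal 0o600 and the task works, but the intent is invisible and the file-module docs recommend quoting octal modes precisely so YAML or Jinja re-typing (presumably how `0600` became `384` here) cannot change the value. Restore the readable form, `mode: '0600'`, which also matches the removed `desired_perm_mode: '600'`. Replacing `ignore_errors: true` with `failed_when: false` also removes the "...ignoring" marker from the play output, so a chmod that fails on a log file now reports as plain success; registering the result and failing on anything other than a missing path would keep that visible. The new-format extraction added in this hunk anchors on `\"\s*\)`, so an omfile action with any parameter after `File="..."` is not matched and that file's mode is never set.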
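Review bot: The added top-level `package_facts` task duplicates the `Gather the package facts` task that still opens the `Enable service chronyd` block (visible as context right after it), so package facts are collected twice for the same rule; keep the outer one, which runs before the block's `when:` is evaluated, and drop the inner. The new task also carries no `ansible_virtualization_type` guard while the block does — harmless for `package_facts`, but a one-line comment such as `# gathered outside the block so its when: can consult ansible_facts.packages` would make the asymmetry look deliberate rather than accidental.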
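Review bot: `'"chrony" in ansible_facts.packages'` raises an undefined-variable error rather than evaluating false whenever `package_facts` has not run on the host (for example a run started part-way with `--start-at-task`), so make the test tolerant: `- '"chrony" in (ansible_facts.packages | default({}))'`. From a hardening standpoint the bigger caveat is that gating the enable on the package being present means a host without chrony now silently skips this rule and is left without time synchronisation while the play reports success; that is only acceptable if the corresponding chrony package-install rule is guaranteed to run first, which is worth stating in the task description so operators do not read a green run as compliance.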