Only run hardening if /var/log/audit exists (dev-sec#550)
* Only run hardening if /var/log/audit exists

Signed-off-by: GitHub <noreply@github.com>

* Update roles/os_hardening/tasks/minimize_access.yml

* add more conditionals to when auditd should be hardened

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add more tests to the os-hardening vm tests

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* Revert "add more tests to the os-hardening vm tests"

This reverts commit c05fe8b.

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
3 people authored Jul 15, 2022
1 parent 20eebd2 commit 1256ce0
Showing 1 changed file with 13 additions and 1 deletion.
14 changes: 13 additions & 1 deletion roles/os_hardening/tasks/minimize_access.yml
@@ -208,6 +208,11 @@
group: 'root'
mode: '{{ os_mnt_var_log_dir_mode }}'

- name: Check if /var/log/audit exists
stat:
path: /var/log/audit
register: var_log_audit_exists

- name: Mount /var/log/audit with hardened options
mount:
path: /var/log/audit
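Review bot: the new `stat` task carries no `when`, so it runs even when `os_mnt_var_log_audit_enabled` or `os_auditd_enabled` is false, while the two tasks that consume `var_log_audit_exists` are guarded by both flags. A read-only `stat` is harmless, but gating it on the same two conditions (and then reading the result with `var_log_audit_exists.stat.exists | default(false)`) keeps the play output consistent and avoids an unneeded module call on hosts where auditd hardening is disabled.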
@@ -216,14 +221,21 @@
opts: '{{ os_mnt_var_log_audit_options }}'
state: present
register: varlogauditmount
when: os_mnt_var_log_audit_enabled | bool
when:
- os_mnt_var_log_audit_enabled | bool
- var_log_audit_exists.stat.exists | bool
- os_auditd_enabled | bool

- name: Harden permissions for /var/log/audit directory
file:
dest: /var/log/audit
owner: 'root'
group: 'root'
mode: '{{ os_mnt_var_log_audit_dir_mode }}'
when:
- os_mnt_var_log_audit_enabled | bool
- var_log_audit_exists.stat.exists | bool
- os_auditd_enabled | bool

- name: Mount /var/tmp with hardened options
mount:
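Review bot: `var_log_audit_exists.stat.exists | bool` is also true when `/var/log/audit` is a regular file, in which case the `mount` and `file` tasks would still run against a non-directory; `var_log_audit_exists.stat.isdir | default(false)` expresses the intended check more precisely. Separately, since the mount task uses `state: present`, a host where auditd is installed after the first run of the role silently gets no hardened fstab entry until the role is applied again; a short note on that ordering in the task name or the role README would spare operators the surprise.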
