From 1256ce06657ccd8dad891058b85d5fd777791adc Mon Sep 17 00:00:00 2001 From: David James Date: Fri, 15 Jul 2022 05:41:01 -0400 Subject: [PATCH] Only run hardening if /var/log/audit exists (#550) * Only run harding if /var/log/audit exists Signed-off-by: GitHub * Update roles/os_hardening/tasks/minimize_access.yml * add more conditionals to when auditd show be hardened Signed-off-by: Sebastian Gumprich * add more tests to the os-hardening vm tests Signed-off-by: Sebastian Gumprich * Revert "add more tests to the os-hardening vm tests" This reverts commit c05fe8b5205b02fce0ec22f0acbe636c256c55ae. Signed-off-by: Sebastian Gumprich Co-authored-by: Sebastian Gumprich Co-authored-by: Sebastian Gumprich
---
 roles/os_hardening/tasks/minimize_access.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/roles/os_hardening/tasks/minimize_access.yml b/roles/os_hardening/tasks/minimize_access.yml
index 0280778b..b1280f32 100644
--- a/roles/os_hardening/tasks/minimize_access.yml
+++ b/roles/os_hardening/tasks/minimize_access.yml
@@ -208,6 +208,11 @@
     group: 'root'
     mode: '{{ os_mnt_var_log_dir_mode }}'
 
+- name: Check if /var/log/audit exists
+  stat:
+    path: /var/log/audit
+  register: var_log_audit_exists
+
 - name: Mount /var/log/audit with hardened options
   mount:
     path: /var/log/audit
@@ -216,7 +221,10 @@
     opts: '{{ os_mnt_var_log_audit_options }}'
     state: present
   register: varlogauditmount
-  when: os_mnt_var_log_audit_enabled | bool
+  when:
+    - os_mnt_var_log_audit_enabled | bool
+    - var_log_audit_exists.stat.exists | bool
+    - os_auditd_enabled | bool
 
 - name: Harden permissions for /var/log/audit directory
   file:
@@ -224,6 +232,10 @@
     owner: 'root'
     group: 'root'
     mode: '{{ os_mnt_var_log_audit_dir_mode }}'
+  when:
+    - os_mnt_var_log_audit_enabled | bool
+    - var_log_audit_exists.stat.exists | bool
+    - os_auditd_enabled | bool
 
 - name: Mount /var/tmp with hardened options
   mount:
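Review bot: The new `var_log_audit_exists.stat.exists | bool` condition in the second and third hunks turns the /var/log/audit mount-option and permission hardening into a silent fail-open: on a host where auditd is enabled but the directory does not yet exist when the stat task in the first hunk runs (for example because auditd is installed by a later role in the same play), both tasks are skipped and nothing in the run output records that a hardening control was not applied. Before this change the `file` task in the third hunk presumably created the directory itself (its `path`/`state` lines sit above the hunk and are not shown), so the existence check is only really needed for the mount entry, and `os_auditd_enabled | bool` alone could remain the precondition for the permission task; this assumes `os_auditd_enabled` is defined in the role defaults, which this diff does not show. At minimum I would make the skip visible with a task right after the stat, as below. The mount task's remaining arguments between the first two hunks are outside the diff, and the same three-line `when` list is repeated verbatim in both tasks, so wrapping them in one `block:` with a single `when:` would keep the two lists from drifting apart.
```yaml
  register: var_log_audit_exists

- name: Warn that /var/log/audit hardening is being skipped
  debug:
    msg: "/var/log/audit does not exist; its mount options and permissions were not hardened"
  when:
    - os_auditd_enabled | bool
    - not var_log_audit_exists.stat.exists
# … unchanged: Mount /var/log/audit with hardened options …
```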