From e124b39a808d6f4eed27b9e41365b24a262dc086 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 7 Oct 2015 09:08:03 -0500
Subject: [PATCH] V-38498: Audit log file permissions Ubuntu's default (0400) is more strict than the STIG requirement (0640). (Noted in docs)
Change-Id: I198cd6b4d5eac181e22f11c452247d6abacc2d85
---
 doc/source/developer-notes/V-38498.rst | 7 +++++++
 tasks/auditd.yml | 24 ++++++++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 doc/source/developer-notes/V-38498.rst
diff --git a/doc/source/developer-notes/V-38498.rst b/doc/source/developer-notes/V-38498.rst
new file mode 100644
index 00000000..db983422
--- /dev/null
+++ b/doc/source/developer-notes/V-38498.rst
@@ -0,0 +1,7 @@
+Ubuntu 14.04 sets logs in ``/var/log/audit`` to mode ``0400`` by default,
+which makes sense because only the root user should be able to view the
+logs. No users should ever be adjusting or editing the audit logs.
+
+The STIG requirement states that log files must have mode ``0640`` or less.
+The Ansible tasks in this role will set the mode to ``0400`` to match
+Ubuntu's default.
diff --git a/tasks/auditd.yml b/tasks/auditd.yml
index c1fe2859..a29cd3dd 100644
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@@ -128,6 +128,30 @@
 - cat2
 - V-38495
+# TODO: Ansible 2.0 offers the find module and that will allow this task to
+# avoid using the shell module to get a list of logs. This task should be
+# adjusted to use the find module when Ansible 2.0 is fully released.
+- name: Get a list of audit logs in the auditd directory (for V-38498)
+ shell: ls /var/log/audit/
+ register: v38498_result
+ changed_when: false
+ tags:
+ - auditd
+ - cat2
+ - V-38498
+
+# Ubuntu 14.04 sets these to 0400 by default, so we will stick with that since
+# it exceeds the STIG's requirements.
+- name: V-38498 - Audit log files must have mode 0640 or less
+ file:
+ dest: "/var/log/audit/{{ item }}"
+ mode: 0400
+ with_items: v38498_result.stdout_lines
+ tags:
+ - auditd
+ - cat2
+ - V-38498
+
 - name: Auditd rules (includes several STIGs)
 template:
 src: osas-auditd.j2
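Review bot: `mode: 0400` in the V-38498 file task is an unquoted leading-zero octal that YAML 1.1 loaders turn into the integer 256; that happens to equal 0o400 so the permission is correct here, but it is the same pattern that silently produces wrong modes once a leading zero is lost, so quote it as `mode: "0400"`. In the same task the bare `with_items: v38498_result.stdout_lines` should be the explicit `with_items: "{{ v38498_result.stdout_lines }}"`, and the gathering task uses no shell features, so `command: ls /var/log/audit/` is the safer module until the find module replacement noted in the TODO lands. The mode is also applied only to files present when the play runs; files that auditd creates later (for example on log rotation) receive whatever mode auditd assigns, so this task alone does not keep the STIG state between runs — auditd's own log-permission configuration should be checked as part of the same control.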