--- # Copyright 2015, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - name: V-38631/38632 - The operating system must produce audit records (install auditd) apt: name: auditd state: present cache_valid_time: 3600 update_cache: yes tags: - auditd - cat2 - V-38632 - V-38631 - name: V-38631/38632 - The operating system must produce audit records (start auditd) service: name: auditd state: started enabled: true tags: - auditd - cat2 - V-38632 - V-38631 - name: V-38633 - The system must set a maximum audit log file size lineinfile: dest: /etc/audit/auditd.conf regexp: "^(#)?max_log_file =" line: "max_log_file = {{ max_log_file }}" notify: - restart auditd tags: - auditd - cat2 - V-38633 - name: V-38634 - The system must rotate audit log files that reach the max file size lineinfile: dest: /etc/audit/auditd.conf regexp: "^(#)?max_log_file_action =" line: "max_log_file_action = {{ max_log_file_action }}" notify: - restart auditd tags: - auditd - cat2 - V-38634 - name: V-38636 - The system must retain enough rotated audit logs to cover the required log retention period. lineinfile: dest: /etc/audit/auditd.conf regexp: "^(#)?num_logs =" line: "num_logs = {{ num_logs }}" notify: - restart auditd tags: - auditd - cat2 - V-38636 - name: Ensure debsums package is installed (for V-38637) apt: name: debsums state: present tags: - auditd - cat2 - V-38637 # The debsums command returns 0 if the files haven't been altered but it # returns 2 otherwise. We also will check to see if auditd has been installed # and fail if it's not installed. - name: Checking auditd package contents for alterations with debsums (for V-38637) shell: debsums auditd -c register: v38637_result changed_when: False failed_when: "'not installed' in v38637_result.stdout" tags: - auditd - cat2 - V-38637 - name: V-38637 - Contents of auditd package must be verified fail: msg: "FAILED: Could not verify that files from auditd package are unaltered" when: v38637_result.rc == 2 tags: - auditd - cat2 - V-38637 - name: V-38445 - Audit log files must be group-owned by root file: dest: /var/log/audit/ group: root recurse: true tags: - auditd - cat2 - V-38445 - name: V-38464 - The audit system must take action for disk errors lineinfile: dest: /etc/audit/auditd.conf regexp: "^(#)?disk_error_action" line: "disk_error_action = {{ disk_error_action }}" notify: - restart auditd tags: - auditd - cat2 - V-38464 - name: V-38468 - The audit system must take action when the disk is full lineinfile: dest: /etc/audit/auditd.conf regexp: "^(#)?disk_full_action" line: "disk_full_action = {{ disk_full_action }}" notify: - restart auditd tags: - auditd - cat2 - V-38468 - name: V-38678 - Lower limit of available disk space when auditd triggers space_left_action lineinfile: dest: /etc/audit/auditd.conf regexp: "^(#)?space_left" line: "space_left = {{ space_left }}" notify: - restart auditd tags: - auditd - cat2 - V-38678 - name: V-38470 - The audit system must take action when the disk is almost full lineinfile: dest: /etc/audit/auditd.conf regexp: "^(#)?space_left_action" line: "space_left_action = {{ space_left_action }}" notify: - restart auditd tags: - auditd - cat2 - V-38470 - name: V-38680 - Audit system must send email notifications when storage capacity is low lineinfile: dest: /etc/audit/auditd.conf regexp: "^(#)?action_mail_acct" line: "action_mail_acct = {{ action_mail_acct }}" notify: - restart auditd tags: - auditd - cat2 - V-38680 - name: V-38495 - Audit log files must be owned by root file: dest: /var/log/audit/ owner: root recurse: true tags: - auditd - cat2 - V-38495 # TODO: Ansible 2.0 offers the find module and that will allow this task to # avoid using the shell module to get a list of logs. This task should be # adjusted to use the find module when Ansible 2.0 is fully released. - name: Get a list of audit logs in the auditd directory (for V-38498) shell: ls /var/log/audit/ register: v38498_result changed_when: false tags: - auditd - cat2 - V-38498 # Ubuntu 14.04 sets these to 0400 by default, so we will stick with that since # it exceeds the STIG's requirements. - name: V-38498 - Audit log files must have mode 0640 or less file: dest: "/var/log/audit/{{ item }}" mode: 0400 with_items: v38498_result.stdout_lines tags: - auditd - cat2 - V-38498 - name: Auditd rules (includes several STIGs) template: src: osas-auditd.j2 dest: /etc/audit/rules.d/osas-auditd.rules notify: - generate auditd rules tags: - auditd - cat3 - name: V-38471 - Forward auditd records to syslog lineinfile: dest: /etc/audisp/plugins.d/syslog.conf regexp: "^(#)?active" line: "active = yes" state: present notify: - restart auditd tags: - auditd - cat3 - V-38471 - name: V-54381 - The audit system must switch to single user mode when disk space is low lineinfile: dest: /etc/audit/auditd.conf regexp: "^(#)?admin_space_left_action" line: "admin_space_left_action = {{ admin_space_left_action }}" notify: - restart auditd tags: - auditd - cat2 - V-54381