ansible-hardening/tasks/auditd.yml
Jesse Pretorius 58ac7a8a7a Enable role testing and make structure ansible-galaxy compatible
This patch adds the bits needed to implement automated syntax/lint
role testing. It also moves the role into the base repository so
that the role becomes fully compatible with ansible-galaxy to
improve the role's consumability.

Change-Id: Ia79cd5dedbbe50dfdf46688830a989ff0897832a
2015-10-09 11:47:23 +00:00


---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
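- name: V-38631/38632 - The operating system must produce audit records (install auditd)
  # Install the audit daemon. `state: latest` upgrades the package on every
  # run (presumably deliberate for a hardening role; switch to `present` if
  # the deployment needs version pinning). `update_cache` is written as a
  # real boolean instead of the YAML 1.1 `yes` that yamllint's truthy rule
  # rejects; Ansible evaluates both the same way.
  apt:
    name: auditd
    state: latest
    cache_valid_time: 3600
    update_cache: true
  tags:
    - auditd
    - cat2
    - V-38632
    - V-38631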
- name: V-38631/38632 - The operating system must produce audit records (start auditd)
  # Make sure the daemon is running now and is enabled so it comes back
  # after a reboot.
  service:
    name: auditd
    enabled: true
    state: started
  tags:
    - auditd
    - cat2
    - V-38632
    - V-38631
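- name: V-38633 - The system must set a maximum audit log file size
  # `\s*=` (rather than a literal ` =`) matches the directive whether or not
  # auditd.conf pads the `=` with spaces; a missed match would make
  # lineinfile append a second `max_log_file` line instead of editing the
  # existing one. Requiring the `=` also keeps `max_log_file_action` from
  # matching. Single quotes so the backslash is not treated as a YAML escape.
  lineinfile:
    dest: /etc/audit/auditd.conf
    regexp: '^(#)?max_log_file\s*='
    line: "max_log_file = {{ max_log_file }}"
  notify:
    - restart auditd
  tags:
    - auditd
    - cat2
    - V-38633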
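- name: V-38634 - The system must rotate audit log files that reach the max file size
  # `\s*=` matches the directive with or without spaces around the `=`, so
  # an unpadded `max_log_file_action=...` line is edited in place rather
  # than duplicated by lineinfile. Single quotes keep `\s` literal.
  lineinfile:
    dest: /etc/audit/auditd.conf
    regexp: '^(#)?max_log_file_action\s*='
    line: "max_log_file_action = {{ max_log_file_action }}"
  notify:
    - restart auditd
  tags:
    - auditd
    - cat2
    - V-38634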
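- name: V-38636 - The system must retain enough rotated audit logs to cover the required log retention period.
  # `\s*=` matches `num_logs` whether or not the `=` is padded with spaces,
  # so an existing unpadded line is replaced instead of a second `num_logs`
  # being appended. Single quotes keep `\s` literal.
  lineinfile:
    dest: /etc/audit/auditd.conf
    regexp: '^(#)?num_logs\s*='
    line: "num_logs = {{ num_logs }}"
  notify:
    - restart auditd
  tags:
    - auditd
    - cat2
    - V-38636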
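- name: V-38445 - Audit log files must be group-owned by root
  # `state: directory` is stated explicitly: the file module only honours
  # `recurse` for directories and otherwise infers the state from whatever
  # is already on disk, so the task no longer depends on /var/log/audit/
  # having been created by the package before it runs.
  file:
    dest: /var/log/audit/
    state: directory
    group: root
    recurse: true
  tags:
    - auditd
    - cat2
    - V-38445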
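- name: V-38464 - The audit system must take action for disk errors
  # Anchor the match on `key =` (any spacing) so it agrees with the other
  # auditd.conf edits in this file and cannot match an unrelated line that
  # merely begins with the same token. Single quotes keep `\s` literal.
  lineinfile:
    dest: /etc/audit/auditd.conf
    regexp: '^(#)?disk_error_action\s*='
    line: "disk_error_action = {{ disk_error_action }}"
  notify:
    - restart auditd
  tags:
    - auditd
    - cat2
    - V-38464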
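- name: V-38468 - The audit system must take action when the disk is full
  # Anchor the match on `key =` (any spacing) so it agrees with the other
  # auditd.conf edits in this file and cannot match an unrelated line that
  # merely begins with the same token. Single quotes keep `\s` literal.
  lineinfile:
    dest: /etc/audit/auditd.conf
    regexp: '^(#)?disk_full_action\s*='
    line: "disk_full_action = {{ disk_full_action }}"
  notify:
    - restart auditd
  tags:
    - auditd
    - cat2
    - V-38468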
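- name: V-38470 - The audit system must take action when the disk is almost full
  # Anchor the match on `key =` (any spacing) so it agrees with the other
  # auditd.conf edits in this file. The leading `^` is what keeps
  # `admin_space_left_action` from matching here. Single quotes keep `\s`
  # literal.
  lineinfile:
    dest: /etc/audit/auditd.conf
    regexp: '^(#)?space_left_action\s*='
    line: "space_left_action = {{ space_left_action }}"
  notify:
    - restart auditd
  tags:
    - auditd
    - cat2
    - V-38470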
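- name: V-38495 - Audit log files must be owned by root
  # `state: directory` is stated explicitly: the file module only honours
  # `recurse` for directories and otherwise infers the state from whatever
  # is already on disk, so the task no longer depends on /var/log/audit/
  # having been created by the package before it runs.
  file:
    dest: /var/log/audit/
    state: directory
    owner: root
    recurse: true
  tags:
    - auditd
    - cat2
    - V-38495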
- name: Auditd rules (includes several STIGs)
  # Render the role's rule set into rules.d and notify the handler that is
  # expected to regenerate the live audit rules from it. No owner, group or
  # mode is pinned here, so the rendered file gets the template module's
  # defaults — NOTE(review): confirm that is acceptable for /etc/audit.
  template:
    dest: /etc/audit/rules.d/osas-auditd.rules
    src: osas-auditd.j2
  notify:
    - generate auditd rules
  tags:
    - auditd
    - cat3
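- name: V-38471 - Forward auditd records to syslog
  # Enable the audisp syslog plugin. `\s*=` matches the `active` directive
  # whether or not the `=` is padded with spaces, so the existing line is
  # edited rather than a second `active` line appended. Single quotes keep
  # `\s` literal.
  lineinfile:
    dest: /etc/audisp/plugins.d/syslog.conf
    regexp: '^(#)?active\s*='
    line: "active = yes"
    state: present
  notify:
    - restart auditd
  tags:
    - auditd
    - cat3
    - V-38471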