File: ansible.template

package info (click to toggle)
scap-security-guide 0.1.76-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 110,644 kB
  • sloc: xml: 241,883; sh: 73,777; python: 32,527; makefile: 27
file content (71 lines) | stat: -rw-r--r-- 2,578 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
 
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_almalinux
# reboot = true
# strategy = restrict
# complexity = low
# disruption = low

#
# What architecture are we on?
#
- name: Set architecture for audit {{{ ATTR }}} tasks
  set_fact:
    audit_arch: "b64"
  when:
  - ansible_architecture == "aarch64" or
    ansible_architecture == "ppc64" or
    ansible_architecture == "ppc64le" or
    ansible_architecture == "s390x" or
    ansible_architecture == "x86_64"

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other system call audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_{{{ ATTR }}}

- name: If existing system call ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_{{{ ATTR }}}.matched is defined and find_{{{ ATTR }}}.matched == 0

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_{{{ ATTR }}}.files | map(attribute='path') | list | first }}"
  when: find_{{{ ATTR }}}.matched is defined and find_{{{ ATTR }}}.matched > 0

- name: Inserts/replaces the {{{ ATTR }}} rule in rules.d when on 32bit
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=4294967295 -F key=perm_mod"
    create: yes

- name: Inserts/replaces the {{{ ATTR }}} rule in rules.d when on 64bit
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=4294967295 -F key=perm_mod"
    create: yes
  when: audit_arch is defined and audit_arch == 'b64'
#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the {{{ ATTR }}} rule in /etc/audit/rules.d/audit.rules when on 32bit
  lineinfile:
    line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=4294967295 -F key=perm_mod"
    state: present
    dest: /etc/audit/rules.d/audit.rules
    create: yes

- name: Inserts/replaces the {{{ ATTR }}} rule in /etc/audit/rules.d/audit.rules when on 64bit
  lineinfile:
    line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=4294967295 -F key=perm_mod"
    state: present
    dest: /etc/audit/rules.d/audit.rules
    create: yes
  when: audit_arch is defined and audit_arch == 'b64'