Audit: Enable logins rules from 30-stig.rules and remove logins.rules…

….new Relates to 489d5f0
pyllyukko · Nov 19, 2024 · 01ff108 · 01ff108
1 parent ca61aea
commit 01ff108
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 22 deletions.
diff --git a/newconfs/rules.d/logins.rules.new b/newconfs/rules.d/logins.rules.new
diff --git a/tasks/audit.yml b/tasks/audit.yml
@@ -69,21 +69,30 @@
             block: |
               -a always,exclude -F msgtype=CRYPTO_SESSION
               -a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=ntp -F subj_type=ntpd_t
-    - name: Disable noisy STIG rules
-      ansible.builtin.replace:
-        path: /etc/audit/rules.d/30-stig.rules
-        regexp: "^(-.+-F key={{ item }})$"
-        replace: '#\1'
-      with_items:
-        - perm_mod
-        - delete
-    # CIS Distribution Independent Linux v2.0.0 - 07-16-2019 4.1.16  Ensure changes to system administration scope (sudoers) is collected
-    # CIS Debian Linux 12 Benchmark v1.1.0 - 09-26-2024      6.2.3.1 Ensure changes to system administration scope (sudoers) is collected
-    - name: Rename sudoers rules to scope
-      ansible.builtin.replace:
-        path: /etc/audit/rules.d/30-stig.rules
-        regexp: "^(-a always,exit -F arch=b(32|64) -F (path=/etc/sudoers|dir=/etc/sudoers.d/) -F perm=wa -F )key=actions$"
-        replace: '\g<1>key=scope'
+    - name: Modify 30-stig.rules
+      block:
+        - name: Disable noisy STIG rules
+          ansible.builtin.replace:
+            path: /etc/audit/rules.d/30-stig.rules
+            regexp: "^(-.+-F key={{ item }})$"
+            replace: '#\1'
+          with_items:
+            - perm_mod
+            - delete
+        # CIS Distribution Independent Linux v2.0.0 - 07-16-2019 4.1.16  Ensure changes to system administration scope (sudoers) is collected
+        # CIS Debian Linux 12 Benchmark v1.1.0 - 09-26-2024      6.2.3.1 Ensure changes to system administration scope (sudoers) is collected
+        - name: Rename sudoers rules to scope
+          ansible.builtin.replace:
+            path: /etc/audit/rules.d/30-stig.rules
+            regexp: "^(-a always,exit -F arch=b(32|64) -F (path=/etc/sudoers|dir=/etc/sudoers.d/) -F perm=wa -F )key=actions$"
+            replace: '\g<1>key=scope'
+        # CIS Debian Linux 12 Benchmark v1.1.0 - 09-26-2024      6.2.3.12 Ensure login and logout events are collected
+        # CIS Distribution Independent Linux v2.0.0 - 07-16-2019 4.1.9    Ensure login and logout events are collected
+        - name: Enable few rules from 30-stig.rules
+          ansible.builtin.replace:
+            path: /etc/audit/rules.d/30-stig.rules
+            regexp: '^#(-a\s+always,exit\s+-F\s+arch=b(32|64)\s+-F\s+path=/var/(run/faillock|log/lastlog)\s+-F\s+perm=wa\s+-F\s+key=logins)$'
+            replace: '\g<1>'
     - name: Create 31-privileged.rules
       block:
         - name: Create temp dir