From 4fa26d526f5f8d0c2acc386d3a62c3dde3fe1547 Mon Sep 17 00:00:00 2001
From: SheetalNain
Date: Tue, 22 Jul 2025 13:17:25 +0530
Subject: [PATCH 1/3] Update system_Logging.yaml
---
 tasks/system_Logging.yaml | 233 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 227 insertions(+), 6 deletions(-)
diff --git a/tasks/system_Logging.yaml b/tasks/system_Logging.yaml
index fe2a910..a51a53d 100644
--- a/tasks/system_Logging.yaml
+++ b/tasks/system_Logging.yaml
@@ -1,25 +1,106 @@ -# 6.2.1 Configure journald +# # 6.1.1.1 Configure journald - name: Ensure systemd-journald service is enabled - systemd: + ansible.builtin.systemd: name: systemd-journald enabled: yes state: started - name: Copy systemd.conf to /etc/tmpfiles.d - copy: + ansible.builtin.copy: src: /usr/lib/tmpfiles.d/systemd.conf dest: /etc/tmpfiles.d/systemd.conf owner: root group: root mode: '0640' + +# # 6.1.1.4 Ensure only one logging system is in use +- name: Disable and stop rsyslog if journald is preferred + ansible.builtin.systemd: + name: rsyslog + enabled: false + state: stopped + +- name: Ensure ForwardToSyslog is set to no in journald.conf + ansible.builtin.lineinfile: + path: /etc/systemd/journald.conf + regexp: '^#?ForwardToSyslog=' + line: 'ForwardToSyslog=no' + state: present + notify: Restart systemd-journald + +# # 6.1.2.1.1 Ensure systemd-journal-remote is installed + - name: Ensure systemd-journal-remote is installed + ansible.builtin.apt: + name: systemd-journal-remote + state: present + update_cache: yes + when: ansible_facts['os_family'] == "Debian" + +# # 6.1.2.1.3 Ensure systemd-journal-upload is enabled and active +- name: Unmask systemd-journal-upload.service + ansible.builtin.command: systemctl unmask systemd-journal-upload.service + changed_when: true + +- name: Enable and start systemd-journal-upload.service + ansible.builtin.systemd: + name: systemd-journal-upload.service + enabled: yes + state: started + +# # 6.1.2.1.4 Ensure systemd-journal-remote service is not in use +- name: Stop systemd-journal-remote.socket and service + ansible.builtin.systemd: + name: "{{ item }}" + state: stopped + loop: + - systemd-journal-remote.socket + - systemd-journal-remote.service + +- name: Mask systemd-journal-remote.socket and service + ansible.builtin.systemd: + name: "{{ item }}" + masked: yes + loop: + - systemd-journal-remote.socket + - systemd-journal-remote.service + +# # 6.1.2.2 Ensure journald ForwardToSyslog is disabled +- name: Ensure 
override directory exists + ansible.builtin.file: + path: /etc/systemd/journald.conf.d + state: directory + mode: '0755' + +- name: Set ForwardToSyslog=no in drop-in journald override + ansible.builtin.copy: + dest: /etc/systemd/journald.conf.d/60-journald.conf + content: | + [Journal] + ForwardToSyslog=no + owner: root + group: root + mode: '0644' + +- name: Disable conflicting vendor config (optional) + ansible.builtin.command: mv /usr/lib/systemd/journald.conf.d/syslog.conf /usr/lib/systemd/journald.conf.d/syslog.conf.disabled + args: + creates: /usr/lib/systemd/journald.conf.d/syslog.conf.disabled + +- name: Restart systemd-journald + ansible.builtin.systemd: + name: systemd-journald + state: restarted + + +# # 6.1.2.3 Configure journald log compression - name: Configure journald log rotation settings - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: '^#?{{ item.key }}=' line: '{{ item.key }}={{ item.value }}' state: present - with_items: + loop: - { key: 'SystemMaxUse', value: '500M' } - { key: 'SystemKeepFree', value: '100M' } - { key: 'RuntimeMaxUse', value: '10M' } 
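Review bot: The task under `# # 6.1.2.1.1` appears one column deeper than its siblings (`+ - name: Ensure systemd-journal-remote is installed` against `+- name:` everywhere else); a sequence entry indented differently from the entries around it is a YAML parse error, so as rendered the whole task file stops loading — align it to column 0. The file also encodes two mutually exclusive profiles: 6.1.1.4 stops and disables rsyslog and writes `ForwardToSyslog=no`, while 6.1.3.1–6.1.3.3 (continuing into the next hunk) install and enable rsyslog and write `ForwardToSyslog=yes` into the same `60-journald.conf`, so every run stops rsyslog, rewrites the drop-in and restarts journald before re-enabling it — a logging gap on each run and a play that never converges. Gate the two groups on one variable, e.g. `when: logging_backend == "journald"` on the 6.1.1.4/6.1.2.2 tasks and `when: logging_backend == "rsyslog"` on the rsyslog tasks (variable name constructed). `Disable conflicting vendor config (optional)` is not optional: `creates:` only skips once the `.disabled` file already exists, so on a host without `/usr/lib/systemd/journald.conf.d/syslog.conf` the `mv` fails and aborts the play, and it edits a package-owned path that upgrades reinstate; a drop-in of the same file name under `/etc/systemd/journald.conf.d/` overrides the vendor file, so the task can go. `systemd-journal-upload` is enabled and started without any destination (`URL=` in `journal-upload.conf` is not configured anywhere in this file), so the unit will just fail, and `changed_when: true` on the unmask command reports a change on every run — `ansible.builtin.systemd` with `masked: false` is the idempotent form.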
@@ -28,4 +109,144 @@ - { key: 'ForwardToSyslog', value: 'no' } - { key: 'Storage', value: 'persistent' } - { key: 'Compress', value: 'yes' } - notify: Restart systemd-journald \ No newline at end of file + notify: Restart systemd-journald + + +# # 6.1.2.4 Ensure journald Storage is configured +- name: Ensure journald drop-in directory exists + ansible.builtin.file: + path: /etc/systemd/journald.conf.d/ + state: directory + mode: '0755' + +- name: Configure Storage=persistent for systemd-journald + ansible.builtin.blockinfile: + path: /etc/systemd/journald.conf.d/60-journald.conf + create: yes + block: | + [Journal] + Storage=persistent + notify: Restart systemd-journald + +# # 6.1.3.1 Ensure rsyslog is installed +- name: Ensure rsyslog is installed + ansible.builtin.apt: + name: rsyslog + state: present + update_cache: yes + + +# # 6.1.3.2 Ensure rsyslog service is enabled and active +- name: Unmask rsyslog service + ansible.builtin.command: systemctl unmask rsyslog.service + when: ansible_facts.services['rsyslog.service'] is defined and ansible_facts.services['rsyslog.service'].status == 'masked' + +- name: Enable rsyslog service + ansible.builtin.systemd: + name: rsyslog + enabled: yes + +- name: Start rsyslog service + ansible.builtin.systemd: + name: rsyslog + state: started + +# # 6.1.3.3 - Ensure journald forwards logs to rsyslog +- name: Ensure journald forwards logs to rsyslog + block: + + - name: Ensure journald drop-in config directory exists + ansible.builtin.file: + path: /etc/systemd/journald.conf.d + state: directory + mode: '0755' + + - name: Ensure ForwardToSyslog=yes is configured in journald drop-in + ansible.builtin.blockinfile: + path: /etc/systemd/journald.conf.d/60-journald.conf + create: yes + block: | + [Journal] + ForwardToSyslog=yes + + - name: Reload systemd-journald to apply changes + ansible.builtin.systemd: + name: systemd-journald + state: restarted + +# # 6.1.3.4 - Ensure rsyslog log file creation mode is configured +- name: Ensure 
rsyslog uses restrictive file creation mode + block: + + - name: Ensure rsyslog drop-in config directory exists + ansible.builtin.file: + path: /etc/rsyslog.d + state: directory + mode: '0755' + + - name: Set $FileCreateMode to 0640 in drop-in config + ansible.builtin.lineinfile: + path: /etc/rsyslog.d/60-rsyslog.conf + create: yes + line: '$FileCreateMode 0640' + state: present + + - name: Reload rsyslog service to apply changes + ansible.builtin.systemd: + name: rsyslog + state: restarted + +# # 6.1.3.7 - Ensure rsyslog is not configured to receive logs from remote clients +- name: Get rsyslog config files + ansible.builtin.find: + paths: + - /etc/rsyslog.conf + - /etc/rsyslog.d/ + patterns: '*.conf' + recurse: no + register: rsyslog_conf_files + +- name: Define list of regex patterns to remove + ansible.builtin.set_fact: + rsyslog_remove_patterns: + - '^\\s*module\\s*\\(\\s*load\\s*=\\s*\\"imtcp\\"\\s*\\)' + - '^\\s*input\\s*\\(\\s*type\\s*=\\s*\\"imtcp\\".*port\\s*=\\s*\\"?514\\"?.*\\)' + - '^\\s*\\$ModLoad\\s+imtcp' + - '^\\s*\\$InputTCPServerRun' + +- name: Remove insecure rsyslog TCP config lines + ansible.builtin.lineinfile: + path: "{{ item.0 }}" + state: absent + regexp: "{{ item.1 }}" + loop: "{{ rsyslog_conf_files.files | map(attribute='path') | list | product(rsyslog_remove_patterns) | list }}" + loop_control: + label: "{{ item.0 }} => {{ item.1 }}" + +- name: Restart rsyslog service to apply config changes + ansible.builtin.systemd: + name: rsyslog + state: restarted + +# # 6.1.4.1 - Ensure access to all logfiles has been configured +- name: Copy log permission check script from template + ansible.builtin.template: + src: check_log_permissions.sh.j2 + dest: /usr/local/bin/check_log_permissions.sh + mode: '0750' + owner: root + group: root + +- name: Ensure correct permissions and ownership for /var/log files + ansible.builtin.command: /usr/local/bin/check_log_permissions.sh + become: true + register: log_check_result + changed_when: 
log_check_result.stdout != ""
+ failed_when: false
+
+
+
+
+
+
+
From 159b245ec0f1a186ad95c541e70c243ace108bd0 Mon Sep 17 00:00:00 2001
From: SheetalNain
Date: Tue, 22 Jul 2025 13:18:14 +0530
Subject: [PATCH 2/3] Update main.yml
---
 handlers/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index 54b2b00..1a06b1d 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -42,6 +42,6 @@
 command: /sbin/iptables-save > /etc/iptables/rules.v4
 - name: Restart systemd-journald
- systemd:
+ ansible.builtin.systemd:
 name: systemd-journald
- state: restarted
\ No newline at end of file
+ state: restarted
From 52e9277a6b8537f4c8703f79c14c227ff0c459b4 Mon Sep 17 00:00:00 2001
From: SheetalNain
Date: Tue, 22 Jul 2025 13:51:22 +0530
Subject: [PATCH 3/3] Update filesystem_Integrity.yaml
---
 tasks/filesystem_Integrity.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/tasks/filesystem_Integrity.yaml b/tasks/filesystem_Integrity.yaml
index 63817ba..e0ac33d 100644
--- a/tasks/filesystem_Integrity.yaml
+++ b/tasks/filesystem_Integrity.yaml
@@ -1,7 +1,7 @@
 ---
-# 6.1.1 Ensure AIDE is installed
+# 6.3.1 Ensure AIDE is installed
 - name: Install & Configure aide
- apt:
+ ansible.builtin.apt:
 name:
 - aide
 - aide-common
@@ -11,18 +11,18 @@
 when: ansible_os_family == "Debian"
 - name: "Configure aide"
- shell: aideinit
+ ansible.builtin.shell: aideinit
 changed_when: false
 - name: "copy the newly generated database"
- copy:
+ ansible.builtin.copy:
 remote_src: true
 src: "/var/lib/aide/aide.db.new"
 dest: "/var/lib/aide/aide.db"
-# 6.1.2 Ensure filesystem integrity is regularly checked
+# 6.3.2 Ensure filesystem integrity is regularly checked
 - name: "Service files are copied"
- template:
+ ansible.builtin.template:
 src: '{{ item.src }}'
 dest: '{{ item.dest }}'
 owner: root
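Review bot: The four `rsyslog_remove_patterns` entries under 6.1.3.7 are double-escaped inside single-quoted YAML, which keeps both backslashes, so lineinfile receives regexes such as `^\\s*module…` that require a literal backslash and never match a real `module(load="imtcp")` line — the remove task is a silent no-op and the control is not enforced. Listing `/etc/rsyslog.conf` under `find`'s `paths` does not help either: as far as I can tell find only walks directories and skips a file path (newer releases warn, older ones are silent), so the main config, where the TCP listener is usually declared, is never scanned, and the UDP listener (`imudp`, `$UDPServerRun`) that the same CIS item covers is not matched at all. The rewrite below uses single backslashes, covers both listeners and adds `/etc/rsyslog.conf` to the loop directly. Elsewhere in the hunk: the two `blockinfile` tasks on `60-journald.conf` (6.1.2.4 and 6.1.3.3) share the default marker, so the second replaces the first and `Storage=persistent` disappears from the drop-in — give each its own `marker:`; the 6.1.3.2 `when:` reads `ansible_facts.services`, which only `ansible.builtin.service_facts` populates and this file does not gather (an earlier play may), so the task errors on an undefined variable otherwise; and `failed_when: false` on the 6.1.4.1 command hides a failed permission fix — `failed_when: log_check_result.rc != 0` keeps the error visible.
```yaml
- name: Define list of regex patterns to remove
  ansible.builtin.set_fact:
    rsyslog_remove_patterns:
      - '^\s*module\s*\(\s*load\s*=\s*"im(tcp|udp)"'
      - '^\s*input\s*\(\s*type\s*=\s*"im(tcp|udp)"'
      - '^\s*\$ModLoad\s+im(tcp|udp)'
      - '^\s*\$(InputTCPServerRun|UDPServerRun)'

- name: Remove rsyslog remote-listener config lines
  ansible.builtin.lineinfile:
    path: "{{ item.0 }}"
    state: absent
    regexp: "{{ item.1 }}"
  loop: "{{ (['/etc/rsyslog.conf'] + (rsyslog_conf_files.files | map(attribute='path') | list)) | product(rsyslog_remove_patterns) | list }}"
  # … unchanged: loop_control …
```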