Ubuntu 24 filesystem integrity

handlers/main.yml

@@ -42,6 +42,6 @@
   command: /sbin/iptables-save > /etc/iptables/rules.v4
 
 - name: Restart systemd-journald
-  systemd:
+  ansible.builtin.systemd:
     name: systemd-journald
-    state: restarted
+    state: restarted

tasks/filesystem_Integrity.yaml

@@ -1,7 +1,7 @@
 ---
-# 6.1.1 Ensure AIDE is installed
+# 6.3.1 Ensure AIDE is installed
 - name: Install & Configure aide
-  apt:
+  ansible.builtin.apt:
     name:
       - aide
       - aide-common
@@ -11,18 +11,18 @@
   when: ansible_os_family == "Debian"
 
 - name: "Configure aide"
-  shell: aideinit
+  ansible.builtin.shell: aideinit
   changed_when: false
 
 - name: "copy the newly generated database"
-  copy:
+  ansible.builtin.copy:
     remote_src: true
     src: "/var/lib/aide/aide.db.new"
     dest: "/var/lib/aide/aide.db"
 
-# 6.1.2 Ensure filesystem integrity is regularly checked
+# 6.3.2 Ensure filesystem integrity is regularly checked
 - name: "Service files are copied"
-  template:
+  ansible.builtin.template:
     src: '{{ item.src }}'
     dest: '{{ item.dest }}'
     owner: root

tasks/system_Logging.yaml

@@ -1,25 +1,106 @@
-# 6.2.1 Configure journald
+# # 6.1.1.1 Configure journald
 - name: Ensure systemd-journald service is enabled
-  systemd:
+  ansible.builtin.systemd:
     name: systemd-journald
     enabled: yes
     state: started
 
 - name: Copy systemd.conf to /etc/tmpfiles.d
-  copy:
+  ansible.builtin.copy:
     src: /usr/lib/tmpfiles.d/systemd.conf
     dest: /etc/tmpfiles.d/systemd.conf
     owner: root
     group: root
     mode: '0640'
 
+
+# # 6.1.1.4 Ensure only one logging system is in use
+- name: Disable and stop rsyslog if journald is preferred
+  ansible.builtin.systemd:
+    name: rsyslog
+    enabled: false
+    state: stopped
+
+- name: Ensure ForwardToSyslog is set to no in journald.conf
+  ansible.builtin.lineinfile:
+    path: /etc/systemd/journald.conf
+    regexp: '^#?ForwardToSyslog='
+    line: 'ForwardToSyslog=no'
+    state: present
+  notify: Restart systemd-journald
+
+# # 6.1.2.1.1 Ensure systemd-journal-remote is installed
+ - name: Ensure systemd-journal-remote is installed
+   ansible.builtin.apt:
+    name: systemd-journal-remote
+    state: present
+    update_cache: yes
+   when: ansible_facts['os_family'] == "Debian"
+
+# # 6.1.2.1.3 Ensure systemd-journal-upload is enabled and active
+- name: Unmask systemd-journal-upload.service
+  ansible.builtin.command: systemctl unmask systemd-journal-upload.service
+  changed_when: true
+
+- name: Enable and start systemd-journal-upload.service
+  ansible.builtin.systemd:
+    name: systemd-journal-upload.service
+    enabled: yes
+    state: started
+
+# # 6.1.2.1.4 Ensure systemd-journal-remote service is not in use
+- name: Stop systemd-journal-remote.socket and service
+  ansible.builtin.systemd:
+    name: "{{ item }}"
+    state: stopped
+  loop:
+    - systemd-journal-remote.socket
+    - systemd-journal-remote.service
+
+- name: Mask systemd-journal-remote.socket and service
+  ansible.builtin.systemd:
+    name: "{{ item }}"
+    masked: yes
+  loop:
+    - systemd-journal-remote.socket
+    - systemd-journal-remote.service
+
+# # 6.1.2.2 Ensure journald ForwardToSyslog is disabled
+- name: Ensure override directory exists
+  ansible.builtin.file:
+    path: /etc/systemd/journald.conf.d
+    state: directory
+    mode: '0755'
+
+- name: Set ForwardToSyslog=no in drop-in journald override
+  ansible.builtin.copy:
+    dest: /etc/systemd/journald.conf.d/60-journald.conf
+    content: |
+      [Journal]
+      ForwardToSyslog=no
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Disable conflicting vendor config (optional)
+  ansible.builtin.command: mv /usr/lib/systemd/journald.conf.d/syslog.conf /usr/lib/systemd/journald.conf.d/syslog.conf.disabled
+  args:
+    creates: /usr/lib/systemd/journald.conf.d/syslog.conf.disabled
+
+- name: Restart systemd-journald
+  ansible.builtin.systemd:
+    name: systemd-journald
+    state: restarted
+
+
+# # 6.1.2.3 Configure journald log compression
 - name: Configure journald log rotation settings
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: /etc/systemd/journald.conf
     regexp: '^#?{{ item.key }}='
     line: '{{ item.key }}={{ item.value }}'
     state: present
-  with_items:
+  loop:
     - { key: 'SystemMaxUse', value: '500M' }
     - { key: 'SystemKeepFree', value: '100M' }
     - { key: 'RuntimeMaxUse', value: '10M' }
@@ -28,4 +109,144 @@
     - { key: 'ForwardToSyslog', value: 'no' }
     - { key: 'Storage', value: 'persistent' }
     - { key: 'Compress', value: 'yes' }
-  notify: Restart systemd-journald
+  notify: Restart systemd-journald
+
+
+# # 6.1.2.4 Ensure journald Storage is configured
+- name: Ensure journald drop-in directory exists
+  ansible.builtin.file:
+    path: /etc/systemd/journald.conf.d/
+    state: directory
+    mode: '0755'
+
+- name: Configure Storage=persistent for systemd-journald
+  ansible.builtin.blockinfile:
+    path: /etc/systemd/journald.conf.d/60-journald.conf
+    create: yes
+    block: |
+      [Journal]
+      Storage=persistent
+  notify: Restart systemd-journald
+
+# # 6.1.3.1 Ensure rsyslog is installed
+- name: Ensure rsyslog is installed
+  ansible.builtin.apt:
+    name: rsyslog
+    state: present
+    update_cache: yes
+
+
+# # 6.1.3.2 Ensure rsyslog service is enabled and active
+- name: Unmask rsyslog service
+  ansible.builtin.command: systemctl unmask rsyslog.service
+  when: ansible_facts.services['rsyslog.service'] is defined and ansible_facts.services['rsyslog.service'].status == 'masked'
+
+- name: Enable rsyslog service
+  ansible.builtin.systemd:
+    name: rsyslog
+    enabled: yes
+
+- name: Start rsyslog service
+  ansible.builtin.systemd:
+    name: rsyslog
+    state: started
+
+# # 6.1.3.3 - Ensure journald forwards logs to rsyslog
+- name: Ensure journald forwards logs to rsyslog
+  block:
+
+    - name: Ensure journald drop-in config directory exists
+      ansible.builtin.file:
+        path: /etc/systemd/journald.conf.d
+        state: directory
+        mode: '0755'
+
+    - name: Ensure ForwardToSyslog=yes is configured in journald drop-in
+      ansible.builtin.blockinfile:
+        path: /etc/systemd/journald.conf.d/60-journald.conf
+        create: yes
+        block: |
+          [Journal]
+          ForwardToSyslog=yes
+
+    - name: Reload systemd-journald to apply changes
+      ansible.builtin.systemd:
+        name: systemd-journald
+        state: restarted
+
+# # 6.1.3.4 - Ensure rsyslog log file creation mode is configured
+- name: Ensure rsyslog uses restrictive file creation mode
+  block:
+
+    - name: Ensure rsyslog drop-in config directory exists
+      ansible.builtin.file:
+        path: /etc/rsyslog.d
+        state: directory
+        mode: '0755'
+
+    - name: Set $FileCreateMode to 0640 in drop-in config
+      ansible.builtin.lineinfile:
+        path: /etc/rsyslog.d/60-rsyslog.conf
+        create: yes
+        line: '$FileCreateMode 0640'
+        state: present
+
+    - name: Reload rsyslog service to apply changes
+      ansible.builtin.systemd:
+        name: rsyslog
+        state: restarted
+
+# # 6.1.3.7 - Ensure rsyslog is not configured to receive logs from remote clients
+- name: Get rsyslog config files
+  ansible.builtin.find:
+    paths:
+      - /etc/rsyslog.conf
+      - /etc/rsyslog.d/
+    patterns: '*.conf'
+    recurse: no
+  register: rsyslog_conf_files
+
+- name: Define list of regex patterns to remove
+  ansible.builtin.set_fact:
+    rsyslog_remove_patterns:
+      - '^\\s*module\\s*\\(\\s*load\\s*=\\s*\\"imtcp\\"\\s*\\)'
+      - '^\\s*input\\s*\\(\\s*type\\s*=\\s*\\"imtcp\\".*port\\s*=\\s*\\"?514\\"?.*\\)'
+      - '^\\s*\\$ModLoad\\s+imtcp'
+      - '^\\s*\\$InputTCPServerRun'
+
+- name: Remove insecure rsyslog TCP config lines
+  ansible.builtin.lineinfile:
+    path: "{{ item.0 }}"
+    state: absent
+    regexp: "{{ item.1 }}"
+  loop: "{{ rsyslog_conf_files.files | map(attribute='path') | list | product(rsyslog_remove_patterns) | list }}"
+  loop_control:
+    label: "{{ item.0 }} => {{ item.1 }}"
+
+- name: Restart rsyslog service to apply config changes
+  ansible.builtin.systemd:
+    name: rsyslog
+    state: restarted
+
+# # 6.1.4.1 - Ensure access to all logfiles has been configured
+- name: Copy log permission check script from template
+  ansible.builtin.template:
+    src: check_log_permissions.sh.j2
+    dest: /usr/local/bin/check_log_permissions.sh
+    mode: '0750'
+    owner: root
+    group: root
+
+- name: Ensure correct permissions and ownership for /var/log files
+  ansible.builtin.command: /usr/local/bin/check_log_permissions.sh
+  become: true
+  register: log_check_result
+  changed_when: log_check_result.stdout != ""
+  failed_when: false
+
+
+
+
+
+
+