From 5c8e1b5c544de3a9a2ac1dd655a8ec7a02ed4c69 Mon Sep 17 00:00:00 2001 From: ComplianceAsCode development team Date: Thu, 4 May 2023 10:38:52 -0400 Subject: [PATCH] Updated tasks/main.yml --- tasks/main.yml | 652 ++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 589 insertions(+), 63 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 590d652..27c9b77 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -5154,40 +5154,6 @@ - no_reboot_needed - set_password_hashing_algorithm_systemauth -- name: Set 'StopIdleSessionSec' to '{{ var_logind_session_timeout }}' in the [Login] section of '/etc/systemd/logind.conf' - ini_file: - path: /etc/systemd/logind.conf - section: Login - option: StopIdleSessionSec - value: '{{ var_logind_session_timeout }}' - create: true - mode: 420 - tags: - - CCE-90784-0 - - CJIS-5.5.6 - - NIST-800-171-3.1.11 - - NIST-800-53-AC-12 - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-2(5) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-SC-10 - - PCI-DSS-Req-8.1.8 - - logind_session_timeout - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - logind_session_timeout | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Ensure opensc is installed package: name: opensc 
@@ -23469,10 +23435,513 @@ - medium_severity - no_reboot_needed -- name: Set rsyslog logfile configuration facts - set_fact: +- name: Ensure Log Files Are Owned By Appropriate Group - Set rsyslog logfile configuration facts + ansible.builtin.set_fact: + rsyslog_etc_config: /etc/rsyslog.conf + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80860-0 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - Get IncludeConfig directive + ansible.builtin.shell: 'set -o pipefail + + grep -e ''$IncludeConfig'' {{ rsyslog_etc_config }} | cut -d '' '' -f 2 || true + + ' + register: rsyslog_old_inc + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80860-0 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - Get include files directives + ansible.builtin.shell: 'set -o pipefail + + awk ''/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}'' {{ + rsyslog_etc_config }} || true + + ' + register: rsyslog_new_inc + changed_when: false + when: + - 
configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80860-0 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - Aggregate rsyslog includes + ansible.builtin.set_fact: + include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}' + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80860-0 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - List all config files + ansible.builtin.find: + paths: '{{ item | dirname }}' + patterns: '{{ item | basename }}' + hidden: false + follow: true + loop: '{{ include_config_output | list + [rsyslog_etc_config] }}' + register: rsyslog_config_files + failed_when: false + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80860-0 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - 
PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - Extract log files old format + ansible.builtin.shell: 'set -o pipefail + + grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} |awk ''{print $NF}''|sed -e ''s/^-//'' + || true + + ' + loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' + register: log_files_old + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80860-0 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - Extract log files new format + ansible.builtin.shell: 'set -o pipefail + + grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep + -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true + + ' + loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' + register: log_files_new + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80860-0 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - 
medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group - Sum all log files found + ansible.builtin.set_fact: + log_files: '{{ log_files_new.results|map(attribute=''stdout_lines'')|list|flatten|unique + log_files_old.results|map(attribute=''stdout_lines'')|list|flatten|unique }}' + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80860-0 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate Group -Setup log files attribute + ansible.builtin.file: + path: '{{ item }}' + group: 0 + state: file + loop: '{{ log_files | list | flatten | unique }}' + failed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_groupownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80860-0 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_groupownership + +- name: Ensure Log Files Are Owned By Appropriate User - Set rsyslog logfile configuration facts + ansible.builtin.set_fact: + rsyslog_etc_config: /etc/rsyslog.conf + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | 
bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80861-8 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - Get IncludeConfig directive + ansible.builtin.shell: 'set -o pipefail + + grep -e ''$IncludeConfig'' {{ rsyslog_etc_config }} | cut -d '' '' -f 2 || true + + ' + register: rsyslog_old_inc + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80861-8 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - Get include files directives + ansible.builtin.shell: 'set -o pipefail + + awk ''/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}'' {{ + rsyslog_etc_config }} || true + + ' + register: rsyslog_new_inc + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80861-8 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - 
rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - Aggregate rsyslog includes + ansible.builtin.set_fact: + include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}' + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80861-8 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - List all config files + ansible.builtin.find: + paths: '{{ item | dirname }}' + patterns: '{{ item | basename }}' + hidden: false + follow: true + loop: '{{ include_config_output | list + [rsyslog_etc_config] }}' + register: rsyslog_config_files + failed_when: false + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80861-8 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - Extract log files old format + ansible.builtin.shell: 'set -o pipefail + + grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} |awk ''{print $NF}''|sed -e ''s/^-//'' + || true + + ' + loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' + register: log_files_old + 
changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80861-8 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - Extract log files new format + ansible.builtin.shell: 'set -o pipefail + + grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep + -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true + + ' + loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' + register: log_files_new + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80861-8 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User - Sum all log files found + ansible.builtin.set_fact: + log_files: '{{ log_files_new.results|map(attribute=''stdout_lines'')|list|flatten|unique + log_files_old.results|map(attribute=''stdout_lines'')|list|flatten|unique }}' + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80861-8 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure Log Files Are Owned By Appropriate User -Setup log files attribute + ansible.builtin.file: + path: '{{ item }}' + owner: 0 + state: file + loop: '{{ log_files | list | flatten | unique }}' + failed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_ownership | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80861-8 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_ownership + +- name: Ensure System Log Files Have Correct Permissions - Set rsyslog logfile configuration facts + ansible.builtin.set_fact: rsyslog_etc_config: /etc/rsyslog.conf - desired_perm_mode: '600' when: - configure_strategy | bool - low_complexity | bool @@ -23494,8 +23963,8 @@ - no_reboot_needed - rsyslog_files_permissions -- name: Get IncludeConfig directive - shell: 'set -o pipefail +- name: Ensure System Log Files Have Correct Permissions - Get IncludeConfig directive + ansible.builtin.shell: 'set -o pipefail grep -e ''$IncludeConfig'' {{ rsyslog_etc_config }} | cut -d '' '' -f 2 || true 
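Review bot: The two `Extract log files` shell tasks in each new ownership block splice `{{ item.1.path }}` into the command line unquoted, so a config file name containing whitespace or shell metacharacters would break the pipeline or be interpreted by the shell; render it with the quote filter, `{{ item.1.path | quote }}`. The same applies to the permissions block's extract tasks in the later hunks (`@@ -23608` and `@@ -23638`). The paths come from `find` over directories named in rsyslog includes, so they are root-controlled on a correctly configured host, but quoting costs nothing and keeps the remediation robust against unusual file names. Both blocks also register into the same variable names (`rsyslog_old_inc`, `include_config_output`, `log_files`, …) that the permissions block uses; that is only safe because each block fully re-derives every fact under identical `when` conditions, which deserves a comment on the first `Set rsyslog logfile configuration facts` task, e.g. `# NOTE: these facts are re-derived per rule; the same names are reused by the ownership and permissions blocks`.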
@@ -23523,10 +23992,11 @@ - no_reboot_needed - rsyslog_files_permissions -- name: Get include files directives - shell: 'set -o pipefail +- name: Ensure System Log Files Have Correct Permissions - Get include files directives + ansible.builtin.shell: 'set -o pipefail - grep -oP ''^\s*include\s*\(\s*file.*'' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true + awk ''/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}'' {{ + rsyslog_etc_config }} || true ' register: rsyslog_new_inc @@ -23552,14 +24022,9 @@ - no_reboot_needed - rsyslog_files_permissions -- name: Expand glob expressions - shell: 'set -o pipefail - - eval printf ''%s\\n'' {{ item }} - - ' - register: include_config_output - loop: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}' +- name: Ensure System Log Files Have Correct Permissions - Aggregate rsyslog includes + ansible.builtin.set_fact: + include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}' when: - configure_strategy | bool - low_complexity | bool @@ -23581,9 +24046,13 @@ - no_reboot_needed - rsyslog_files_permissions -- name: List all config files - shell: find {{ item }} -not -path "*/.*" -type f - loop: '{{ include_config_output.results|map(attribute=''stdout_lines'')|list|flatten }}' +- name: Ensure System Log Files Have Correct Permissions - List all config files + ansible.builtin.find: + paths: '{{ item | dirname }}' + patterns: '{{ item | basename }}' + hidden: false + follow: true + loop: '{{ include_config_output | list + [rsyslog_etc_config] }}' register: rsyslog_config_files failed_when: false changed_when: false 
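Review bot: The replacement include-file extraction relies on `gensub`, which is a gawk extension; on a host whose `awk` is mawk or busybox awk the program will not parse, and because of the trailing `|| true` the task then silently registers an empty `rsyslog_new_inc`, so the `include(file=...)` config files are never visited. If the role only targets platforms that ship gawk, state that on the task, e.g. `# gensub() requires gawk; mawk/busybox awk will not work here`; otherwise invoke `gawk` explicitly so a missing tool fails loudly instead of yielding an empty include list. The same awk program appears in the two ownership blocks added in the `@@ -23469` hunk.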
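Review bot: The new `find` task only examines `dirname` of each include and matches `basename` as a glob, so an include that names a directory rather than a file pattern (rsyslog accepts a trailing-slash directory form) produces an empty `patterns` value and, as far as I can tell, no matches, whereas the removed `find {{ item }} -not -path "*/.*" -type f` walked the path as given and recursed. Consider defaulting the pattern, `patterns: "{{ item | basename or '*' }}"`, and adding `recurse: true` if nested include directories must still be picked up. `failed_when: false` on this task also hides a nonexistent include directory, so a one-line comment saying that missing include paths are deliberately ignored would help the next reader.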
@@ -23608,14 +24077,15 @@ - no_reboot_needed - rsyslog_files_permissions -- name: Extract log files - shell: 'set -o pipefail +- name: Ensure System Log Files Have Correct Permissions - Extract log files old format + ansible.builtin.shell: 'set -o pipefail - grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item }} |awk ''{print $NF}''|sed -e ''s/^-//'' || true + grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} |awk ''{print $NF}''|sed -e ''s/^-//'' + || true ' - loop: '{{ rsyslog_config_files.results|map(attribute=''stdout_lines'')|list|flatten|unique + [ rsyslog_etc_config ] }}' - register: log_files + loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' + register: log_files_old changed_when: false when: - configure_strategy | bool 
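Review bot: The new loop `rsyslog_config_files.results | subelements('files')` errors out if any result entry lacks a `files` key, and since the preceding `find` task runs with `failed_when: false`, a failed lookup (for example an include directory that does not exist) may leave such an entry and abort the remediation at this task rather than at the find. Passing `subelements('files', skip_missing=True)` keeps the best-effort behaviour the `failed_when` was meant to provide. The unquoted `{{ item.1.path }}` in the command is the same issue raised on the `@@ -23469` hunk.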
@@ -23638,12 +24108,68 @@ - no_reboot_needed - rsyslog_files_permissions -- name: Setup log files permissions - ignore_errors: true - file: +- name: Ensure System Log Files Have Correct Permissions - Extract log files new format + ansible.builtin.shell: 'set -o pipefail + + grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep + -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true + + ' + loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' + register: log_files_new + changed_when: false + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_permissions | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80862-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_permissions + +- name: Ensure System Log Files Have Correct Permissions - Sum all log files found + ansible.builtin.set_fact: + log_files: '{{ log_files_new.results|map(attribute=''stdout_lines'')|list|flatten|unique + log_files_old.results|map(attribute=''stdout_lines'')|list|flatten|unique }}' + when: + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_files_permissions | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80862-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.1 + - PCI-DSS-Req-10.5.2 + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - rsyslog_files_permissions + +- name: Ensure System Log Files Have Correct Permissions 
-Setup log files attribute + ansible.builtin.file: path: '{{ item }}' - mode: '{{ desired_perm_mode }}' - loop: '{{ log_files.results|map(attribute=''stdout_lines'')|list|flatten|unique }}' + mode: 384 + state: file + loop: '{{ log_files | list | flatten | unique }}' + failed_when: false when: - configure_strategy | bool - low_complexity | bool