ansible-lockdown / RHEL7-CIS

Ansible role for Red Hat 7 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

Task for 4.1.1.3 is not fully idempotent #202

Closed Thulium-Drake closed 3 years ago

Thulium-Drake commented 3 years ago

It seems that the task for enforcing auditd is not fully idempotent when audit=1 is not the last argument configured in grub.

As far as I can see, it's not harmful, it just showed up :-)

TASK [cis_hardening_el7 : AUTOMATED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled] ***
--- before: /etc/default/grub
+++ after: /etc/default/grub
@@ -3,5 +3,5 @@
 GRUB_DEFAULT=saved
 GRUB_DISABLE_SUBMENU=true
 GRUB_TERMINAL_OUTPUT="console"
-GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos_somehost/root rd.lvm.lv=centos_somehost/swap rhgb quiet audit=1 audit_backlog_limit=8192"
+GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos_somehost/root rd.lvm.lv=centos_somehost/swap rhgb quiet audit=1 audit_backlog_limit=8192 audit=1"
 GRUB_DISABLE_RECOVERY="true"
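Review bot: the `+` line in this hunk appends a second `audit=1` to GRUB_CMDLINE_LINUX although the `-` line already carries `audit=1` immediately before `audit_backlog_limit=8192`, so the host was compliant and the task still reports `changed`. Whatever gates the append is evidently only looking at the end of the quoted value rather than for the parameter anywhere in it; match `audit=1` as a whitespace-delimited token within the quotes (or split the value into tokens) before deciding to add it. The resulting duplicate is harmless to the kernel, but it is a spurious change on every run of a host with this ordering.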

changed: [somehost.example.com]
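The following is an added example, not code from the ansible-lockdown role or from the reporter, that reproduces the symptom above and shows the idempotent alternative. `naive_ensure_audit` is a hypothetical reconstruction of the observed behaviour (check only whether the quoted value ends with `audit=1`, append otherwise); it is not the role's actual task. `ensure_kernel_param` does what a fixed task should do: treat GRUB_CMDLINE_LINUX as a list of tokens and guarantee exactly one `audit=1`, wherever it currently sits, reporting a change only when the file really needed one. The sample /etc/default/grub content is constructed for the example.

```python
import re

# Constructed sample of /etc/default/grub (not the reporter's file) in which
# audit=1 is already present but is NOT the last kernel argument, the case
# the issue describes.
SAMPLE_GRUB = (
    'GRUB_TIMEOUT=5\n'
    'GRUB_DEFAULT=saved\n'
    'GRUB_DISABLE_SUBMENU=true\n'
    'GRUB_TERMINAL_OUTPUT="console"\n'
    'GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet audit=1 audit_backlog_limit=8192"\n'
    'GRUB_DISABLE_RECOVERY="true"\n'
)

# Matches the whole GRUB_CMDLINE_LINUX line (not GRUB_CMDLINE_LINUX_DEFAULT);
# group 1 is the key with '=', group 2 is the value inside the double quotes.
CMDLINE_RE = re.compile(r'^(GRUB_CMDLINE_LINUX=)"([^"]*)"[ \t]*$', re.MULTILINE)


def cmdline_tokens(text):
    """Return the kernel arguments of GRUB_CMDLINE_LINUX as a list of tokens."""
    m = CMDLINE_RE.search(text)
    return m.group(2).split() if m else []


def naive_ensure_audit(text):
    """Hypothetical reconstruction of the reported symptom (NOT the role's code):
    look only at the END of the quoted value and append audit=1 if it is not
    there. An audit=1 earlier in the string is missed, so it is added twice."""
    def fix(m):
        key, val = m.group(1), m.group(2)
        if val.endswith("audit=1"):
            return m.group(0)
        return '%s"%s audit=1"' % (key, val)
    return CMDLINE_RE.sub(fix, text, count=1)


def ensure_kernel_param(text, param, value=None):
    """Idempotent version: guarantee exactly one `param` (or `param=value`)
    token anywhere in GRUB_CMDLINE_LINUX. Returns (new_text, changed).
    Stale values (e.g. audit=0) are replaced in place; duplicates are dropped;
    a missing parameter is appended once."""
    want = param if value is None else "%s=%s" % (param, value)
    changed = False

    def fix(m):
        nonlocal changed
        key, val = m.group(1), m.group(2)
        tokens = val.split()
        present = [t for t in tokens if t.split("=", 1)[0] == param]
        if present == [want]:
            return m.group(0)  # already exactly right: report no change
        new_tokens, placed = [], False
        for t in tokens:
            if t.split("=", 1)[0] == param:
                if not placed:          # first occurrence: rewrite in place
                    new_tokens.append(want)
                    placed = True
                continue                # later occurrences / stale values: drop
            new_tokens.append(t)
        if not placed:
            new_tokens.append(want)     # parameter absent: append once
        changed = True
        return '%s"%s"' % (key, " ".join(new_tokens))

    new_text = CMDLINE_RE.sub(fix, text, count=1)
    return new_text, changed


if __name__ == "__main__":
    # The naive check rewrites an already-compliant file ...
    print(cmdline_tokens(naive_ensure_audit(SAMPLE_GRUB)))
    # ... the token-based check leaves it alone and reports changed=False.
    print(ensure_kernel_param(SAMPLE_GRUB, "audit", "1")[1])
```

In an Ansible task the same token-based test can be expressed by reading the current value (for example via `slurp` or a `command: grep` with `changed_when: false`) and only running the edit when `'audit=1' not in cmdline.split()`, so the change is gated on the presence of the parameter rather than its position.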
uk-bolly commented 3 years ago

Hi @Thulium-Drake

Thanks again for highlighting the issue. I pushed a number of changes through yesterday into dev. Hopefully this is now resolved.

Thanks uk-bolly

Thulium-Drake commented 3 years ago

Confirmed fixed as of devel :-)

Thanks!