4.1.1.2 Ensure auditing for processes that start prior to auditd is enabled
4.1.1.3 Ensure audit_backlog_limit is sufficient
are still failing after role-execution.
Expected Behavior
CIS - Pass
Actual Behavior
CIS - Fail
Control(s) Affected
4.1.1.2, 4.1.1.3
Environment (please complete the following information):
branch being used: [e.g. devel]
Ansible Version: [e.g. 2.10]
Host Python Version: [e.g. Python 3.7.6]
Ansible Server Python Version: [e.g. Python 3.7.6]
Additional Details:
Additional Notes
Current approach was the one I was also aware of, some time ago: Configuring params in /etc/default/grub and then use the command in grub2cfg handler(grub2-mkconfig -o /boot/grub2/grub.cfg) to generate the grub config file.
But, what I also noticed is that despite some not-so-old hardening suggestions(RHEL8, 2021) encourage us to use both approaches(/boot/grub2/grub.cfg & gruby), the most recent ones(RHEL9, 2023) only use grubby approach.
Same does CIS in their nix_grubby_exist_chk.sh script.
Describe the Issue Rules:
4.1.1.2 Ensure auditing for processes that start prior to auditd is enabled4.1.1.3 Ensure audit_backlog_limit is sufficientare still failing after role-execution.Expected Behavior CIS - Pass
Actual Behavior CIS - Fail
Control(s) Affected 4.1.1.2, 4.1.1.3
Environment (please complete the following information):
Additional Notes
Current approach was the one I was also aware of, some time ago: Configuring params in
/etc/default/gruband then use the command ingrub2cfghandler(grub2-mkconfig -o /boot/grub2/grub.cfg) to generate the grub config file.But, what I also noticed is that despite some not-so-old hardening suggestions(RHEL8, 2021) encourage us to use both approaches(
/boot/grub2/grub.cfg&gruby), the most recent ones(RHEL9, 2023) only usegrubbyapproach. Same does CIS in theirnix_grubby_exist_chk.shscript.Possible Solution PR