From a4d27d2f98a41231ad41f502c8f1303642e424c0 Mon Sep 17 00:00:00 2001
From: Tomuta Diana-Maria
Date: Fri, 12 Dec 2025 16:24:57 +0200
Subject: [PATCH] Fixing issue: https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/ubuntu24-cis/-/issues/5

Signed-off-by: Diana-Maria Dumitru
---
 tasks/section_6/cis_6.3.x.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/tasks/section_6/cis_6.3.x.yml b/tasks/section_6/cis_6.3.x.yml
index 6009913..f54d41a 100644
--- a/tasks/section_6/cis_6.3.x.yml
+++ b/tasks/section_6/cis_6.3.x.yml
@@ -58,6 +58,22 @@
async: "{{ ubtu24cis_aide_init_async }}"
poll: "{{ ubtu24cis_aide_init_poll }}"
+ - name: "6.3.1 | PATCH | Ensure AIDE is installed | Ensure AIDE logfiles have the appropriate permissions"
+ block:
+ - name: "6.3.1 | AUDIT | Ensure AIDE is installed | Ensure AIDE logfiles have the appropriate permissions | Find AIDE logfiles"
+ ansible.builtin.shell: find /var/log/aide/ -type f -exec ls {} \;
+ changed_when: false
+ failed_when: false
+ register: discovered_AIDE_logfiles
+
+ - name: "6.3.1 | AUDIT | Ensure AIDE is installed | Ensure AIDE logfiles have the appropriate permissions | Apply the permissions"
+ ansible.builtin.file:
+ path: "{{ item }}"
+ mode: 'u-x,g-wx,o-rwx'
+ loop: "{{ discovered_AIDE_logfiles.stdout_lines }}"
+ failed_when: discovered_AIDE_file_exists.state not in '[ file, absent ]'
+ register: discovered_AIDE_file_exists
+
- name: "6.3.2 | PATCH | Ensure filesystem integrity is regularly checked"
when:
- ubtu24cis_config_aide
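Review bot: The `failed_when` on the "Apply the permissions" task compares `discovered_AIDE_file_exists.state` against the quoted string `'[ file, absent ]'`, so Jinja's `in` is a substring test rather than list membership; it only behaves like the intended check by coincidence of the state names the file module returns, and should read `failed_when: discovered_AIDE_file_exists.state not in ['file', 'absent']`. The discovery task shells out to `find … -exec ls {} \;` and splits `stdout_lines`, which breaks on file names containing whitespace and only needs the `changed_when`/`failed_when: false` boilerplate because a shell is involved; `ansible.builtin.find` with `paths: /var/log/aide` and `file_type: file` returns the same set as structured data to loop over via `item.path`, as sketched below. The second sub-task changes permissions, so its name should carry `PATCH` rather than `AUDIT`, matching the parent task and the other remediation tasks in the file. The mode is applied without setting owner or group; if the benchmark item behind the linked issue also specifies ownership, `owner: root` / `group: root` belong on the same `file` call. The hunk shows the whole new block, but the preceding 6.3.1 task it is appended to starts outside the hunk.
```yaml
        # … unchanged: parent "6.3.1 | PATCH | … | Ensure AIDE logfiles have the appropriate permissions" task and its `block:` key …
          - name: "6.3.1 | AUDIT | Ensure AIDE is installed | Ensure AIDE logfiles have the appropriate permissions | Find AIDE logfiles"
            ansible.builtin.find:
              paths: /var/log/aide
              file_type: file
            register: discovered_AIDE_logfiles

          - name: "6.3.1 | PATCH | Ensure AIDE is installed | Ensure AIDE logfiles have the appropriate permissions | Apply the permissions"
            ansible.builtin.file:
              path: "{{ item.path }}"
              mode: 'u-x,g-wx,o-rwx'
            loop: "{{ discovered_AIDE_logfiles.files }}"
            loop_control:
              label: "{{ item.path }}"
            register: discovered_AIDE_file_exists
            failed_when: discovered_AIDE_file_exists.state not in ['file', 'absent']
```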