Merge pull request #427 from dev-sec/snoopotic-fix/add_auditd_restart_handler

schurzi · web-flow · commit 2882a15ee181 · 2021-03-29T21:15:46.000+02:00
add restart-auditd handler after configuration change
diff --git a/molecule/mysql_hardening/verify.yml b/molecule/mysql_hardening/verify.yml
@@ -44,7 +44,7 @@
       shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
 
     - name: Execute cinc-auditor tests
-      command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/mysql-baseline.git"
+      command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit supermarket://dev-sec/mysql-baseline"
       register: test_results
       changed_when: false
       ignore_errors: true
diff --git a/molecule/nginx_hardening/verify.yml b/molecule/nginx_hardening/verify.yml
@@ -47,7 +47,7 @@
       shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
 
     - name: Execute cinc-auditor tests
-      command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/nginx-baseline.git"
+      command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit supermarket://dev-sec/nginx-baseline"
       register: test_results
       changed_when: false
       ignore_errors: true
diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml
@@ -51,7 +51,7 @@
       shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
 
     - name: Execute cinc-auditor tests
-      command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/linux-baseline.git"
+      command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit supermarket://dev-sec/linux-baseline"
       register: test_results
       changed_when: false
       ignore_errors: true
diff --git a/molecule/ssh_hardening/verify.yml b/molecule/ssh_hardening/verify.yml
@@ -42,7 +42,7 @@
       shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
 
     - name: Execute cinc-auditor tests
-      command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/ssh-baseline.git"
+      command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit supermarket://dev-sec/nginx-baseline"
       register: test_results
       changed_when: false
       ignore_errors: true
diff --git a/roles/os_hardening/handlers/main.yml b/roles/os_hardening/handlers/main.yml
@@ -1,3 +1,9 @@
 ---
 - name: Update-initramfs
   command: 'update-initramfs -u'
+
+- name: restart-auditd
+  command:
+    cmd: 'service auditd restart'  # rhel: see: https://access.redhat.com/solutions/2664811
+    warn: false  # sadly 'service' module fails in that case also by using 'use: service'
+  when: molecule_yml is not defined  # restarting auditd in a container does not work
diff --git a/roles/os_hardening/tasks/auditd.yml b/roles/os_hardening/tasks/auditd.yml
@@ -3,6 +3,7 @@
   package:
     name: '{{ auditd_package }}'
     state: 'present'
+  tags: auditd
 
 - name: Configure auditd | package-08
   template:
@@ -11,3 +12,5 @@
     owner: 'root'
     group: 'root'
     mode: '0640'
+  notify: 'restart-auditd'
+  tags: auditd
