
From 92ff3c1ee5dbeae8260d8ebbb9926cc63296c72a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 21 Apr 2020 11:04:43 +0200
Subject: [PATCH 1/8] fix audit_rules_media_export ansible remediation
---
 .../ansible/shared.yml                        | 44 +++++++++++++++++--
 1 file changed, 40 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml
dac76a
index 12a61b6d1c..944a69cfaf 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml
dac76a
@@ -11,6 +11,39 @@
dac76a
   set_fact:
dac76a
     audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
dac76a
 
dac76a
+#
dac76a
+# check if rules are already present
dac76a
+#
dac76a
+
dac76a
+- name: Check if the rule for x86_64 is already present in /etc/audit/rules.d/*
dac76a
+  find:
dac76a
+    paths: "/etc/audit/rules.d/"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+mount\s+-F\s+auid>={{{ auid }}}\s+-F\s+auid!=unset(\s|$)+'
dac76a
+    patterns: "*.rules"
dac76a
+  register: find_existing_media_export_64_rules_d
dac76a
+
dac76a
+- name: Check if the rule for x86 is already present in /etc/audit/rules.d/*
dac76a
+  find:
dac76a
+    paths: "/etc/audit/rules.d/"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+mount\s+-F\s+auid>={{{ auid }}}\s+-F\s+auid!=unset(\s|$)+'
dac76a
+    patterns: "*.rules"
dac76a
+  register: find_existing_media_export_32_rules_d
dac76a
+
dac76a
+- name: Check if the rule for x86_64 is already present in /etc/audit/audit.rules
dac76a
+  find:
dac76a
+    paths: "/etc/audit/"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+mount\s+-F\s+auid>={{{ auid }}}\s+-F\s+auid!=unset(\s|$)+'
dac76a
+    patterns: "audit.rules"
dac76a
+  register: find_existing_media_export_64_audit_rules
dac76a
+
dac76a
+- name: Check if the rule for x86 is already present in /etc/audit/rules.d/*
dac76a
+  find:
dac76a
+    paths: "/etc/audit/"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+mount\s+-F\s+auid>={{{ auid }}}\s+-F\s+auid!=unset(\s|$)+'
dac76a
+    patterns: "audit.rules"
dac76a
+  register: find_existing_media_export_32_audit_rules
dac76a
+
dac76a
+
dac76a
 #
dac76a
 # Inserts/replaces the rule in /etc/audit/rules.d
dac76a
 #
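Review bot: The fourth find task is named `Check if the rule for x86 is already present in /etc/audit/rules.d/*` although it searches `/etc/audit/` for `audit.rules` and registers `find_existing_media_export_32_audit_rules`; the name is a copy-paste of the rules.d variant and should read `Check if the rule for x86 is already present in /etc/audit/audit.rules` so skipped/changed output can be read. The `contains` patterns recognise only the `auid!=unset` spelling, so a host that already carries the numerically equivalent `auid!=4294967295` form (which I believe the corresponding OVAL check accepts, please confirm) is still treated as missing the rule and a second line is appended. `(\s|$)+` repeats a group containing the end-of-line anchor; `(\s|$)` expresses the same intent.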
dac76a
@@ -21,31 +54,33 @@
dac76a
     contains: "-F key=export$"
dac76a
     patterns: "*.rules"
dac76a
   register: find_mount
dac76a
+  when: (find_existing_media_export_32_rules_d is defined and find_existing_media_export_32_rules_d.matched == 0) or (find_existing_media_export_64_rules_d is defined and find_existing_media_export_64_rules_d.matched == 0)
dac76a
 
dac76a
 - name: If existing media export ruleset not found, use /etc/audit/rules.d/export.rules as the recipient for the rule
dac76a
   set_fact:
dac76a
     all_files:
dac76a
       - /etc/audit/rules.d/export.rules
dac76a
-  when: find_mount.matched is defined and find_mount.matched == 0
dac76a
+  when: find_mount.matched is defined and find_mount.matched == 0 and ((find_existing_media_export_32_rules_d is defined and find_existing_media_export_32_rules_d.matched == 0) or (find_existing_media_export_64_rules_d is defined and find_existing_media_export_64_rules_d.matched == 0))
dac76a
 
dac76a
 - name: Use matched file as the recipient for the rule
dac76a
   set_fact:
dac76a
     all_files:
dac76a
       - "{{ find_mount.files | map(attribute='path') | list | first }}"
dac76a
-  when: find_mount.matched is defined and find_mount.matched > 0
dac76a
+  when: find_mount.matched is defined and find_mount.matched > 0 and ((find_existing_media_export_32_rules_d is defined and find_existing_media_export_32_rules_d.matched == 0) or (find_existing_media_export_64_rules_d is defined and find_existing_media_export_64_rules_d.matched == 0))
dac76a
 
dac76a
 - name: Inserts/replaces the media export rule in rules.d when on x86
dac76a
   lineinfile:
dac76a
     path: "{{ all_files[0] }}"
dac76a
     line: "-a always,exit -F arch=b32 -S mount -F auid>={{{ auid }}} -F auid!=unset -F key=export"
dac76a
     create: yes
dac76a
+  when: find_existing_media_export_32_rules_d is defined and find_existing_media_export_32_rules_d.matched == 0
dac76a
 
dac76a
 - name: Inserts/replaces the media export rule in rules.d when on x86_64
dac76a
   lineinfile:
dac76a
     path: "{{ all_files[0] }}"
dac76a
     line: "-a always,exit -F arch=b64 -S mount -F auid>={{{ auid }}} -F auid!=unset -F key=export"
dac76a
     create: yes
dac76a
-  when: audit_arch is defined and audit_arch == 'b64'
dac76a
+  when: audit_arch is defined and audit_arch == 'b64' and find_existing_media_export_64_rules_d is defined and find_existing_media_export_64_rules_d.matched == 0
dac76a
 #   
dac76a
 # Inserts/replaces the rule in /etc/audit/audit.rules
dac76a
 #
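Review bot: The expression `(find_existing_media_export_32_rules_d is defined and … .matched == 0) or (find_existing_media_export_64_rules_d is defined and … .matched == 0)` is repeated verbatim in the `when:` of the find_mount task and both `all_files` set_fact tasks, and in halves on the two lineinfile tasks; compute it once, e.g. `- set_fact: media_export_rule_missing: "{{ find_existing_media_export_32_rules_d.matched == 0 or find_existing_media_export_64_rules_d.matched == 0 }}"`, and test that fact so the three copies cannot drift apart. The `is defined` guards on the registered find results are dead weight, since the four find tasks earlier in this file run unconditionally. `create: yes` on the lineinfile tasks is a YAML 1.1 truthy; `create: true` is the canonical form yamllint expects.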
dac76a
@@ -55,6 +90,7 @@
dac76a
     state: present
dac76a
     dest: /etc/audit/audit.rules
dac76a
     create: yes
dac76a
+  when: find_existing_media_export_32_audit_rules is defined and find_existing_media_export_32_audit_rules.matched == 0
dac76a
 
dac76a
 - name: Inserts/replaces the media export rule in audit.rules when on x86_64
dac76a
   lineinfile:
dac76a
@@ -62,4 +98,4 @@
dac76a
     state: present
dac76a
     dest: /etc/audit/audit.rules
dac76a
     create: yes
dac76a
-  when: audit_arch is defined and audit_arch == 'b64'
dac76a
+  when: audit_arch is defined and audit_arch == 'b64' and find_existing_media_export_64_audit_rules is defined and find_existing_media_export_64_audit_rules.matched == 0
dac76a
From ffdfd62dc6e19ca655132f119b3998f01dea98fe Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 21 Apr 2020 14:42:40 +0200
Subject: [PATCH 2/8] make audit_rules_kernel_module_loading ansible
 remediation robust
add test
---
 .../ansible/shared.yml                        | 282 ++++++++++++++++--
 .../syscalls_one_per_line_one_missing.fail.sh |  11 +
 2 files changed, 271 insertions(+), 22 deletions(-)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
dac76a
index 8cc519c61b..17eb72a99d 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
dac76a
@@ -11,6 +11,95 @@
dac76a
   set_fact:
dac76a
     audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
dac76a
 
dac76a
+#
dac76a
+# check if rules don't exist already
dac76a
+#
dac76a
+
dac76a
+- name: Check if rule for x86 init_module already exists in /etc/audit/rules.d/*
dac76a
+  find:
dac76a
+    paths: "/etc/audit/rules.d/"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+init_module[\s$]+'
dac76a
+    patterns: "*.rules"
dac76a
+  register: find_existing_kernel_init_module_32_rules_d
dac76a
+
dac76a
+- name: Check if rule for x86 delete_module already exists in /etc/audit/rules.d/*
dac76a
+  find:
dac76a
+    paths: "/etc/audit/rules.d/"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+delete_module[\s$]+'
dac76a
+    patterns: "*.rules"
dac76a
+  register: find_existing_kernel_delete_module_32_rules_d
dac76a
+
dac76a
+- name: Check if rule for x86 finit_module already exists in /etc/audit/rules.d/*
dac76a
+  find:
dac76a
+    paths: "/etc/audit/rules.d/"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+finit_module[\s$]+'
dac76a
+    patterns: "*.rules"
dac76a
+  register: find_existing_kernel_finit_module_32_rules_d
dac76a
+
dac76a
+- name: Check if rule for x86_64 init_module already exists in /etc/audit/rules.d/*
dac76a
+  find:
dac76a
+    paths: "/etc/audit/rules.d/"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+init_module[\s$]+'
dac76a
+    patterns: "*.rules"
dac76a
+  register: find_existing_kernel_init_module_64_rules_d
dac76a
+
dac76a
+- name: Check if rule for x86_64 delete_module already exists in /etc/audit/rules.d/*
dac76a
+  find:
dac76a
+    paths: "/etc/audit/rules.d/"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+delete_module[\s$]+'
dac76a
+    patterns: "*.rules"
dac76a
+  register: find_existing_kernel_delete_module_64_rules_d
dac76a
+
dac76a
+- name: Check if rule for x86_64 finit_module already exists in /etc/audit/rules.d/*
dac76a
+  find:
dac76a
+    paths: "/etc/audit/rules.d/"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+finit_module[\s$]+'
dac76a
+    patterns: "*.rules"
dac76a
+  register: find_existing_kernel_finit_module_64_rules_d
dac76a
+
dac76a
+- name: Check if rule for x86 init_module already exists in /etc/audit/audit.rules
dac76a
+  find:
dac76a
+    paths: "/etc/audit/"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+init_module[\s$]+'
dac76a
+    patterns: "audit.rules"
dac76a
+  register: find_existing_kernel_init_module_32_audit_rules
dac76a
+
dac76a
+- name: Check if rule for x86 delete_module already exists in /etc/audit/audit.rules
dac76a
+  find:
dac76a
+    paths: "/etc/audit/"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+delete_module[\s$]+'
dac76a
+    patterns: "audit.rules"
dac76a
+  register: find_existing_kernel_delete_module_32_audit_rules
dac76a
+
dac76a
+- name: Check if rule for x86 finit_module already exists in /etc/audit/audit.rules
dac76a
+  find:
dac76a
+    paths: "/etc/audit/audit.rules"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+finit_module[\s$]+'
dac76a
+    patterns: "audit.rules"
dac76a
+  register: find_existing_kernel_finit_module_32_audit_rules
dac76a
+
dac76a
+- name: Check if rule for x86_64 init_module already exists in /etc/audit/audit.rules
dac76a
+  find:
dac76a
+    paths: "/etc/audit/"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+init_module[\s$]+'
dac76a
+    patterns: "audit.rules"
dac76a
+  register: find_existing_kernel_init_module_64_audit_rules
dac76a
+
dac76a
+- name: Check if rule for x86_64 delete_module already exists in /etc/audit/audit.rules
dac76a
+  find:
dac76a
+    paths: "/etc/audit/"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+delete_module[\s$]+'
dac76a
+    patterns: "audit.rules"
dac76a
+  register: find_existing_kernel_delete_module_64_audit_rules
dac76a
+
dac76a
+- name: Check if rule for x86_64 finit_module already exists in /etc/audit/audit.rules
dac76a
+  find:
dac76a
+    paths: "/etc/audit/"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+finit_module[\s$]+'
dac76a
+    patterns: "audit.rules"
dac76a
+  register: find_existing_kernel_finit_module_64_audit_rules
dac76a
+
dac76a
+
dac76a
 #
dac76a
 # Inserts/replaces the rule in /etc/audit/rules.d
dac76a
 #
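Review bot: The x86 finit_module check for audit.rules passes `paths: "/etc/audit/audit.rules"` (a file) where every sibling task passes the directory `"/etc/audit/"` together with `patterns: "audit.rules"`; the find module walks directories and skips non-directory paths, so this task reports `matched: 0` whatever the file contains and the finit_module line is re-added on every run, which is exactly the duplication this series sets out to stop — change it to `paths: "/etc/audit/"`. In all twelve `contains` patterns `[\s$]+` is a character class, so the `$` is a literal dollar sign rather than an end-of-line anchor; `(\s|$)` as used in the media_export remediation is what was meant. These patterns also expect one `-S <syscall>` token per syscall, so a compliant combined form such as `-S init_module,delete_module` (the form the existing `syscalls_multiple_per_arg.pass.sh` test in this rule directory appears to cover) is treated as missing and duplicated.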
dac76a
@@ -34,48 +123,197 @@
dac76a
       - "{{ find_modules.files | map(attribute='path') | list | first }}"
dac76a
   when: find_modules.matched is defined and find_modules.matched > 0
dac76a
 
dac76a
+#
dac76a
+# create resulting lines to be inserted into appropriate files
dac76a
+#
dac76a
+
dac76a
+- name: Start creating remediation line for 32 bit rule in /etc/audit/rules.d
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_32_rules_d = "-a always,exit -F arch=b32 "
dac76a
+  {{% if product == "rhel6" %}}
dac76a
+  when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0)
dac76a
+  {{% else %}}
dac76a
+  when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) or (find_existing_kernel_finit_module_32_rules_d is defined and find_existing_kernel_finit_module_32_rules_d.matched == 0)
dac76a
+  {{% endif %}}
dac76a
+
dac76a
+- name: add init_module into line for 32 bit rules.d
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-S init_module ' }}
dac76a
+  when: find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0 and audit_kernel_line_32_rules_d is defined
dac76a
+
dac76a
+- name: add delete_module into line for 32 bit rules.d
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-S delete_module ' }}
dac76a
+  when: find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0 and audit_kernel_line_32_rules_d is defined
dac76a
+
dac76a
+{{% if product != "rhel6" %}}
dac76a
+- name: add finit_module into line for 32 bit rules.d
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-S finit_module ' }}
dac76a
+  when: find_existing_kernel_finit_module_32_rules_d is defined and find_existing_finit_delete_module_32_rules_d.matched == 0 and audit_kernel_line_32_rules_d is defined
dac76a
+{{% endif %}}
dac76a
+
dac76a
+- name: Finish creating remediation line for 32 bit rule in /etc/audit/rules.d
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-k modules' }}
dac76a
+  {{% if product == "rhel6" %}}
dac76a
+  when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined
dac76a
+  {{% else %}}
dac76a
+  when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) or (find_existing_kernel_finit_module_32_rules_d is defined and find_existing_kernel_finit_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined
dac76a
+  {{% endif %}}
dac76a
+
dac76a
+- name: Start creating remediation line for 64 bit rule in /etc/audit/rules.d
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_64_rules_d = "-a always,exit -F arch=b64 "
dac76a
+  {{% if product == "rhel6" %}}
dac76a
+  when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0)
dac76a
+  {{% else %}}
dac76a
+  when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) or (find_existing_kernel_finit_module_64_rules_d is defined and find_existing_kernel_finit_module_64_rules_d.matched == 0)
dac76a
+  {{% endif %}}
dac76a
+
dac76a
+- name: add init_module into line for 64 bit rules.d
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-S init_module ' }}
dac76a
+  when: find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0 and audit_kernel_line_64_rules_d is defined
dac76a
+
dac76a
+- name: add delete_module into line for 64 bit rules.d
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-S delete_module ' }}
dac76a
+  when: find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0 and audit_kernel_line_64_rules_d is defined
dac76a
+
dac76a
+{{% if product != "rhel6" %}}
dac76a
+- name: add finit_module into line for 64 bit rules.d
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-S finit_module ' }}
dac76a
+  when: find_existing_kernel_finit_module_64_rules_d is defined and find_existing_finit_delete_module_64_rules_d.matched == 0 and audit_kernel_line_64_rules_d is defined
dac76a
+{{% endif %}}
dac76a
+
dac76a
+- name: Finish creating remediation line for 64 bit rule in /etc/audit/rules.d
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-k modules' }}
dac76a
+  {{% if product == "rhel6" %}}
dac76a
+  when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined
dac76a
+  {{% else %}}
dac76a
+  when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) or (find_existing_kernel_finit_module_64_rules_d is defined and find_existing_kernel_finit_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined
dac76a
+  {{% endif %}}
dac76a
+
dac76a
+- name: Start creating remediation line for 32 bit rule in /etc/audit/audit.rules
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_32_audit_rules = "-a always,exit -F arch=b32 "
dac76a
+  {{% if product == "rhel6" %}}
dac76a
+  when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0)
dac76a
+  {{% else %}}
dac76a
+  when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) or (find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_kernel_finit_module_32_audit_rules.matched == 0)
dac76a
+  {{% endif %}}
dac76a
+
dac76a
+- name: add init_module into line for 32 bit rules.d
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-S init_module ' }}
dac76a
+  when: find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0 and audit_kernel_line_32_audit_rules is defined
dac76a
+
dac76a
+- name: add delete_module into line for 32 bit rules.d
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-S delete_module ' }}
dac76a
+  when: find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0 and audit_kernel_line_32_audit_rules is defined
dac76a
+
dac76a
+{{% if product != "rhel6" %}}
dac76a
+- name: add finit_module into line for 32 bit rules.d
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-S finit_module ' }}
dac76a
+  when: find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_finit_delete_module_32_audit_rules.matched == 0 and audit_kernel_line_32_audit_rules is defined
dac76a
+{{% endif %}}
dac76a
+
dac76a
+- name: Finish creating remediation line for 32 bit rule in /etc/audit/audit.rules
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-k modules' }}
dac76a
+  {{% if product == "rhel6" %}}
dac76a
+  when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined
dac76a
+  {{% else %}}
dac76a
+  when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) or (find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_kernel_finit_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined
dac76a
+  {{% endif %}}
dac76a
+
dac76a
+- name: Start creating remediation line for 64 bit rule in /etc/audit/audit.rules
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_64_audit_rules = "-a always,exit -F arch=b64 "
dac76a
+  {{% if product == "rhel6" %}}
dac76a
+  when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0)
dac76a
+  {{% else %}}
dac76a
+  when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) or (find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_kernel_finit_module_64_audit_rules.matched == 0)
dac76a
+  {{% endif %}}
dac76a
+
dac76a
+- name: add init_module into line for 64 bit rules.d
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-S init_module ' }}
dac76a
+  when: find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0 and audit_kernel_line_64_audit_rules is defined
dac76a
+
dac76a
+- name: add delete_module into line for 64 bit rules.d
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-S delete_module ' }}
dac76a
+  when: find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0 and audit_kernel_line_64_audit_rules is defined
dac76a
+
dac76a
+{{% if product != "rhel6" %}}
dac76a
+- name: add finit_module into line for 64 bit rules.d
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-S finit_module ' }}
dac76a
+  when: find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_finit_delete_module_64_audit_rules.matched == 0 and audit_kernel_line_64_audit_rules is defined
dac76a
+{{% endif %}}
dac76a
+
dac76a
+- name: Finish creating remediation line for 64 bit rule in /etc/audit/audit.rules
dac76a
+  set_fact:
dac76a
+    audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-k modules' }}
dac76a
+  {{% if product == "rhel6" %}}
dac76a
+  when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined
dac76a
+  {{% else %}}
dac76a
+  when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) or (find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_kernel_finit_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined
dac76a
+  {{% endif %}}
dac76a
+
dac76a
+
dac76a
+
dac76a
 - name: Inserts/replaces the modules rule in rules.d when on x86
dac76a
   lineinfile:
dac76a
     path: "{{ all_files[0] }}"
dac76a
-    {{% if product == "rhel6" %}}
dac76a
-    line: "-a always,exit -F arch=b32 -S init_module -S delete_module -k modules"
dac76a
-    {{% else %}}
dac76a
-    line: "-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -k modules"
dac76a
-    {{% endif %}}
dac76a
+    line: "{{ audit_kernel_line_32_rules_d }}"
dac76a
     create: yes
dac76a
+  {{% if product == "rhel6" %}}
dac76a
+  when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined
dac76a
+  {{% else %}}
dac76a
+  when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) or (find_existing_kernel_finit_module_32_rules_d is defined and find_existing_kernel_finit_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined
dac76a
+  {{% endif %}}
dac76a
 
dac76a
 - name: Inserts/replaces the modules rule in rules.d when on x86_64
dac76a
   lineinfile:
dac76a
     path: "{{ all_files[0] }}"
dac76a
-    {{% if product == "rhel6" %}}
dac76a
-    line: "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules"
dac76a
-    {{% else %}}
dac76a
-    line: "-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules"
dac76a
-    {{% endif %}}
dac76a
+    line: "{{ audit_kernel_line_32_rules_d }}"
dac76a
     create: yes
dac76a
-  when: audit_arch is defined and audit_arch == 'b64'
dac76a
+  {{% if product == "rhel6" %}}
dac76a
+  when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined
dac76a
+  {{% else %}}
dac76a
+  when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) or (find_existing_kernel_finit_module_64_rules_d is defined and find_existing_kernel_finit_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined
dac76a
+  {{% endif %}}
dac76a
+
dac76a
 #   
dac76a
 # Inserts/replaces the rule in /etc/audit/audit.rules
dac76a
 #
dac76a
 - name: Inserts/replaces the modules rule in /etc/audit/audit.rules when on x86
dac76a
   lineinfile:
dac76a
-    {{% if product == "rhel6" %}}
dac76a
-    line: "-a always,exit -F arch=b32 -S init_module -S delete_module -k modules"
dac76a
-    {{% else %}}
dac76a
-    line: "-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -k modules"
dac76a
-    {{% endif %}}
dac76a
+    line: "{{ audit_kernel_line_32_audit_rules }}"
dac76a
     state: present
dac76a
     dest: /etc/audit/audit.rules
dac76a
     create: yes
dac76a
+  {{% if product == "rhel6" %}}
dac76a
+  when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined
dac76a
+  {{% else %}}
dac76a
+  when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) or (find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_kernel_finit_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined
dac76a
+  {{% endif %}}
dac76a
 
dac76a
 - name: Inserts/replaces the modules rule in audit.rules when on x86_64
dac76a
   lineinfile:
dac76a
-    {{% if product == "rhel6" %}}
dac76a
-    line: "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules"
dac76a
-    {{% else %}}
dac76a
-    line: "-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules"
dac76a
-    {{% endif %}}
dac76a
+    line: "{{ audit_kernel_line_64_audit_rules }}"
dac76a
     state: present
dac76a
     dest: /etc/audit/audit.rules
dac76a
     create: yes
dac76a
-  when: audit_arch is defined and audit_arch == 'b64'
dac76a
+  {{% if product == "rhel6" %}}
dac76a
+  when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined
dac76a
+  {{% else %}}
dac76a
+  when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) or (find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_kernel_finit_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined
dac76a
+  {{% endif %}}
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh
dac76a
new file mode 100644
dac76a
index 0000000000..13219b7ece
dac76a
--- /dev/null
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh
dac76a
@@ -0,0 +1,11 @@
dac76a
+#!/bin/bash
dac76a
+# profiles = xccdf_org.ssgproject.content_profile_C2S
dac76a
+# remediation = bash
dac76a
+
dac76a
+# Use auditctl, on RHEL7, default is to use augenrules
dac76a
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
dac76a
+
dac76a
+rm -f /etc/audit/rules.d/*
dac76a
+
dac76a
+# cut out irrelevant rules for this test
dac76a
+sed -e '11,18d' -e '/.*init.*/d' test_audit.rules > /etc/audit/audit.rules
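Review bot: The header `# remediation = bash` restricts this scenario to the bash remediation, although the commit message adds it alongside the Ansible remediation change; the next commit in this series edits the same header in this file (per its diffstat), so the new file should probably not carry the key at all. `sed -e '11,18d' -e '/.*init.*/d' test_audit.rules` deletes lines by absolute number, which silently breaks when test_audit.rules is reordered, and because `init` is a substring of `finit_module` the second expression removes both the init_module and the finit_module lines (assuming the fixture lists them one per line, which is not visible here), leaving more than the "one missing" syscall the file name promises. Anchor on the syscall token, e.g. `-e '/-S init_module/d'`, and add a comment naming which rules lines 11–18 hold.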
dac76a
From 9ababe26e4ffb0ab96de75c5fd4f911811d1085a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 24 Apr 2020 11:10:12 +0200
Subject: [PATCH 3/8] fix metadata in tests
---
 .../audit_rules_kernel_module_loading/tests/default.fail.sh     | 2 +-
 .../tests/syscalls_multiple_per_arg.pass.sh                     | 2 +-
 .../tests/syscalls_one_per_arg.pass.sh                          | 2 +-
 .../tests/syscalls_one_per_line.pass.sh                         | 2 +-
 .../tests/syscalls_one_per_line_one_missing.fail.sh             | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/default.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/default.fail.sh
dac76a
index 43da7e67e5..c1ea54b990 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/default.fail.sh
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/default.fail.sh
dac76a
@@ -1,6 +1,6 @@
dac76a
 #!/bin/bash
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_C2S
dac76a
-# remediation = bash
dac76a
+
dac76a
 
dac76a
 rm -f /etc/audit/rules.d/*
dac76a
 > /etc/audit/audit.rules
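Review bot: Replacing `# remediation = bash` with an empty line leaves two consecutive blank lines between the header comments and the first command in default.fail.sh; deleting the line outright keeps the header tidy. The same pattern is repeated in the other four test scripts touched by this commit (syscalls_multiple_per_arg.pass.sh, syscalls_one_per_arg.pass.sh, syscalls_one_per_line.pass.sh, syscalls_one_per_line_one_missing.fail.sh). If dropping the metadata is meant to switch the tests to the default remediation set, a one-line comment saying so would spare the next reader a trip through the test-suite docs.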
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh
dac76a
index af0ceda059..80d5e8d6d4 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh
dac76a
@@ -1,6 +1,6 @@
dac76a
 #!/bin/bash
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_C2S
dac76a
-# remediation = bash
dac76a
+
dac76a
 
dac76a
 # Use auditctl, on RHEL7, default is to use augenrules
dac76a
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh
dac76a
index ccc2d4beee..0e162c7c94 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh
dac76a
@@ -1,6 +1,6 @@
dac76a
 #!/bin/bash
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_C2S
dac76a
-# remediation = bash
dac76a
+
dac76a
 
dac76a
 # Use auditctl, on RHEL7, default is to use augenrules
dac76a
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh
dac76a
index 48e03e071d..a043f787bc 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh
dac76a
@@ -1,6 +1,6 @@
dac76a
 #!/bin/bash
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_C2S
dac76a
-# remediation = bash
dac76a
+
dac76a
 
dac76a
 # Use auditctl, on RHEL7, default is to use augenrules
dac76a
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh
dac76a
index 13219b7ece..4d717db422 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh
dac76a
@@ -1,6 +1,6 @@
dac76a
 #!/bin/bash
dac76a
 # profiles = xccdf_org.ssgproject.content_profile_C2S
dac76a
-# remediation = bash
dac76a
+
dac76a
 
dac76a
 # Use auditctl, on RHEL7, default is to use augenrules
dac76a
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
dac76a
dac76a
From d16f0eb2ee839209bc2ace51da49ca795003a27c Mon Sep 17 00:00:00 2001
dac76a
From: Vojtech Polasek <vpolasek@redhat.com>
dac76a
Date: Fri, 24 Apr 2020 11:10:46 +0200
dac76a
Subject: [PATCH 4/8] rewrite audit_rules_kernel_module_loading remediation to
dac76a
 be effective
dac76a
dac76a
---
dac76a
 .../ansible/shared.yml                        | 364 ++++++------------
dac76a
 1 file changed, 108 insertions(+), 256 deletions(-)
dac76a
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
dac76a
index 17eb72a99d..e417e147ea 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
dac76a
@@ -11,103 +11,73 @@
dac76a
   set_fact:
dac76a
     audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
dac76a
 
dac76a
-#
dac76a
-# check if rules don't exist already
dac76a
-#
dac76a
-
dac76a
-- name: Check if rule for x86 init_module already exists in /etc/audit/rules.d/*
dac76a
-  find:
dac76a
-    paths: "/etc/audit/rules.d/"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+init_module[\s$]+'
dac76a
-    patterns: "*.rules"
dac76a
-  register: find_existing_kernel_init_module_32_rules_d
dac76a
+- name: Declare list of syscals
dac76a
+  set_fact:
dac76a
+    syscalls:
dac76a
+      - "init_module"
dac76a
+      - "delete_module"
dac76a
+      {{% if product != "rhel6" %}}
dac76a
+      - "finit_module"
dac76a
+      {{% endif %}}
dac76a
 
dac76a
-- name: Check if rule for x86 delete_module already exists in /etc/audit/rules.d/*
dac76a
-  find:
dac76a
-    paths: "/etc/audit/rules.d/"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+delete_module[\s$]+'
dac76a
-    patterns: "*.rules"
dac76a
-  register: find_existing_kernel_delete_module_32_rules_d
dac76a
+- name: declare number of syscalls
dac76a
+  set_fact: audit_kernel_number_of_syscalls="{{ syscalls|length|int }}"
dac76a
 
dac76a
-- name: Check if rule for x86 finit_module already exists in /etc/audit/rules.d/*
dac76a
-  find:
dac76a
-    paths: "/etc/audit/rules.d/"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+finit_module[\s$]+'
dac76a
-    patterns: "*.rules"
dac76a
-  register: find_existing_kernel_finit_module_32_rules_d
dac76a
 
dac76a
-- name: Check if rule for x86_64 init_module already exists in /etc/audit/rules.d/*
dac76a
+- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/*
dac76a
   find:
dac76a
-    paths: "/etc/audit/rules.d/"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+init_module[\s$]+'
dac76a
+    paths: "/etc/audit/rules.d"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*{{ item }}.*$'
dac76a
     patterns: "*.rules"
dac76a
-  register: find_existing_kernel_init_module_64_rules_d
dac76a
+  register: audit_kernel_found_32_rules_d
dac76a
+  loop: "{{ syscalls }}"
dac76a
 
dac76a
-- name: Check if rule for x86_64 delete_module already exists in /etc/audit/rules.d/*
dac76a
-  find:
dac76a
-    paths: "/etc/audit/rules.d/"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+delete_module[\s$]+'
dac76a
-    patterns: "*.rules"
dac76a
-  register: find_existing_kernel_delete_module_64_rules_d
dac76a
+- name: get number of matched 32 bit syscalls in /etc/audit/rules.d/*
dac76a
+  set_fact: audit_kernel_matched_32_rules_d="{{audit_kernel_found_32_rules_d.results|sum(attribute='matched')|int }}"
dac76a
 
dac76a
-- name: Check if rule for x86_64 finit_module already exists in /etc/audit/rules.d/*
dac76a
+- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/*
dac76a
   find:
dac76a
-    paths: "/etc/audit/rules.d/"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+finit_module[\s$]+'
dac76a
+    paths: "/etc/audit/rules.d"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*{{ item }}.*$'
dac76a
     patterns: "*.rules"
dac76a
-  register: find_existing_kernel_finit_module_64_rules_d
dac76a
+  register: audit_kernel_found_64_rules_d
dac76a
+  loop: "{{ syscalls }}"
dac76a
 
dac76a
-- name: Check if rule for x86 init_module already exists in /etc/audit/audit.rules
dac76a
-  find:
dac76a
-    paths: "/etc/audit/"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+init_module[\s$]+'
dac76a
-    patterns: "audit.rules"
dac76a
-  register: find_existing_kernel_init_module_32_audit_rules
dac76a
-
dac76a
-- name: Check if rule for x86 delete_module already exists in /etc/audit/audit.rules
dac76a
-  find:
dac76a
-    paths: "/etc/audit/"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+delete_module[\s$]+'
dac76a
-    patterns: "audit.rules"
dac76a
-  register: find_existing_kernel_delete_module_32_audit_rules
dac76a
+- name: get number of matched 64 bit syscalls in /etc/audit/rules.d/*
dac76a
+  set_fact: audit_kernel_matched_64_rules_d="{{audit_kernel_found_64_rules_d.results|sum(attribute='matched')|int }}"
dac76a
 
dac76a
-- name: Check if rule for x86 finit_module already exists in /etc/audit/audit.rules
dac76a
+- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules
dac76a
   find:
dac76a
-    paths: "/etc/audit/audit.rules"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+finit_module[\s$]+'
dac76a
+    paths: "/etc/audit"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*{{ item }}.*$'
dac76a
     patterns: "audit.rules"
dac76a
-  register: find_existing_kernel_finit_module_32_audit_rules
dac76a
+  register: audit_kernel_found_32_audit_rules
dac76a
+  loop: "{{ syscalls }}"
dac76a
 
dac76a
-- name: Check if rule for x86_64 init_module already exists in /etc/audit/audit.rules
dac76a
-  find:
dac76a
-    paths: "/etc/audit/"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+init_module[\s$]+'
dac76a
-    patterns: "audit.rules"
dac76a
-  register: find_existing_kernel_init_module_64_audit_rules
dac76a
+- name: get number of matched 32 bit syscalls in /etc/audit/audit.rules
dac76a
+  set_fact: audit_kernel_matched_32_audit_rules="{{audit_kernel_found_32_audit_rules.results|sum(attribute='matched')|int }}"
dac76a
 
dac76a
-- name: Check if rule for x86_64 delete_module already exists in /etc/audit/audit.rules
dac76a
+- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules
dac76a
   find:
dac76a
-    paths: "/etc/audit/"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+delete_module[\s$]+'
dac76a
+    paths: "/etc/audit"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*{{ item }}.*$'
dac76a
     patterns: "audit.rules"
dac76a
-  register: find_existing_kernel_delete_module_64_audit_rules
dac76a
+  register: audit_kernel_found_64_audit_rules
dac76a
+  loop: "{{ syscalls }}"
dac76a
 
dac76a
-- name: Check if rule for x86_64 finit_module already exists in /etc/audit/audit.rules
dac76a
-  find:
dac76a
-    paths: "/etc/audit/"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+finit_module[\s$]+'
dac76a
-    patterns: "audit.rules"
dac76a
-  register: find_existing_kernel_finit_module_64_audit_rules
dac76a
+- name: get number of matched 64 bit syscalls in /etc/audit/rules.d/*
dac76a
+  set_fact: audit_kernel_matched_64_audit_rules="{{audit_kernel_found_64_audit_rules.results|sum(attribute='matched')|int }}"
dac76a
 
dac76a
 
dac76a
 #
dac76a
 # Inserts/replaces the rule in /etc/audit/rules.d
dac76a
 #
dac76a
+
dac76a
 - name: Search /etc/audit/rules.d for other kernel module loading audit rules
dac76a
   find:
dac76a
     paths: "/etc/audit/rules.d"
dac76a
     recurse: no
dac76a
-    contains: "-F key=modules$"
dac76a
+    contains: "(-F key=modules)|(-k modules)$"
dac76a
     patterns: "*.rules"
dac76a
   register: find_modules
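Review bot: The four `get number of matched ... syscalls` tasks count matching files, not syscalls: `sum(attribute='matched')` adds up the per-syscall `matched` file counts from `find`, so when one syscall has a rule in several `*.rules` files the total can reach `audit_kernel_number_of_syscalls` even though another syscall has no rule at all, and the `when:` guards on the insert blocks further down the file then skip the remediation. Count the syscalls that have at least one hit instead, e.g. `set_fact: audit_kernel_matched_32_rules_d="{{ audit_kernel_found_32_rules_d.results | rejectattr('matched', 'equalto', 0) | list | length }}"`, and likewise for the 64-bit and audit.rules variants. The per-syscall `results` list is unchanged by this, so the `item.matched == 0` test used when building the line stays valid. The task name `declare number of syscalls` also has a typo in the preceding `Declare list of syscals`.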
dac76a
 
dac76a
@@ -123,197 +93,79 @@
dac76a
       - "{{ find_modules.files | map(attribute='path') | list | first }}"
dac76a
   when: find_modules.matched is defined and find_modules.matched > 0
dac76a
 
dac76a
-#
dac76a
-# create resulting lines to be inserted into appropriate files
dac76a
-#
dac76a
-
dac76a
-- name: Start creating remediation line for 32 bit rule in /etc/audit/rules.d
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_32_rules_d = "-a always,exit -F arch=b32 "
dac76a
-  {{% if product == "rhel6" %}}
dac76a
-  when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0)
dac76a
-  {{% else %}}
dac76a
-  when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) or (find_existing_kernel_finit_module_32_rules_d is defined and find_existing_kernel_finit_module_32_rules_d.matched == 0)
dac76a
-  {{% endif %}}
dac76a
-
dac76a
-- name: add init_module into line for 32 bit rules.d
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-S init_module ' }}
dac76a
-  when: find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0 and audit_kernel_line_32_rules_d is defined
dac76a
-
dac76a
-- name: add delete_module into line for 32 bit rules.d
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-S delete_module ' }}
dac76a
-  when: find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0 and audit_kernel_line_32_rules_d is defined
dac76a
-
dac76a
-{{% if product != "rhel6" %}}
dac76a
-- name: add finit_module into line for 32 bit rules.d
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-S finit_module ' }}
dac76a
-  when: find_existing_kernel_finit_module_32_rules_d is defined and find_existing_finit_delete_module_32_rules_d.matched == 0 and audit_kernel_line_32_rules_d is defined
dac76a
-{{% endif %}}
dac76a
-
dac76a
-- name: Finish creating remediation line for 32 bit rule in /etc/audit/rules.d
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-k modules' }}
dac76a
-  {{% if product == "rhel6" %}}
dac76a
-  when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined
dac76a
-  {{% else %}}
dac76a
-  when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) or (find_existing_kernel_finit_module_32_rules_d is defined and find_existing_kernel_finit_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined
dac76a
-  {{% endif %}}
dac76a
-
dac76a
-- name: Start creating remediation line for 64 bit rule in /etc/audit/rules.d
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_64_rules_d = "-a always,exit -F arch=b64 "
dac76a
-  {{% if product == "rhel6" %}}
dac76a
-  when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0)
dac76a
-  {{% else %}}
dac76a
-  when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) or (find_existing_kernel_finit_module_64_rules_d is defined and find_existing_kernel_finit_module_64_rules_d.matched == 0)
dac76a
-  {{% endif %}}
dac76a
-
dac76a
-- name: add init_module into line for 64 bit rules.d
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-S init_module ' }}
dac76a
-  when: find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0 and audit_kernel_line_64_rules_d is defined
dac76a
-
dac76a
-- name: add delete_module into line for 64 bit rules.d
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-S delete_module ' }}
dac76a
-  when: find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0 and audit_kernel_line_64_rules_d is defined
dac76a
-
dac76a
-{{% if product != "rhel6" %}}
dac76a
-- name: add finit_module into line for 64 bit rules.d
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-S finit_module ' }}
dac76a
-  when: find_existing_kernel_finit_module_64_rules_d is defined and find_existing_finit_delete_module_64_rules_d.matched == 0 and audit_kernel_line_64_rules_d is defined
dac76a
-{{% endif %}}
dac76a
-
dac76a
-- name: Finish creating remediation line for 64 bit rule in /etc/audit/rules.d
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-k modules' }}
dac76a
-  {{% if product == "rhel6" %}}
dac76a
-  when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined
dac76a
-  {{% else %}}
dac76a
-  when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) or (find_existing_kernel_finit_module_64_rules_d is defined and find_existing_kernel_finit_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined
dac76a
-  {{% endif %}}
dac76a
-
dac76a
-- name: Start creating remediation line for 32 bit rule in /etc/audit/audit.rules
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_32_audit_rules = "-a always,exit -F arch=b32 "
dac76a
-  {{% if product == "rhel6" %}}
dac76a
-  when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0)
dac76a
-  {{% else %}}
dac76a
-  when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) or (find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_kernel_finit_module_32_audit_rules.matched == 0)
dac76a
-  {{% endif %}}
dac76a
-
dac76a
-- name: add init_module into line for 32 bit rules.d
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-S init_module ' }}
dac76a
-  when: find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0 and audit_kernel_line_32_audit_rules is defined
dac76a
-
dac76a
-- name: add delete_module into line for 32 bit rules.d
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-S delete_module ' }}
dac76a
-  when: find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0 and audit_kernel_line_32_audit_rules is defined
dac76a
-
dac76a
-{{% if product != "rhel6" %}}
dac76a
-- name: add finit_module into line for 32 bit rules.d
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-S finit_module ' }}
dac76a
-  when: find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_finit_delete_module_32_audit_rules.matched == 0 and audit_kernel_line_32_audit_rules is defined
dac76a
-{{% endif %}}
dac76a
-
dac76a
-- name: Finish creating remediation line for 32 bit rule in /etc/audit/audit.rules
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-k modules' }}
dac76a
-  {{% if product == "rhel6" %}}
dac76a
-  when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined
dac76a
-  {{% else %}}
dac76a
-  when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) or (find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_kernel_finit_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined
dac76a
-  {{% endif %}}
dac76a
-
dac76a
-- name: Start creating remediation line for 64 bit rule in /etc/audit/audit.rules
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_64_audit_rules = "-a always,exit -F arch=b64 "
dac76a
-  {{% if product == "rhel6" %}}
dac76a
-  when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0)
dac76a
-  {{% else %}}
dac76a
-  when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) or (find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_kernel_finit_module_64_audit_rules.matched == 0)
dac76a
-  {{% endif %}}
dac76a
-
dac76a
-- name: add init_module into line for 64 bit rules.d
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-S init_module ' }}
dac76a
-  when: find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0 and audit_kernel_line_64_audit_rules is defined
dac76a
-
dac76a
-- name: add delete_module into line for 64 bit rules.d
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-S delete_module ' }}
dac76a
-  when: find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0 and audit_kernel_line_64_audit_rules is defined
dac76a
-
dac76a
-{{% if product != "rhel6" %}}
dac76a
-- name: add finit_module into line for 64 bit rules.d
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-S finit_module ' }}
dac76a
-  when: find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_finit_delete_module_64_audit_rules.matched == 0 and audit_kernel_line_64_audit_rules is defined
dac76a
-{{% endif %}}
dac76a
-
dac76a
-- name: Finish creating remediation line for 64 bit rule in /etc/audit/audit.rules
dac76a
-  set_fact:
dac76a
-    audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-k modules' }}
dac76a
-  {{% if product == "rhel6" %}}
dac76a
-  when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined
dac76a
-  {{% else %}}
dac76a
-  when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) or (find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_kernel_finit_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined
dac76a
-  {{% endif %}}
dac76a
-
dac76a
-
dac76a
-
dac76a
 - name: Inserts/replaces the modules rule in rules.d when on x86
dac76a
-  lineinfile:
dac76a
-    path: "{{ all_files[0] }}"
dac76a
-    line: "{{ audit_kernel_line_32_rules_d }}"
dac76a
-    create: yes
dac76a
-  {{% if product == "rhel6" %}}
dac76a
-  when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined
dac76a
-  {{% else %}}
dac76a
-  when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) or (find_existing_kernel_finit_module_32_rules_d is defined and find_existing_kernel_finit_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined
dac76a
-  {{% endif %}}
dac76a
+  block:
dac76a
+    - name: start the line
dac76a
+      set_fact: tmpline="-a always,exit -F arch=b32 "
dac76a
+    - name: add syscalls
dac76a
+      set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
dac76a
+      loop: "{{ audit_kernel_found_32_rules_d.results }}"
dac76a
+      when: item.matched is defined and item.matched == 0
dac76a
+    - name: finish the line
dac76a
+      set_fact: tmpline="{{ tmpline + '-k modules' }}"
dac76a
+    - name: insert/replace the line in appropriate file
dac76a
+      lineinfile:
dac76a
+        path: "{{ all_files[0] }}"
dac76a
+        line: "{{ tmpline }}"
dac76a
+        create: true
dac76a
+        state: present
dac76a
+  when: audit_kernel_matched_32_rules_d < audit_kernel_number_of_syscalls
dac76a
 
dac76a
 - name: Inserts/replaces the modules rule in rules.d when on x86_64
dac76a
-  lineinfile:
dac76a
-    path: "{{ all_files[0] }}"
dac76a
-    line: "{{ audit_kernel_line_32_rules_d }}"
dac76a
-    create: yes
dac76a
-  {{% if product == "rhel6" %}}
dac76a
-  when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined
dac76a
-  {{% else %}}
dac76a
-  when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) or (find_existing_kernel_finit_module_64_rules_d is defined and find_existing_kernel_finit_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined
dac76a
-  {{% endif %}}
dac76a
+  block:
dac76a
+    - name: start the line
dac76a
+      set_fact: tmpline="-a always,exit -F arch=b64 "
dac76a
+    - name: add syscalls
dac76a
+      set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
dac76a
+      loop: "{{ audit_kernel_found_64_rules_d.results }}"
dac76a
+      when: item.matched is defined and item.matched == 0
dac76a
+    - name: finish the line
dac76a
+      set_fact: tmpline="{{ tmpline + '-k modules' }}"
dac76a
+    - name: insert/replace the line in appropriate file
dac76a
+      lineinfile:
dac76a
+        path: "{{ all_files[0] }}"
dac76a
+        line: "{{ tmpline }}"
dac76a
+        create: true
dac76a
+        state: present
dac76a
+  when: audit_kernel_matched_64_rules_d < audit_kernel_number_of_syscalls and audit_arch is defined and audit_arch == 'b64'
dac76a
+
dac76a
 
dac76a
 #   
dac76a
 # Inserts/replaces the rule in /etc/audit/audit.rules
dac76a
 #
dac76a
-- name: Inserts/replaces the modules rule in /etc/audit/audit.rules when on x86
dac76a
-  lineinfile:
dac76a
-    line: "{{ audit_kernel_line_32_audit_rules }}"
dac76a
-    state: present
dac76a
-    dest: /etc/audit/audit.rules
dac76a
-    create: yes
dac76a
-  {{% if product == "rhel6" %}}
dac76a
-  when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined
dac76a
-  {{% else %}}
dac76a
-  when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) or (find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_kernel_finit_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined
dac76a
-  {{% endif %}}
dac76a
 
dac76a
-- name: Inserts/replaces the modules rule in audit.rules when on x86_64
dac76a
-  lineinfile:
dac76a
-    line: "{{ audit_kernel_line_64_audit_rules }}"
dac76a
-    state: present
dac76a
-    dest: /etc/audit/audit.rules
dac76a
-    create: yes
dac76a
-  {{% if product == "rhel6" %}}
dac76a
-  when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined
dac76a
-  {{% else %}}
dac76a
-  when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) or (find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_kernel_finit_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined
dac76a
-  {{% endif %}}
dac76a
+- name: Inserts/replaces the modules rule in audit.rules when on x86
dac76a
+  block:
dac76a
+    - name: start the line
dac76a
+      set_fact: tmpline="-a always,exit -F arch=b32 "
dac76a
+    - name: add syscalls
dac76a
+      set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
dac76a
+      loop: "{{ audit_kernel_found_32_audit_rules.results }}"
dac76a
+      when: item.matched is defined and item.matched == 0
dac76a
+    - name: finish the line
dac76a
+      set_fact: tmpline="{{ tmpline + '-k modules' }}"
dac76a
+    - name: insert/replace the line in appropriate file
dac76a
+      lineinfile:
dac76a
+        path: "/etc/audit/audit.rules"
dac76a
+        line: "{{ tmpline }}"
dac76a
+        create: true
dac76a
+        state: present
dac76a
+  when: audit_kernel_matched_32_audit_rules < audit_kernel_number_of_syscalls
dac76a
+
dac76a
+- name: Inserts/replaces the modules rule in rules.d when on x86_64
dac76a
+  block:
dac76a
+    - name: start the line
dac76a
+      set_fact: tmpline="-a always,exit -F arch=b64 "
dac76a
+    - name: add syscalls
dac76a
+      set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
dac76a
+      loop: "{{ audit_kernel_found_64_audit_rules.results }}"
dac76a
+      when: item.matched is defined and item.matched == 0
dac76a
+    - name: finish the line
dac76a
+      set_fact: tmpline="{{ tmpline + '-k modules' }}"
dac76a
+    - name: insert/replace the line in appropriate file
dac76a
+      lineinfile:
dac76a
+        path: "/etc/audit/audit.rules"
dac76a
+        line: "{{ tmpline }}"
dac76a
+        create: true
dac76a
+        state: present
dac76a
+  when: audit_kernel_matched_64_audit_rules < audit_kernel_number_of_syscalls and audit_arch is defined and audit_arch == 'b64'
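Review bot: The `when:` guards on the four block tasks compare `audit_kernel_matched_*` with `audit_kernel_number_of_syscalls` without a cast; both values come out of `set_fact` templated from Jinja expressions, which Ansible stores as strings unless Jinja native types are enabled, so `<` is a lexicographic comparison here (`"12" < "3"` is true). Cast at the point of use, e.g. `when: audit_kernel_matched_32_rules_d | int < audit_kernel_number_of_syscalls | int`, and the same for the 64-bit and audit.rules blocks (the `| int` inside the set_fact templates does not survive the string conversion). The `lineinfile` tasks have no `regexp:`, so despite the "Inserts/replaces" wording they only append when the exact line is absent; that is fine for adding missing syscalls, but the task names and the header comment should say "insert" to avoid promising a replace that never happens.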
dac76a
dac76a
From 9ab15b0a7926d8d017753d1ce9189ed22e81c35c Mon Sep 17 00:00:00 2001
dac76a
From: Vojtech Polasek <vpolasek@redhat.com>
dac76a
Date: Fri, 24 Apr 2020 15:55:19 +0200
dac76a
Subject: [PATCH 5/8] fix regex and task descriptions
dac76a
dac76a
---
dac76a
 .../ansible/shared.yml                        | 52 +++++++++----------
dac76a
 1 file changed, 26 insertions(+), 26 deletions(-)
dac76a
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
dac76a
index e417e147ea..c82077b57a 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
dac76a
@@ -27,7 +27,7 @@
dac76a
 - name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/*
dac76a
   find:
dac76a
     paths: "/etc/audit/rules.d"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*{{ item }}.*$'
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$'
dac76a
     patterns: "*.rules"
dac76a
   register: audit_kernel_found_32_rules_d
dac76a
   loop: "{{ syscalls }}"
dac76a
@@ -38,7 +38,7 @@
dac76a
 - name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/*
dac76a
   find:
dac76a
     paths: "/etc/audit/rules.d"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*{{ item }}.*$'
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$'
dac76a
     patterns: "*.rules"
dac76a
   register: audit_kernel_found_64_rules_d
dac76a
   loop: "{{ syscalls }}"
dac76a
@@ -49,7 +49,7 @@
dac76a
 - name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules
dac76a
   find:
dac76a
     paths: "/etc/audit"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*{{ item }}.*$'
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$'
dac76a
     patterns: "audit.rules"
dac76a
   register: audit_kernel_found_32_audit_rules
dac76a
   loop: "{{ syscalls }}"
dac76a
@@ -60,7 +60,7 @@
dac76a
 - name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules
dac76a
   find:
dac76a
     paths: "/etc/audit"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*{{ item }}.*$'
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$'
dac76a
     patterns: "audit.rules"
dac76a
   register: audit_kernel_found_64_audit_rules
dac76a
   loop: "{{ syscalls }}"
dac76a
@@ -70,7 +70,7 @@
dac76a
 
dac76a
 
dac76a
 #
dac76a
-# Inserts/replaces the rule in /etc/audit/rules.d
dac76a
+# Inserts the rule in /etc/audit/rules.d
dac76a
 #
dac76a
 
dac76a
 - name: Search /etc/audit/rules.d for other kernel module loading audit rules
dac76a
@@ -93,17 +93,17 @@
dac76a
       - "{{ find_modules.files | map(attribute='path') | list | first }}"
dac76a
   when: find_modules.matched is defined and find_modules.matched > 0
dac76a
 
dac76a
-- name: Inserts/replaces the modules rule in rules.d when on x86
dac76a
+- name: Inserts the modules rule in rules.d when on x86
dac76a
   block:
dac76a
-    - name: start the line
dac76a
+    - name: "Construct rule: add rule list, action and arch"
dac76a
       set_fact: tmpline="-a always,exit -F arch=b32 "
dac76a
-    - name: add syscalls
dac76a
+    - name: "Construct rule: add syscalls"
dac76a
       set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
dac76a
       loop: "{{ audit_kernel_found_32_rules_d.results }}"
dac76a
       when: item.matched is defined and item.matched == 0
dac76a
-    - name: finish the line
dac76a
+    - name: "Construct rule: add key"
dac76a
       set_fact: tmpline="{{ tmpline + '-k modules' }}"
dac76a
-    - name: insert/replace the line in appropriate file
dac76a
+    - name: insert the line in appropriate file
dac76a
       lineinfile:
dac76a
         path: "{{ all_files[0] }}"
dac76a
         line: "{{ tmpline }}"
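Review bot: The `set_fact` tasks in this block keep the `key=value` shorthand (`set_fact: tmpline="-a always,exit -F arch=b32 "`) and the expression at the "add syscalls" step has no space after `{{` (`"{{tmpline + '-S ' + item.item + ' ' }}"`), while every other task in the file, including the `lineinfile` that follows, uses block YAML. Writing the seed as `set_fact:` / `  tmpline: "-a always,exit -F arch=b32 "` makes the significant trailing space visible and keeps ansible-lint and yamllint quiet. The block's `when` gate lies past the end of this hunk.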
dac76a
@@ -111,17 +111,17 @@
dac76a
         state: present
dac76a
   when: audit_kernel_matched_32_rules_d < audit_kernel_number_of_syscalls
dac76a
 
dac76a
-- name: Inserts/replaces the modules rule in rules.d when on x86_64
dac76a
+- name: Inserts the modules rule in rules.d when on x86_64
dac76a
   block:
dac76a
-    - name: start the line
dac76a
+    - name: "Construct rule: add rule list, action and arch"
dac76a
       set_fact: tmpline="-a always,exit -F arch=b64 "
dac76a
-    - name: add syscalls
dac76a
+    - name: "Construct rule: add syscalls"
dac76a
       set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
dac76a
       loop: "{{ audit_kernel_found_64_rules_d.results }}"
dac76a
       when: item.matched is defined and item.matched == 0
dac76a
-    - name: finish the line
dac76a
+    - name: "Construct rule: add key"
dac76a
       set_fact: tmpline="{{ tmpline + '-k modules' }}"
dac76a
-    - name: insert/replace the line in appropriate file
dac76a
+    - name: insert the line in appropriate file
dac76a
       lineinfile:
dac76a
         path: "{{ all_files[0] }}"
dac76a
         line: "{{ tmpline }}"
dac76a
@@ -131,20 +131,20 @@
dac76a
 
dac76a
 
dac76a
 #   
dac76a
-# Inserts/replaces the rule in /etc/audit/audit.rules
dac76a
+# Inserts the rule in /etc/audit/audit.rules
dac76a
 #
dac76a
 
dac76a
-- name: Inserts/replaces the modules rule in audit.rules when on x86
dac76a
+- name: Inserts the modules rule in audit.rules when on x86
dac76a
   block:
dac76a
-    - name: start the line
dac76a
+    - name: "Construct rule: add rule list, action and arch"
dac76a
       set_fact: tmpline="-a always,exit -F arch=b32 "
dac76a
-    - name: add syscalls
dac76a
+    - name: "Construct rule: add syscalls"
dac76a
       set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
dac76a
       loop: "{{ audit_kernel_found_32_audit_rules.results }}"
dac76a
       when: item.matched is defined and item.matched == 0
dac76a
-    - name: finish the line
dac76a
+    - name: "Construct rule: add key"
dac76a
       set_fact: tmpline="{{ tmpline + '-k modules' }}"
dac76a
-    - name: insert/replace the line in appropriate file
dac76a
+    - name: insert the line in appropriate file
dac76a
       lineinfile:
dac76a
         path: "/etc/audit/audit.rules"
dac76a
         line: "{{ tmpline }}"
dac76a
@@ -152,17 +152,17 @@
dac76a
         state: present
dac76a
   when: audit_kernel_matched_32_audit_rules < audit_kernel_number_of_syscalls
dac76a
 
dac76a
-- name: Inserts/replaces the modules rule in rules.d when on x86_64
dac76a
+- name: Inserts the modules rule in rules.d when on x86_64
dac76a
   block:
dac76a
-    - name: start the line
dac76a
+    - name: "Construct rule: add rule list, action and arch"
dac76a
       set_fact: tmpline="-a always,exit -F arch=b64 "
dac76a
-    - name: add syscalls
dac76a
+    - name: "Construct rule: add syscalls"
dac76a
       set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
dac76a
       loop: "{{ audit_kernel_found_64_audit_rules.results }}"
dac76a
       when: item.matched is defined and item.matched == 0
dac76a
-    - name: finish the line
dac76a
+    - name: "Construct rule: add key"
dac76a
       set_fact: tmpline="{{ tmpline + '-k modules' }}"
dac76a
-    - name: insert/replace the line in appropriate file
dac76a
+    - name: insert the line in appropriate file
dac76a
       lineinfile:
dac76a
         path: "/etc/audit/audit.rules"
dac76a
         line: "{{ tmpline }}"
dac76a
dac76a
From 391d2319bd0091271ff927300211eb0462aa84c3 Mon Sep 17 00:00:00 2001
dac76a
From: Vojtech Polasek <vpolasek@redhat.com>
dac76a
Date: Fri, 24 Apr 2020 16:07:36 +0200
dac76a
Subject: [PATCH 6/8] reorder tasks to improve readability
dac76a
dac76a
---
dac76a
 .../ansible/shared.yml                        | 54 +++++++++----------
dac76a
 1 file changed, 26 insertions(+), 28 deletions(-)
dac76a
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
dac76a
index c82077b57a..865e77ed40 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
dac76a
@@ -23,6 +23,9 @@
dac76a
 - name: declare number of syscalls
dac76a
   set_fact: audit_kernel_number_of_syscalls="{{ syscalls|length|int }}"
dac76a
 
dac76a
+#
dac76a
+#rules in /etc/audit/rules.d/*
dac76a
+#
dac76a
 
dac76a
 - name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/*
dac76a
   find:
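Review bot: The new section comment `#rules in /etc/audit/rules.d/*` has no space after `#`, which yamllint's `comments` rule flags, and it differs from the companion comment `# rules in /etc/audit/audit.rules` introduced further down in this same patch; write it as `# rules in /etc/audit/rules.d/*`. Since readability is the stated motive of the reorder, a one-line note above it saying that the rules.d pass is evaluated before the audit.rules pass would make the intent of the new layout explicit.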
dac76a
@@ -46,33 +49,6 @@
dac76a
 - name: get number of matched 64 bit syscalls in /etc/audit/rules.d/*
dac76a
   set_fact: audit_kernel_matched_64_rules_d="{{audit_kernel_found_64_rules_d.results|sum(attribute='matched')|int }}"
dac76a
 
dac76a
-- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules
dac76a
-  find:
dac76a
-    paths: "/etc/audit"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$'
dac76a
-    patterns: "audit.rules"
dac76a
-  register: audit_kernel_found_32_audit_rules
dac76a
-  loop: "{{ syscalls }}"
dac76a
-
dac76a
-- name: get number of matched 32 bit syscalls in /etc/audit/audit.rules
dac76a
-  set_fact: audit_kernel_matched_32_audit_rules="{{audit_kernel_found_32_audit_rules.results|sum(attribute='matched')|int }}"
dac76a
-
dac76a
-- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules
dac76a
-  find:
dac76a
-    paths: "/etc/audit"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$'
dac76a
-    patterns: "audit.rules"
dac76a
-  register: audit_kernel_found_64_audit_rules
dac76a
-  loop: "{{ syscalls }}"
dac76a
-
dac76a
-- name: get number of matched 64 bit syscalls in /etc/audit/rules.d/*
dac76a
-  set_fact: audit_kernel_matched_64_audit_rules="{{audit_kernel_found_64_audit_rules.results|sum(attribute='matched')|int }}"
dac76a
-
dac76a
-
dac76a
-#
dac76a
-# Inserts the rule in /etc/audit/rules.d
dac76a
-#
dac76a
-
dac76a
 - name: Search /etc/audit/rules.d for other kernel module loading audit rules
dac76a
   find:
dac76a
     paths: "/etc/audit/rules.d"
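Review bot: The count kept at the top of this hunk, `audit_kernel_found_64_rules_d.results|sum(attribute='matched')`, adds up `find`'s `matched` values, but `matched` is the number of files containing the pattern and the rules.d search runs over `*.rules`, so a syscall present in two or three files can push the sum up to `audit_kernel_number_of_syscalls` while another syscall is missing; the later gate `audit_kernel_matched_64_rules_d < audit_kernel_number_of_syscalls` is then false and the missing syscall is never written. Counting syscalls with no match is immune to that: `audit_kernel_missing_64_rules_d: "{{ audit_kernel_found_64_rules_d.results | selectattr('matched', 'equalto', 0) | list | length }}"` and gate on `> 0`. The 32-bit sum just above this hunk has the same shape; the audit.rules searches use a single-file pattern and cannot exceed one per syscall, so they are unaffected.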
dac76a
@@ -131,9 +107,31 @@
dac76a
 
dac76a
 
dac76a
 #   
dac76a
-# Inserts the rule in /etc/audit/audit.rules
dac76a
+# rules in /etc/audit/audit.rules
dac76a
 #
dac76a
 
dac76a
+- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules
dac76a
+  find:
dac76a
+    paths: "/etc/audit"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$'
dac76a
+    patterns: "audit.rules"
dac76a
+  register: audit_kernel_found_32_audit_rules
dac76a
+  loop: "{{ syscalls }}"
dac76a
+
dac76a
+- name: get number of matched 32 bit syscalls in /etc/audit/audit.rules
dac76a
+  set_fact: audit_kernel_matched_32_audit_rules="{{audit_kernel_found_32_audit_rules.results|sum(attribute='matched')|int }}"
dac76a
+
dac76a
+- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules
dac76a
+  find:
dac76a
+    paths: "/etc/audit"
dac76a
+    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$'
dac76a
+    patterns: "audit.rules"
dac76a
+  register: audit_kernel_found_64_audit_rules
dac76a
+  loop: "{{ syscalls }}"
dac76a
+
dac76a
+- name: get number of matched 64 bit syscalls in /etc/audit/rules.d/*
dac76a
+  set_fact: audit_kernel_matched_64_audit_rules="{{audit_kernel_found_64_audit_rules.results|sum(attribute='matched')|int }}"
dac76a
+
dac76a
 - name: Inserts the modules rule in audit.rules when on x86
dac76a
   block:
dac76a
     - name: "Construct rule: add rule list, action and arch"
dac76a
dac76a
From c665c7949d8cc765fd489f839b73e38404ec466b Mon Sep 17 00:00:00 2001
dac76a
From: Vojtech Polasek <vpolasek@redhat.com>
dac76a
Date: Mon, 27 Apr 2020 09:32:01 +0200
dac76a
Subject: [PATCH 7/8] fix task names
dac76a
dac76a
---
dac76a
 .../ansible/shared.yml                        | 32 +++++++++----------
dac76a
 1 file changed, 16 insertions(+), 16 deletions(-)
dac76a
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
dac76a
index 865e77ed40..ba45d40dcb 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
dac76a
@@ -20,14 +20,14 @@
dac76a
       - "finit_module"
dac76a
       {{% endif %}}
dac76a
 
dac76a
-- name: declare number of syscalls
dac76a
+- name: Declare number of syscalls
dac76a
   set_fact: audit_kernel_number_of_syscalls="{{ syscalls|length|int }}"
dac76a
 
dac76a
 #
dac76a
 #rules in /etc/audit/rules.d/*
dac76a
 #
dac76a
 
dac76a
-- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/*
dac76a
+- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/
dac76a
   find:
dac76a
     paths: "/etc/audit/rules.d"
dac76a
     contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$'
dac76a
@@ -35,10 +35,10 @@
dac76a
   register: audit_kernel_found_32_rules_d
dac76a
   loop: "{{ syscalls }}"
dac76a
 
dac76a
-- name: get number of matched 32 bit syscalls in /etc/audit/rules.d/*
dac76a
+- name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/
dac76a
   set_fact: audit_kernel_matched_32_rules_d="{{audit_kernel_found_32_rules_d.results|sum(attribute='matched')|int }}"
dac76a
 
dac76a
-- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/*
dac76a
+- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/
dac76a
   find:
dac76a
     paths: "/etc/audit/rules.d"
dac76a
     contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$'
dac76a
@@ -46,7 +46,7 @@
dac76a
   register: audit_kernel_found_64_rules_d
dac76a
   loop: "{{ syscalls }}"
dac76a
 
dac76a
-- name: get number of matched 64 bit syscalls in /etc/audit/rules.d/*
dac76a
+- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/
dac76a
   set_fact: audit_kernel_matched_64_rules_d="{{audit_kernel_found_64_rules_d.results|sum(attribute='matched')|int }}"
dac76a
 
dac76a
 - name: Search /etc/audit/rules.d for other kernel module loading audit rules
dac76a
@@ -57,7 +57,7 @@
dac76a
     patterns: "*.rules"
dac76a
   register: find_modules
dac76a
 
dac76a
-- name: If existing kernel module loading ruleset not found, use /etc/audit/rules.d/modules.rules as the recipient for the rule
dac76a
+- name: Use /etc/audit/rules.d/modules.rules as the recipient for the rule
dac76a
   set_fact:
dac76a
     all_files:
dac76a
       - /etc/audit/rules.d/modules.rules
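Review bot: The shortened name `Use /etc/audit/rules.d/modules.rules as the recipient for the rule` drops the fact that this is only a default, overridden by the following task whenever `find_modules.matched > 0` (visible in the next hunk's context lines), so the play output now reads as if modules.rules is always chosen even when an existing file is reused. Keep the condition in the name, e.g. `- name: Default to /etc/audit/rules.d/modules.rules when no existing kernel module loading rules file is found`.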
dac76a
@@ -69,7 +69,7 @@
dac76a
       - "{{ find_modules.files | map(attribute='path') | list | first }}"
dac76a
   when: find_modules.matched is defined and find_modules.matched > 0
dac76a
 
dac76a
-- name: Inserts the modules rule in rules.d when on x86
dac76a
+- name: "Insert the modules rule in {{ all_files[0] }} when on x86"
dac76a
   block:
dac76a
     - name: "Construct rule: add rule list, action and arch"
dac76a
       set_fact: tmpline="-a always,exit -F arch=b32 "
dac76a
@@ -79,7 +79,7 @@
dac76a
       when: item.matched is defined and item.matched == 0
dac76a
     - name: "Construct rule: add key"
dac76a
       set_fact: tmpline="{{ tmpline + '-k modules' }}"
dac76a
-    - name: insert the line in appropriate file
dac76a
+    - name: "Insert the line in {{ all_files[0] }}"
dac76a
       lineinfile:
dac76a
         path: "{{ all_files[0] }}"
dac76a
         line: "{{ tmpline }}"
dac76a
@@ -87,7 +87,7 @@
dac76a
         state: present
dac76a
   when: audit_kernel_matched_32_rules_d < audit_kernel_number_of_syscalls
dac76a
 
dac76a
-- name: Inserts the modules rule in rules.d when on x86_64
dac76a
+- name: "Insert the modules rule in {{ all_files[0] }} when on x86_64"
dac76a
   block:
dac76a
     - name: "Construct rule: add rule list, action and arch"
dac76a
       set_fact: tmpline="-a always,exit -F arch=b64 "
dac76a
@@ -97,7 +97,7 @@
dac76a
       when: item.matched is defined and item.matched == 0
dac76a
     - name: "Construct rule: add key"
dac76a
       set_fact: tmpline="{{ tmpline + '-k modules' }}"
dac76a
-    - name: insert the line in appropriate file
dac76a
+    - name: "Insert the line in {{ all_files[0] }}"
dac76a
       lineinfile:
dac76a
         path: "{{ all_files[0] }}"
dac76a
         line: "{{ tmpline }}"
dac76a
@@ -118,7 +118,7 @@
dac76a
   register: audit_kernel_found_32_audit_rules
dac76a
   loop: "{{ syscalls }}"
dac76a
 
dac76a
-- name: get number of matched 32 bit syscalls in /etc/audit/audit.rules
dac76a
+- name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules
dac76a
   set_fact: audit_kernel_matched_32_audit_rules="{{audit_kernel_found_32_audit_rules.results|sum(attribute='matched')|int }}"
dac76a
 
dac76a
 - name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules
dac76a
@@ -129,10 +129,10 @@
dac76a
   register: audit_kernel_found_64_audit_rules
dac76a
   loop: "{{ syscalls }}"
dac76a
 
dac76a
-- name: get number of matched 64 bit syscalls in /etc/audit/rules.d/*
dac76a
+- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/*
dac76a
   set_fact: audit_kernel_matched_64_audit_rules="{{audit_kernel_found_64_audit_rules.results|sum(attribute='matched')|int }}"
dac76a
 
dac76a
-- name: Inserts the modules rule in audit.rules when on x86
dac76a
+- name: Insert the modules rule in /etc/audit/audit.rules when on x86
dac76a
   block:
dac76a
     - name: "Construct rule: add rule list, action and arch"
dac76a
       set_fact: tmpline="-a always,exit -F arch=b32 "
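Review bot: The renamed task at the top of this hunk still says `/etc/audit/rules.d/*`, yet it sums `audit_kernel_found_64_audit_rules`, the register of the `/etc/audit/audit.rules` search directly above it, so the copy/paste error this patch sets out to fix survives with only its capitalisation changed. Rename it `- name: Get number of matched 64 bit syscalls in /etc/audit/audit.rules`, matching its 32-bit sibling earlier in the same section.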
dac76a
@@ -142,7 +142,7 @@
dac76a
       when: item.matched is defined and item.matched == 0
dac76a
     - name: "Construct rule: add key"
dac76a
       set_fact: tmpline="{{ tmpline + '-k modules' }}"
dac76a
-    - name: insert the line in appropriate file
dac76a
+    - name: Insert the line in /etc/audit/audit.rules
dac76a
       lineinfile:
dac76a
         path: "/etc/audit/audit.rules"
dac76a
         line: "{{ tmpline }}"
dac76a
@@ -150,7 +150,7 @@
dac76a
         state: present
dac76a
   when: audit_kernel_matched_32_audit_rules < audit_kernel_number_of_syscalls
dac76a
 
dac76a
-- name: Inserts the modules rule in rules.d when on x86_64
dac76a
+- name: Insert the modules rule in /etc/audit/rules.d when on x86_64
dac76a
   block:
dac76a
     - name: "Construct rule: add rule list, action and arch"
dac76a
       set_fact: tmpline="-a always,exit -F arch=b64 "
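Review bot: The new name `Insert the modules rule in /etc/audit/rules.d when on x86_64` is wrong for this block: its `lineinfile` writes `/etc/audit/audit.rules` (shown in the next hunk), and the inner task is correctly renamed `Insert the line in /etc/audit/audit.rules` there. Use `- name: Insert the modules rule in /etc/audit/audit.rules when on x86_64`, matching the x86 block above it. The block's `when` gate lies past the end of this hunk.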
dac76a
@@ -160,7 +160,7 @@
dac76a
       when: item.matched is defined and item.matched == 0
dac76a
     - name: "Construct rule: add key"
dac76a
       set_fact: tmpline="{{ tmpline + '-k modules' }}"
dac76a
-    - name: insert the line in appropriate file
dac76a
+    - name: Insert the line in /etc/audit/audit.rules
dac76a
       lineinfile:
dac76a
         path: "/etc/audit/audit.rules"
dac76a
         line: "{{ tmpline }}"
dac76a
dac76a
From f8c997abea70edc40c29afd81f134da788f7c1b2 Mon Sep 17 00:00:00 2001
dac76a
From: Vojtech Polasek <vpolasek@redhat.com>
dac76a
Date: Mon, 27 Apr 2020 11:59:25 +0200
dac76a
Subject: [PATCH 8/8] fix regex to prevent duplicate lines
dac76a
dac76a
---
dac76a
 .../audit_rules_kernel_module_loading/ansible/shared.yml  | 8 ++++----
dac76a
 1 file changed, 4 insertions(+), 4 deletions(-)
dac76a
dac76a
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
dac76a
index ba45d40dcb..9d028a598d 100644
dac76a
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
dac76a
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml
dac76a
@@ -30,7 +30,7 @@
dac76a
 - name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/
dac76a
   find:
dac76a
     paths: "/etc/audit/rules.d"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$'
dac76a
+    contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
dac76a
     patterns: "*.rules"
dac76a
   register: audit_kernel_found_32_rules_d
dac76a
   loop: "{{ syscalls }}"
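Review bot: The new regex treats any `arch=b32` `always,exit` rule that names the syscall and carries a key as satisfying the requirement, including rules with additional `-F` filters (for example `-F auid=1000`) that restrict auditing to a subset of events, and conversely it ignores an otherwise complete rule that lacks `-k`/`-F key=`, so such a host gets a second, keyed rule appended. Whether either outcome matches what the corresponding OVAL check accepts cannot be told from this file, so the intent should be stated above the task, e.g. `# A syscall counts as covered when any always,exit rule for this arch names it and has a key; extra -F filters are not inspected.` The same note applies to the three sibling checks in this patch.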
dac76a
@@ -41,7 +41,7 @@
dac76a
 - name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/
dac76a
   find:
dac76a
     paths: "/etc/audit/rules.d"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$'
dac76a
+    contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
dac76a
     patterns: "*.rules"
dac76a
   register: audit_kernel_found_64_rules_d
dac76a
   loop: "{{ syscalls }}"
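Review bot: The same ~180-character pattern is now repeated four times in this file with only the architecture differing, which is exactly how the pre-patch variants drifted and why this fix has to touch four places; build it once and parameterise the arch so the four `find` tasks keep a one-line `contains:`. Note also that `{{ item }}` is interpolated into the regex unescaped; that is safe while `syscalls` is the fixed list of identifiers declared above, but `| regex_escape` costs nothing and protects the check if the list is ever made a variable.
```yaml
- name: Build the syscall presence regex shared by the four find tasks
  set_fact:
    audit_kernel_syscall_regex: >-
      ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=ARCH[\s]+)(?:.*(-S[\s]+SYSCALL[\s]+|([\s]+|[,])SYSCALL([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$

# … unchanged: find task name, paths, patterns, register, loop …
    contains: "{{ audit_kernel_syscall_regex | replace('ARCH', 'b64') | replace('SYSCALL', item | regex_escape) }}"
```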
dac76a
@@ -113,7 +113,7 @@
dac76a
 - name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules
dac76a
   find:
dac76a
     paths: "/etc/audit"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$'
dac76a
+    contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
dac76a
     patterns: "audit.rules"
dac76a
   register: audit_kernel_found_32_audit_rules
dac76a
   loop: "{{ syscalls }}"
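Review bot: Checking and later editing `/etc/audit/audit.rules` directly is only meaningful on hosts whose auditd loads that file with `auditctl`; under `augenrules` the file is regenerated from `/etc/audit/rules.d/*.rules` at service start and a line placed there by the `lineinfile` further down is overwritten, which is presumably why the rules.d pass exists alongside this one, but nothing in the file says so. A short comment above this task would spare the next maintainer the question, e.g. `# audit.rules is consulted directly only on auditctl-style hosts; with augenrules it is rebuilt from rules.d, so both locations are handled.` I cannot confirm from this file which loader the target profiles assume.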
dac76a
@@ -124,7 +124,7 @@
dac76a
 - name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules
dac76a
   find:
dac76a
     paths: "/etc/audit"
dac76a
-    contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$'
dac76a
+    contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
dac76a
     patterns: "audit.rules"
dac76a
   register: audit_kernel_found_64_audit_rules
dac76a
   loop: "{{ syscalls }}"