openstack/ansible-hardening
Code Issues Proposed changes

Apply architecture specific audit rules

Browse Source 
Some audit rules do not work on arm systems, so disable this
subset when the target system is aarch64 architecture.

Closes-Bug: 2081831
Change-Id: Ia5cea0533eb174b52009a54fceeee36b9e4dfe8b
(cherry picked from commit f97af47301)
This commit is contained in:
Jonathan Rosser
2024-09-25 13:32:12 +01:00
committed by Dmitriy Rabotyagov
parent aa4e3fbf1a
commit 13a111e438
1 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
defaults/main.yml
View File

@@ -103,7 +103,7 @@ security_rhel7_audit_chage: yes # V-72155
security_rhel7_audit_chcon: yes # V-72139 security_rhel7_audit_chcon: yes # V-72139
security_rhel7_audit_chmod: no # V-72105 security_rhel7_audit_chmod: no # V-72105
security_rhel7_audit_chown: no # V-72097 security_rhel7_audit_chown: no # V-72097
security_rhel7_audit_creat: yes # V-72123 security_rhel7_audit_creat: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72123
security_rhel7_audit_crontab: yes # V-72183 security_rhel7_audit_crontab: yes # V-72183
security_rhel7_audit_delete_module: yes # V-72189 security_rhel7_audit_delete_module: yes # V-72189
security_rhel7_audit_fchmod: no # V-72107 security_rhel7_audit_fchmod: no # V-72107
@@ -120,7 +120,7 @@ security_rhel7_audit_lremovexattr: no # V-72121
security_rhel7_audit_lsetxattr: no # V-72115 security_rhel7_audit_lsetxattr: no # V-72115
security_rhel7_audit_mount: yes # V-72171 security_rhel7_audit_mount: yes # V-72171
security_rhel7_audit_newgrp: yes # V-72165 security_rhel7_audit_newgrp: yes # V-72165
security_rhel7_audit_open: yes # V-72125 security_rhel7_audit_open: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72125
security_rhel7_audit_openat: yes # V-72127 security_rhel7_audit_openat: yes # V-72127
security_rhel7_audit_open_by_handle_at: yes # V-72129 security_rhel7_audit_open_by_handle_at: yes # V-72129
security_rhel7_audit_pam_timestamp_check: yes # V-72185 security_rhel7_audit_pam_timestamp_check: yes # V-72185
@@ -128,10 +128,10 @@ security_rhel7_audit_passwd: yes # V-72149
security_rhel7_audit_postdrop: yes # V-72175 security_rhel7_audit_postdrop: yes # V-72175
security_rhel7_audit_postqueue: yes # V-72177 security_rhel7_audit_postqueue: yes # V-72177
security_rhel7_audit_removexattr: no # V-72117 security_rhel7_audit_removexattr: no # V-72117
security_rhel7_audit_rename: yes # V-72199 security_rhel7_audit_rename: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72199
security_rhel7_audit_renameat: yes # V-72201 security_rhel7_audit_renameat: yes # V-72201
security_rhel7_audit_restorecon: yes # V-72141 security_rhel7_audit_restorecon: yes # V-72141
security_rhel7_audit_rmdir: yes # V-72203 security_rhel7_audit_rmdir: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72203
security_rhel7_audit_semanage: yes # V-72135 security_rhel7_audit_semanage: yes # V-72135
security_rhel7_audit_setsebool: yes # V-72137 security_rhel7_audit_setsebool: yes # V-72137
security_rhel7_audit_setxattr: no # V-72111 security_rhel7_audit_setxattr: no # V-72111
@@ -142,7 +142,7 @@ security_rhel7_audit_sudoedit: yes # V-72169
security_rhel7_audit_truncate: yes # V-72131 security_rhel7_audit_truncate: yes # V-72131
security_rhel7_audit_umount: yes # V-72173 security_rhel7_audit_umount: yes # V-72173
security_rhel7_audit_unix_chkpwd: yes # V-72151 security_rhel7_audit_unix_chkpwd: yes # V-72151
security_rhel7_audit_unlink: yes # V-72205 security_rhel7_audit_unlink: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72205
security_rhel7_audit_unlinkat: yes # V-72207 security_rhel7_audit_unlinkat: yes # V-72207
security_rhel7_audit_userhelper: yes # V-72157 security_rhel7_audit_userhelper: yes # V-72157
# Add audit rules for other events. # Add audit rules for other events.