Profile: Audit Ansible (audit-ansible)
Version: 1.0.0
Target:  local://

  ✔  audit-config-ansible-01: Verify audit daemon is configured by Ansible correctly
     ✔  File /etc/audit/auditd.conf content should match /log_format = RAW/
     ✔  File /etc/audit/auditd.conf content should not match /name =/
     ✔  File /etc/audit/auditd.conf content should match /max_log_file_action = ROTATE/
     ✔  File /etc/audisp/audispd.conf content should match /q_depth = 150/
     ✔  File /etc/audisp/audisp-remote.conf content should match /enable_krb5 = no/
     ✔  File /etc/audisp/audisp-remote.conf content should not match /remote_server = \w+/
  ✔  audit-01: Verify audit daemon is installed correctly
     ✔  System Package audit should be installed
     ✔  System Package audispd-plugins should be installed
     ✔  Service auditd should be enabled
     ✔  Service auditd should be running
     ✔  File /etc/audit/auditd.conf should be owned by "root"
     ✔  File /etc/audit/auditd.conf should be grouped into "root"
     ✔  File /etc/audit/auditd.conf mode should cmp == "0640"
     ✔  File /etc/audit/rules.d/audit.rules should be owned by "root"
     ✔  File /etc/audit/rules.d/audit.rules should be grouped into "root"
     ✔  File /etc/audit/rules.d/audit.rules mode should cmp == "0640"
     ✔  File /etc/audisp/audispd.conf should be owned by "root"
     ✔  File /etc/audisp/audispd.conf should be grouped into "root"
     ✔  File /etc/audisp/audispd.conf mode should cmp == "0640"
     ✔  File /etc/audisp/audisp-remote.conf should be owned by "root"
     ✔  File /etc/audisp/audisp-remote.conf should be grouped into "root"
     ✔  File /etc/audisp/audisp-remote.conf mode should cmp == "0640"
  ✔  RHEL-07-030090: The operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.
     ✔  Command grep -rE "^\-f\s+2" /etc/audit/* exit_status should eq 0
  ✔  RHEL-07-030310: All privileged function executions must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030380: All uses of the chown command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030381: All uses of the fchown command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030382: All uses of the lchown command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030383: All uses of the fchownat command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030390: All uses of the chmod command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030391: All uses of the fchmod command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030392: All uses of the fchmodat command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030400: All uses of the setxattr command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030401: All uses of the fsetxattr command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030402: All uses of the lsetxattr command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030403: All uses of the removexattr command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030404: All uses of the fremovexattr command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030405: All uses of the lremovexattr command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030420: All uses of the creat command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030421: All uses of the open command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030422: All uses of the openat command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030423: All uses of the open_by_handle_at command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030424: All uses of the truncate command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030425: All uses of the ftruncate command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030441: All uses of the semanage command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030442: All uses of the setsebool command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030443: All uses of the chcon command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030444: All uses of the restorecon command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030490: The operating system must generate audit records for all successful/unsuccessful account access count events.
     ✔  Audit Daemon Rules lines should include "-w /var/log/tallylog -p wa -k logins"
  ✔  RHEL-07-030491: The operating system must generate audit records for all unsuccessful account access events.
     ✔  Audit Daemon Rules lines should include "-w /var/run/faillock -p wa -k logins"
  ✔  RHEL-07-030492: The operating system must generate audit records for all successful account access events.
     ✔  Audit Daemon Rules lines should include "-w /var/log/lastlog -p wa -k logins"
  ✔  RHEL-07-030510: All uses of the passwd command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030511: All uses of the unix_chkpwd command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030512: All uses of the gpasswd command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030513: All uses of the chage command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030514: All uses of the userhelper command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030521: All uses of the su command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030522: All uses of the sudo command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030523: The operating system must generate audit records containing the full-text recording of modifications to sudo configuration files.
     ✔  Audit Daemon Rules lines should include "-w /etc/sudoers.d -p wa -k privileged-actions"
  ✔  RHEL-07-030524: All uses of the newgrp command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030525: All uses of the chsh command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030526: All uses of the sudoedit command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030530: All uses of the mount command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030531: All uses of the umount command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030540: All uses of the postdrop command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030541: All uses of the postqueue command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030550: All uses of the ssh-keysign command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030560: All uses of the pt_chown command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030561: All uses of the crontab command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030630: All uses of the pam_timestamp_check command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030670: All uses of the init_module command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030671: All uses of the delete_module command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030672: All uses of the insmod command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030673: All uses of the rmmod command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030674: All uses of the modprobe command must be audited.
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030710: The operating system must generate audit records for all account creations, modifications, disabling, and termination events.
     ✔  Audit Daemon Rules lines should include "-w /etc/group -p wa -k audit_rules_usergroup_modification"
     ✔  Audit Daemon Rules lines should include "-w /etc/passwd -p wa -k audit_rules_usergroup_modification"
     ✔  Audit Daemon Rules lines should include "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification"
     ✔  Audit Daemon Rules lines should include "-w /etc/shadow -p wa -k audit_rules_usergroup_modification"
     ✔  Audit Daemon Rules lines should include "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification"
  ✔  RHEL-07-030750: All uses of the rename command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030751: All uses of the renameat command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030752: All uses of the rmdir command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030753: All uses of the unlink command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]
  ✔  RHEL-07-030754: All uses of the unlinkat command must be audited.
     ✔  ["exit"] should eq ["exit"]
     ✔  ["exit"] should eq ["exit"]

Profile Summary: 60 successful, 0 failures, 0 skipped
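The report above lists what the audit-ansible profile asserts but not how each assertion is evaluated, and the many `["exit"] should eq ["exit"]` lines print only the action field of the matched rule rather than the rule itself. The shell script below is an added example, not code from the report or from the audit-ansible profile: it re-implements a representative subset of the same checks (the auditd.conf / audisp settings, the `-f 2` failure mode, arch-paired syscall rules, a `-F path=... -F perm=x` rule for a privileged binary, and `-w ... -p wa -k ...` watches) as plain shell functions that take a root directory, so they can be run against a constructed fixture offline or against `/` on a host. Every file in the fixture, including the rule keys `perm_mod` and `privileged-passwd`, is constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: shell re-implementation of a subset of the auditd checks in the
# report above. All fixture contents are constructed for this example.
set -u

# make_fixture: write constructed copies of the files the report inspects into a
# temporary root and print that root. name_format is included on purpose: the
# report's /name =/ negative match must not trip over it.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/etc/audit/rules.d" "$root/etc/audisp"
  cat > "$root/etc/audit/auditd.conf" <<'EOF'
log_file = /var/log/audit/audit.log
log_format = RAW
name_format = NONE
max_log_file = 8
max_log_file_action = ROTATE
EOF
  cat > "$root/etc/audisp/audispd.conf" <<'EOF'
q_depth = 150
overflow_action = SYSLOG
EOF
  cat > "$root/etc/audisp/audisp-remote.conf" <<'EOF'
remote_server = 
enable_krb5 = no
EOF
  cat > "$root/etc/audit/rules.d/audit.rules" <<'EOF'
-D
-b 8192
-f 2
-a always,exit -F arch=b32 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /etc/sudoers.d -p wa -k privileged-actions
EOF
  printf '%s\n' "$root"
}

# key_is FILE KEY VALUE: exactly one uncommented "KEY = VALUE" line.
key_is() { [ "$(grep -cE "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1")" -eq 1 ]; }
# key_unset FILE KEY: no line assigns KEY a non-empty value ("KEY = " is fine).
key_unset() { ! grep -qE "^[[:space:]]*$2[[:space:]]*=[[:space:]]*[^[:space:]]" "$1"; }
# audit_fail_mode DIR: some file under DIR sets "-f 2" (panic on audit failure).
audit_fail_mode() { grep -rqE '^-f[[:space:]]+2([[:space:]]|$)' "$1"; }
# audit_watch FILE PATH KEY: a write/attribute watch on PATH tagged with KEY.
audit_watch() { grep -qE "^-w[[:space:]]+$2[[:space:]]+-p[[:space:]]+wa[[:space:]]+-k[[:space:]]+$3([[:space:]]|$)" "$1"; }
# audit_syscall FILE SYSCALL: an always,exit rule listing SYSCALL for both b32 and b64.
audit_syscall() {
  for arch in b32 b64; do
    grep -qE "^-a[[:space:]]+always,exit[[:space:]]+-F[[:space:]]+arch=$arch[[:space:]].*-S[[:space:]]+([^[:space:]]*,)?$2(,|[[:space:]])" "$1" || return 1
  done
}
# audit_exec FILE PROGRAM: an always,exit rule on execution of PROGRAM.
audit_exec() { grep -qE "^-a[[:space:]]+always,exit[[:space:]].*-F[[:space:]]+path=$2[[:space:]].*-F[[:space:]]+perm=x([[:space:]]|$)" "$1"; }

# check DESC CMD...: run one check, print a PASS/FAIL line, count failures.
check() {
  desc=$1; shift
  if "$@"; then printf '  PASS  %s\n' "$desc"; else printf '  FAIL  %s\n' "$desc"; fails=$((fails + 1)); fi
}

# run_checks ROOT: evaluate the subset of report checks under ROOT; exit status
# is the number of failures, so 0 means everything passed.
run_checks() {
  r=$1; rules=$r/etc/audit/rules.d/audit.rules; fails=0
  check 'auditd.conf log_format = RAW'                key_is "$r/etc/audit/auditd.conf" log_format RAW
  check 'auditd.conf max_log_file_action = ROTATE'    key_is "$r/etc/audit/auditd.conf" max_log_file_action ROTATE
  check 'auditd.conf does not set name'               key_unset "$r/etc/audit/auditd.conf" name
  check 'audispd.conf q_depth = 150'                  key_is "$r/etc/audisp/audispd.conf" q_depth 150
  check 'audisp-remote.conf enable_krb5 = no'         key_is "$r/etc/audisp/audisp-remote.conf" enable_krb5 no
  check 'audisp-remote.conf sets no remote_server'    key_unset "$r/etc/audisp/audisp-remote.conf" remote_server
  check 'RHEL-07-030090 -f 2 under /etc/audit'        audit_fail_mode "$r/etc/audit"
  for sc in chown fchown lchown fchownat; do
    check "RHEL-07-03038x $sc audited on b32 and b64" audit_syscall "$rules" "$sc"
  done
  check 'RHEL-07-030510 passwd execution audited'     audit_exec "$rules" /usr/bin/passwd
  check 'RHEL-07-030490 tallylog watch'               audit_watch "$rules" /var/log/tallylog logins
  check 'RHEL-07-030491 faillock watch'               audit_watch "$rules" /var/run/faillock logins
  check 'RHEL-07-030523 sudoers.d watch'              audit_watch "$rules" /etc/sudoers.d privileged-actions
  printf 'Summary: %d failures\n' "$fails"
  return "$fails"
}

main() {
  fx=$(make_fixture)
  run_checks "$fx"
  rc=$?
  rm -rf "$fx"
  return "$rc"
}
main
```

Run it with `bash` (or any POSIX sh with GNU or BSD grep); `run_checks /` evaluates a real host. Because each check matches the rule line itself, a failing line names the missing setting or rule, which the `["exit"] should eq ["exit"]` output in the report does not do; the syscall check also insists on both architectures, which is why the report carries two lines for each chown/chmod/xattr/rename control and one line for each path-based control.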