Merge pull request #95 from ossys/issue_93_fix

Updated fapolicyd Rules Directory Support - Issue 93 Fix

Author: georgenalen

handlers/main.yml

@@ -46,6 +46,10 @@
       name: rsyslog
       state: restarted
 
+- name: generate fapolicyd rules
+  command: fagenrules --load
+  when: rhel_08_040137_rules_dir.stat.exists
+
 - name: restart fapolicyd
   service:
       name: fapolicyd

tasks/fix-cat2.yml

@@ -6281,14 +6281,21 @@
 
 - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
   block:
+      - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Check for rules.d/ directory"
+        stat:
+          path: /etc/fapolicyd/rules.d/
+        register: rhel_08_040137_rules_dir
+
       - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist "
         lineinfile:
-            path: /etc/fapolicyd/fapolicyd.rules
+            path: "{{ '/etc/fapolicyd/rules.d/99-stig.rules' if rhel_08_040137_rules_dir.stat.exists else '/etc/fapolicyd/fapolicyd.rules' }}"
             line: "{{ item }}"
+            create: yes
         with_items:
             - "allow exe={{ ansible_python.executable }} : ftype=text/x-python"
             - "{{ rhel8stig_fapolicy_white_list }}"
         notify:
+            - generate fapolicyd rules
             - restart fapolicyd
 
       - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0"