Merge pull request #83 from ansible-lockdown/pub_audit_template

frederickw082922 · web-flow · commit d9c1d4449b23 · 2025-10-17T10:29:37.000-04:00
updated missing 6.2.3.19 for query and create
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -950,7 +950,7 @@ ubtu24cis_pam_confd_dir: 'usr/share/pam-configs/'
 
 # Controls 5.3.2.1 - pam_unix
 # Name of file
-ubtu24cis_pam_pwunix_file: 'pam_unix'
+ubtu24cis_pam_pwunix_file: 'unix'
 # Should NOT be enabled if allowing custom config that enabled pam_faillock
 ubtu24cis_pam_create_pamunix_file: false
 # Allow pam-auth-update --enable ubtu24cis_pam_pwunix_file to run
diff --git a/tasks/section_5/cis_5.3.3.4.x.yml b/tasks/section_5/cis_5.3.3.4.x.yml
@@ -46,7 +46,7 @@
     - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Ensure remember removed"
       when: discovered_pam_remember.stdout | length > 0
       ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwunix_file }}"
         regexp: remember=\d+
         replace: ''
       loop: "{{ discovered_pam_remember.stdout_lines }}"
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
@@ -121,7 +121,7 @@
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_19 %}
 -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -k kernel_modules
-{% set syscalls = ["init_module","finit_module","delete_module"] %}
+{% set syscalls = ["init_module","finit_module","delete_module","create_module","query_module"] %}
 {% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=-1 -k kernel_modules
 {% endif %}
