403Webshell
Server IP : 178.212.43.201  /  Your IP : 10.100.0.33
Web Server : Apache/2.4.37 (Oracle Linux Server) OpenSSL/1.1.1k
System : Linux spa0007.srv.paxillus.pl 5.4.17-2136.355.3.1.el8uek.x86_64 #3 SMP Sat May 9 17:11:55 PDT 2026 x86_64
User : apache ( 48)
PHP Version : 7.4.33
Disable Function : NONE
MySQL : OFF  |  cURL : ON  |  WGET : ON  |  Perl : ON  |  Python : OFF  |  Sudo : ON  |  Pkexec : ON
Directory :  /usr/share/scap-security-guide/ansible/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Command :


[ Back ]     

Current File : /usr/share/scap-security-guide/ansible/ol9-playbook-standard.yml
---
###############################################################################
#
# Ansible Playbook for Standard System Security Profile for Oracle Linux 9
#
# Profile Description:
# This profile contains rules to ensure standard security baseline
# of Oracle Linux 9 system. Regardless of your system's workload
# all of these checks should pass.
#
# Profile ID:  xccdf_org.ssgproject.content_profile_standard
# Benchmark ID:  xccdf_org.ssgproject.content_benchmark_OL-9
# Benchmark Version:  0.1.80
# XCCDF Version:  1.2
#
# This file can be generated by OpenSCAP using:
# $ oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_standard --fix-type ansible ssg-ol9-ds.xml
#
# This Ansible Playbook is generated from an XCCDF profile without preliminary evaluation.
# It attempts to fix every selected rule, even if the system is already compliant.
#
# How to apply this Ansible Playbook:
# $ ansible-playbook -i "localhost," -c local playbook.yml
# $ ansible-playbook -i "192.168.1.155," playbook.yml
# $ ansible-playbook -i inventory.ini playbook.yml
#
###############################################################################

- name: Ansible Playbook for xccdf_org.ssgproject.content_profile_standard
  hosts: all
  vars:
    var_system_crypto_policy: DEFAULT
  tasks:

  - name: Gather the package facts
    ansible.builtin.package_facts:
      manager: auto
    tags:
    - always

  - name: Security patches are up to date
    ansible.builtin.package:
      name: '*'
      state: latest
    tags:
    - CJIS-5.10.4.1
    - DISA-STIG-OL09-00-000015
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-2(5)
    - NIST-800-53-SI-2(c)
    - PCI-DSS-Req-6.2
    - PCI-DSSv4-6.3
    - PCI-DSSv4-6.3.3
    - high_disruption
    - low_complexity
    - medium_severity
    - patch_strategy
    - reboot_required
    - security_patches_up_to_date
    - skip_ansible_lint

  - name: Ensure rsyslog is installed
    ansible.builtin.package:
      name: rsyslog
      state: present
    when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-000350
    - NIST-800-53-CM-6(a)
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_rsyslog_installed

  - name: Gather the package facts
    ansible.builtin.package_facts:
      manager: auto
    tags:
    - always

  - name: Enable rsyslog Service - Enable service rsyslog
    block:

    - name: Enable rsyslog Service - Enable Service rsyslog
      ansible.builtin.systemd:
        name: rsyslog
        enabled: true
        state: started
        masked: false
      when:
      - '"rsyslog" in ansible_facts.packages'
    tags:
    - DISA-STIG-OL09-00-000351
    - NIST-800-53-AU-4(1)
    - NIST-800-53-CM-6(a)
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_rsyslog_enabled
    - special_service_block
    when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)

  - name: Disable the Automounter - Disable service autofs
    block:

    - name: Disable the Automounter - Collect systemd Services Present in the System
      ansible.builtin.command: systemctl -q list-unit-files --type service
      register: service_exists
      changed_when: false
      failed_when: service_exists.rc not in [0, 1]
      check_mode: false

    - name: Disable the Automounter - Ensure autofs.service is Masked
      ansible.builtin.systemd:
        name: autofs.service
        state: stopped
        enabled: false
        masked: true
      when: service_exists.stdout_lines is search("autofs.service", multiline=True)

    - name: Unit Socket Exists - autofs.socket
      ansible.builtin.command: systemctl -q list-unit-files autofs.socket
      register: socket_file_exists
      changed_when: false
      failed_when: socket_file_exists.rc not in [0, 1]
      check_mode: false

    - name: Disable the Automounter - Disable Socket autofs
      ansible.builtin.systemd:
        name: autofs.socket
        enabled: false
        state: stopped
        masked: true
      when: socket_file_exists.stdout_lines is search("autofs.socket", multiline=True)
    tags:
    - DISA-STIG-OL09-00-002000
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_autofs_disabled
    - special_service_block
    when: ( "autofs" in ansible_facts.packages and ("kernel" in ansible_facts.packages
      or "kernel-uek" in ansible_facts.packages) )

  - name: Disable Odd Job Daemon (oddjobd) - Disable service oddjobd
    block:

    - name: Disable Odd Job Daemon (oddjobd) - Collect systemd Services Present in
        the System
      ansible.builtin.command: systemctl -q list-unit-files --type service
      register: service_exists
      changed_when: false
      failed_when: service_exists.rc not in [0, 1]
      check_mode: false

    - name: Disable Odd Job Daemon (oddjobd) - Ensure oddjobd.service is Masked
      ansible.builtin.systemd:
        name: oddjobd.service
        state: stopped
        enabled: false
        masked: true
      when: service_exists.stdout_lines is search("oddjobd.service", multiline=True)

    - name: Unit Socket Exists - oddjobd.socket
      ansible.builtin.command: systemctl -q list-unit-files oddjobd.socket
      register: socket_file_exists
      changed_when: false
      failed_when: socket_file_exists.rc not in [0, 1]
      check_mode: false

    - name: Disable Odd Job Daemon (oddjobd) - Disable Socket oddjobd
      ansible.builtin.systemd:
        name: oddjobd.socket
        enabled: false
        state: stopped
        masked: true
      when: socket_file_exists.stdout_lines is search("oddjobd.socket", multiline=True)
    tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_oddjobd_disabled
    - special_service_block
    when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)

  - name: Disable Network Router Discovery Daemon (rdisc) - Disable service rdisc
    block:

    - name: Disable Network Router Discovery Daemon (rdisc) - Collect systemd Services
        Present in the System
      ansible.builtin.command: systemctl -q list-unit-files --type service
      register: service_exists
      changed_when: false
      failed_when: service_exists.rc not in [0, 1]
      check_mode: false

    - name: Disable Network Router Discovery Daemon (rdisc) - Ensure rdisc.service
        is Masked
      ansible.builtin.systemd:
        name: rdisc.service
        state: stopped
        enabled: false
        masked: true
      when: service_exists.stdout_lines is search("rdisc.service", multiline=True)

    - name: Unit Socket Exists - rdisc.socket
      ansible.builtin.command: systemctl -q list-unit-files rdisc.socket
      register: socket_file_exists
      changed_when: false
      failed_when: socket_file_exists.rc not in [0, 1]
      check_mode: false

    - name: Disable Network Router Discovery Daemon (rdisc) - Disable Socket rdisc
      ansible.builtin.systemd:
        name: rdisc.socket
        enabled: false
        state: stopped
        masked: true
      when: socket_file_exists.stdout_lines is search("rdisc.socket", multiline=True)
    tags:
    - NIST-800-53-AC-4
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_rdisc_disabled
    - special_service_block
    when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)

  - name: Disable At Service (atd) - Disable service atd
    block:

    - name: Disable At Service (atd) - Collect systemd Services Present in the System
      ansible.builtin.command: systemctl -q list-unit-files --type service
      register: service_exists
      changed_when: false
      failed_when: service_exists.rc not in [0, 1]
      check_mode: false

    - name: Disable At Service (atd) - Ensure atd.service is Masked
      ansible.builtin.systemd:
        name: atd.service
        state: stopped
        enabled: false
        masked: true
      when: service_exists.stdout_lines is search("atd.service", multiline=True)

    - name: Unit Socket Exists - atd.socket
      ansible.builtin.command: systemctl -q list-unit-files atd.socket
      register: socket_file_exists
      changed_when: false
      failed_when: socket_file_exists.rc not in [0, 1]
      check_mode: false

    - name: Disable At Service (atd) - Disable Socket atd
      ansible.builtin.systemd:
        name: atd.socket
        enabled: false
        state: stopped
        masked: true
      when: socket_file_exists.stdout_lines is search("atd.socket", multiline=True)
    tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_atd_disabled
    - special_service_block
    when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)

  - name: Gather the service facts
    ansible.builtin.service_facts: null
    tags:
    - always

  - name: 'Set fact: Package manager reinstall command'
    ansible.builtin.set_fact:
      package_manager_reinstall_cmd: yum reinstall -y
    when:
    - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline )
    - ansible_distribution in [ "Fedora", "RedHat", "CentOS", "OracleLinux", "AlmaLinux"
      ]
    tags:
    - CJIS-5.10.4.1
    - DISA-STIG-OL09-00-000243
    - NIST-800-171-3.3.8
    - NIST-800-171-3.4.1
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(c)
    - NIST-800-53-CM-6(d)
    - NIST-800-53-SI-7
    - NIST-800-53-SI-7(1)
    - NIST-800-53-SI-7(6)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - high_complexity
    - high_severity
    - medium_disruption
    - no_reboot_needed
    - restrict_strategy
    - rpm_verify_hashes

  - name: 'Set fact: Package manager reinstall command (zypper)'
    ansible.builtin.set_fact:
      package_manager_reinstall_cmd: zypper in -f -y
    when:
    - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline )
    - ansible_distribution == "SLES"
    tags:
    - CJIS-5.10.4.1
    - DISA-STIG-OL09-00-000243
    - NIST-800-171-3.3.8
    - NIST-800-171-3.4.1
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(c)
    - NIST-800-53-CM-6(d)
    - NIST-800-53-SI-7
    - NIST-800-53-SI-7(1)
    - NIST-800-53-SI-7(6)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - high_complexity
    - high_severity
    - medium_disruption
    - no_reboot_needed
    - restrict_strategy
    - rpm_verify_hashes

  - name: Read files with incorrect hash
    ansible.builtin.command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps
      --nolinkto --nouser --nogroup --nomode --noghost --noconfig
    register: files_with_incorrect_hash
    changed_when: false
    failed_when: files_with_incorrect_hash.rc > 1
    check_mode: false
    when:
    - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline )
    - (package_manager_reinstall_cmd is defined)
    tags:
    - CJIS-5.10.4.1
    - DISA-STIG-OL09-00-000243
    - NIST-800-171-3.3.8
    - NIST-800-171-3.4.1
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(c)
    - NIST-800-53-CM-6(d)
    - NIST-800-53-SI-7
    - NIST-800-53-SI-7(1)
    - NIST-800-53-SI-7(6)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - high_complexity
    - high_severity
    - medium_disruption
    - no_reboot_needed
    - restrict_strategy
    - rpm_verify_hashes

  - name: Create list of packages
    ansible.builtin.command: rpm -qf "{{ item }}"
    with_items: '{{ files_with_incorrect_hash.stdout_lines | map(''regex_findall'',
      ''^[.]+[5]+.* (\/.*)'', ''\1'') | map(''join'') | select(''match'', ''(\/.*)'')
      | list | unique }}'
    register: list_of_packages
    changed_when: false
    check_mode: false
    when:
    - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline )
    - files_with_incorrect_hash.stdout_lines is defined
    - (files_with_incorrect_hash.stdout_lines | length > 0)
    tags:
    - CJIS-5.10.4.1
    - DISA-STIG-OL09-00-000243
    - NIST-800-171-3.3.8
    - NIST-800-171-3.4.1
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(c)
    - NIST-800-53-CM-6(d)
    - NIST-800-53-SI-7
    - NIST-800-53-SI-7(1)
    - NIST-800-53-SI-7(6)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - high_complexity
    - high_severity
    - medium_disruption
    - no_reboot_needed
    - restrict_strategy
    - rpm_verify_hashes

  - name: Reinstall packages of files with incorrect hash
    ansible.builtin.command: '{{ package_manager_reinstall_cmd }} ''{{ item }}'''
    with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list
      | unique }}'
    when:
    - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline )
    - files_with_incorrect_hash.stdout_lines is defined
    - (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines
      | length > 0))
    tags:
    - CJIS-5.10.4.1
    - DISA-STIG-OL09-00-000243
    - NIST-800-171-3.3.8
    - NIST-800-171-3.4.1
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(c)
    - NIST-800-53-CM-6(d)
    - NIST-800-53-SI-7
    - NIST-800-53-SI-7(1)
    - NIST-800-53-SI-7(6)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - high_complexity
    - high_severity
    - medium_disruption
    - no_reboot_needed
    - restrict_strategy
    - rpm_verify_hashes

  - name: Read list of files with incorrect permissions
    ansible.builtin.command: rpm -Va --nodeps --nosignature --nofiledigest --nosize
      --nomtime --nordev --nocaps --nolinkto --nouser --nogroup
    register: files_with_incorrect_permissions
    failed_when: files_with_incorrect_permissions.rc > 1
    changed_when: false
    check_mode: false
    when: not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline )
    tags:
    - CJIS-5.10.4.1
    - NIST-800-171-3.3.8
    - NIST-800-171-3.4.1
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-6(c)
    - NIST-800-53-CM-6(d)
    - NIST-800-53-SI-7
    - NIST-800-53-SI-7(1)
    - NIST-800-53-SI-7(6)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - high_complexity
    - high_severity
    - medium_disruption
    - no_reboot_needed
    - restrict_strategy
    - rpm_verify_permissions

  - name: Create list of packages
    ansible.builtin.command: rpm -qf "{{ item }}"
    with_items: '{{ files_with_incorrect_permissions.stdout_lines | map(''regex_findall'',
      ''^[.]+[M]+.* (\/.*)'', ''\1'') | map(''join'') | select(''match'', ''(\/.*)'')
      | list | unique }}'
    register: list_of_packages
    changed_when: false
    check_mode: false
    when:
    - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline )
    - (files_with_incorrect_permissions.stdout_lines | length > 0)
    tags:
    - CJIS-5.10.4.1
    - NIST-800-171-3.3.8
    - NIST-800-171-3.4.1
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-6(c)
    - NIST-800-53-CM-6(d)
    - NIST-800-53-SI-7
    - NIST-800-53-SI-7(1)
    - NIST-800-53-SI-7(6)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - high_complexity
    - high_severity
    - medium_disruption
    - no_reboot_needed
    - restrict_strategy
    - rpm_verify_permissions

  - name: Correct file permissions with RPM
    ansible.builtin.command: rpm --restore '{{ item }}'
    with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list
      | unique }}'
    when:
    - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline )
    - (files_with_incorrect_permissions.stdout_lines | length > 0)
    tags:
    - CJIS-5.10.4.1
    - NIST-800-171-3.3.8
    - NIST-800-171-3.4.1
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-6(c)
    - NIST-800-53-CM-6(d)
    - NIST-800-53-SI-7
    - NIST-800-53-SI-7(1)
    - NIST-800-53-SI-7(6)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - high_complexity
    - high_severity
    - medium_disruption
    - no_reboot_needed
    - restrict_strategy
    - rpm_verify_permissions

  - name: Configure BIND to use System Crypto Policy - Check BIND configuration file
      exists
    ansible.builtin.stat:
      path: /etc/named.conf
    register: bind_config_file
    when: '"bind" in ansible_facts.packages'
    tags:
    - DISA-STIG-OL09-00-002421
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - configure_bind_crypto_policy
    - configure_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed

  - name: Configure BIND to use System Crypto Policy - Aborting remediation, file
      not found
    ansible.builtin.debug:
      msg: Aborting remediation as '/etc/named.conf' was not found.
    when:
    - '"bind" in ansible_facts.packages'
    - not bind_config_file.stat.exists
    tags:
    - DISA-STIG-OL09-00-002421
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - configure_bind_crypto_policy
    - configure_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed

  - name: Configure BIND to use System Crypto Policy - Insert crypto-policy into BIND
      config
    ansible.builtin.lineinfile:
      path: /etc/named.conf
      insertafter: ^\s*options\s*{
      line: ' include "/etc/crypto-policies/back-ends/bind.config";'
      state: present
    when:
    - '"bind" in ansible_facts.packages'
    - bind_config_file.stat.exists
    tags:
    - DISA-STIG-OL09-00-002421
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - configure_bind_crypto_policy
    - configure_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed

  - name: Configure System Cryptography Policy - Check current crypto policy (runtime)
    ansible.builtin.command: /usr/bin/update-crypto-policies --show
    register: current_crypto_policy
    changed_when: false
    failed_when: false
    check_mode: false
    tags:
    - DISA-STIG-OL09-00-000070
    - DISA-STIG-OL09-00-000241
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.7
    - configure_crypto_policy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy

  - name: Configure System Cryptography Policy - Get mtime of /etc/crypto-policies/config
    ansible.builtin.stat:
      path: /etc/crypto-policies/config
    register: config_file_stat
    changed_when: false
    failed_when: false
    check_mode: false
    tags:
    - DISA-STIG-OL09-00-000070
    - DISA-STIG-OL09-00-000241
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.7
    - configure_crypto_policy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy

  - name: Configure System Cryptography Policy - Get mtime of /etc/crypto-policies/state/current
    ansible.builtin.stat:
      path: /etc/crypto-policies/state/current
    register: current_file_stat
    changed_when: false
    failed_when: false
    check_mode: false
    tags:
    - DISA-STIG-OL09-00-000070
    - DISA-STIG-OL09-00-000241
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.7
    - configure_crypto_policy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy

  - name: Configure System Cryptography Policy - Check existence of /etc/crypto-policies/back-ends/nss.config
    ansible.builtin.stat:
      path: /etc/crypto-policies/back-ends/nss.config
    register: nss_config_stat
    changed_when: false
    failed_when: false
    check_mode: false
    tags:
    - DISA-STIG-OL09-00-000070
    - DISA-STIG-OL09-00-000241
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.7
    - configure_crypto_policy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy

  - name: Configure System Cryptography Policy - Verify that Crypto Policy is Set
      (runtime)
    ansible.builtin.command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy
      }}
    when: (current_crypto_policy.stdout.strip() != var_system_crypto_policy) or (config_file_stat.stat.exists
      and current_file_stat.stat.exists and config_file_stat.stat.mtime > current_file_stat.stat.mtime)
      or (not nss_config_stat.stat.exists)
    tags:
    - DISA-STIG-OL09-00-000070
    - DISA-STIG-OL09-00-000241
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.7
    - configure_crypto_policy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy

  - name: Configure Kerberos to use System Crypto Policy
    ansible.builtin.file:
      src: /etc/crypto-policies/back-ends/krb5.config
      path: /etc/krb5.conf.d/crypto-policies
      state: link
    tags:
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - configure_kerberos_crypto_policy
    - configure_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - reboot_required

  - name: Configure Libreswan to use System Crypto Policy
    ansible.builtin.lineinfile:
      path: /etc/ipsec.conf
      line: include /etc/crypto-policies/back-ends/libreswan.config
      create: true
    when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-002404
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - PCI-DSS-Req-2.2
    - configure_libreswan_crypto_policy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy

  - name: Configure OpenSSL library to use System Crypto Policy - Search for crypto_policy
      Section
    ansible.builtin.find:
      paths: /etc/pki/tls
      patterns: openssl.cnf
      contains: ^\s*\[\s*crypto_policy\s*]
    register: test_crypto_policy_group
    tags:
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - PCI-DSS-Req-2.2
    - configure_openssl_crypto_policy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

  - name: Configure OpenSSL library to use System Crypto Policy - Search for crypto_policy
      Section Together With .include Directive
    ansible.builtin.find:
      paths: /etc/pki/tls
      patterns: openssl.cnf
      contains: ^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$
    register: test_crypto_policy_include_directive
    tags:
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - PCI-DSS-Req-2.2
    - configure_openssl_crypto_policy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

  - name: Configure OpenSSL library to use System Crypto Policy - Add .include Line
      for opensslcnf.config File in crypto_policy Section
    ansible.builtin.lineinfile:
      create: true
      insertafter: ^\s*\[\s*crypto_policy\s*]\s*
      line: .include = /etc/crypto-policies/back-ends/opensslcnf.config
      path: /etc/pki/tls/openssl.cnf
    when:
    - test_crypto_policy_group.matched > 0
    - test_crypto_policy_include_directive.matched == 0
    tags:
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - PCI-DSS-Req-2.2
    - configure_openssl_crypto_policy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

  - name: Configure OpenSSL library to use System Crypto Policy - Add crypto_policy
      Section With .include for opensslcnf.config File
    ansible.builtin.lineinfile:
      create: true
      line: |-
        [crypto_policy]
        .include = /etc/crypto-policies/back-ends/opensslcnf.config
      path: /etc/pki/tls/openssl.cnf
    when: test_crypto_policy_group.matched == 0
    tags:
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - PCI-DSS-Req-2.2
    - configure_openssl_crypto_policy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

  - name: Configure SSH to use System Crypto Policy
    ansible.builtin.lineinfile:
      dest: /etc/sysconfig/sshd
      state: absent
      regexp: (?i)^\s*CRYPTO_POLICY.*$
    when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-13
    - PCI-DSS-Req-2.2
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.7
    - configure_ssh_crypto_policy
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required

  - name: Ensure GPG check is globally activated
    community.general.ini_file:
      dest: /etc/yum.conf
      section: main
      option: gpgcheck
      value: 1
      no_extra_spaces: true
      create: false
    when: '"yum" in ansible_facts.packages'
    tags:
    - CJIS-5.10.4.1
    - DISA-STIG-OL09-00-000497
    - NIST-800-171-3.4.8
    - NIST-800-53-CM-11(a)
    - NIST-800-53-CM-11(b)
    - NIST-800-53-CM-5(3)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SA-12
    - NIST-800-53-SA-12(10)
    - NIST-800-53-SC-12
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SI-7
    - PCI-DSS-Req-6.2
    - PCI-DSSv4-6.3
    - PCI-DSSv4-6.3.3
    - configure_strategy
    - ensure_gpgcheck_globally_activated
    - high_severity
    - low_complexity
    - medium_disruption
    - no_reboot_needed

  - name: Ensure Oracle Linux GPG Key Installed - Read GPG key directory permission
    ansible.builtin.stat:
      path: /etc/pki/rpm-gpg/
    register: gpg_key_directory_permission
    check_mode: false
    tags:
    - DISA-STIG-OL09-00-000499
    - NIST-800-53-CM-11(a)
    - NIST-800-53-CM-11(b)
    - NIST-800-53-CM-5(3)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-12
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SI-7
    - PCI-DSS-Req-6.2
    - ensure_oracle_gpgkey_installed
    - high_severity
    - medium_complexity
    - medium_disruption
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure Oracle Linux GPG Key Installed - Retrieve GPG key fingerprints information
    ansible.builtin.command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-oracle"
    changed_when: false
    register: gpg_fingerprints
    check_mode: false
    tags:
    - DISA-STIG-OL09-00-000499
    - NIST-800-53-CM-11(a)
    - NIST-800-53-CM-11(b)
    - NIST-800-53-CM-5(3)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-12
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SI-7
    - PCI-DSS-Req-6.2
    - ensure_oracle_gpgkey_installed
    - high_severity
    - medium_complexity
    - medium_disruption
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure Oracle Linux GPG Key Installed - Set fact for installed fingerprints
    ansible.builtin.set_fact:
      gpg_installed_fingerprints: |-
        {{ gpg_fingerprints.stdout | regex_findall('^pub.*
        (?:^fpr[:]*)([0-9A-Fa-f]*)', '\1') | list }}
    tags:
    - DISA-STIG-OL09-00-000499
    - NIST-800-53-CM-11(a)
    - NIST-800-53-CM-11(b)
    - NIST-800-53-CM-5(3)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-12
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SI-7
    - PCI-DSS-Req-6.2
    - ensure_oracle_gpgkey_installed
    - high_severity
    - medium_complexity
    - medium_disruption
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure Oracle Linux GPG Key Installed - Set fact for valid fingerprints
    ansible.builtin.set_fact:
      gpg_valid_fingerprints:
      - 3E6D826D3FBAB389C2F38E34BC4D06A08D8B756F
      - 982231759C7467065D0CE9B2A7DD07088B4EFBE6
    tags:
    - DISA-STIG-OL09-00-000499
    - NIST-800-53-CM-11(a)
    - NIST-800-53-CM-11(b)
    - NIST-800-53-CM-5(3)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-12
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SI-7
    - PCI-DSS-Req-6.2
    - ensure_oracle_gpgkey_installed
    - high_severity
    - medium_complexity
    - medium_disruption
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure Oracle Linux GPG Key Installed - Import Oracle GPG key securely
    ansible.builtin.rpm_key:
      state: present
      key: /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
    when:
    - gpg_key_directory_permission.stat.mode <= '0755'
    - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length ==
      0
    - gpg_installed_fingerprints | length > 0
    tags:
    - DISA-STIG-OL09-00-000499
    - NIST-800-53-CM-11(a)
    - NIST-800-53-CM-11(b)
    - NIST-800-53-CM-5(3)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-12
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SI-7
    - PCI-DSS-Req-6.2
    - ensure_oracle_gpgkey_installed
    - high_severity
    - medium_complexity
    - medium_disruption
    - no_reboot_needed
    - restrict_strategy

  - name: Prevent Login to Accounts With Empty Password - Check if system relies on
      authselect
    ansible.builtin.stat:
      path: /usr/bin/authselect
    register: result_authselect_present
    when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.5.2
    - DISA-STIG-OL09-00-001110
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-IA-5(c)
    - PCI-DSS-Req-8.2.3
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.1
    - configure_strategy
    - high_severity
    - low_complexity
    - medium_disruption
    - no_empty_passwords
    - no_reboot_needed

  - name: Prevent Login to Accounts With Empty Password - Remediate using authselect
    block:

    - name: Prevent Login to Accounts With Empty Password - Check integrity of authselect
        current profile
      ansible.builtin.command:
        cmd: authselect check
      register: result_authselect_check_cmd
      changed_when: false
      check_mode: false
      failed_when: false

    - name: Prevent Login to Accounts With Empty Password - Informative message based
        on the authselect integrity check result
      ansible.builtin.assert:
        that:
        - ansible_check_mode or result_authselect_check_cmd.rc == 0
        fail_msg:
        - authselect integrity check failed. Remediation aborted!
        - This remediation could not be applied because an authselect profile was
          not selected or the selected profile is not intact.
        - It is not recommended to manually edit the PAM files when authselect tool
          is available.
        - In cases where the default authselect profile does not cover a specific
          demand, a custom authselect profile is recommended.
        success_msg:
        - authselect integrity check passed

    - name: Prevent Login to Accounts With Empty Password - Get authselect current
        features
      ansible.builtin.shell:
        cmd: authselect current | tail -n+3 | awk '{ print $2 }'
      register: result_authselect_features
      changed_when: false
      check_mode: false
      when:
      - result_authselect_check_cmd is success

    - name: Prevent Login to Accounts With Empty Password - Ensure "without-nullok"
        feature is enabled using authselect tool
      ansible.builtin.command:
        cmd: authselect enable-feature without-nullok
      register: result_authselect_enable_feature_cmd
      when:
      - result_authselect_check_cmd is success
      - result_authselect_features.stdout is not search("without-nullok")

    - name: Prevent Login to Accounts With Empty Password - Ensure authselect changes
        are applied
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
      - result_authselect_enable_feature_cmd is not skipped
      - result_authselect_enable_feature_cmd is success
    when:
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - result_authselect_present.stat.exists
    tags:
    - CJIS-5.5.2
    - DISA-STIG-OL09-00-001110
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-IA-5(c)
    - PCI-DSS-Req-8.2.3
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.1
    - configure_strategy
    - high_severity
    - low_complexity
    - medium_disruption
    - no_empty_passwords
    - no_reboot_needed

  - name: Prevent Login to Accounts With Empty Password - Remediate directly editing
      PAM files
    ansible.builtin.replace:
      dest: '{{ item }}'
      regexp: nullok
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - not result_authselect_present.stat.exists
    tags:
    - CJIS-5.5.2
    - DISA-STIG-OL09-00-001110
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-IA-5(c)
    - PCI-DSS-Req-8.2.3
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.1
    - configure_strategy
    - high_severity
    - low_complexity
    - medium_disruption
    - no_empty_passwords
    - no_reboot_needed

  - name: Get root paths which are not symbolic links
    ansible.builtin.stat:
      path: '{{ item }}'
    changed_when: false
    failed_when: false
    register: root_paths
    with_items: '{{ ansible_env.PATH.split('':'') }}'
    tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-6(a)
    - accounts_root_path_dirs_no_write
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Disable writability to root directories
    ansible.builtin.file:
      path: '{{ item.item }}'
      mode: g-w,o-w
    with_items: '{{ root_paths.results }}'
    when:
    - root_paths.results is defined
    - item.stat.exists
    - not item.stat.islnk
    tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-6(a)
    - accounts_root_path_dirs_no_write
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Verify that All World-Writable Directories Have Sticky Bits Set - Define
      Excluded (Non-Local) File Systems and Paths
    ansible.builtin.set_fact:
      excluded_fstypes:
      - afs
      - autofs
      - ceph
      - cifs
      - smb3
      - smbfs
      - sshfs
      - ncpfs
      - ncp
      - nfs
      - nfs4
      - gfs
      - gfs2
      - glusterfs
      - gpfs
      - pvfs2
      - ocfs2
      - lustre
      - davfs
      - fuse.sshfs
      excluded_paths:
      - dev
      - proc
      - run
      - sys
      search_paths: []
    tags:
    - DISA-STIG-OL09-00-002510
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - dir_perms_world_writable_sticky_bits
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Verify that All World-Writable Directories Have Sticky Bits Set - Find Relevant
      Root Directories Ignoring Pre-Defined Excluded Paths
    ansible.builtin.find:
      paths: /
      file_type: directory
      excludes: '{{ excluded_paths }}'
      hidden: true
      recurse: false
    register: result_relevant_root_dirs
    tags:
    - DISA-STIG-OL09-00-002510
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - dir_perms_world_writable_sticky_bits
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Verify that All World-Writable Directories Have Sticky Bits Set - Include
      Relevant Root Directories in a List of Paths to be Searched
    ansible.builtin.set_fact:
      search_paths: '{{ search_paths | union([item.path]) }}'
    loop: '{{ result_relevant_root_dirs.files }}'
    tags:
    - DISA-STIG-OL09-00-002510
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - dir_perms_world_writable_sticky_bits
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Verify that All World-Writable Directories Have Sticky Bits Set - Increment
      Search Paths List with Local Partitions Mount Points
    ansible.builtin.set_fact:
      search_paths: '{{ search_paths | union([item.mount]) }}'
    loop: '{{ ansible_mounts }}'
    when:
    - item.fstype not in excluded_fstypes
    - item.mount != '/'
    tags:
    - DISA-STIG-OL09-00-002510
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - dir_perms_world_writable_sticky_bits
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Verify that All World-Writable Directories Have Sticky Bits Set - Increment
      Search Paths List with Local NFS File System Targets
    ansible.builtin.set_fact:
      search_paths: '{{ search_paths | union([item.device.split('':'')[1]]) }}'
    loop: '{{ ansible_mounts }}'
    when: item.device is search("localhost:")
    tags:
    - DISA-STIG-OL09-00-002510
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - dir_perms_world_writable_sticky_bits
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Verify that All World-Writable Directories Have Sticky Bits Set - Define
      Rule Specific Facts
    ansible.builtin.set_fact:
      world_writable_dirs: []
    tags:
    - DISA-STIG-OL09-00-002510
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - dir_perms_world_writable_sticky_bits
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Verify that All World-Writable Directories Have Sticky Bits Set - Find All
      Uncompliant Directories in Local File Systems
    ansible.builtin.command:
      cmd: find {{ item }} -xdev -type d ( -perm -0002 -a ! -perm -1000 )
    loop: '{{ search_paths }}'
    changed_when: false
    register: result_found_dirs
    tags:
    - DISA-STIG-OL09-00-002510
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - dir_perms_world_writable_sticky_bits
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Verify that All World-Writable Directories Have Sticky Bits Set - Create
      List of World Writable Directories Without Sticky Bit
    ansible.builtin.set_fact:
      world_writable_dirs: '{{ world_writable_dirs | union(item.stdout_lines) | list
        }}'
    loop: '{{ result_found_dirs.results }}'
    when: result_found_dirs is not skipped and item is not skipped
    tags:
    - DISA-STIG-OL09-00-002510
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - dir_perms_world_writable_sticky_bits
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Verify that All World-Writable Directories Have Sticky Bits Set - Ensure
      Sticky Bit is Set on Local World Writable Directories
    ansible.builtin.file:
      path: '{{ item }}'
      mode: a+t
    loop: '{{ world_writable_dirs }}'
    tags:
    - DISA-STIG-OL09-00-002510
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - dir_perms_world_writable_sticky_bits
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: 'Add nodev Option to /dev/shm: Check information associated to mountpoint'
    ansible.builtin.command: findmnt  '/dev/shm'
    register: device_name
    failed_when: device_name.rc > 1
    changed_when: false
    check_mode: false
    when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
      in ["docker", "lxc", "openvz", "podman", "container"] ) )
    tags:
    - DISA-STIG-OL09-00-002040
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nodev
    - no_reboot_needed

  - name: 'Add nodev Option to /dev/shm: Create mount_info dictionary variable'
    set_fact:
      mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
    with_together:
    - '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
    when:
    - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
      in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    tags:
    - DISA-STIG-OL09-00-002040
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nodev
    - no_reboot_needed

  - name: 'Add nodev Option to /dev/shm: If /dev/shm not mounted, craft mount_info
      manually'
    set_fact:
      mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
    with_together:
    - - target
      - source
      - fstype
      - options
    - - /dev/shm
      - tmpfs
      - tmpfs
      - defaults
    when:
    - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
      in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - ("" | length == 0)
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length == 0)
    tags:
    - DISA-STIG-OL09-00-002040
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nodev
    - no_reboot_needed

  - name: 'Add nodev Option to /dev/shm: Make sure nodev option is part of the to
      /dev/shm options'
    set_fact:
      mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
        | default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nodev''
        }) }}'
    when:
    - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
      in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - mount_info is defined and "nodev" not in (mount_info.options | default(''))
    tags:
    - DISA-STIG-OL09-00-002040
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nodev
    - no_reboot_needed

  - name: 'Add nodev Option to /dev/shm: Ensure /dev/shm is mounted with nodev option'
    ansible.posix.mount:
      path: /dev/shm
      src: '{{ mount_info.source | default('''') }}'
      opts: '{{ mount_info.options | default('''') }}'
      state: mounted
      fstype: '{{ mount_info.fstype | default('''') }}'
    register: mount_result
    failed_when:
    - mount_result is failed
    - '''target is busy'' not in (mount_result.msg | default(''''))'
    - '''already mounted'' not in (mount_result.msg | default(''''))'
    when:
    - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
      in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - mount_info is defined
    - (device_name.stdout is defined and (device_name.stdout | length > 0)) or (""
      | length == 0)
    tags:
    - DISA-STIG-OL09-00-002040
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nodev
    - no_reboot_needed

  - name: 'Add nosuid Option to /dev/shm: Check information associated to mountpoint'
    ansible.builtin.command: findmnt  '/dev/shm'
    register: device_name
    failed_when: device_name.rc > 1
    changed_when: false
    check_mode: false
    when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
      in ["docker", "lxc", "openvz", "podman", "container"] ) )
    tags:
    - DISA-STIG-OL09-00-002042
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nosuid
    - no_reboot_needed

  - name: 'Add nosuid Option to /dev/shm: Create mount_info dictionary variable'
    set_fact:
      mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
    with_together:
    - '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
    when:
    - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
      in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    tags:
    - DISA-STIG-OL09-00-002042
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nosuid
    - no_reboot_needed

  - name: 'Add nosuid Option to /dev/shm: If /dev/shm not mounted, craft mount_info
      manually'
    set_fact:
      mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
    with_together:
    - - target
      - source
      - fstype
      - options
    - - /dev/shm
      - tmpfs
      - tmpfs
      - defaults
    when:
    - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
      in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - ("" | length == 0)
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length == 0)
    tags:
    - DISA-STIG-OL09-00-002042
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nosuid
    - no_reboot_needed

  - name: 'Add nosuid Option to /dev/shm: Make sure nosuid option is part of the to
      /dev/shm options'
    set_fact:
      mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
        | default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nosuid''
        }) }}'
    when:
    - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
      in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - mount_info is defined and "nosuid" not in (mount_info.options | default(''))
    tags:
    - DISA-STIG-OL09-00-002042
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nosuid
    - no_reboot_needed

  - name: 'Add nosuid Option to /dev/shm: Ensure /dev/shm is mounted with nosuid option'
    ansible.posix.mount:
      path: /dev/shm
      src: '{{ mount_info.source | default('''') }}'
      opts: '{{ mount_info.options | default('''') }}'
      state: mounted
      fstype: '{{ mount_info.fstype | default('''') }}'
    register: mount_result
    failed_when:
    - mount_result is failed
    - '''target is busy'' not in (mount_result.msg | default(''''))'
    - '''already mounted'' not in (mount_result.msg | default(''''))'
    when:
    - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
      in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - mount_info is defined
    - (device_name.stdout is defined and (device_name.stdout | length > 0)) or (""
      | length == 0)
    tags:
    - DISA-STIG-OL09-00-002042
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nosuid
    - no_reboot_needed

  - name: Record Events that Modify the System's Mandatory Access Controls - Check
      if watch rule for /etc/selinux/ already exists in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+
      patterns: '*.rules'
    register: find_existing_watch_rules_d
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.8
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_mac_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Record Events that Modify the System's Mandatory Access Controls - Search
      /etc/audit/rules.d for other rules with specified key MAC-policy
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: ^.*(?:-F key=|-k\s+)MAC-policy$
      patterns: '*.rules'
    register: find_watch_key
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.8
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_mac_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Record Events that Modify the System's Mandatory Access Controls - Use /etc/audit/rules.d/MAC-policy.rules
      as the recipient for the rule
    ansible.builtin.set_fact:
      all_files:
      - /etc/audit/rules.d/MAC-policy.rules
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
      is defined and find_existing_watch_rules_d.matched == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.8
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_mac_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Record Events that Modify the System's Mandatory Access Controls - Use matched
      file as the recipient for the rule
    ansible.builtin.set_fact:
      all_files:
      - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
      is defined and find_existing_watch_rules_d.matched == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.8
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_mac_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Record Events that Modify the System's Mandatory Access Controls - Add watch
      rule for /etc/selinux/ in /etc/audit/rules.d/
    ansible.builtin.lineinfile:
      path: '{{ all_files[0] }}'
      line: -w /etc/selinux/ -p wa -k MAC-policy
      create: true
      mode: '0600'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.8
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_mac_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Record Events that Modify the System's Mandatory Access Controls - Check
      if watch rule for /etc/selinux/ already exists in /etc/audit/audit.rules
    ansible.builtin.find:
      paths: /etc/audit/
      contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+
      patterns: audit.rules
    register: find_existing_watch_audit_rules
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.8
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_mac_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Record Events that Modify the System's Mandatory Access Controls - Add watch
      rule for /etc/selinux/ in /etc/audit/audit.rules
    ansible.builtin.lineinfile:
      line: -w /etc/selinux/ -p wa -k MAC-policy
      state: present
      dest: /etc/audit/audit.rules
      create: true
      mode: '0600'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.8
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_mac_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Set architecture for audit mount tasks
    ansible.builtin.set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.7
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.7
    - audit_rules_media_export
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for mount for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - mount
        syscall_grouping: []

    - name: Check existence of mount in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/export.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/export.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=export
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - mount
        syscall_grouping: []

    - name: Check existence of mount in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=export
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.7
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.7
    - audit_rules_media_export
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for mount for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - mount
        syscall_grouping: []

    - name: Check existence of mount in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/export.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/export.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=export
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - mount
        syscall_grouping: []

    - name: Check existence of mount in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=export
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.7
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.7
    - audit_rules_media_export
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Set architecture for audit tasks
    ansible.builtin.set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Remediate audit rules for network configuration for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - sethostname
        - setdomainname
        syscall_grouping:
        - sethostname
        - setdomainname

    - name: Check existence of sethostname, setdomainname in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - sethostname
        - setdomainname
        syscall_grouping:
        - sethostname
        - setdomainname

    - name: Check existence of sethostname, setdomainname in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Remediate audit rules for network configuration for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - sethostname
        - setdomainname
        syscall_grouping:
        - sethostname
        - setdomainname

    - name: Check existence of sethostname, setdomainname in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - sethostname
        - setdomainname
        syscall_grouping:
        - sethostname
        - setdomainname

    - name: Check existence of sethostname, setdomainname in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Check if watch
      rule for /etc/issue already exists in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+
      patterns: '*.rules'
    register: find_existing_watch_rules_d
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d
      for other rules with specified key audit_rules_networkconfig_modification
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
      patterns: '*.rules'
    register: find_watch_key
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
      as the recipient for the rule
    ansible.builtin.set_fact:
      all_files:
      - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
      is defined and find_existing_watch_rules_d.matched == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Use matched
      file as the recipient for the rule
    ansible.builtin.set_fact:
      all_files:
      - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
      is defined and find_existing_watch_rules_d.matched == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Add watch rule
      for /etc/issue in /etc/audit/rules.d/
    ansible.builtin.lineinfile:
      path: '{{ all_files[0] }}'
      line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
      create: true
      mode: '0600'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Check if watch
      rule for /etc/issue already exists in /etc/audit/audit.rules
    ansible.builtin.find:
      paths: /etc/audit/
      contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+
      patterns: audit.rules
    register: find_existing_watch_audit_rules
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Add watch rule
      for /etc/issue in /etc/audit/audit.rules
    ansible.builtin.lineinfile:
      line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
      state: present
      dest: /etc/audit/audit.rules
      create: true
      mode: '0600'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Check if watch
      rule for /etc/issue.net already exists in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+
      patterns: '*.rules'
    register: find_existing_watch_rules_d
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d
      for other rules with specified key audit_rules_networkconfig_modification
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
      patterns: '*.rules'
    register: find_watch_key
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
      as the recipient for the rule
    ansible.builtin.set_fact:
      all_files:
      - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
      is defined and find_existing_watch_rules_d.matched == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Use matched
      file as the recipient for the rule
    ansible.builtin.set_fact:
      all_files:
      - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
      is defined and find_existing_watch_rules_d.matched == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Add watch rule
      for /etc/issue.net in /etc/audit/rules.d/
    ansible.builtin.lineinfile:
      path: '{{ all_files[0] }}'
      line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
      create: true
      mode: '0600'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Check if watch
      rule for /etc/issue.net already exists in /etc/audit/audit.rules
    ansible.builtin.find:
      paths: /etc/audit/
      contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+
      patterns: audit.rules
    register: find_existing_watch_audit_rules
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Add watch rule
      for /etc/issue.net in /etc/audit/audit.rules
    ansible.builtin.lineinfile:
      line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
      state: present
      dest: /etc/audit/audit.rules
      create: true
      mode: '0600'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Check if watch
      rule for /etc/hosts already exists in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+
      patterns: '*.rules'
    register: find_existing_watch_rules_d
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d
      for other rules with specified key audit_rules_networkconfig_modification
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
      patterns: '*.rules'
    register: find_watch_key
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
      as the recipient for the rule
    ansible.builtin.set_fact:
      all_files:
      - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
      is defined and find_existing_watch_rules_d.matched == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Use matched
      file as the recipient for the rule
    ansible.builtin.set_fact:
      all_files:
      - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
      is defined and find_existing_watch_rules_d.matched == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Add watch rule
      for /etc/hosts in /etc/audit/rules.d/
    ansible.builtin.lineinfile:
      path: '{{ all_files[0] }}'
      line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
      create: true
      mode: '0600'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Check if watch
      rule for /etc/hosts already exists in /etc/audit/audit.rules
    ansible.builtin.find:
      paths: /etc/audit/
      contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+
      patterns: audit.rules
    register: find_existing_watch_audit_rules
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Add watch rule
      for /etc/hosts in /etc/audit/audit.rules
    ansible.builtin.lineinfile:
      line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
      state: present
      dest: /etc/audit/audit.rules
      create: true
      mode: '0600'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Check if watch
      rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+
      patterns: '*.rules'
    register: find_existing_watch_rules_d
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d
      for other rules with specified key audit_rules_networkconfig_modification
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
      patterns: '*.rules'
    register: find_watch_key
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
      as the recipient for the rule
    ansible.builtin.set_fact:
      all_files:
      - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
      is defined and find_existing_watch_rules_d.matched == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Use matched
      file as the recipient for the rule
    ansible.builtin.set_fact:
      all_files:
      - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
      is defined and find_existing_watch_rules_d.matched == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Add watch rule
      for /etc/sysconfig/network in /etc/audit/rules.d/
    ansible.builtin.lineinfile:
      path: '{{ all_files[0] }}'
      line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
      create: true
      mode: '0600'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Check if watch
      rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules
    ansible.builtin.find:
      paths: /etc/audit/
      contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+
      patterns: audit.rules
    register: find_existing_watch_audit_rules
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Events that Modify the System's Network Environment - Add watch rule
      for /etc/sysconfig/network in /etc/audit/audit.rules
    ansible.builtin.lineinfile:
      line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
      state: present
      dest: /etc/audit/audit.rules
      create: true
      mode: '0600'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects System Administrator Actions - Check if watch rule
      for /etc/sudoers already exists in /etc/audit/audit.rules
    ansible.builtin.find:
      paths: /etc/audit/
      contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+
      patterns: audit.rules
    register: find_existing_watch_audit_rules
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(7)(b)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_sysadmin_actions
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects System Administrator Actions - Add watch rule for
      /etc/sudoers in /etc/audit/audit.rules
    ansible.builtin.lineinfile:
      line: -w /etc/sudoers -p wa -k actions
      state: present
      dest: /etc/audit/audit.rules
      create: true
      mode: '0600'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(7)(b)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_sysadmin_actions
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects System Administrator Actions - Check if watch rule
      for /etc/sudoers already exists in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+
      patterns: '*.rules'
    register: find_existing_watch_rules_d
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(7)(b)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_sysadmin_actions
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects System Administrator Actions - Search /etc/audit/rules.d
      for other rules with specified key actions
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: ^.*(?:-F key=|-k\s+)actions$
      patterns: '*.rules'
    register: find_watch_key
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(7)(b)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_sysadmin_actions
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects System Administrator Actions - Use /etc/audit/rules.d/actions.rules
      as the recipient for the rule
    ansible.builtin.set_fact:
      all_files:
      - /etc/audit/rules.d/actions.rules
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
      is defined and find_existing_watch_rules_d.matched == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(7)(b)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_sysadmin_actions
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects System Administrator Actions - Use matched file as
      the recipient for the rule
    ansible.builtin.set_fact:
      all_files:
      - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
      is defined and find_existing_watch_rules_d.matched == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(7)(b)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_sysadmin_actions
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects System Administrator Actions - Add watch rule for
      /etc/sudoers in /etc/audit/rules.d/
    ansible.builtin.lineinfile:
      path: '{{ all_files[0] }}'
      line: -w /etc/sudoers -p wa -k actions
      create: true
      mode: '0600'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(7)(b)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_sysadmin_actions
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects System Administrator Actions - Check if watch rule
      for /etc/sudoers.d/ already exists in /etc/audit/audit.rules
    ansible.builtin.find:
      paths: /etc/audit/
      contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+
      patterns: audit.rules
    register: find_existing_watch_audit_rules
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(7)(b)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_sysadmin_actions
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects System Administrator Actions - Add watch rule for
      /etc/sudoers.d/ in /etc/audit/audit.rules
    ansible.builtin.lineinfile:
      line: -w /etc/sudoers.d/ -p wa -k actions
      state: present
      dest: /etc/audit/audit.rules
      create: true
      mode: '0600'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(7)(b)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_sysadmin_actions
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects System Administrator Actions - Check if watch rule
      for /etc/sudoers.d/ already exists in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+
      patterns: '*.rules'
    register: find_existing_watch_rules_d
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(7)(b)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_sysadmin_actions
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects System Administrator Actions - Search /etc/audit/rules.d
      for other rules with specified key actions
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: ^.*(?:-F key=|-k\s+)actions$
      patterns: '*.rules'
    register: find_watch_key
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(7)(b)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_sysadmin_actions
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects System Administrator Actions - Use /etc/audit/rules.d/actions.rules
      as the recipient for the rule
    ansible.builtin.set_fact:
      all_files:
      - /etc/audit/rules.d/actions.rules
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
      is defined and find_existing_watch_rules_d.matched == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(7)(b)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_sysadmin_actions
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects System Administrator Actions - Use matched file as
      the recipient for the rule
    ansible.builtin.set_fact:
      all_files:
      - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
      is defined and find_existing_watch_rules_d.matched == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(7)(b)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_sysadmin_actions
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects System Administrator Actions - Add watch rule for
      /etc/sudoers.d/ in /etc/audit/rules.d/
    ansible.builtin.lineinfile:
      path: '{{ all_files[0] }}'
      line: -w /etc/sudoers.d/ -p wa -k actions
      create: true
      mode: '0600'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(7)(b)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_sysadmin_actions
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Set architecture for audit chmod tasks
    ansible.builtin.set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - not ( ansible_architecture == "aarch64" )
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000640
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_chmod
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for chmod for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - chmod
        syscall_grouping:
        - chmod
        - fchmod
        - fchmodat

    - name: Check existence of chmod in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - chmod
        syscall_grouping:
        - chmod
        - fchmod
        - fchmodat

    - name: Check existence of chmod in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - not ( ansible_architecture == "aarch64" )
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000640
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_chmod
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for chmod for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - chmod
        syscall_grouping:
        - chmod
        - fchmod
        - fchmodat

    - name: Check existence of chmod in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - chmod
        syscall_grouping:
        - chmod
        - fchmod
        - fchmodat

    - name: Check existence of chmod in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - not ( ansible_architecture == "aarch64" )
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000640
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_chmod
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Set architecture for audit chown tasks
    ansible.builtin.set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - not ( ansible_architecture == "aarch64" )
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000645
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_chown
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for chown for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - chown
        syscall_grouping:
        - chown
        - fchown
        - fchownat
        - lchown

    - name: Check existence of chown in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - chown
        syscall_grouping:
        - chown
        - fchown
        - fchownat
        - lchown

    - name: Check existence of chown in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - not ( ansible_architecture == "aarch64" )
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000645
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_chown
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for chown for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - chown
        syscall_grouping:
        - chown
        - fchown
        - fchownat
        - lchown

    - name: Check existence of chown in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - chown
        syscall_grouping:
        - chown
        - fchown
        - fchownat
        - lchown

    - name: Check existence of chown in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - not ( ansible_architecture == "aarch64" )
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000645
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_chown
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Set architecture for audit fchmod tasks
    ansible.builtin.set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000640
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fchmod
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for fchmod for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fchmod
        syscall_grouping:
        - chmod
        - fchmod
        - fchmodat

    - name: Check existence of fchmod in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fchmod
        syscall_grouping:
        - chmod
        - fchmod
        - fchmodat

    - name: Check existence of fchmod in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000640
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fchmod
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for fchmod for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fchmod
        syscall_grouping:
        - chmod
        - fchmod
        - fchmodat

    - name: Check existence of fchmod in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fchmod
        syscall_grouping:
        - chmod
        - fchmod
        - fchmodat

    - name: Check existence of fchmod in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000640
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fchmod
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Set architecture for audit fchmodat tasks
    ansible.builtin.set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000640
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fchmodat
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for fchmodat for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fchmodat
        syscall_grouping:
        - chmod
        - fchmod
        - fchmodat

    - name: Check existence of fchmodat in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fchmodat
        syscall_grouping:
        - chmod
        - fchmod
        - fchmodat

    - name: Check existence of fchmodat in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000640
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fchmodat
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for fchmodat for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fchmodat
        syscall_grouping:
        - chmod
        - fchmod
        - fchmodat

    - name: Check existence of fchmodat in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fchmodat
        syscall_grouping:
        - chmod
        - fchmod
        - fchmodat

    - name: Check existence of fchmodat in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000640
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fchmodat
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Set architecture for audit fchown tasks
    ansible.builtin.set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000645
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fchown
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for fchown for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fchown
        syscall_grouping:
        - chown
        - fchown
        - fchownat
        - lchown

    - name: Check existence of fchown in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fchown
        syscall_grouping:
        - chown
        - fchown
        - fchownat
        - lchown

    - name: Check existence of fchown in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000645
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fchown
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for fchown for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fchown
        syscall_grouping:
        - chown
        - fchown
        - fchownat
        - lchown

    - name: Check existence of fchown in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fchown
        syscall_grouping:
        - chown
        - fchown
        - fchownat
        - lchown

    - name: Check existence of fchown in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000645
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fchown
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Set architecture for audit fchownat tasks
    ansible.builtin.set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000645
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fchownat
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for fchownat for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fchownat
        syscall_grouping:
        - chown
        - fchown
        - fchownat
        - lchown

    - name: Check existence of fchownat in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fchownat
        syscall_grouping:
        - chown
        - fchown
        - fchownat
        - lchown

    - name: Check existence of fchownat in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000645
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fchownat
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for fchownat for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fchownat
        syscall_grouping:
        - chown
        - fchown
        - fchownat
        - lchown

    - name: Check existence of fchownat in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fchownat
        syscall_grouping:
        - chown
        - fchown
        - fchownat
        - lchown

    - name: Check existence of fchownat in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000645
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fchownat
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Set architecture for audit fremovexattr tasks
    ansible.builtin.set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000545
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fremovexattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for fremovexattr for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fremovexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of fremovexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fremovexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of fremovexattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fremovexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of fremovexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fremovexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of fremovexattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000545
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fremovexattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for fremovexattr for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fremovexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of fremovexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fremovexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of fremovexattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fremovexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of fremovexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fremovexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of fremovexattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000545
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fremovexattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Set architecture for audit fsetxattr tasks
    ansible.builtin.set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000545
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fsetxattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for fsetxattr for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fsetxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of fsetxattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fsetxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of fsetxattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fsetxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of fsetxattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fsetxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of fsetxattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000545
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fsetxattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for fsetxattr for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fsetxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of fsetxattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fsetxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of fsetxattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fsetxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of fsetxattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - fsetxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of fsetxattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000545
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fsetxattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Set architecture for audit lchown tasks
    ansible.builtin.set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - not ( ansible_architecture == "aarch64" )
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000645
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_lchown
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for lchown for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lchown
        syscall_grouping:
        - chown
        - fchown
        - fchownat
        - lchown

    - name: Check existence of lchown in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lchown
        syscall_grouping:
        - chown
        - fchown
        - fchownat
        - lchown

    - name: Check existence of lchown in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - not ( ansible_architecture == "aarch64" )
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000645
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_lchown
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for lchown for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lchown
        syscall_grouping:
        - chown
        - fchown
        - fchownat
        - lchown

    - name: Check existence of lchown in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lchown
        syscall_grouping:
        - chown
        - fchown
        - fchownat
        - lchown

    - name: Check existence of lchown in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - not ( ansible_architecture == "aarch64" )
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000645
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_lchown
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Set architecture for audit lremovexattr tasks
    ansible.builtin.set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000545
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_lremovexattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for lremovexattr for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lremovexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of lremovexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lremovexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of lremovexattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lremovexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of lremovexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lremovexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of lremovexattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000545
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_lremovexattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for lremovexattr for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lremovexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of lremovexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lremovexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of lremovexattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lremovexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of lremovexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lremovexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of lremovexattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000545
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_lremovexattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Set architecture for audit lsetxattr tasks
    ansible.builtin.set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000545
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_lsetxattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for lsetxattr for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lsetxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of lsetxattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lsetxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of lsetxattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lsetxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of lsetxattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lsetxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of lsetxattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000545
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_lsetxattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for lsetxattr for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lsetxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of lsetxattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lsetxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of lsetxattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lsetxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of lsetxattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - lsetxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of lsetxattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000545
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_lsetxattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Set architecture for audit removexattr tasks
    ansible.builtin.set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000545
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_removexattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for removexattr for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - removexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of removexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - removexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of removexattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - removexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of removexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - removexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of removexattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000545
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_removexattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for removexattr for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - removexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of removexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - removexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of removexattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - removexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of removexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - removexattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of removexattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000545
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_removexattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Set architecture for audit setxattr tasks
    ansible.builtin.set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000545
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_setxattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for setxattr for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - setxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of setxattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - setxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of setxattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - setxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of setxattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - setxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of setxattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000545
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_setxattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for setxattr for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - setxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of setxattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - setxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of setxattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - setxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of setxattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - setxattr
        syscall_grouping:
        - fremovexattr
        - lremovexattr
        - removexattr
        - fsetxattr
        - lsetxattr
        - setxattr

    - name: Check existence of setxattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
          key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - DISA-STIG-OL09-00-000545
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_setxattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Set architecture for audit tasks
    ansible.builtin.set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.7
    - audit_rules_kernel_module_loading
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for kernel module loading for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - init_module
        - delete_module
        - finit_module
        syscall_grouping:
        - init_module
        - delete_module
        - finit_module

    - name: Check existence of init_module, delete_module, finit_module in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=modules
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - init_module
        - delete_module
        - finit_module
        syscall_grouping:
        - init_module
        - delete_module
        - finit_module

    - name: Check existence of init_module, delete_module, finit_module in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=modules
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.7
    - audit_rules_kernel_module_loading
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Perform remediation of Audit rules for kernel module loading for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - init_module
        - delete_module
        - finit_module
        syscall_grouping:
        - init_module
        - delete_module
        - finit_module

    - name: Check existence of init_module, delete_module, finit_module in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=modules
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - init_module
        - delete_module
        - finit_module
        syscall_grouping:
        - init_module
        - delete_module
        - finit_module

    - name: Check existence of init_module, delete_module, finit_module in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
          |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
          -F auid!=unset -F key=modules
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.7
    - audit_rules_kernel_module_loading
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - Set
      List of Mount Points Which Permits Execution of Privileged Commands
    ansible.builtin.set_fact:
      privileged_mount_points: '{{ (ansible_facts.mounts | rejectattr(''options'',
        ''search'', ''noexec|nosuid'') | rejectattr(''mount'', ''match'', ''/proc($|/.*$)'')
        | map(attribute=''mount'') | list ) }}'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.2
    - audit_rules_privileged_commands
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - Search
      for Privileged Commands in Eligible Mount Points
    ansible.builtin.shell:
      cmd: find {{ item }} -xdev -perm /6000 -type f 2>/dev/null
    register: result_privileged_commands_search
    changed_when: false
    failed_when: false
    with_items: '{{ privileged_mount_points }}'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.2
    - audit_rules_privileged_commands
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - Set
      List of Privileged Commands Found in Eligible Mount Points
    ansible.builtin.set_fact:
      privileged_commands: '{{ privileged_commands | default([]) + item.stdout_lines
        }}'
    loop: '{{ result_privileged_commands_search.results }}'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - item is not skipped
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.2
    - audit_rules_privileged_commands
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - Privileged
      Commands are Present in the System
    block:

    - name: Ensure auditd Collects Information on the Use of Privileged Commands -
        Ensure Rules for All Privileged Commands in augenrules Format
      ansible.builtin.lineinfile:
        path: /etc/audit/rules.d/privileged.rules
        line: -a always,exit -F path={{ item }} -F perm=x -F auid>=1000 -F auid!=unset
          -F key=privileged
        regexp: ^.*path={{ item | regex_escape() }} .*$
        create: true
      with_items:
      - '{{ privileged_commands }}'

    - name: Ensure auditd Collects Information on the Use of Privileged Commands -
        Ensure Rules for All Privileged Commands in auditctl Format
      ansible.builtin.lineinfile:
        path: /etc/audit/audit.rules
        line: -a always,exit -F path={{ item }} -F perm=x -F auid>=1000 -F auid!=unset
          -F key=privileged
        regexp: ^.*path={{ item | regex_escape() }} .*$
        create: true
      with_items:
      - '{{ privileged_commands }}'

    - name: Ensure auditd Collects Information on the Use of Privileged Commands -
        Search for Duplicated Rules in Other Files
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        recurse: false
        contains: ^-a always,exit (-F arch=b32 |-F arch=b64 )?-F path={{ item | regex_escape()
          }} .*$
        patterns: '*.rules'
      with_items:
      - '{{ privileged_commands }}'
      register: result_augenrules_files

    - name: Ensure auditd Collects Information on the Use of Privileged Commands -
        Ensure Rules for Privileged Commands are Defined Only in One File
      ansible.builtin.lineinfile:
        path: '{{ item.1.path }}'
        regexp: ^-a always,exit (-F arch=b32 |-F arch=b64 )?-F path={{ item.0.item
          | regex_escape() }} .*$
        state: absent
      with_subelements:
      - '{{ result_augenrules_files.results }}'
      - files
      when:
      - item.1.path != '/etc/audit/rules.d/privileged.rules'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - privileged_commands is defined
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.2
    - audit_rules_privileged_commands
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - at
      - Perform remediation of Audit rules for /usr/bin/at
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/at -F perm=x -F
          auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/at -F perm=x
          -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/at -F perm=x -F auid>=1000 -F
          auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/at -F perm=x
          -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - audit_rules_privileged_commands_at
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - chage
      - Perform remediation of Audit rules for /usr/bin/chage
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chage -F perm=x
          -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chage -F perm=x
          -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chage -F perm=x -F auid>=1000
          -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chage -F perm=x
          -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-000550
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - audit_rules_privileged_commands_chage
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - chsh
      - Perform remediation of Audit rules for /usr/bin/chsh
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chsh -F perm=x -F
          auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chsh -F perm=x
          -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chsh -F perm=x -F auid>=1000
          -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chsh -F perm=x
          -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-000565
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - audit_rules_privileged_commands_chsh
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - crontab
      - Perform remediation of Audit rules for /usr/bin/crontab
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/crontab -F perm=x
          -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/crontab -F
          perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/crontab -F perm=x -F auid>=1000
          -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/crontab -F
          perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-000570
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - audit_rules_privileged_commands_crontab
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
      - Perform remediation of Audit rules for /usr/bin/gpasswd
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/gpasswd -F perm=x
          -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/gpasswd -F
          perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000
          -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/gpasswd -F
          perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-000575
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - audit_rules_privileged_commands_gpasswd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - mount
      - Perform remediation of Audit rules for /usr/bin/mount
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/mount -F perm=x
          -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/mount -F perm=x
          -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/mount -F perm=x -F auid>=1000
          -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/mount -F perm=x
          -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-000630
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - audit_rules_privileged_commands_mount
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
      - Perform remediation of Audit rules for /usr/bin/newgrp
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/newgrp -F perm=x
          -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgrp -F
          perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/newgrp -F perm=x -F auid>=1000
          -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgrp -F
          perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-000580
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - audit_rules_privileged_commands_newgrp
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
      - Perform remediation of Audit rules for /usr/sbin/pam_timestamp_check
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset
          (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/pam_timestamp_check
          -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/pam_timestamp_check
          -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset
          (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/pam_timestamp_check -F perm=x
          -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/pam_timestamp_check
          -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-000585
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - audit_rules_privileged_commands_pam_timestamp_check
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - passwd
      - Perform remediation of Audit rules for /usr/bin/passwd
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/passwd -F perm=x
          -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/passwd -F
          perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/passwd -F perm=x -F auid>=1000
          -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/passwd -F
          perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-000590
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - audit_rules_privileged_commands_passwd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
      - Perform remediation of Audit rules for /usr/sbin/postdrop
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/postdrop -F perm=x
          -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postdrop
          -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000
          -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postdrop
          -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-000595
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - audit_rules_privileged_commands_postdrop
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
      - Perform remediation of Audit rules for /usr/sbin/postqueue
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/postqueue -F perm=x
          -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postqueue
          -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000
          -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postqueue
          -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-000600
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - audit_rules_privileged_commands_postqueue
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
      - Perform remediation of Audit rules for /usr/libexec/openssh/ssh-keysign
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset
          (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/libexec/openssh/ssh-keysign
          -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/openssh/ssh-keysign
          -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset
          (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/libexec/openssh/ssh-keysign -F perm=x
          -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/openssh/ssh-keysign
          -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-000610
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - audit_rules_privileged_commands_ssh_keysign
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - su
      - Perform remediation of Audit rules for /usr/bin/su
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/su -F perm=x -F
          auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/su -F perm=x
          -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/su -F perm=x -F auid>=1000 -F
          auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/su -F perm=x
          -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-000540
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - audit_rules_privileged_commands_su
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - sudo
      - Perform remediation of Audit rules for /usr/bin/sudo
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/sudo -F perm=x -F
          auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudo -F perm=x
          -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/sudo -F perm=x -F auid>=1000
          -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudo -F perm=x
          -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-000670
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - audit_rules_privileged_commands_sudo
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
      - Perform remediation of Audit rules for /usr/bin/sudoedit
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/sudoedit -F perm=x
          -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudoedit -F
          perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000
          -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudoedit -F
          perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-000615
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - audit_rules_privileged_commands_sudoedit
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - umount
      - Perform remediation of Audit rules for /usr/bin/umount
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/umount -F perm=x
          -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/umount -F
          perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/umount -F perm=x -F auid>=1000
          -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/umount -F
          perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-000705
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - audit_rules_privileged_commands_umount
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
      - Perform remediation of Audit rules for /usr/sbin/unix_chkpwd
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/unix_chkpwd -F
          perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_chkpwd
          -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000
          -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_chkpwd
          -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-000620
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-12.1(ii)
    - NIST-800-53-AU-12.1(iv)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-3
    - NIST-800-53-AU-3.1
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(1)(a)
    - audit_rules_privileged_commands_unix_chkpwd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
      - Perform remediation of Audit rules for /usr/sbin/userhelper
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/userhelper -F perm=x
          -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/userhelper
          -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000
          -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/userhelper
          -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - DISA-STIG-OL09-00-000625
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - audit_rules_privileged_commands_userhelper
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl
      - Perform remediation of Audit rules for /usr/sbin/usernetctl
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/usernetctl -F perm=x
          -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usernetctl
          -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls: []
        syscall_grouping: []

    - name: Check existence of  in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
          -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
          }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000
          -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usernetctl
          -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - audit_rules_privileged_commands_usernetctl
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Set architecture for audit tasks
    ansible.builtin.set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_adjtimex
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Perform remediation of Audit rules for adjtimex for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - adjtimex
        syscall_grouping:
        - adjtimex
        - settimeofday
        - stime

    - name: Check existence of adjtimex in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - adjtimex
        syscall_grouping:
        - adjtimex
        - settimeofday
        - stime

    - name: Check existence of adjtimex in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_adjtimex
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Perform remediation of Audit rules for adjtimex for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - adjtimex
        syscall_grouping:
        - adjtimex
        - settimeofday

    - name: Check existence of adjtimex in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - adjtimex
        syscall_grouping:
        - adjtimex
        - settimeofday
        - stime

    - name: Check existence of adjtimex in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_adjtimex
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Set architecture for audit tasks
    ansible.builtin.set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_clock_settime
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Perform remediation of Audit rules for clock_settime for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - clock_settime
        syscall_grouping: []

    - name: Check existence of clock_settime in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/time-change.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F
          key=time-change
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - clock_settime
        syscall_grouping: []

    - name: Check existence of clock_settime in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F
          key=time-change
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_clock_settime
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Perform remediation of Audit rules for clock_settime for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - clock_settime
        syscall_grouping: []

    - name: Check existence of clock_settime in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/time-change.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F
          key=time-change
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - clock_settime
        syscall_grouping: []

    - name: Check existence of clock_settime in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F
          key=time-change
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_clock_settime
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Set architecture for audit tasks
    set_fact:
      audit_arch: b64
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
      == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_settimeofday
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Perform remediation of Audit rules for settimeofday for 32bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - settimeofday
        syscall_grouping:
        - adjtimex
        - settimeofday
        - stime

    - name: Check existence of settimeofday in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - settimeofday
        syscall_grouping:
        - adjtimex
        - settimeofday
        - stime

    - name: Check existence of settimeofday in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_settimeofday
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Perform remediation of Audit rules for settimeofday for 64bit platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - settimeofday
        syscall_grouping:
        - adjtimex
        - settimeofday
        - stime

    - name: Check existence of settimeofday in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - settimeofday
        syscall_grouping:
        - adjtimex
        - settimeofday
        - stime

    - name: Check existence of settimeofday in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - audit_arch == "b64"
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_settimeofday
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Perform remediation of Audit rules for stime syscall for x86 platform
    block:

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - stime
        syscall_grouping:
        - adjtimex
        - settimeofday
        - stime

    - name: Check existence of stime in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
        {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
        []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
        | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
        item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
        | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
        sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
          | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
        - stime
        syscall_grouping:
        - adjtimex
        - settimeofday
        - stime

    - name: Check existence of stime in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
          -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
        | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
        }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
          | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - ( not ( ansible_architecture == "aarch64" ) and not ( ansible_architecture ==
      "s390x" ) )
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_stime
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Attempts to Alter the localtime File - Check if watch rule for /etc/localtime
      already exists in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+
      patterns: '*.rules'
    register: find_existing_watch_rules_d
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_watch_localtime
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Attempts to Alter the localtime File - Search /etc/audit/rules.d
      for other rules with specified key audit_time_rules
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: ^.*(?:-F key=|-k\s+)audit_time_rules$
      patterns: '*.rules'
    register: find_watch_key
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_watch_localtime
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Attempts to Alter the localtime File - Use /etc/audit/rules.d/audit_time_rules.rules
      as the recipient for the rule
    ansible.builtin.set_fact:
      all_files:
      - /etc/audit/rules.d/audit_time_rules.rules
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
      is defined and find_existing_watch_rules_d.matched == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_watch_localtime
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Attempts to Alter the localtime File - Use matched file as the recipient
      for the rule
    ansible.builtin.set_fact:
      all_files:
      - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
      is defined and find_existing_watch_rules_d.matched == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_watch_localtime
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Attempts to Alter the localtime File - Add watch rule for /etc/localtime
      in /etc/audit/rules.d/
    ansible.builtin.lineinfile:
      path: '{{ all_files[0] }}'
      line: -w /etc/localtime -p wa -k audit_time_rules
      create: true
      mode: '0600'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_watch_localtime
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Attempts to Alter the localtime File - Check if watch rule for /etc/localtime
      already exists in /etc/audit/audit.rules
    ansible.builtin.find:
      paths: /etc/audit/
      contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+
      patterns: audit.rules
    register: find_existing_watch_audit_rules
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_watch_localtime
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Record Attempts to Alter the localtime File - Add watch rule for /etc/localtime
      in /etc/audit/audit.rules
    ansible.builtin.lineinfile:
      line: -w /etc/localtime -p wa -k audit_time_rules
      state: present
      dest: /etc/audit/audit.rules
      create: true
      mode: '0600'
    when:
    - '"audit" in ansible_facts.packages'
    - ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
    - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
      == 0
    tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_watch_localtime
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

Youez - 2016 - github.com/yon3zu
LinuXploit