Configure journald.conf anyway #320

Closed
wants to merge 1 commit into from

bbaassssiiee
Member

Overall Review of Changes:
Run an extra task file to configure journald.conf to make the openscap scanner happy.

Issue Fixes:
#319

Enhancements:

How has this been tested?:

#!/usr/bin/env ansible-playbook
---
- name: Security Audit
  hosts: all
  become: true
  gather_facts: true

  pre_tasks:

    - name: Install packages
      ansible.builtin.package:
        state: present
        name:
          - openscap-scanner
          - scap-security-guide

  post_tasks:

    - name: Run the audit and create a report.
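      # YAML folds this multi-line plain scalar into one command line, so no
      # shell line-continuation backslash is needed (a folded "\ " would escape
      # the following space and break the --report option).
      ansible.builtin.shell:
        set -o pipefail;
        oscap xccdf eval
          --report /tmp/report.html
          --fetch-remote-resources
          --profile cis
          /usr/share/xml/scap/ssg/content/ssg-almalinux8-ds.xml
          | grep -B3 fail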
      changed_when: true
      no_log: false
      failed_when: false

    - name: Set permissions
      ansible.builtin.file:
        path: /tmp/report.html
        owner: "{{ ansible_ssh_user }}"
        mode: '0600'

    - name: Fetch report
      become: false
      ansible.builtin.fetch:
        src: /tmp/report.html
        dest: ../docs/compliance-reports/openscap.html
        flat: true
...

uk-bolly added a commit that referenced this pull request Oct 23, 2023
@uk-bolly
Member

Hi @bbaassssiiee

Thank you as always.
After discussing this, I have approached this in a slightly different way by adding the conditional to the tasks themselves so these are controlled at the task level.
I will also update the relevant audit controls to go alongside this new setup. I have raised the new branch and linked it.

Kindest regards

uk-bolly

@uk-bolly uk-bolly mentioned this pull request Oct 24, 2023
@bbaassssiiee
Member Author

@uk-bolly your solution is more elegant, thanks!!

@bbaassssiiee bbaassssiiee deleted the bugfix/319 branch October 24, 2023 12:59