Add configuration-content

ash-linux/el9/RuleById/low/content_rule_configure_usbguard_auditbackend.sls

@@ -2,6 +2,9 @@
 # Finding Level:        low
 #
 # Rule Summary:
+#       Configure USBGuard daemon to log via Linux Audit service by setting the
+#       `AuditBackend` option in the `/etc/usbguard/usbguard-daemon.conf`
+#       file to `LinuxAudit`
 #
 # Identifiers:
 #   - content_rule_configure_usbguard_auditbackend
@@ -21,3 +24,51 @@
 #     - SRG-OS-000471-GPOS-00215
 #   - APP-SRG
 #     - SRG-APP-000141-CTR-000315
+#
+#################################################################
+{%- set stig_id = 'configure_usbguard_auditbackend' %}
+{%- set helperLoc = tpldir ~ '/files' %}
+{%- set skipIt = salt.pillar.get('ash-linux:lookup:skip-stigs', []) %}
+{%- set cfgFile = '/etc/usbguard/usbguard-daemon.conf' %}
+
+{{ stig_id }}-description:
+  test.show_notification:
+    - text: |
+        --------------------------------------
+        STIG Finding ID: {{ stig_id }}:
+          Configure USBGuard daemon to log via
+          Linux Audit service
+        --------------------------------------
+
+{%- if stig_id in skipIt %}
+notify_{{ stig_id }}-skipSet:
+  test.show_notification:
+    - text: |
+        Handler for {{ stig_id }} has been selected for skip.
+{%- else %}
+# Ensure file-protections
+{{ cfgFile }} exists:
+  file.managed:
+    - name: '{{ cfgFile }}'
+    - mode: '0600'
+    - user: 'root'
+    - group: 'root'
+    - selinux:
+        serange: 's0'
+        serole: 'object_r'
+        setype: 'usbguard_conf_t'
+        seuser: 'system_u'
+
+# Make config-change
+file.replace:
+    - name: '{{ cfgFile }}'
+    - append_if_not_found: True
+    - not_found_content: |-
+        # Set per rule '{{ stig_id }}'
+        AuditBackend=LinuxAudit
+    - pattern: '^(|\s*)(AuditBackend)=.*$'
+    - repl: '# Set per rule "{{ stig_id }}"\n\1=LinuxAudit'
+    - require:
+      - file: {{ cfgFile }} exists
+
+{%- endif %}