.gitignore

@@ -0,0 +1,11 @@
+# ---> Ansible
+*.retry
+plugins
+library
+
+# ---> Python
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+

.markdownlint.yml

@@ -0,0 +1,7 @@
+---
+default: True
+MD013: False
+MD041: False
+MD024: False
+MD004:
+  style: dash

.prettierignore

@@ -0,0 +1 @@
+LICENSE

.woodpecker/docs.yaml

@@ -0,0 +1,47 @@
+---
+when:
+  - event: [pull_request]
+  - event: [push, manual]
+    branch:
+      - ${CI_REPO_DEFAULT_BRANCH}
+
+steps:
+  - name: generate
+    image: quay.io/thegeeklab/ansible-doctor
+    environment:
+      ANSIBLE_DOCTOR_EXCLUDE_FILES: "['molecule/']"
+      ANSIBLE_DOCTOR_RENDERER__FORCE_OVERWRITE: "true"
+      ANSIBLE_DOCTOR_LOGGING__LEVEL: info
+      ANSIBLE_DOCTOR_ROLE__NAME: ${CI_REPO_NAME}
+      ANSIBLE_DOCTOR_TEMPLATE__NAME: readme
+
+  - name: format
+    image: quay.io/thegeeklab/alpine-tools
+    commands:
+      - prettier -w README.md
+
+  - name: diff
+    image: quay.io/thegeeklab/alpine-tools
+    commands:
+      - git diff --color=always README.md
+
+  - name: publish
+    image: quay.io/thegeeklab/wp-git-action
+    settings:
+      action:
+        - commit
+        - push
+      author_email: ci-bot@rknet.org
+      author_name: ci-bot
+      branch: main
+      message: "[skip ci] automated docs update"
+      netrc_machine: gitea.rknet.org
+      netrc_password:
+        from_secret: gitea_token
+    when:
+      - event: [push, manual]
+        branch:
+          - ${CI_REPO_DEFAULT_BRANCH}
+
+depends_on:
+  - test

.woodpecker/lint.yaml

@@ -0,0 +1,30 @@
+---
+when:
+  - event: [pull_request, tag]
+  - event: [push, manual]
+    branch:
+      - ${CI_REPO_DEFAULT_BRANCH}
+
+steps:
+  - name: ansible-lint
+    image: quay.io/thegeeklab/ansible-dev-tools:1
+    commands:
+      - ansible-lint
+    environment:
+      FORCE_COLOR: "1"
+
+  - name: python-format
+    image: docker.io/python:3.12
+    commands:
+      - pip install -qq ruff
+      - ruff format --check --diff .
+    environment:
+      PY_COLORS: "1"
+
+  - name: python-lint
+    image: docker.io/python:3.12
+    commands:
+      - pip install -qq ruff
+      - ruff check .
+    environment:
+      PY_COLORS: "1"

.woodpecker/notify.yml

@@ -0,0 +1,26 @@
+---
+when:
+  - event: [tag]
+  - event: [push, manual]
+    branch:
+      - ${CI_REPO_DEFAULT_BRANCH}
+
+runs_on: [success, failure]
+
+steps:
+  - name: matrix
+    image: quay.io/thegeeklab/wp-matrix
+    settings:
+      homeserver:
+        from_secret: matrix_homeserver
+      room_id:
+        from_secret: matrix_room_id
+      user_id:
+        from_secret: matrix_user_id
+      access_token:
+        from_secret: matrix_access_token
+    when:
+      - status: [failure]
+
+depends_on:
+  - docs

.woodpecker/test.yaml

@@ -0,0 +1,25 @@
+---
+when:
+  - event: [pull_request, tag]
+  - event: [push, manual]
+    branch:
+      - ${CI_REPO_DEFAULT_BRANCH}
+
+variables:
+  - &molecule_image quay.io/thegeeklab/ansible-dev-tools:1
+  - &molecule_base
+    depends_on: []
+    environment:
+      PY_COLORS: "1"
+      HCLOUD_TOKEN:
+        from_secret: molecule_hcloud_token
+
+steps:
+  - name: molecule-default
+    image: *molecule_image
+    <<: *molecule_base
+    commands:
+      - molecule test -s default
+
+depends_on:
+  - lint

.yamllint

@@ -0,0 +1,20 @@
+---
+extends: default
+
+rules:
+  truthy:
+    allowed-values: ["True", "False"]
+  comments:
+    min-spaces-from-content: 1
+  comments-indentation: False
+  line-length: disable
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 1
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+  indentation: enable
+  octal-values:
+    forbid-implicit-octal: True
+    forbid-explicit-octal: True

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Robert Kaussow <mail@thegeeklab.de>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is furnished
+to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice (including the next
+paragraph) shall be included in all copies or substantial portions of the
+Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
+OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
+OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -1,14 +1,13 @@
----
-title: auditd
-type: docs
----
+# xoxys.auditd
 
-[![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.auditd) [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.auditd?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.auditd) [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.auditd/src/branch/main/LICENSE)
+[![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.auditd/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.auditd)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.auditd/src/branch/main/LICENSE)
 
 Setup the Linux Auditing System.
 
-<!--more-->
+## Table of content
 
+- [Requirements](#requirements)
 - [Default Variables](#default-variables)
   - [auditd_action_mail_acct](#auditd_action_mail_acct)
   - [auditd_admin_space_left_action](#auditd_admin_space_left_action)
@@ -29,9 +28,15 @@ Setup the Linux Auditing System.
   - [auditd_refuse_manual_stop](#auditd_refuse_manual_stop)
   - [auditd_space_left_action](#auditd_space_left_action)
 - [Dependencies](#dependencies)
+- [License](#license)
+- [Author](#author)
 
 ---
 
+## Requirements
+
+- Minimum Ansible version: `2.10`
+
 ## Default Variables
 
 ### auditd_action_mail_acct
@@ -60,7 +65,8 @@ auditd_buffer_size: 8192
 
 ### auditd_config_immutable
 
-The auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), use this option to make the auditd configuration immutable.
+The auditd daemon is configured to use the augenrules program to read audit rules during
+daemon startup (the default), use this option to make the auditd configuration immutable.
 
 #### Default value
 
@@ -70,7 +76,8 @@ auditd_config_immutable: false
 
 ### auditd_exclude_rule_stages
 
-There is a set of pre-defined rule stages you can exclude if needed. Availabe stages: 10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize
+There is a set of pre-defined rule stages you can exclude if needed. Availabe stages:
+10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize
 
 #### Default value
 
@@ -292,7 +299,8 @@ auditd_reboot_on_change: false
 
 ### auditd_refuse_manual_stop
 
-This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead. For security reasons, this option should only be disabled for testing purposes.
+This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead.
+For security reasons, this option should only be disabled for testing purposes.
 
 #### Default value
 
@@ -308,8 +316,14 @@ auditd_refuse_manual_stop: true
 auditd_space_left_action: email
 ```
 
-
-
 ## Dependencies
 
 None.
+
+## License
+
+MIT
+
+## Author
+
+[Robert Kaussow](https://gitea.rknet.org/xoxys)

defaults/main.yml

@@ -0,0 +1,131 @@
+---
+# @var auditd_exclude_rule_stages:description: >
+# There is a set of pre-defined rule stages you can exclude if needed. Availabe stages:
+# 10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize
+# @var auditd_exclude_rule_stages:example: $ ["10-start.rules", "90-finalize"]
+auditd_exclude_rule_stages: []
+
+# @var auditd_refuse_manual_stop:description: >
+# This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead.
+# For security reasons, this option should only be disabled for testing purposes.
+auditd_refuse_manual_stop: True
+auditd_reboot_on_change: False
+
+# @var auditd_config_immutable:description: >
+# The auditd daemon is configured to use the augenrules program to read audit rules during
+# daemon startup (the default), use this option to make the auditd configuration immutable.
+auditd_config_immutable: False
+
+auditd_buffer_size: 8192
+# @var auditd_failure_mode:description: >
+# Possible values: 0 (silent) | 1 (printk, print a failure message) | 2 (panic, halt the system)
+auditd_failure_mode: 1
+
+# @var auditd_max_log_file:description: Maximum size of a single logfile (MB)
+auditd_max_log_file: 10
+# @var auditd_num_logs:description: Number of logs to keep
+auditd_num_logs: 5
+
+auditd_space_left_action: email
+auditd_action_mail_acct: root
+auditd_admin_space_left_action: halt
+auditd_max_log_file_action: rotate
+
+auditd_filter_rules_default:
+  - comment: Ignore current working directory records
+    rule: "-a always,exclude -F msgtype=CWD"
+  - comment: Ignore EOE records (End Of Event, not needed)
+    rule: "-a always,exclude -F msgtype=EOE"
+  - comment: Cron jobs fill the logs with stuff we normally don't want
+    rule:
+      - "-a never,user -F subj_type=crond_t"
+      - "-a exit,never -F subj_type=crond_t"
+  - comment: This is not very interesting and wastes a lot of space if the server is public facing
+    rule: "-a always,exclude -F msgtype=CRYPTO_KEY_USER"
+  - comment: High Volume Event Filter
+    rule:
+      - "-a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess"
+      - "-a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess"
+      - "-a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm"
+      - "-a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm"
+
+# @var auditd_filter_rules_extra:example: >
+# auditd_filter_rules_extra:
+#   - comment: Ignore current working directory records # defaults to not set
+#     rule: '-a always,exclude -F msgtype=CWD' # can be list or string
+#     state: present # defaults to present
+auditd_filter_rules_extra: []
+
+auditd_main_rules_default:
+  - comment: CIS 4.1.3.1 - Changes to system administration scope
+    rule:
+      - "-w /etc/sudoers -p wa -k actions"
+      - "-w /etc/sudoers.d/ -p wa -k actions"
+  - comment: CIS 4.1.3.4 - Events that modify date and time information
+    rule:
+      - "-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time_change"
+      - "-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time_change"
+      - "-w /etc/localtime -p wa -k time-change"
+  - comment: CIS 4.1.3.5 - Changes to the network environment
+    rule:
+      - "-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale"
+      - "-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale"
+      - "-w /etc/issue -p wa -k system-locale"
+      - "-w /etc/issue.net -p wa -k system-locale"
+      - "-w /etc/hosts -p wa -k system-locale"
+      - "-w /etc/sysconfig/network -p wa -k system-locale"
+      - "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale"
+  - comment: CIS 4.1.3.7 - Unsuccessful file access attempts
+    rule:
+      - "-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access"
+      - "-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access"
+      - "-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access"
+      - "-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access"
+  - comment: CIS 4.1.3.8 - Modify user/group information
+    rule:
+      - "-w /etc/group -p wa -k identity"
+      - "-w /etc/passwd -p wa -k identity"
+      - "-w /etc/gshadow -p wa -k identity"
+      - "-w /etc/shadow -p wa -k identity"
+      - "-w /etc/security/opasswd -p wa -k identity"
+  - comment: CIS 4.1.3.9 - Discretionary access control permission modifications
+    rule:
+      - "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
+      - "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
+      - "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
+      - "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
+      - "-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
+      - "-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
+  - comment: CIS 4.1.3.10 - Successful file system mounts
+    rule:
+      - "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
+      - "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
+  - comment: CIS 4.1.3.11 - Session initiation information
+    rule:
+      - "-w /var/run/utmp -p wa -k session"
+      - "-w /var/log/wtmp -p wa -k logins"
+      - "-w /var/log/btmp -p wa -k logins"
+  - comment: CIS 4.1.3.12 - Login and logout events
+    rule:
+      - "-w /var/log/lastlog -p wa -k logins"
+      - "-w /var/log/tallylog -p wa -k logins"
+      - "-w /var/run/faillock -p wa -k logins"
+  - comment: CIS 4.1.3.13 - File deletion events by users
+    rule:
+      - "-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete"
+      - "-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete"
+  - comment: CIS 4.1.3.14 - Changes to the Mandatory Access Controls
+    rule:
+      - "-w /etc/selinux/ -p wa -k MAC-policy"
+      - "-w /usr/share/selinux/ -p wa -k MAC-policy"
+  - comment: CIS 4.1.3.19 - Kernel module loading unloading and modification
+    rule:
+      - "-a always,exit -F arch=b64 -S finit_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules"
+      - "-a always,exit -F arch=b32 -S finit_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules"
+      - "-a always,exit -F arch=b64 -S init_module,delete_module -k kernel_modules"
+      - "-a always,exit -F arch=b32 -S init_module,delete_module -k kernel_modules"
+      - "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules"
+auditd_main_rules_extra: []
+
+auditd_optional_rules_default: []
+auditd_optional_rules_extra: []

handlers/main.yml

@@ -0,0 +1,17 @@
+---
+- name: Restart auditd
+  ansible.builtin.service:
+    name: auditd
+    daemon_reload: True
+    enabled: True
+    state: started
+  when: not auditd_refuse_manual_stop | bool
+  listen: __auditd_restart
+
+- name: Reboot server
+  ansible.builtin.reboot:
+    reboot_timeout: 600
+  when:
+    - auditd_reboot_on_change | bool
+    - auditd_refuse_manual_stop | bool
+  listen: __auditd_restart

meta/main.yml

@@ -0,0 +1,21 @@
+---
+galaxy_info:
+  # @meta author:value: [Robert Kaussow](https://gitea.rknet.org/xoxys)
+  author: "Robert Kaussow <mail@thegeeklab.de>"
+  namespace: xoxys
+  role_name: auditd
+  # @meta description: >
+  # [![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.auditd/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.auditd)
+  # [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.auditd/src/branch/main/LICENSE)
+  #
+  # Setup the Linux Auditing System.
+  # @end
+  description: Setup the Linux Auditing System
+  license: MIT
+  min_ansible_version: "2.10"
+  platforms:
+    - name: EL
+      versions:
+        - "9"
+  galaxy_tags: []
+dependencies: []

molecule/default/converge.yml

@@ -0,0 +1,7 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    auditd_refuse_manual_stop: False
+  roles:
+    - role: xoxys.auditd

molecule/default/molecule.yml

@@ -0,0 +1,17 @@
+---
+driver:
+  name: molecule_hetznercloud
+dependency:
+  name: galaxy
+  options:
+    role-file: requirements.yml
+    requirements-file: requirements.yml
+platforms:
+  - name: "rocky9-auditd"
+    server_type: "cx22"
+    image: "rocky-9"
+provisioner:
+  name: ansible
+  log: False
+verifier:
+  name: testinfra

molecule/default/prepare.yml

@@ -0,0 +1,11 @@
+---
+- name: Prepare
+  hosts: all
+  gather_facts: False
+  tasks:
+    - name: Bootstrap Python for Ansible
+      ansible.builtin.raw: |
+        command -v python3 python ||
+        ((test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
+        echo "Warning: Python not boostrapped due to unknown platform.")
+      changed_when: False

molecule/default/tests/test_default.py

@@ -0,0 +1,13 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ["MOLECULE_INVENTORY_FILE"]
+).get_hosts("all")
+
+
+def test_auditd_running_and_enabled(host):
+    auditd = host.service("auditd")
+    assert auditd.is_running
+    assert auditd.is_enabled

pyproject.toml

@@ -0,0 +1,17 @@
+[tool.ruff]
+exclude = [".git", "__pycache__"]
+
+line-length = 99
+indent-width = 4
+
+[tool.ruff.lint]
+ignore = ["W191", "E111", "E114", "E117", "S101", "S105"]
+select = ["F", "E", "I", "W", "S"]
+
+[tool.ruff.format]
+quote-style = "double"
+indent-style = "space"
+line-ending = "lf"
+
+[tool.pytest.ini_options]
+filterwarnings = ["ignore::FutureWarning", "ignore::DeprecationWarning"]

requirements.yml

@@ -0,0 +1,4 @@
+---
+collections: []
+
+roles: []

tasks/main.yml

@@ -0,0 +1,74 @@
+---
+- name: Install required packages
+  loop:
+    - audit
+    - audispd-plugins
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+
+- name: Create folders
+  ansible.builtin.file:
+    name: "{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: "0750"
+  loop:
+    - /etc/audit/rules.d/
+    - /etc/systemd/system/auditd.service.d/
+
+- name: Create systemd override
+  ansible.builtin.template:
+    src: etc/systemd/system/auditd.service.d/override.conf.j2
+    dest: "/etc/systemd/system/auditd.service.d/override.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: __auditd_restart
+
+- name: Create config file
+  ansible.builtin.template:
+    src: etc/audit/auditd.conf.j2
+    dest: "/etc/audit/auditd.conf"
+    owner: root
+    group: root
+    mode: "0640"
+  notify: __auditd_restart
+
+- name: Create rules files
+  ansible.builtin.template:
+    src: "etc/audit/rules.d/{{ item }}.j2"
+    dest: "/etc/audit/rules.d/{{ item }}"
+    owner: root
+    group: root
+    mode: "0640"
+  loop: "{{ __auditd_rule_templates }}"
+  loop_control:
+    label: "/etc/audit/rules.d/{{ item }}"
+  when: item not in auditd_exclude_rule_stages
+  notify: __auditd_restart
+
+- name: Register rules files
+  ansible.builtin.find:
+    paths: /etc/audit/rules.d/
+    file_type: file
+    patterns: "*.rules"
+  register: __auditd_rules_active
+  changed_when: False
+  failed_when: False
+
+- name: Remove unmanaged rules files
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop: "{{ __auditd_rules_active.files | map(attribute='path') | list }}"
+  notify: __auditd_restart
+  when: item | basename not in __auditd_rule_templates
+
+- name: Ensure audit service is up and running
+  ansible.builtin.service:
+    name: auditd
+    daemon_reload: True
+    enabled: True
+    state: started

templates/etc/audit/auditd.conf.j2

@@ -0,0 +1,38 @@
+#jinja2: lstrip_blocks: True
+{{ ansible_managed | comment }}
+local_events = yes
+write_logs = yes
+log_file = /var/log/audit/audit.log
+log_group = root
+log_format = ENRICHED
+flush = INCREMENTAL_ASYNC
+freq = 50
+max_log_file = {{ auditd_max_log_file }}
+num_logs = {{ auditd_num_logs }}
+priority_boost = 4
+name_format = NONE
+##name = mydomain
+max_log_file_action = {{ auditd_max_log_file_action }}
+space_left = 75
+space_left_action = {{ auditd_space_left_action }}
+verify_email = yes
+action_mail_acct = {{ auditd_action_mail_acct }}
+admin_space_left = 50
+admin_space_left_action = {{ auditd_admin_space_left_action }}
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+use_libwrap = yes
+##tcp_listen_port = 60
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+transport = TCP
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
+distribute_network = no
+q_depth = 1200
+overflow_action = SYSLOG
+max_restarts = 10
+plugin_dir = /etc/audit/plugins.d
+end_of_event_timeout = 2

templates/etc/audit/rules.d/10-start.rules.j2

@@ -0,0 +1,13 @@
+## Make the loginuid immutable. This prevents tampering with the auid.
+--loginuid-immutable
+
+## Remove any existing rules
+-D
+
+## Buffer Size
+# Feel free to increase this if the machine panic's
+-b {{ auditd_buffer_size }}
+
+## Failure Mode
+# Possible values: 0 (silent), 1 (printk, print a failure message), 2 (panic, halt the system)
+-f {{ auditd_failure_mode }}

templates/etc/audit/rules.d/20-selfaudit.rules.j2

@@ -0,0 +1,11 @@
+## Audit the audit logs
+-w /var/log/audit/ -k auditlog
+
+## Auditd configuration
+-w /etc/audit/ -p wa -k auditconfig
+-w /etc/libaudit.conf -p wa -k auditconfig
+-w /etc/audisp/ -p wa -k audispconfig
+
+## Monitor for use of audit management tools
+-w /sbin/auditctl -p x -k audittools
+-w /sbin/auditd -p x -k audittools

templates/etc/audit/rules.d/30-filter.rules.j2

@@ -0,0 +1,15 @@
+{% for item in (auditd_filter_rules_default + auditd_filter_rules_extra )%}
+{% if item.state | default("present") == "present" %}
+{% if item.comment is defined and item.comment %}
+## {{ item.comment }}
+{% endif %}
+{% if not item.rule is string and item.rule is iterable %}
+{% for rule in item.rule %}
+{{ rule }}
+{% endfor %}
+{% else %}
+{{ item.rule }}
+{% endif %}
+
+{% endif %}
+{% endfor %}

templates/etc/audit/rules.d/40-main.rules.j2

@@ -0,0 +1,13 @@
+{% for item in (auditd_main_rules_default + auditd_main_rules_extra) %}
+{% if item.comment is defined and item.comment %}
+## {{ item.comment }}
+{% endif %}
+{% if not item.rule is string and item.rule is iterable %}
+{% for rule in item.rule %}
+{{ rule }}
+{% endfor %}
+{% else %}
+{{ item.rule }}
+{% endif %}
+
+{% endfor %}

templates/etc/audit/rules.d/50-optional.rules.j2

@@ -0,0 +1,13 @@
+{% for item in (auditd_optional_rules_default + auditd_optional_rules_extra) %}
+{% if item.comment is defined and item.comment %}
+## {{ item.comment }}
+{% endif %}
+{% if not item.rule is string and item.rule is iterable %}
+{% for rule in item.rule %}
+{{ rule }}
+{% endfor %}
+{% else %}
+{{ item.rule }}
+{% endif %}
+
+{% endfor %}

templates/etc/audit/rules.d/90-finalize.rules.j2

@@ -0,0 +1,4 @@
+{% if auditd_config_immutable | bool %}
+## Make the configuration immutable
+-e 2
+{% endif %}

templates/etc/systemd/system/auditd.service.d/override.conf.j2

@@ -0,0 +1,9 @@
+#jinja2: lstrip_blocks: True
+{{ ansible_managed | comment }}
+{% if not auditd_refuse_manual_stop | bool %}
+[Unit]
+RefuseManualStop=no
+
+{% endif %}
+[Service]
+ExecStartPost=-/sbin/augenrules --load

vars/main.yml

@@ -0,0 +1,8 @@
+---
+__auditd_rule_templates:
+  - 10-start.rules
+  - 20-selfaudit.rules
+  - 30-filter.rules
+  - 40-main.rules
+  - 50-optional.rules
+  - 90-finalize.rules