ansible/xoxys.auditd
0
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: ansible:main
Branches Tags
ansible:main
ansible:fix-molecule
ansible:docs
..
compare: ansible:docs
Branches Tags
ansible:main
ansible:fix-molecule
ansible:docs

No commits in common. "main" and "docs" have entirely different histories.
main ... docs

29 changed files with 11 additions and 649 deletions
Show Stats Expand all files Collapse all files

11
.gitignore vendored
View File

@ -1,11 +0,0 @@
# ---> Ansible
*.retry
plugins
library
# ---> Python
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

7
.markdownlint.yml
View File

@ -1,7 +0,0 @@
---
default: True
MD013: False
MD041: False
MD024: False
MD004:
style: dash

1
.prettierignore
View File

@ -1 +0,0 @@
LICENSE

47
.woodpecker/docs.yaml
View File

@ -1,47 +0,0 @@
---
when:
- event: [pull_request]
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
steps:
- name: generate
image: quay.io/thegeeklab/ansible-doctor
environment:
ANSIBLE_DOCTOR_EXCLUDE_FILES: "['molecule/']"
ANSIBLE_DOCTOR_RENDERER__FORCE_OVERWRITE: "true"
ANSIBLE_DOCTOR_LOGGING__LEVEL: info
ANSIBLE_DOCTOR_ROLE__NAME: ${CI_REPO_NAME}
ANSIBLE_DOCTOR_TEMPLATE__NAME: readme
- name: format
image: quay.io/thegeeklab/alpine-tools
commands:
- prettier -w README.md
- name: diff
image: quay.io/thegeeklab/alpine-tools
commands:
- git diff --color=always README.md
- name: publish
image: quay.io/thegeeklab/wp-git-action
settings:
action:
- commit
- push
author_email: ci-bot@rknet.org
author_name: ci-bot
branch: main
message: "[skip ci] automated docs update"
netrc_machine: gitea.rknet.org
netrc_password:
from_secret: gitea_token
when:
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
depends_on:
- test

30
.woodpecker/lint.yaml
View File

@ -1,30 +0,0 @@
---
when:
- event: [pull_request, tag]
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
steps:
- name: ansible-lint
image: quay.io/thegeeklab/ansible-dev-tools:1
commands:
- ansible-lint
environment:
FORCE_COLOR: "1"
- name: python-format
image: docker.io/python:3.12
commands:
- pip install -qq ruff
- ruff format --check --diff .
environment:
PY_COLORS: "1"
- name: python-lint
image: docker.io/python:3.12
commands:
- pip install -qq ruff
- ruff check .
environment:
PY_COLORS: "1"

26
.woodpecker/notify.yml
View File

@ -1,26 +0,0 @@
---
when:
- event: [tag]
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
runs_on: [success, failure]
steps:
- name: matrix
image: quay.io/thegeeklab/wp-matrix
settings:
homeserver:
from_secret: matrix_homeserver
room_id:
from_secret: matrix_room_id
user_id:
from_secret: matrix_user_id
access_token:
from_secret: matrix_access_token
when:
- status: [failure]
depends_on:
- docs

25
.woodpecker/test.yaml
View File

@ -1,25 +0,0 @@
---
when:
- event: [pull_request, tag]
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
variables:
- &molecule_image quay.io/thegeeklab/ansible-dev-tools:1
- &molecule_base
depends_on: []
environment:
PY_COLORS: "1"
HCLOUD_TOKEN:
from_secret: molecule_hcloud_token
steps:
- name: molecule-default
image: *molecule_image
<<: *molecule_base
commands:
- molecule test -s default
depends_on:
- lint

20
.yamllint
View File

@ -1,20 +0,0 @@
---
extends: default
rules:
truthy:
allowed-values: ["True", "False"]
comments:
min-spaces-from-content: 1
comments-indentation: False
line-length: disable
braces:
min-spaces-inside: 0
max-spaces-inside: 1
brackets:
min-spaces-inside: 0
max-spaces-inside: 0
indentation: enable
octal-values:
forbid-implicit-octal: True
forbid-explicit-octal: True

21
LICENSE
View File

@ -1,21 +0,0 @@
MIT License
Copyright (c) 2022 Robert Kaussow <mail@thegeeklab.de>
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished
to do so, subject to the following conditions:
The above copyright notice and this permission notice (including the next
paragraph) shall be included in all copies or substantial portions of the
Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

131
defaults/main.yml
View File

@ -1,131 +0,0 @@
---
# @var auditd_exclude_rule_stages:description: >
# There is a set of pre-defined rule stages you can exclude if needed. Availabe stages:
# 10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize
# @var auditd_exclude_rule_stages:example: $ ["10-start.rules", "90-finalize"]
auditd_exclude_rule_stages: []
# @var auditd_refuse_manual_stop:description: >
# This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead.
# For security reasons, this option should only be disabled for testing purposes.
auditd_refuse_manual_stop: True
auditd_reboot_on_change: False
# @var auditd_config_immutable:description: >
# The auditd daemon is configured to use the augenrules program to read audit rules during
# daemon startup (the default), use this option to make the auditd configuration immutable.
auditd_config_immutable: False
auditd_buffer_size: 8192
# @var auditd_failure_mode:description: >
# Possible values: 0 (silent) | 1 (printk, print a failure message) | 2 (panic, halt the system)
auditd_failure_mode: 1
# @var auditd_max_log_file:description: Maximum size of a single logfile (MB)
auditd_max_log_file: 10
# @var auditd_num_logs:description: Number of logs to keep
auditd_num_logs: 5
auditd_space_left_action: email
auditd_action_mail_acct: root
auditd_admin_space_left_action: halt
auditd_max_log_file_action: rotate
auditd_filter_rules_default:
- comment: Ignore current working directory records
rule: "-a always,exclude -F msgtype=CWD"
- comment: Ignore EOE records (End Of Event, not needed)
rule: "-a always,exclude -F msgtype=EOE"
- comment: Cron jobs fill the logs with stuff we normally don't want
rule:
- "-a never,user -F subj_type=crond_t"
- "-a exit,never -F subj_type=crond_t"
- comment: This is not very interesting and wastes a lot of space if the server is public facing
rule: "-a always,exclude -F msgtype=CRYPTO_KEY_USER"
- comment: High Volume Event Filter
rule:
- "-a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess"
- "-a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess"
- "-a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm"
- "-a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm"
# @var auditd_filter_rules_extra:example: >
# auditd_filter_rules_extra:
# - comment: Ignore current working directory records # defaults to not set
# rule: '-a always,exclude -F msgtype=CWD' # can be list or string
# state: present # defaults to present
auditd_filter_rules_extra: []
auditd_main_rules_default:
- comment: CIS 4.1.3.1 - Changes to system administration scope
rule:
- "-w /etc/sudoers -p wa -k actions"
- "-w /etc/sudoers.d/ -p wa -k actions"
- comment: CIS 4.1.3.4 - Events that modify date and time information
rule:
- "-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time_change"
- "-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time_change"
- "-w /etc/localtime -p wa -k time-change"
- comment: CIS 4.1.3.5 - Changes to the network environment
rule:
- "-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale"
- "-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale"
- "-w /etc/issue -p wa -k system-locale"
- "-w /etc/issue.net -p wa -k system-locale"
- "-w /etc/hosts -p wa -k system-locale"
- "-w /etc/sysconfig/network -p wa -k system-locale"
- "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale"
- comment: CIS 4.1.3.7 - Unsuccessful file access attempts
rule:
- "-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access"
- "-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access"
- "-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access"
- "-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access"
- comment: CIS 4.1.3.8 - Modify user/group information
rule:
- "-w /etc/group -p wa -k identity"
- "-w /etc/passwd -p wa -k identity"
- "-w /etc/gshadow -p wa -k identity"
- "-w /etc/shadow -p wa -k identity"
- "-w /etc/security/opasswd -p wa -k identity"
- comment: CIS 4.1.3.9 - Discretionary access control permission modifications
rule:
- "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
- "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
- "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
- "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
- "-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
- "-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
- comment: CIS 4.1.3.10 - Successful file system mounts
rule:
- "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
- "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
- comment: CIS 4.1.3.11 - Session initiation information
rule:
- "-w /var/run/utmp -p wa -k session"
- "-w /var/log/wtmp -p wa -k logins"
- "-w /var/log/btmp -p wa -k logins"
- comment: CIS 4.1.3.12 - Login and logout events
rule:
- "-w /var/log/lastlog -p wa -k logins"
- "-w /var/log/tallylog -p wa -k logins"
- "-w /var/run/faillock -p wa -k logins"
- comment: CIS 4.1.3.13 - File deletion events by users
rule:
- "-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete"
- "-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete"
- comment: CIS 4.1.3.14 - Changes to the Mandatory Access Controls
rule:
- "-w /etc/selinux/ -p wa -k MAC-policy"
- "-w /usr/share/selinux/ -p wa -k MAC-policy"
- comment: CIS 4.1.3.19 - Kernel module loading unloading and modification
rule:
- "-a always,exit -F arch=b64 -S finit_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules"
- "-a always,exit -F arch=b32 -S finit_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules"
- "-a always,exit -F arch=b64 -S init_module,delete_module -k kernel_modules"
- "-a always,exit -F arch=b32 -S init_module,delete_module -k kernel_modules"
- "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules"
auditd_main_rules_extra: []
auditd_optional_rules_default: []
auditd_optional_rules_extra: []

17
handlers/main.yml
View File

@ -1,17 +0,0 @@
---
- name: Restart auditd
ansible.builtin.service:
name: auditd
daemon_reload: True
enabled: True
state: started
when: not auditd_refuse_manual_stop | bool
listen: __auditd_restart
- name: Reboot server
ansible.builtin.reboot:
reboot_timeout: 600
when:
- auditd_reboot_on_change | bool
- auditd_refuse_manual_stop | bool
listen: __auditd_restart

36
README.md → index.md
View File

@ -1,13 +1,14 @@
# xoxys.auditd ---
title: auditd
type: docs
---
[![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.auditd/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.auditd) [![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.auditd) [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.auditd?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.auditd) [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.auditd/src/branch/main/LICENSE)
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.auditd/src/branch/main/LICENSE)
Setup the Linux Auditing System. Setup the Linux Auditing System.
## Table of content <!--more-->
- [Requirements](#requirements)
- [Default Variables](#default-variables) - [Default Variables](#default-variables)
- [auditd_action_mail_acct](#auditd_action_mail_acct) - [auditd_action_mail_acct](#auditd_action_mail_acct)
- [auditd_admin_space_left_action](#auditd_admin_space_left_action) - [auditd_admin_space_left_action](#auditd_admin_space_left_action)
@ -28,15 +29,9 @@ Setup the Linux Auditing System.
- [auditd_refuse_manual_stop](#auditd_refuse_manual_stop) - [auditd_refuse_manual_stop](#auditd_refuse_manual_stop)
- [auditd_space_left_action](#auditd_space_left_action) - [auditd_space_left_action](#auditd_space_left_action)
- [Dependencies](#dependencies) - [Dependencies](#dependencies)
- [License](#license)
- [Author](#author)
--- ---
## Requirements
- Minimum Ansible version: `2.10`
## Default Variables ## Default Variables
### auditd_action_mail_acct ### auditd_action_mail_acct
@ -65,8 +60,7 @@ auditd_buffer_size: 8192
### auditd_config_immutable ### auditd_config_immutable
The auditd daemon is configured to use the augenrules program to read audit rules during The auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), use this option to make the auditd configuration immutable.
daemon startup (the default), use this option to make the auditd configuration immutable.
#### Default value #### Default value
@ -76,8 +70,7 @@ auditd_config_immutable: false
### auditd_exclude_rule_stages ### auditd_exclude_rule_stages
There is a set of pre-defined rule stages you can exclude if needed. Availabe stages: There is a set of pre-defined rule stages you can exclude if needed. Availabe stages: 10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize
10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize
#### Default value #### Default value
@ -299,8 +292,7 @@ auditd_reboot_on_change: false
### auditd_refuse_manual_stop ### auditd_refuse_manual_stop
This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead. This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead. For security reasons, this option should only be disabled for testing purposes.
For security reasons, this option should only be disabled for testing purposes.
#### Default value #### Default value
@ -316,14 +308,8 @@ auditd_refuse_manual_stop: true
auditd_space_left_action: email auditd_space_left_action: email
``` ```
## Dependencies ## Dependencies
None. None.
## License
MIT
## Author
[Robert Kaussow](https://gitea.rknet.org/xoxys)

21
meta/main.yml
View File

@ -1,21 +0,0 @@
---
galaxy_info:
# @meta author:value: [Robert Kaussow](https://gitea.rknet.org/xoxys)
author: "Robert Kaussow <mail@thegeeklab.de>"
namespace: xoxys
role_name: auditd
# @meta description: >
# [![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.auditd/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.auditd)
# [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.auditd/src/branch/main/LICENSE)
#
# Setup the Linux Auditing System.
# @end
description: Setup the Linux Auditing System
license: MIT
min_ansible_version: "2.10"
platforms:
- name: EL
versions:
- "9"
galaxy_tags: []
dependencies: []

7
molecule/default/converge.yml
View File

@ -1,7 +0,0 @@
---
- name: Converge
hosts: all
vars:
auditd_refuse_manual_stop: False
roles:
- role: xoxys.auditd

17
molecule/default/molecule.yml
View File

@ -1,17 +0,0 @@
---
driver:
name: molecule_hetznercloud
dependency:
name: galaxy
options:
role-file: requirements.yml
requirements-file: requirements.yml
platforms:
- name: "rocky9-auditd"
server_type: "cx22"
image: "rocky-9"
provisioner:
name: ansible
log: False
verifier:
name: testinfra

11
molecule/default/prepare.yml
View File

@ -1,11 +0,0 @@
---
- name: Prepare
hosts: all
gather_facts: False
tasks:
- name: Bootstrap Python for Ansible
ansible.builtin.raw: |
command -v python3 python ||
((test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
echo "Warning: Python not boostrapped due to unknown platform.")
changed_when: False

13
molecule/default/tests/test_default.py
View File

@ -1,13 +0,0 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
def test_auditd_running_and_enabled(host):
auditd = host.service("auditd")
assert auditd.is_running
assert auditd.is_enabled

17
pyproject.toml
View File

@ -1,17 +0,0 @@
[tool.ruff]
exclude = [".git", "__pycache__"]
line-length = 99
indent-width = 4
[tool.ruff.lint]
ignore = ["W191", "E111", "E114", "E117", "S101", "S105"]
select = ["F", "E", "I", "W", "S"]
[tool.ruff.format]
quote-style = "double"
indent-style = "space"
line-ending = "lf"
[tool.pytest.ini_options]
filterwarnings = ["ignore::FutureWarning", "ignore::DeprecationWarning"]

4
requirements.yml
View File

@ -1,4 +0,0 @@
---
collections: []
roles: []

74
tasks/main.yml
View File

@ -1,74 +0,0 @@
---
- name: Install required packages
loop:
- audit
- audispd-plugins
ansible.builtin.package:
name: "{{ item }}"
state: present
- name: Create folders
ansible.builtin.file:
name: "{{ item }}"
state: directory
owner: root
group: root
mode: "0750"
loop:
- /etc/audit/rules.d/
- /etc/systemd/system/auditd.service.d/
- name: Create systemd override
ansible.builtin.template:
src: etc/systemd/system/auditd.service.d/override.conf.j2
dest: "/etc/systemd/system/auditd.service.d/override.conf"
owner: root
group: root
mode: "0644"
notify: __auditd_restart
- name: Create config file
ansible.builtin.template:
src: etc/audit/auditd.conf.j2
dest: "/etc/audit/auditd.conf"
owner: root
group: root
mode: "0640"
notify: __auditd_restart
- name: Create rules files
ansible.builtin.template:
src: "etc/audit/rules.d/{{ item }}.j2"
dest: "/etc/audit/rules.d/{{ item }}"
owner: root
group: root
mode: "0640"
loop: "{{ __auditd_rule_templates }}"
loop_control:
label: "/etc/audit/rules.d/{{ item }}"
when: item not in auditd_exclude_rule_stages
notify: __auditd_restart
- name: Register rules files
ansible.builtin.find:
paths: /etc/audit/rules.d/
file_type: file
patterns: "*.rules"
register: __auditd_rules_active
changed_when: False
failed_when: False
- name: Remove unmanaged rules files
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop: "{{ __auditd_rules_active.files | map(attribute='path') | list }}"
notify: __auditd_restart
when: item | basename not in __auditd_rule_templates
- name: Ensure audit service is up and running
ansible.builtin.service:
name: auditd
daemon_reload: True
enabled: True
state: started

38
templates/etc/audit/auditd.conf.j2
View File

@ -1,38 +0,0 @@
#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = {{ auditd_max_log_file }}
num_logs = {{ auditd_num_logs }}
priority_boost = 4
name_format = NONE
##name = mydomain
max_log_file_action = {{ auditd_max_log_file_action }}
space_left = 75
space_left_action = {{ auditd_space_left_action }}
verify_email = yes
action_mail_acct = {{ auditd_action_mail_acct }}
admin_space_left = 50
admin_space_left_action = {{ auditd_admin_space_left_action }}
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 1200
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
end_of_event_timeout = 2

13
templates/etc/audit/rules.d/10-start.rules.j2
View File

@ -1,13 +0,0 @@
## Make the loginuid immutable. This prevents tampering with the auid.
--loginuid-immutable
## Remove any existing rules
-D
## Buffer Size
# Feel free to increase this if the machine panic's
-b {{ auditd_buffer_size }}
## Failure Mode
# Possible values: 0 (silent), 1 (printk, print a failure message), 2 (panic, halt the system)
-f {{ auditd_failure_mode }}

11
templates/etc/audit/rules.d/20-selfaudit.rules.j2
View File

@ -1,11 +0,0 @@
## Audit the audit logs
-w /var/log/audit/ -k auditlog
## Auditd configuration
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig
## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools

15
templates/etc/audit/rules.d/30-filter.rules.j2
View File

@ -1,15 +0,0 @@
{% for item in (auditd_filter_rules_default + auditd_filter_rules_extra )%}
{% if item.state | default("present") == "present" %}
{% if item.comment is defined and item.comment %}
## {{ item.comment }}
{% endif %}
{% if not item.rule is string and item.rule is iterable %}
{% for rule in item.rule %}
{{ rule }}
{% endfor %}
{% else %}
{{ item.rule }}
{% endif %}
{% endif %}
{% endfor %}

13
templates/etc/audit/rules.d/40-main.rules.j2
View File

@ -1,13 +0,0 @@
{% for item in (auditd_main_rules_default + auditd_main_rules_extra) %}
{% if item.comment is defined and item.comment %}
## {{ item.comment }}
{% endif %}
{% if not item.rule is string and item.rule is iterable %}
{% for rule in item.rule %}
{{ rule }}
{% endfor %}
{% else %}
{{ item.rule }}
{% endif %}
{% endfor %}

13
templates/etc/audit/rules.d/50-optional.rules.j2
View File

@ -1,13 +0,0 @@
{% for item in (auditd_optional_rules_default + auditd_optional_rules_extra) %}
{% if item.comment is defined and item.comment %}
## {{ item.comment }}
{% endif %}
{% if not item.rule is string and item.rule is iterable %}
{% for rule in item.rule %}
{{ rule }}
{% endfor %}
{% else %}
{{ item.rule }}
{% endif %}
{% endfor %}

4
templates/etc/audit/rules.d/90-finalize.rules.j2
View File

@ -1,4 +0,0 @@
{% if auditd_config_immutable | bool %}
## Make the configuration immutable
-e 2
{% endif %}

9
templates/etc/systemd/system/auditd.service.d/override.conf.j2
View File

@ -1,9 +0,0 @@
#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}
{% if not auditd_refuse_manual_stop | bool %}
[Unit]
RefuseManualStop=no
{% endif %}
[Service]
ExecStartPost=-/sbin/augenrules --load

8
vars/main.yml
View File

@ -1,8 +0,0 @@
---
__auditd_rule_templates:
- 10-start.rules
- 20-selfaudit.rules
- 30-filter.rules
- 40-main.rules
- 50-optional.rules
- 90-finalize.rules