Compare commits
No commits in common. "main" and "docs" have entirely different histories.
11
.gitignore
vendored
11
.gitignore
vendored
@ -1,11 +0,0 @@
|
||||
# ---> Ansible
|
||||
*.retry
|
||||
plugins
|
||||
library
|
||||
|
||||
# ---> Python
|
||||
# Byte-compiled / optimized / DLL files
|
||||
__pycache__/
|
||||
*.py[cod]
|
||||
*$py.class
|
||||
|
@ -1,7 +0,0 @@
|
||||
---
|
||||
default: True
|
||||
MD013: False
|
||||
MD041: False
|
||||
MD024: False
|
||||
MD004:
|
||||
style: dash
|
@ -1 +0,0 @@
|
||||
LICENSE
|
@ -1,47 +0,0 @@
|
||||
---
|
||||
when:
|
||||
- event: [pull_request]
|
||||
- event: [push, manual]
|
||||
branch:
|
||||
- ${CI_REPO_DEFAULT_BRANCH}
|
||||
|
||||
steps:
|
||||
- name: generate
|
||||
image: quay.io/thegeeklab/ansible-doctor
|
||||
environment:
|
||||
ANSIBLE_DOCTOR_EXCLUDE_FILES: "['molecule/']"
|
||||
ANSIBLE_DOCTOR_RENDERER__FORCE_OVERWRITE: "true"
|
||||
ANSIBLE_DOCTOR_LOGGING__LEVEL: info
|
||||
ANSIBLE_DOCTOR_ROLE__NAME: ${CI_REPO_NAME}
|
||||
ANSIBLE_DOCTOR_TEMPLATE__NAME: readme
|
||||
|
||||
- name: format
|
||||
image: quay.io/thegeeklab/alpine-tools
|
||||
commands:
|
||||
- prettier -w README.md
|
||||
|
||||
- name: diff
|
||||
image: quay.io/thegeeklab/alpine-tools
|
||||
commands:
|
||||
- git diff --color=always README.md
|
||||
|
||||
- name: publish
|
||||
image: quay.io/thegeeklab/wp-git-action
|
||||
settings:
|
||||
action:
|
||||
- commit
|
||||
- push
|
||||
author_email: ci-bot@rknet.org
|
||||
author_name: ci-bot
|
||||
branch: main
|
||||
message: "[skip ci] automated docs update"
|
||||
netrc_machine: gitea.rknet.org
|
||||
netrc_password:
|
||||
from_secret: gitea_token
|
||||
when:
|
||||
- event: [push, manual]
|
||||
branch:
|
||||
- ${CI_REPO_DEFAULT_BRANCH}
|
||||
|
||||
depends_on:
|
||||
- test
|
@ -1,30 +0,0 @@
|
||||
---
|
||||
when:
|
||||
- event: [pull_request, tag]
|
||||
- event: [push, manual]
|
||||
branch:
|
||||
- ${CI_REPO_DEFAULT_BRANCH}
|
||||
|
||||
steps:
|
||||
- name: ansible-lint
|
||||
image: quay.io/thegeeklab/ansible-dev-tools:1
|
||||
commands:
|
||||
- ansible-lint
|
||||
environment:
|
||||
FORCE_COLOR: "1"
|
||||
|
||||
- name: python-format
|
||||
image: docker.io/python:3.12
|
||||
commands:
|
||||
- pip install -qq ruff
|
||||
- ruff format --check --diff .
|
||||
environment:
|
||||
PY_COLORS: "1"
|
||||
|
||||
- name: python-lint
|
||||
image: docker.io/python:3.12
|
||||
commands:
|
||||
- pip install -qq ruff
|
||||
- ruff check .
|
||||
environment:
|
||||
PY_COLORS: "1"
|
@ -1,26 +0,0 @@
|
||||
---
|
||||
when:
|
||||
- event: [tag]
|
||||
- event: [push, manual]
|
||||
branch:
|
||||
- ${CI_REPO_DEFAULT_BRANCH}
|
||||
|
||||
runs_on: [success, failure]
|
||||
|
||||
steps:
|
||||
- name: matrix
|
||||
image: quay.io/thegeeklab/wp-matrix
|
||||
settings:
|
||||
homeserver:
|
||||
from_secret: matrix_homeserver
|
||||
room_id:
|
||||
from_secret: matrix_room_id
|
||||
user_id:
|
||||
from_secret: matrix_user_id
|
||||
access_token:
|
||||
from_secret: matrix_access_token
|
||||
when:
|
||||
- status: [failure]
|
||||
|
||||
depends_on:
|
||||
- docs
|
@ -1,25 +0,0 @@
|
||||
---
|
||||
when:
|
||||
- event: [pull_request, tag]
|
||||
- event: [push, manual]
|
||||
branch:
|
||||
- ${CI_REPO_DEFAULT_BRANCH}
|
||||
|
||||
variables:
|
||||
- &molecule_image quay.io/thegeeklab/ansible-dev-tools:1
|
||||
- &molecule_base
|
||||
depends_on: []
|
||||
environment:
|
||||
PY_COLORS: "1"
|
||||
HCLOUD_TOKEN:
|
||||
from_secret: molecule_hcloud_token
|
||||
|
||||
steps:
|
||||
- name: molecule-default
|
||||
image: *molecule_image
|
||||
<<: *molecule_base
|
||||
commands:
|
||||
- molecule test -s default
|
||||
|
||||
depends_on:
|
||||
- lint
|
20
.yamllint
20
.yamllint
@ -1,20 +0,0 @@
|
||||
---
|
||||
extends: default
|
||||
|
||||
rules:
|
||||
truthy:
|
||||
allowed-values: ["True", "False"]
|
||||
comments:
|
||||
min-spaces-from-content: 1
|
||||
comments-indentation: False
|
||||
line-length: disable
|
||||
braces:
|
||||
min-spaces-inside: 0
|
||||
max-spaces-inside: 1
|
||||
brackets:
|
||||
min-spaces-inside: 0
|
||||
max-spaces-inside: 0
|
||||
indentation: enable
|
||||
octal-values:
|
||||
forbid-implicit-octal: True
|
||||
forbid-explicit-octal: True
|
21
LICENSE
21
LICENSE
@ -1,21 +0,0 @@
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2022 Robert Kaussow <mail@thegeeklab.de>
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is furnished
|
||||
to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice (including the next
|
||||
paragraph) shall be included in all copies or substantial portions of the
|
||||
Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
||||
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
|
||||
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
|
||||
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
|
||||
OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
@ -1,131 +0,0 @@
|
||||
---
|
||||
# @var auditd_exclude_rule_stages:description: >
|
||||
# There is a set of pre-defined rule stages you can exclude if needed. Availabe stages:
|
||||
# 10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize
|
||||
# @var auditd_exclude_rule_stages:example: $ ["10-start.rules", "90-finalize"]
|
||||
auditd_exclude_rule_stages: []
|
||||
|
||||
# @var auditd_refuse_manual_stop:description: >
|
||||
# This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead.
|
||||
# For security reasons, this option should only be disabled for testing purposes.
|
||||
auditd_refuse_manual_stop: True
|
||||
auditd_reboot_on_change: False
|
||||
|
||||
# @var auditd_config_immutable:description: >
|
||||
# The auditd daemon is configured to use the augenrules program to read audit rules during
|
||||
# daemon startup (the default), use this option to make the auditd configuration immutable.
|
||||
auditd_config_immutable: False
|
||||
|
||||
auditd_buffer_size: 8192
|
||||
# @var auditd_failure_mode:description: >
|
||||
# Possible values: 0 (silent) | 1 (printk, print a failure message) | 2 (panic, halt the system)
|
||||
auditd_failure_mode: 1
|
||||
|
||||
# @var auditd_max_log_file:description: Maximum size of a single logfile (MB)
|
||||
auditd_max_log_file: 10
|
||||
# @var auditd_num_logs:description: Number of logs to keep
|
||||
auditd_num_logs: 5
|
||||
|
||||
auditd_space_left_action: email
|
||||
auditd_action_mail_acct: root
|
||||
auditd_admin_space_left_action: halt
|
||||
auditd_max_log_file_action: rotate
|
||||
|
||||
auditd_filter_rules_default:
|
||||
- comment: Ignore current working directory records
|
||||
rule: "-a always,exclude -F msgtype=CWD"
|
||||
- comment: Ignore EOE records (End Of Event, not needed)
|
||||
rule: "-a always,exclude -F msgtype=EOE"
|
||||
- comment: Cron jobs fill the logs with stuff we normally don't want
|
||||
rule:
|
||||
- "-a never,user -F subj_type=crond_t"
|
||||
- "-a exit,never -F subj_type=crond_t"
|
||||
- comment: This is not very interesting and wastes a lot of space if the server is public facing
|
||||
rule: "-a always,exclude -F msgtype=CRYPTO_KEY_USER"
|
||||
- comment: High Volume Event Filter
|
||||
rule:
|
||||
- "-a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess"
|
||||
- "-a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess"
|
||||
- "-a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm"
|
||||
- "-a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm"
|
||||
|
||||
# @var auditd_filter_rules_extra:example: >
|
||||
# auditd_filter_rules_extra:
|
||||
# - comment: Ignore current working directory records # defaults to not set
|
||||
# rule: '-a always,exclude -F msgtype=CWD' # can be list or string
|
||||
# state: present # defaults to present
|
||||
auditd_filter_rules_extra: []
|
||||
|
||||
auditd_main_rules_default:
|
||||
- comment: CIS 4.1.3.1 - Changes to system administration scope
|
||||
rule:
|
||||
- "-w /etc/sudoers -p wa -k actions"
|
||||
- "-w /etc/sudoers.d/ -p wa -k actions"
|
||||
- comment: CIS 4.1.3.4 - Events that modify date and time information
|
||||
rule:
|
||||
- "-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time_change"
|
||||
- "-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time_change"
|
||||
- "-w /etc/localtime -p wa -k time-change"
|
||||
- comment: CIS 4.1.3.5 - Changes to the network environment
|
||||
rule:
|
||||
- "-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale"
|
||||
- "-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale"
|
||||
- "-w /etc/issue -p wa -k system-locale"
|
||||
- "-w /etc/issue.net -p wa -k system-locale"
|
||||
- "-w /etc/hosts -p wa -k system-locale"
|
||||
- "-w /etc/sysconfig/network -p wa -k system-locale"
|
||||
- "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale"
|
||||
- comment: CIS 4.1.3.7 - Unsuccessful file access attempts
|
||||
rule:
|
||||
- "-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access"
|
||||
- "-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access"
|
||||
- "-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access"
|
||||
- "-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access"
|
||||
- comment: CIS 4.1.3.8 - Modify user/group information
|
||||
rule:
|
||||
- "-w /etc/group -p wa -k identity"
|
||||
- "-w /etc/passwd -p wa -k identity"
|
||||
- "-w /etc/gshadow -p wa -k identity"
|
||||
- "-w /etc/shadow -p wa -k identity"
|
||||
- "-w /etc/security/opasswd -p wa -k identity"
|
||||
- comment: CIS 4.1.3.9 - Discretionary access control permission modifications
|
||||
rule:
|
||||
- "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
|
||||
- "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
|
||||
- "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
|
||||
- "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
|
||||
- "-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
|
||||
- "-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
|
||||
- comment: CIS 4.1.3.10 - Successful file system mounts
|
||||
rule:
|
||||
- "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
|
||||
- "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
|
||||
- comment: CIS 4.1.3.11 - Session initiation information
|
||||
rule:
|
||||
- "-w /var/run/utmp -p wa -k session"
|
||||
- "-w /var/log/wtmp -p wa -k logins"
|
||||
- "-w /var/log/btmp -p wa -k logins"
|
||||
- comment: CIS 4.1.3.12 - Login and logout events
|
||||
rule:
|
||||
- "-w /var/log/lastlog -p wa -k logins"
|
||||
- "-w /var/log/tallylog -p wa -k logins"
|
||||
- "-w /var/run/faillock -p wa -k logins"
|
||||
- comment: CIS 4.1.3.13 - File deletion events by users
|
||||
rule:
|
||||
- "-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete"
|
||||
- "-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete"
|
||||
- comment: CIS 4.1.3.14 - Changes to the Mandatory Access Controls
|
||||
rule:
|
||||
- "-w /etc/selinux/ -p wa -k MAC-policy"
|
||||
- "-w /usr/share/selinux/ -p wa -k MAC-policy"
|
||||
- comment: CIS 4.1.3.19 - Kernel module loading unloading and modification
|
||||
rule:
|
||||
- "-a always,exit -F arch=b64 -S finit_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules"
|
||||
- "-a always,exit -F arch=b32 -S finit_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules"
|
||||
- "-a always,exit -F arch=b64 -S init_module,delete_module -k kernel_modules"
|
||||
- "-a always,exit -F arch=b32 -S init_module,delete_module -k kernel_modules"
|
||||
- "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules"
|
||||
auditd_main_rules_extra: []
|
||||
|
||||
auditd_optional_rules_default: []
|
||||
auditd_optional_rules_extra: []
|
@ -1,17 +0,0 @@
|
||||
---
|
||||
- name: Restart auditd
|
||||
ansible.builtin.service:
|
||||
name: auditd
|
||||
daemon_reload: True
|
||||
enabled: True
|
||||
state: started
|
||||
when: not auditd_refuse_manual_stop | bool
|
||||
listen: __auditd_restart
|
||||
|
||||
- name: Reboot server
|
||||
ansible.builtin.reboot:
|
||||
reboot_timeout: 600
|
||||
when:
|
||||
- auditd_reboot_on_change | bool
|
||||
- auditd_refuse_manual_stop | bool
|
||||
listen: __auditd_restart
|
@ -1,13 +1,14 @@
|
||||
# xoxys.auditd
|
||||
---
|
||||
title: auditd
|
||||
type: docs
|
||||
---
|
||||
|
||||
[![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.auditd/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.auditd)
|
||||
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.auditd/src/branch/main/LICENSE)
|
||||
[![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.auditd) [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.auditd?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.auditd) [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.auditd/src/branch/main/LICENSE)
|
||||
|
||||
Setup the Linux Auditing System.
|
||||
|
||||
## Table of content
|
||||
<!--more-->
|
||||
|
||||
- [Requirements](#requirements)
|
||||
- [Default Variables](#default-variables)
|
||||
- [auditd_action_mail_acct](#auditd_action_mail_acct)
|
||||
- [auditd_admin_space_left_action](#auditd_admin_space_left_action)
|
||||
@ -28,15 +29,9 @@ Setup the Linux Auditing System.
|
||||
- [auditd_refuse_manual_stop](#auditd_refuse_manual_stop)
|
||||
- [auditd_space_left_action](#auditd_space_left_action)
|
||||
- [Dependencies](#dependencies)
|
||||
- [License](#license)
|
||||
- [Author](#author)
|
||||
|
||||
---
|
||||
|
||||
## Requirements
|
||||
|
||||
- Minimum Ansible version: `2.10`
|
||||
|
||||
## Default Variables
|
||||
|
||||
### auditd_action_mail_acct
|
||||
@ -65,8 +60,7 @@ auditd_buffer_size: 8192
|
||||
|
||||
### auditd_config_immutable
|
||||
|
||||
The auditd daemon is configured to use the augenrules program to read audit rules during
|
||||
daemon startup (the default), use this option to make the auditd configuration immutable.
|
||||
The auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), use this option to make the auditd configuration immutable.
|
||||
|
||||
#### Default value
|
||||
|
||||
@ -76,8 +70,7 @@ auditd_config_immutable: false
|
||||
|
||||
### auditd_exclude_rule_stages
|
||||
|
||||
There is a set of pre-defined rule stages you can exclude if needed. Availabe stages:
|
||||
10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize
|
||||
There is a set of pre-defined rule stages you can exclude if needed. Availabe stages: 10-start.rules, 11-self-audit.rules, 12-filter.rules, 30-main.rules, 50-optional.rules, 90-finalize
|
||||
|
||||
#### Default value
|
||||
|
||||
@ -299,8 +292,7 @@ auditd_reboot_on_change: false
|
||||
|
||||
### auditd_refuse_manual_stop
|
||||
|
||||
This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead.
|
||||
For security reasons, this option should only be disabled for testing purposes.
|
||||
This option prevents auditd from performing change/restart actions at runtime and requires a reboot instead. For security reasons, this option should only be disabled for testing purposes.
|
||||
|
||||
#### Default value
|
||||
|
||||
@ -316,14 +308,8 @@ auditd_refuse_manual_stop: true
|
||||
auditd_space_left_action: email
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Dependencies
|
||||
|
||||
None.
|
||||
|
||||
## License
|
||||
|
||||
MIT
|
||||
|
||||
## Author
|
||||
|
||||
[Robert Kaussow](https://gitea.rknet.org/xoxys)
|
@ -1,21 +0,0 @@
|
||||
---
|
||||
galaxy_info:
|
||||
# @meta author:value: [Robert Kaussow](https://gitea.rknet.org/xoxys)
|
||||
author: "Robert Kaussow <mail@thegeeklab.de>"
|
||||
namespace: xoxys
|
||||
role_name: auditd
|
||||
# @meta description: >
|
||||
# [![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.auditd/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.auditd)
|
||||
# [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.auditd/src/branch/main/LICENSE)
|
||||
#
|
||||
# Setup the Linux Auditing System.
|
||||
# @end
|
||||
description: Setup the Linux Auditing System
|
||||
license: MIT
|
||||
min_ansible_version: "2.10"
|
||||
platforms:
|
||||
- name: EL
|
||||
versions:
|
||||
- "9"
|
||||
galaxy_tags: []
|
||||
dependencies: []
|
@ -1,7 +0,0 @@
|
||||
---
|
||||
- name: Converge
|
||||
hosts: all
|
||||
vars:
|
||||
auditd_refuse_manual_stop: False
|
||||
roles:
|
||||
- role: xoxys.auditd
|
@ -1,17 +0,0 @@
|
||||
---
|
||||
driver:
|
||||
name: molecule_hetznercloud
|
||||
dependency:
|
||||
name: galaxy
|
||||
options:
|
||||
role-file: requirements.yml
|
||||
requirements-file: requirements.yml
|
||||
platforms:
|
||||
- name: "rocky9-auditd"
|
||||
server_type: "cx22"
|
||||
image: "rocky-9"
|
||||
provisioner:
|
||||
name: ansible
|
||||
log: False
|
||||
verifier:
|
||||
name: testinfra
|
@ -1,11 +0,0 @@
|
||||
---
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
gather_facts: False
|
||||
tasks:
|
||||
- name: Bootstrap Python for Ansible
|
||||
ansible.builtin.raw: |
|
||||
command -v python3 python ||
|
||||
((test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
|
||||
echo "Warning: Python not boostrapped due to unknown platform.")
|
||||
changed_when: False
|
@ -1,13 +0,0 @@
|
||||
import os
|
||||
|
||||
import testinfra.utils.ansible_runner
|
||||
|
||||
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
|
||||
os.environ["MOLECULE_INVENTORY_FILE"]
|
||||
).get_hosts("all")
|
||||
|
||||
|
||||
def test_auditd_running_and_enabled(host):
|
||||
auditd = host.service("auditd")
|
||||
assert auditd.is_running
|
||||
assert auditd.is_enabled
|
@ -1,17 +0,0 @@
|
||||
[tool.ruff]
|
||||
exclude = [".git", "__pycache__"]
|
||||
|
||||
line-length = 99
|
||||
indent-width = 4
|
||||
|
||||
[tool.ruff.lint]
|
||||
ignore = ["W191", "E111", "E114", "E117", "S101", "S105"]
|
||||
select = ["F", "E", "I", "W", "S"]
|
||||
|
||||
[tool.ruff.format]
|
||||
quote-style = "double"
|
||||
indent-style = "space"
|
||||
line-ending = "lf"
|
||||
|
||||
[tool.pytest.ini_options]
|
||||
filterwarnings = ["ignore::FutureWarning", "ignore::DeprecationWarning"]
|
@ -1,4 +0,0 @@
|
||||
---
|
||||
collections: []
|
||||
|
||||
roles: []
|
@ -1,74 +0,0 @@
|
||||
---
|
||||
- name: Install required packages
|
||||
loop:
|
||||
- audit
|
||||
- audispd-plugins
|
||||
ansible.builtin.package:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
|
||||
- name: Create folders
|
||||
ansible.builtin.file:
|
||||
name: "{{ item }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0750"
|
||||
loop:
|
||||
- /etc/audit/rules.d/
|
||||
- /etc/systemd/system/auditd.service.d/
|
||||
|
||||
- name: Create systemd override
|
||||
ansible.builtin.template:
|
||||
src: etc/systemd/system/auditd.service.d/override.conf.j2
|
||||
dest: "/etc/systemd/system/auditd.service.d/override.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
notify: __auditd_restart
|
||||
|
||||
- name: Create config file
|
||||
ansible.builtin.template:
|
||||
src: etc/audit/auditd.conf.j2
|
||||
dest: "/etc/audit/auditd.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
notify: __auditd_restart
|
||||
|
||||
- name: Create rules files
|
||||
ansible.builtin.template:
|
||||
src: "etc/audit/rules.d/{{ item }}.j2"
|
||||
dest: "/etc/audit/rules.d/{{ item }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
loop: "{{ __auditd_rule_templates }}"
|
||||
loop_control:
|
||||
label: "/etc/audit/rules.d/{{ item }}"
|
||||
when: item not in auditd_exclude_rule_stages
|
||||
notify: __auditd_restart
|
||||
|
||||
- name: Register rules files
|
||||
ansible.builtin.find:
|
||||
paths: /etc/audit/rules.d/
|
||||
file_type: file
|
||||
patterns: "*.rules"
|
||||
register: __auditd_rules_active
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
|
||||
- name: Remove unmanaged rules files
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
loop: "{{ __auditd_rules_active.files | map(attribute='path') | list }}"
|
||||
notify: __auditd_restart
|
||||
when: item | basename not in __auditd_rule_templates
|
||||
|
||||
- name: Ensure audit service is up and running
|
||||
ansible.builtin.service:
|
||||
name: auditd
|
||||
daemon_reload: True
|
||||
enabled: True
|
||||
state: started
|
@ -1,38 +0,0 @@
|
||||
#jinja2: lstrip_blocks: True
|
||||
{{ ansible_managed | comment }}
|
||||
local_events = yes
|
||||
write_logs = yes
|
||||
log_file = /var/log/audit/audit.log
|
||||
log_group = root
|
||||
log_format = ENRICHED
|
||||
flush = INCREMENTAL_ASYNC
|
||||
freq = 50
|
||||
max_log_file = {{ auditd_max_log_file }}
|
||||
num_logs = {{ auditd_num_logs }}
|
||||
priority_boost = 4
|
||||
name_format = NONE
|
||||
##name = mydomain
|
||||
max_log_file_action = {{ auditd_max_log_file_action }}
|
||||
space_left = 75
|
||||
space_left_action = {{ auditd_space_left_action }}
|
||||
verify_email = yes
|
||||
action_mail_acct = {{ auditd_action_mail_acct }}
|
||||
admin_space_left = 50
|
||||
admin_space_left_action = {{ auditd_admin_space_left_action }}
|
||||
disk_full_action = SUSPEND
|
||||
disk_error_action = SUSPEND
|
||||
use_libwrap = yes
|
||||
##tcp_listen_port = 60
|
||||
tcp_listen_queue = 5
|
||||
tcp_max_per_addr = 1
|
||||
##tcp_client_ports = 1024-65535
|
||||
tcp_client_max_idle = 0
|
||||
transport = TCP
|
||||
krb5_principal = auditd
|
||||
##krb5_key_file = /etc/audit/audit.key
|
||||
distribute_network = no
|
||||
q_depth = 1200
|
||||
overflow_action = SYSLOG
|
||||
max_restarts = 10
|
||||
plugin_dir = /etc/audit/plugins.d
|
||||
end_of_event_timeout = 2
|
@ -1,13 +0,0 @@
|
||||
## Make the loginuid immutable. This prevents tampering with the auid.
|
||||
--loginuid-immutable
|
||||
|
||||
## Remove any existing rules
|
||||
-D
|
||||
|
||||
## Buffer Size
|
||||
# Feel free to increase this if the machine panic's
|
||||
-b {{ auditd_buffer_size }}
|
||||
|
||||
## Failure Mode
|
||||
# Possible values: 0 (silent), 1 (printk, print a failure message), 2 (panic, halt the system)
|
||||
-f {{ auditd_failure_mode }}
|
@ -1,11 +0,0 @@
|
||||
## Audit the audit logs
|
||||
-w /var/log/audit/ -k auditlog
|
||||
|
||||
## Auditd configuration
|
||||
-w /etc/audit/ -p wa -k auditconfig
|
||||
-w /etc/libaudit.conf -p wa -k auditconfig
|
||||
-w /etc/audisp/ -p wa -k audispconfig
|
||||
|
||||
## Monitor for use of audit management tools
|
||||
-w /sbin/auditctl -p x -k audittools
|
||||
-w /sbin/auditd -p x -k audittools
|
@ -1,15 +0,0 @@
|
||||
{% for item in (auditd_filter_rules_default + auditd_filter_rules_extra )%}
|
||||
{% if item.state | default("present") == "present" %}
|
||||
{% if item.comment is defined and item.comment %}
|
||||
## {{ item.comment }}
|
||||
{% endif %}
|
||||
{% if not item.rule is string and item.rule is iterable %}
|
||||
{% for rule in item.rule %}
|
||||
{{ rule }}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
{{ item.rule }}
|
||||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
{% endfor %}
|
@ -1,13 +0,0 @@
|
||||
{% for item in (auditd_main_rules_default + auditd_main_rules_extra) %}
|
||||
{% if item.comment is defined and item.comment %}
|
||||
## {{ item.comment }}
|
||||
{% endif %}
|
||||
{% if not item.rule is string and item.rule is iterable %}
|
||||
{% for rule in item.rule %}
|
||||
{{ rule }}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
{{ item.rule }}
|
||||
{% endif %}
|
||||
|
||||
{% endfor %}
|
@ -1,13 +0,0 @@
|
||||
{% for item in (auditd_optional_rules_default + auditd_optional_rules_extra) %}
|
||||
{% if item.comment is defined and item.comment %}
|
||||
## {{ item.comment }}
|
||||
{% endif %}
|
||||
{% if not item.rule is string and item.rule is iterable %}
|
||||
{% for rule in item.rule %}
|
||||
{{ rule }}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
{{ item.rule }}
|
||||
{% endif %}
|
||||
|
||||
{% endfor %}
|
@ -1,4 +0,0 @@
|
||||
{% if auditd_config_immutable | bool %}
|
||||
## Make the configuration immutable
|
||||
-e 2
|
||||
{% endif %}
|
@ -1,9 +0,0 @@
|
||||
#jinja2: lstrip_blocks: True
|
||||
{{ ansible_managed | comment }}
|
||||
{% if not auditd_refuse_manual_stop | bool %}
|
||||
[Unit]
|
||||
RefuseManualStop=no
|
||||
|
||||
{% endif %}
|
||||
[Service]
|
||||
ExecStartPost=-/sbin/augenrules --load
|
@ -1,8 +0,0 @@
|
||||
---
|
||||
__auditd_rule_templates:
|
||||
- 10-start.rules
|
||||
- 20-selfaudit.rules
|
||||
- 30-filter.rules
|
||||
- 40-main.rules
|
||||
- 50-optional.rules
|
||||
- 90-finalize.rules
|
Loading…
Reference in New Issue
Block a user