├── .ansible-lint ├── .github ├── FUNDING.yml ├── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md ├── pull_request_template.md ├── settings.yml └── workflows │ ├── galaxy.yml │ ├── molecule.yml │ ├── requirements2png.yml │ └── todo.yml ├── .gitignore ├── .gitlab-ci.yml ├── .pre-commit-config.yaml ├── .yamllint ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── SECURITY.md ├── defaults └── main.yml ├── handlers └── main.yml ├── meta ├── main.yml └── preferences.yml ├── molecule └── default │ ├── converge.yml │ ├── molecule.yml │ ├── prepare.yml │ └── verify.yml ├── requirements.txt ├── requirements.yml ├── tasks ├── assert.yml └── main.yml ├── templates ├── .gitkeep ├── auditd.conf.j2 └── custom.rules.j2 ├── tox.ini └── vars └── main.yml /.ansible-lint: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Ansible managed 4 | # 5 | exclude_paths: 6 | - meta/preferences.yml 7 | - molecule/default/prepare.yml 8 | - molecule/default/converge.yml 9 | - molecule/default/verify.yml 10 | - molecule/default/collections.yml 11 | - .tox 12 | - .cache 13 | - .github 14 | - requirements.yml 15 | 16 | enable_list: 17 | - name[prefix] 18 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | --- 2 | github: robertdebock 3 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help me improve 4 | 5 | --- 6 | 7 | # Describe the bug 8 | 9 | A clear and concise description of what the bug is. 10 | 11 | ## Playbook 12 | 13 | Please paste the playbook you are using. (Consider `requirements.yml` and 14 | optionally the command you've invoked.) 15 | 16 | ```yaml 17 | --- 18 | YOUR PLAYBOOK HERE 19 | ``` 20 | 21 | ## Output 22 | 23 | Show at least the error, possible related output, maybe just all the output. 24 | 25 | ## Environment 26 | 27 | - Control node OS: [e.g. Debian 9] (`cat /etc/os-release`) 28 | - Control node Ansible version: [e.g. 2.9.1] (`ansible --version`) 29 | - Managed node OS: [e.g. CentOS 7] (`cat /etc/os-release`) 30 | 31 | Please consider [sponsoring me](https://github.com/sponsors/robertdebock). 32 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | 5 | --- 6 | 7 | # Proposed feature 8 | 9 | A clear and concise description of what you want to happen. 10 | 11 | ## Rationale 12 | 13 | Why is this feature required? 14 | 15 | ## Additional context 16 | 17 | Add any other context about the feature request here. 18 | 19 | Please consider [sponsoring me](https://github.com/sponsors/robertdebock). 20 | -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Pull request 3 | about: Describe the proposed change 4 | 5 | --- 6 | 7 | **Describe the change** 8 | A clear and concise description of what the pull request is. 9 | 10 | **Testing** 11 | In case a feature was added, how were tests performed? 12 | -------------------------------------------------------------------------------- /.github/settings.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Ansible managed 4 | # 5 | repository: 6 | description: Install and configure auditd on your system. 7 | homepage: https://robertdebock.nl/ 8 | topics: auditd, system, monitoring, security, ansible, molecule, tox, playbook 9 | -------------------------------------------------------------------------------- /.github/workflows/galaxy.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Ansible managed 4 | # 5 | 6 | name: Release to Ansible Galaxy 7 | 8 | on: 9 | release: 10 | types: [created, edited, published, released] 11 | jobs: 12 | release: 13 | runs-on: ubuntu-latest 14 | steps: 15 | - name: galaxy 16 | uses: robertdebock/galaxy-action@1.2.1 17 | with: 18 | galaxy_api_key: ${{ secrets.galaxy_api_key }} 19 | -------------------------------------------------------------------------------- /.github/workflows/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Ansible managed 4 | # 5 | 6 | name: Ansible Molecule 7 | 8 | on: 9 | push: 10 | branches: 11 | - master 12 | pull_request: 13 | schedule: 14 | - cron: '1 1 1 * *' 15 | 16 | jobs: 17 | lint: 18 | runs-on: ubuntu-latest 19 | steps: 20 | - name: checkout 21 | uses: actions/checkout@v4 22 | - name: ansible-lint 23 | uses: ansible-community/ansible-lint-action@main 24 | 25 | molecule: 26 | needs: 27 | - lint 28 | runs-on: ubuntu-latest 29 | strategy: 30 | fail-fast: false 31 | matrix: 32 | distro: 33 | - image: "enterpriselinux" 34 | tag: "latest" 35 | - image: "debian" 36 | tag: "latest" 37 | - image: "debian" 38 | tag: "bullseye" 39 | - image: "fedora" 40 | tag: "40" 41 | - image: "fedora" 42 | tag: "latest" 43 | - image: "ubuntu" 44 | tag: "latest" 45 | - image: "ubuntu" 46 | tag: "jammy" 47 | - image: "ubuntu" 48 | tag: "focal" 49 | steps: 50 | - name: checkout 51 | uses: actions/checkout@v4 52 | with: 53 | path: ansible-role-auditd 54 | 55 | - name: Set up Python 56 | uses: actions/setup-python@v5 57 | with: 58 | python-version: "3.13" 59 | 60 | - name: Configure Docker for systemd 61 | run: | 62 | sudo mkdir -p /etc/docker 63 | echo '{ 64 | "features": { 65 | "buildkit": true 66 | }, 67 | "exec-opts": ["native.cgroupdriver=systemd"] 68 | }' | sudo tee /etc/docker/daemon.json 69 | sudo systemctl restart docker || true 70 | 71 | - name: Install Docker 72 | uses: docker/setup-buildx-action@v3 73 | 74 | - name: Install dependencies 75 | run: | 76 | python -m pip install --upgrade pip 77 | pip install ansible-lint molecule molecule-plugins[docker] ansible-core 78 | if [ -f ansible-role-auditd/requirements.txt ]; then pip install -r ansible-role-auditd/requirements.txt; fi 79 | if [ -f ansible-role-auditd/requirements.yml ]; then ansible-galaxy install -r ansible-role-auditd/requirements.yml; fi 80 | 81 | # Create proper role directory structure for molecule 82 | mkdir -p ~/.ansible/roles 83 | ln -s ${GITHUB_WORKSPACE}/ansible-role-auditd ~/.ansible/roles/robertdebock.auditd 84 | 85 | - name: Test with molecule 86 | run: | 87 | cd ansible-role-auditd 88 | molecule test 89 | env: 90 | PY_COLORS: 1 91 | ANSIBLE_FORCE_COLOR: 1 92 | ANSIBLE_ROLES_PATH: ~/.ansible/roles:${GITHUB_WORKSPACE}/ansible-role-auditd 93 | image: ${{ matrix.distro.image }} 94 | tag: ${{ matrix.distro.tag }} 95 | -------------------------------------------------------------------------------- /.github/workflows/requirements2png.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Ansible managed 4 | # 5 | 6 | on: 7 | - push 8 | 9 | name: Ansible Graphviz 10 | 11 | jobs: 12 | build: 13 | runs-on: ubuntu-latest 14 | permissions: 15 | contents: write 16 | steps: 17 | - name: checkout 18 | uses: actions/checkout@v4 19 | with: 20 | path: ${{ github.repository }} 21 | - name: create png 22 | uses: robertdebock/graphviz-action@1.0.7 23 | - name: Commit files 24 | run: | 25 | cd ${{ github.repository }} 26 | git config --local user.email "github-actions[bot]@users.noreply.github.com" 27 | git config --local user.name "github-actions[bot]" 28 | git add requirements.dot requirements.png 29 | git commit -m "Add generated files" 30 | - name: save to png branch 31 | uses: ad-m/github-push-action@master 32 | with: 33 | directory: ${{ github.repository }} 34 | force: true 35 | branch: png 36 | -------------------------------------------------------------------------------- /.github/workflows/todo.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Ansible managed 4 | # 5 | 6 | name: "TODO 2 Issue" 7 | 8 | on: 9 | push: 10 | 11 | jobs: 12 | build: 13 | runs-on: "ubuntu-latest" 14 | steps: 15 | - uses: actions/checkout@v4 16 | - name: "TODO to Issue" 17 | uses: "alstr/todo-to-issue-action@v4" 18 | id: "todo" 19 | with: 20 | TOKEN: ${{ secrets.GITHUB_TOKEN }} 21 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .molecule 2 | *.log 3 | *.swp 4 | .tox 5 | .cache 6 | .DS_Store 7 | .ansible 8 | -------------------------------------------------------------------------------- /.gitlab-ci.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | variables: 4 | DEBIAN_FRONTEND: noninteractive 5 | 6 | molecule: 7 | image: python:3.13 8 | script: 9 | - apt-get update -qq 10 | - apt-get -y -qq install yamllint docker.io 11 | # Configure Docker for systemd 12 | - mkdir -p /etc/docker 13 | - echo '{"features":{"buildkit":true},"exec-opts":["native.cgroupdriver=systemd"]}' > /etc/docker/daemon.json 14 | - service docker restart || true 15 | # Install dependencies and run tests 16 | - pip install --no-cache-dir ansible-lint molecule molecule-plugins[docker] ansible-core 17 | - if [ -f requirements.txt ]; then pip install -r requirements.txt; fi 18 | - if [ -f requirements.yml ]; then ansible-galaxy install -r requirements.yml; fi 19 | # Create proper role directory structure for molecule 20 | - mkdir -p ~/.ansible/roles 21 | - ln -s $CI_PROJECT_DIR ~/.ansible/roles/robertdebock.auditd 22 | # Run molecule tests 23 | - cd $CI_PROJECT_DIR 24 | - ANSIBLE_ROLES_PATH=~/.ansible/roles:$CI_PROJECT_DIR molecule test 25 | rules: 26 | - if: $CI_COMMIT_REF_NAME == "master" 27 | parallel: 28 | matrix: 29 | - image: "enterpriselinux" 30 | tag: "latest" 31 | - image: "debian" 32 | tag: "latest" 33 | - image: "debian" 34 | tag: "bullseye" 35 | - image: "fedora" 36 | tag: "40" 37 | - image: "fedora" 38 | tag: "latest" 39 | - image: "ubuntu" 40 | tag: "latest" 41 | - image: "ubuntu" 42 | tag: "jammy" 43 | - image: "ubuntu" 44 | tag: "focal" 45 | 46 | galaxy: 47 | image: python:3.13 48 | script: 49 | - apt-get update -qq 50 | - apt-get -y -qq install ansible-core 51 | - ansible-galaxy role import --api-key ${GALAXY_API_KEY} robertdebock ${CI_PROJECT_NAME} 52 | rules: 53 | - if: $CI_COMMIT_TAG != null 54 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | repos: 3 | - repo: https://github.com/pre-commit/pre-commit-hooks 4 | rev: v4.4.0 5 | hooks: 6 | - id: trailing-whitespace 7 | - id: end-of-file-fixer 8 | - id: check-added-large-files 9 | 10 | - repo: https://github.com/adrienverge/yamllint 11 | rev: v1.32.0 12 | hooks: 13 | - id: yamllint 14 | args: 15 | - -c=.yamllint 16 | 17 | - repo: https://github.com/robertdebock/pre-commit 18 | rev: v1.5.2 19 | hooks: 20 | - id: ansible_role_find_unused_variable 21 | - id: ansible_role_find_empty_files 22 | - id: ansible_role_find_empty_directories 23 | - id: ansible_role_find_undefined_handlers 24 | - id: ansible_role_find_unquoted_values 25 | - id: ansible_role_find_horizontal_when 26 | -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | --- 2 | extends: default 3 | 4 | rules: 5 | braces: 6 | max-spaces-inside: 1 7 | level: error 8 | brackets: 9 | max-spaces-inside: 1 10 | level: error 11 | line-length: disable 12 | truthy: 13 | check-keys: false 14 | 15 | ignore: | 16 | .tox/ 17 | .cache/ 18 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation. 6 | 7 | ## Our Standards 8 | 9 | Examples of behaviour that contributes to creating a positive environment include: 10 | 11 | * Using welcoming and inclusive language 12 | * Being respectful of differing viewpoints and experiences 13 | * Gracefully accepting constructive criticism 14 | * Focusing on what is best for the community 15 | * Showing empathy towards other community members 16 | 17 | Examples of unacceptable behaviour by participants include: 18 | 19 | * The use of sexualized language or imagery and unwelcome sexual attention or advances 20 | * Trolling, insulting/derogatory comments, and personal or political attacks 21 | * Public or private harassment 22 | * Publishing others' private information, such as a physical or electronic address, without explicit permission 23 | * Other conduct which could reasonably be considered inappropriate in a professional setting 24 | 25 | ## Our Responsibilities 26 | 27 | Project maintainers are responsible for clarifying the standards of acceptable behaviour and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behaviour. 28 | 29 | Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviours that they deem inappropriate, threatening, offensive, or harmful. 30 | 31 | ## Scope 32 | 33 | This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. 34 | 35 | ## Enforcement 36 | 37 | Instances of abusive, harassing, or otherwise unacceptable behaviour may be reported by contacting the project team at robert@meinit.nl. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. 38 | 39 | Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. 40 | 41 | ## Attribution 42 | 43 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version] 44 | 45 | [homepage]: http://contributor-covenant.org 46 | [version]: http://contributor-covenant.org/version/1/4/ 47 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # [Please contribute](#please-contribute) 2 | 3 | You can really make a difference by: 4 | 5 | - [Making an issue](https://help.github.com/articles/creating-an-issue/). A well described issue helps a lot. (Have a look at the [known issues](https://github.com/search?q=user%3Arobertdebock+is%3Aissue+state%3Aopen).) 6 | - [Making a pull request](https://services.github.com/on-demand/github-cli/open-pull-request-github) when you see the error in code. 7 | 8 | I'll try to help and take every contribution seriously. 9 | 10 | It's a great opportunity for me to learn how you use the role and also an opportunity to get into the habit of contributing to open source software. 11 | 12 | ## [Step by step](#step-by-step) 13 | 14 | Here is how you can help, a lot of steps are related to GitHub, not specifically my roles. 15 | 16 | ### [1. Make an issue.](#1-make-an-issue) 17 | 18 | When you spot an issue, [create an issue](https://github.com/robertdebock/ansible-role-auditd/issues). 19 | 20 | Making the issue help me and others to find similar problems in the future. 21 | 22 | ### [2. Fork the project.](#2-fork-the-project) 23 | 24 | On the top right side of [the repository on GitHub](https://github.com/robertdebock/ansible-role-auditd), click `fork`. This copies everything to your GitHub namespace. 25 | 26 | ### [3. Make the changes](#3-make-the-changes) 27 | 28 | In you own GitHub namespace, make the required changes. 29 | 30 | I typically do that by cloning the repository (in your namespace) locally: 31 | 32 | ```shell 33 | git clone git@github.com:YOURNAMESPACE/ansible-role-auditd.git 34 | ``` 35 | 36 | Now you can start to edit on your laptop. 37 | 38 | ### [4. Optionally: test your changes](#4-optionally-test-your-changes) 39 | 40 | Install [molecule](https://molecule.readthedocs.io/en/stable/) and [Tox](https://tox.readthedocs.io/): 41 | 42 | ```shell 43 | pip install molecule tox ansible-lint docker 44 | ``` 45 | 46 | And run `molecule test`. If you want to test a specific distribution, set `image` and optionally `tag`: 47 | 48 | ```shell 49 | image=centos tag=7 molecule test 50 | ``` 51 | 52 | Once it start to work, you can test multiple version of Ansible: 53 | 54 | ```shell 55 | image=centos tag=7 tox 56 | ``` 57 | 58 | ### [5. Optionally: Regenerate all dynamic content](#5-optionally-regenerate-all-dynamic-content) 59 | 60 | You can use [Ansible Generator](https://github.com/robertdebock/ansible-generator) to regenerate all dynamic content. 61 | 62 | If you don't do it, I'll do it later for you. 63 | 64 | ### [6. Make a pull request](#6-make-a-pull-request) 65 | 66 | [GitHub](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork) on pull requests. 67 | 68 | In the comment-box, you can [refer to the issue number](https://help.github.com/en/github/writing-on-github/autolinked-references-and-urls) by using #123, where 123 is the issue number. 69 | 70 | ### [7. Wait](#7-wait) 71 | 72 | Now I'll get a message that you've added some code. Thank you, really. 73 | 74 | CI starts to test your changes. You can follow the progress on Travis. 75 | 76 | Please consider [sponsoring me](https://github.com/sponsors/robertdebock). 77 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright 2025 Robert de Bock (robert@meinit.nl) 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # [Ansible role auditd](#auditd) 2 | 3 | Install and configure auditd on your system. 4 | 5 | |GitHub|GitLab|Downloads|Version| 6 | |------|------|---------|-------| 7 | |[![github](https://github.com/robertdebock/ansible-role-auditd/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-auditd/actions)|[![gitlab](https://gitlab.com/robertdebock-iac/ansible-role-auditd/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/ansible-role-auditd)|[![downloads](https://img.shields.io/ansible/role/d/robertdebock/auditd)](https://galaxy.ansible.com/robertdebock/auditd)|[![Version](https://img.shields.io/github/release/robertdebock/ansible-role-auditd.svg)](https://github.com/robertdebock/ansible-role-auditd/releases/)| 8 | 9 | ## [Example Playbook](#example-playbook) 10 | 11 | This example is taken from [`molecule/default/converge.yml`](https://github.com/robertdebock/ansible-role-auditd/blob/master/molecule/default/converge.yml) and is tested on each push, pull request and release. 12 | 13 | ```yaml 14 | --- 15 | - name: Converge 16 | hosts: all 17 | become: true 18 | gather_facts: true 19 | 20 | roles: 21 | - role: ansible-role-auditd 22 | auditd_start_service: false 23 | auditd_local_events: "no" 24 | auditd_rules: 25 | - file: /var/log/audit/ 26 | keyname: auditlog 27 | - file: /etc/audit/ 28 | permissions: 29 | - write 30 | - attribute_change 31 | keyname: auditconfig 32 | - file: /etc/libaudit.conf 33 | permissions: 34 | - write 35 | - attribute_change 36 | keyname: auditconfig 37 | - file: /etc/audisp/ 38 | permissions: 39 | - write 40 | - attribute_change 41 | keyname: audispconfig 42 | - file: /sbin/auditctl 43 | permissions: 44 | - execute 45 | keyname: audittools 46 | - file: /sbin/auditd 47 | permissions: 48 | - execute 49 | keyname: audittools 50 | - syscall: open 51 | action: always 52 | filter: exit 53 | filters: 54 | - auid!=4294967295 55 | - auid!=unset 56 | keyname: my_keyname 57 | arch: b32 58 | - syscall: adjtimex 59 | action: always 60 | filter: exit 61 | keyname: time_change 62 | - syscall: settimeofday 63 | action: always 64 | filter: exit 65 | keyname: time_change 66 | - action: always 67 | filter: exit 68 | filters: 69 | - path=/bin/ping 70 | - perm=x 71 | - auid>=500 72 | - auid!=4294967295 73 | keyname: privileged 74 | ``` 75 | 76 | The machine needs to be prepared. In CI this is done using [`molecule/default/prepare.yml`](https://github.com/robertdebock/ansible-role-auditd/blob/master/molecule/default/prepare.yml): 77 | 78 | ```yaml 79 | --- 80 | - name: Prepare 81 | hosts: all 82 | become: true 83 | gather_facts: false 84 | 85 | roles: 86 | - role: robertdebock.bootstrap 87 | ``` 88 | 89 | Also see a [full explanation and example](https://robertdebock.nl/how-to-use-these-roles.html) on how to use these roles. 90 | 91 | ## [Role Variables](#role-variables) 92 | 93 | The default values for the variables are set in [`defaults/main.yml`](https://github.com/robertdebock/ansible-role-auditd/blob/master/defaults/main.yml): 94 | 95 | ```yaml 96 | --- 97 | # defaults file for auditd 98 | 99 | # Below variables are docuemented in the man page for auditd.conf 100 | # https://linux.die.net/man/5/auditd.conf 101 | auditd_buffer_size: 32768 102 | auditd_fail_mode: 1 103 | auditd_maximum_rate: 60 104 | auditd_enable_flag: 1 105 | auditd_local_events: "yes" 106 | auditd_write_logs: "yes" 107 | auditd_log_file: /var/log/audit/audit.log 108 | auditd_log_group: root 109 | auditd_log_format: RAW 110 | auditd_flush: incremental_async 111 | auditd_freq: 50 112 | auditd_max_log_file: 8 113 | auditd_num_logs: 5 114 | auditd_priority_boost: 4 115 | auditd_disp_qos: lossy 116 | auditd_dispatcher: /sbin/audispd 117 | auditd_name_format: none 118 | auditd_max_log_file_action: rotate 119 | auditd_space_left: "75" # This can be a number ('25') or a percentage. ('25%') 120 | auditd_space_left_action: syslog 121 | auditd_verify_email: "yes" 122 | auditd_action_mail_acct: root 123 | auditd_admin_space_left: 50 124 | auditd_admin_space_left_action: suspend 125 | auditd_disk_full_action: suspend 126 | auditd_disk_error_action: suspend 127 | auditd_use_libwrap: "yes" 128 | auditd_tcp_listen_queue: 5 129 | auditd_tcp_max_per_addr: 1 130 | auditd_tcp_client_max_idle: 0 131 | auditd_enable_krb5: "no" 132 | auditd_krb5_principal: auditd 133 | auditd_distribute_network: "no" 134 | 135 | # You can opt to manage the rules with this role or not. 136 | # Setting auditd_manage_rules to false will not manage the rules. 137 | auditd_manage_rules: true 138 | 139 | # Some rules require a specific architecture to be set. 140 | auditd_default_arch: b64 141 | 142 | 143 | # You can opt to start the auditd service or not. 144 | # Mostly useful in CI, to avoid starting the service. 145 | auditd_start_service: true 146 | ``` 147 | 148 | ## [Requirements](#requirements) 149 | 150 | - pip packages listed in [requirements.txt](https://github.com/robertdebock/ansible-role-auditd/blob/master/requirements.txt). 151 | 152 | ## [State of used roles](#state-of-used-roles) 153 | 154 | The following roles are used to prepare a system. You can prepare your system in another way. 155 | 156 | | Requirement | GitHub | GitLab | 157 | |-------------|--------|--------| 158 | |[robertdebock.bootstrap](https://galaxy.ansible.com/robertdebock/bootstrap)|[![Build Status GitHub](https://github.com/robertdebock/ansible-role-bootstrap/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-bootstrap/actions)|[![Build Status GitLab](https://gitlab.com/robertdebock-iac/ansible-role-bootstrap/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/ansible-role-bootstrap)| 159 | 160 | ## [Context](#context) 161 | 162 | This role is a part of many compatible roles. Have a look at [the documentation of these roles](https://robertdebock.nl/) for further information. 163 | 164 | Here is an overview of related roles: 165 | ![dependencies](https://raw.githubusercontent.com/robertdebock/ansible-role-auditd/png/requirements.png "Dependencies") 166 | 167 | ## [Compatibility](#compatibility) 168 | 169 | This role has been tested on these [container images](https://hub.docker.com/u/robertdebock): 170 | 171 | |container|tags| 172 | |---------|----| 173 | |[EL](https://hub.docker.com/r/robertdebock/enterpriselinux)|9| 174 | |[Debian](https://hub.docker.com/r/robertdebock/debian)|all| 175 | |[Fedora](https://hub.docker.com/r/robertdebock/fedora)|all| 176 | |[Ubuntu](https://hub.docker.com/r/robertdebock/ubuntu)|all| 177 | 178 | The minimum version of Ansible required is 2.12, tests have been done to: 179 | 180 | - The previous version. 181 | - The current version. 182 | - The development version. 183 | 184 | If you find issues, please register them in [GitHub](https://github.com/robertdebock/ansible-role-auditd/issues). 185 | 186 | ## [License](#license) 187 | 188 | [Apache-2.0](https://github.com/robertdebock/ansible-role-auditd/blob/master/LICENSE). 189 | 190 | ## [Author Information](#author-information) 191 | 192 | [robertdebock](https://robertdebock.nl/) 193 | 194 | Please consider [sponsoring me](https://github.com/sponsors/robertdebock). 195 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # [Security Policy](#security-policy) 2 | 3 | This software implements other software, it's not very likely that this software introduces new vulnerabilities. 4 | 5 | ## [Supported Versions](#supported-versions) 6 | 7 | These version of [ansible](https://pypi.org/project/ansible/) are supported: 8 | 9 | | Version | Supported | 10 | | ------- | ------------------ | 11 | | 7 | :white_check_mark: | 12 | | 6 | :white_check_mark: | 13 | | 5 | :white_check_mark: | 14 | 15 | ## [Reporting a Vulnerability](#reporting-a-vulnarability) 16 | 17 | Please [open an issue](https://github.com/robertdebock/ansible-role-auditd/issues) describing the vulnerability. 18 | 19 | Tell them where to go, how often they can expect to get an update on a 20 | reported vulnerability, what to expect if the vulnerability is accepted or 21 | declined, etc. 22 | 23 | Please consider [sponsoring me](https://github.com/sponsors/robertdebock). 24 | -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for auditd 3 | 4 | # Below variables are docuemented in the man page for auditd.conf 5 | # https://linux.die.net/man/5/auditd.conf 6 | auditd_buffer_size: 32768 7 | auditd_fail_mode: 1 8 | auditd_maximum_rate: 60 9 | auditd_enable_flag: 1 10 | auditd_local_events: "yes" 11 | auditd_write_logs: "yes" 12 | auditd_log_file: /var/log/audit/audit.log 13 | auditd_log_group: root 14 | auditd_log_format: RAW 15 | auditd_flush: incremental_async 16 | auditd_freq: 50 17 | auditd_max_log_file: 8 18 | auditd_num_logs: 5 19 | auditd_priority_boost: 4 20 | auditd_disp_qos: lossy 21 | auditd_dispatcher: /sbin/audispd 22 | auditd_name_format: none 23 | auditd_max_log_file_action: rotate 24 | auditd_space_left: "75" # This can be a number ('25') or a percentage. ('25%') 25 | auditd_space_left_action: syslog 26 | auditd_verify_email: "yes" 27 | auditd_action_mail_acct: root 28 | auditd_admin_space_left: 50 29 | auditd_admin_space_left_action: suspend 30 | auditd_disk_full_action: suspend 31 | auditd_disk_error_action: suspend 32 | auditd_use_libwrap: "yes" 33 | auditd_tcp_listen_queue: 5 34 | auditd_tcp_max_per_addr: 1 35 | auditd_tcp_client_max_idle: 0 36 | auditd_enable_krb5: "no" 37 | auditd_krb5_principal: auditd 38 | auditd_distribute_network: "no" 39 | 40 | # You can opt to manage the rules with this role or not. 41 | # Setting auditd_manage_rules to false will not manage the rules. 42 | auditd_manage_rules: true 43 | 44 | # Some rules require a specific architecture to be set. 45 | auditd_default_arch: b64 46 | 47 | 48 | # You can opt to start the auditd service or not. 49 | # Mostly useful in CI, to avoid starting the service. 50 | auditd_start_service: true 51 | -------------------------------------------------------------------------------- /handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for auditd 3 | 4 | - name: Run augenrules 5 | ansible.builtin.command: 6 | cmd: augenrules 7 | changed_when: true 8 | notify: 9 | - Load rules 10 | 11 | - name: Load rules 12 | ansible.builtin.command: 13 | cmd: augenrules --load 14 | changed_when: true 15 | when: 16 | - ansible_connection not in [ "container", "docker", "community.docker.docker" ] 17 | 18 | - name: Restart auditd 19 | ansible.builtin.service: 20 | name: "{{ auditd_service }}" 21 | state: restarted 22 | use: service # systemctl can't restart auditd, service can: https://access.redhat.com/solutions/2664811 23 | when: 24 | - auditd_start_service 25 | -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | galaxy_info: 3 | author: robertdebock 4 | role_name: auditd 5 | description: Install and configure auditd on your system. 6 | license: Apache-2.0 7 | company: none 8 | min_ansible_version: "2.12" 9 | 10 | platforms: 11 | - name: EL 12 | versions: 13 | - "9" 14 | - name: Debian 15 | versions: 16 | - all 17 | - name: Fedora 18 | versions: 19 | - all 20 | - name: Ubuntu 21 | versions: 22 | - all 23 | 24 | galaxy_tags: 25 | - auditd 26 | - system 27 | - monitoring 28 | - security 29 | 30 | dependencies: [] 31 | -------------------------------------------------------------------------------- /meta/preferences.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | matrix_overrides: 4 | amazonlinux: 5 | python: 6 | - python:3.9 7 | - python:3.10 8 | -------------------------------------------------------------------------------- /molecule/default/converge.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Converge 3 | hosts: all 4 | become: true 5 | gather_facts: true 6 | 7 | roles: 8 | - role: ansible-role-auditd 9 | auditd_start_service: false 10 | auditd_local_events: "no" 11 | auditd_rules: 12 | - file: /var/log/audit/ 13 | keyname: auditlog 14 | - file: /etc/audit/ 15 | permissions: 16 | - write 17 | - attribute_change 18 | keyname: auditconfig 19 | - file: /etc/libaudit.conf 20 | permissions: 21 | - write 22 | - attribute_change 23 | keyname: auditconfig 24 | - file: /etc/audisp/ 25 | permissions: 26 | - write 27 | - attribute_change 28 | keyname: audispconfig 29 | - file: /sbin/auditctl 30 | permissions: 31 | - execute 32 | keyname: audittools 33 | - file: /sbin/auditd 34 | permissions: 35 | - execute 36 | keyname: audittools 37 | - syscall: open 38 | action: always 39 | filter: exit 40 | filters: 41 | - auid!=4294967295 42 | - auid!=unset 43 | keyname: my_keyname 44 | arch: b32 45 | - syscall: adjtimex 46 | action: always 47 | filter: exit 48 | keyname: time_change 49 | - syscall: settimeofday 50 | action: always 51 | filter: exit 52 | keyname: time_change 53 | - action: always 54 | filter: exit 55 | filters: 56 | - path=/bin/ping 57 | - perm=x 58 | - auid>=500 59 | - auid!=4294967295 60 | keyname: privileged 61 | -------------------------------------------------------------------------------- /molecule/default/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Ansible managed 4 | # 5 | dependency: 6 | name: galaxy 7 | options: 8 | role-file: requirements.yml 9 | requirements-file: requirements.yml 10 | lint: | 11 | set -e 12 | yamllint . 13 | ansible-lint 14 | driver: 15 | name: docker 16 | platforms: 17 | - name: "auditd-${image:-fedora}-${tag:-latest}${TOX_ENVNAME}" 18 | image: "${namespace:-robertdebock}/${image:-fedora}:${tag:-latest}" 19 | command: /sbin/init 20 | cgroupns_mode: host 21 | volumes: 22 | - /sys/fs/cgroup:/sys/fs/cgroup:rw 23 | privileged: true 24 | pre_build_image: true 25 | provisioner: 26 | name: ansible 27 | verifier: 28 | name: ansible 29 | -------------------------------------------------------------------------------- /molecule/default/prepare.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Prepare 3 | hosts: all 4 | become: true 5 | gather_facts: false 6 | 7 | roles: 8 | - role: robertdebock.bootstrap 9 | -------------------------------------------------------------------------------- /molecule/default/verify.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Verify 3 | hosts: all 4 | become: true 5 | gather_facts: false 6 | 7 | tasks: 8 | - name: Check if connection still works 9 | ansible.builtin.ping: 10 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | molecule 2 | molecule-plugins[docker] 3 | paramiko 4 | -------------------------------------------------------------------------------- /requirements.yml: -------------------------------------------------------------------------------- 1 | --- 2 | roles: 3 | - name: robertdebock.bootstrap 4 | collections: 5 | - name: community.general 6 | -------------------------------------------------------------------------------- /tasks/assert.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: assert | Test auditd_buffer_size 4 | ansible.builtin.assert: 5 | that: 6 | - auditd_buffer_size is defined 7 | - auditd_buffer_size is number 8 | - auditd_buffer_size >= 0 9 | - auditd_buffer_size <= 65000 10 | quiet: true 11 | 12 | - name: assert | Test auditd_fail_mode 13 | ansible.builtin.assert: 14 | that: 15 | - auditd_fail_mode is defined 16 | - auditd_fail_mode is number 17 | - auditd_fail_mode in [ 0, 1, 2 ] 18 | quiet: true 19 | 20 | - name: assert | Test auditd_maximum_rate 21 | ansible.builtin.assert: 22 | that: 23 | - auditd_maximum_rate is defined 24 | - auditd_maximum_rate is number 25 | - auditd_maximum_rate >= 0 26 | quiet: true 27 | 28 | - name: assert | Test auditd_enable_flag 29 | ansible.builtin.assert: 30 | that: 31 | - auditd_enable_flag is defined 32 | - auditd_enable_flag is number 33 | - auditd_enable_flag in [ 0, 1, 2 ] 34 | quiet: true 35 | 36 | - name: assert | Test auditd_local_events 37 | ansible.builtin.assert: 38 | that: 39 | - auditd_local_events is defined 40 | - auditd_local_events is string 41 | - auditd_local_events in [ "yes", "no" ] 42 | quiet: true 43 | 44 | - name: assert | Test auditd_write_logs 45 | ansible.builtin.assert: 46 | that: 47 | - auditd_write_logs is defined 48 | - auditd_write_logs is string 49 | - auditd_write_logs in [ "yes", "no" ] 50 | quiet: true 51 | 52 | - name: assert | Test auditd_log_file 53 | ansible.builtin.assert: 54 | that: 55 | - auditd_log_file is defined 56 | - auditd_log_file is string 57 | - auditd_log_file is not none 58 | quiet: true 59 | 60 | - name: assert | Test auditd_log_group 61 | ansible.builtin.assert: 62 | that: 63 | - auditd_log_group is defined 64 | - auditd_log_group is string 65 | - auditd_log_group is not none 66 | quiet: true 67 | 68 | - name: assert | Test auditd_log_format 69 | ansible.builtin.assert: 70 | that: 71 | - auditd_log_format is defined 72 | - auditd_log_format is string 73 | - auditd_log_format in [ "ENRICHED", "NOLOG", "RAW" ] 74 | quiet: true 75 | 76 | - name: assert | Test auditd_flush 77 | ansible.builtin.assert: 78 | that: 79 | - auditd_flush is defined 80 | - auditd_flush is string 81 | - auditd_flush in [ "none", "incremental", "incremental_async", "data", "sync" ] 82 | quiet: true 83 | 84 | - name: assert | Test auditd_freq 85 | ansible.builtin.assert: 86 | that: 87 | - auditd_freq is defined 88 | - auditd_freq is number 89 | - auditd_freq >= 0 90 | quiet: true 91 | 92 | - name: assert | Test auditd_max_log_file 93 | ansible.builtin.assert: 94 | that: 95 | - auditd_max_log_file is defined 96 | - auditd_max_log_file is number 97 | - auditd_max_log_file > 0 98 | quiet: true 99 | 100 | - name: assert | Test auditd_num_logs 101 | ansible.builtin.assert: 102 | that: 103 | - auditd_num_logs is defined 104 | - auditd_num_logs is number 105 | - auditd_num_logs > 0 106 | - auditd_num_logs < 99 107 | quiet: true 108 | 109 | - name: assert | Test auditd_priority_boost 110 | ansible.builtin.assert: 111 | that: 112 | - auditd_priority_boost is defined 113 | - auditd_priority_boost is number 114 | - auditd_priority_boost in [ 0, 1, 2, 3, 4 ] 115 | quiet: true 116 | 117 | - name: assert | Test auditd_name_format 118 | ansible.builtin.assert: 119 | that: 120 | - auditd_name_format is defined 121 | - auditd_name_format is string 122 | - auditd_name_format in [ "none", "hostname", "fqd", "numeric", "user" ] 123 | quiet: true 124 | 125 | - name: assert | Test auditd_max_log_file_action 126 | ansible.builtin.assert: 127 | that: 128 | - auditd_max_log_file_action is defined 129 | - auditd_max_log_file_action is string 130 | - auditd_max_log_file_action in [ "ignore", "syslog", "suspend", "rotate" ] 131 | quiet: true 132 | 133 | - name: assert | Test auditd_space_left 134 | ansible.builtin.assert: 135 | that: 136 | - auditd_space_left is defined 137 | quiet: true 138 | 139 | - name: assert | Test auditd_space_left_action 140 | ansible.builtin.assert: 141 | that: 142 | - auditd_space_left_action is defined 143 | - auditd_space_left_action is string 144 | - auditd_space_left_action in [ "ignore", "syslog", "rotate", "email", "exec", "suspend", "single", "halt" ] 145 | quiet: true 146 | 147 | - name: assert | Test auditd_verify_email 148 | ansible.builtin.assert: 149 | that: 150 | - auditd_verify_email is defined 151 | - auditd_verify_email is string 152 | - auditd_verify_email in [ "yes", "no" ] 153 | quiet: true 154 | 155 | - name: assert | Test auditd_action_mail_acct 156 | ansible.builtin.assert: 157 | that: 158 | - auditd_action_mail_acct is defined 159 | - auditd_action_mail_acct is string 160 | - auditd_action_mail_acct is not none 161 | quiet: true 162 | 163 | - name: assert | Test auditd_admin_space_left 164 | ansible.builtin.assert: 165 | that: 166 | - auditd_admin_space_left is defined 167 | - auditd_admin_space_left is number 168 | - auditd_admin_space_left >= 0 169 | - auditd_admin_space_left <= 100 170 | quiet: true 171 | 172 | - name: assert | Test auditd_admin_space_left_action 173 | ansible.builtin.assert: 174 | that: 175 | - auditd_admin_space_left_action is defined 176 | - auditd_admin_space_left_action is string 177 | - auditd_admin_space_left_action in [ "ignore", "syslog", "rotate", "email", "exec", "suspend", "single", "halt" ] 178 | quiet: true 179 | 180 | - name: assert | Test auditd_disk_full_action 181 | ansible.builtin.assert: 182 | that: 183 | - auditd_disk_full_action is defined 184 | - auditd_disk_full_action is string 185 | - auditd_disk_full_action in [ "ignore", "syslog", "rotate", "exec", "suspend", "single", "halt" ] 186 | quiet: true 187 | 188 | - name: assert | Test auditd_disk_error_action 189 | ansible.builtin.assert: 190 | that: 191 | - auditd_disk_error_action is defined 192 | - auditd_disk_error_action is string 193 | - auditd_disk_error_action in [ "ignore", "syslog", "rotate", "exec", "suspend", "single", "halt" ] 194 | quiet: true 195 | 196 | - name: assert | Test auditd_use_libwrap 197 | ansible.builtin.assert: 198 | that: 199 | - auditd_use_libwrap is defined 200 | - auditd_use_libwrap is string 201 | - auditd_use_libwrap in [ "yes", "no" ] 202 | quiet: true 203 | 204 | - name: assert | Test auditd_tcp_listen_queue 205 | ansible.builtin.assert: 206 | that: 207 | - auditd_tcp_listen_queue is defined 208 | - auditd_tcp_listen_queue is number 209 | - auditd_tcp_listen_queue >= 0 210 | quiet: true 211 | 212 | - name: assert | Test auditd_tcp_max_per_addr 213 | ansible.builtin.assert: 214 | that: 215 | - auditd_tcp_max_per_addr is defined 216 | - auditd_tcp_max_per_addr is number 217 | - auditd_tcp_max_per_addr >= 0 218 | - auditd_tcp_max_per_addr <= 1024 219 | quiet: true 220 | 221 | - name: assert | Test auditd_tcp_client_max_idle 222 | ansible.builtin.assert: 223 | that: 224 | - auditd_tcp_client_max_idle is defined 225 | - auditd_tcp_client_max_idle is number 226 | - auditd_tcp_client_max_idle >= 0 227 | quiet: true 228 | 229 | - name: assert | Test auditd_enable_krb5 230 | ansible.builtin.assert: 231 | that: 232 | - auditd_enable_krb5 is defined 233 | - auditd_enable_krb5 is string 234 | - auditd_enable_krb5 in [ "yes", "no" ] 235 | quiet: true 236 | 237 | - name: assert | Test auditd_krb5_principal 238 | ansible.builtin.assert: 239 | that: 240 | - auditd_krb5_principal is defined 241 | - auditd_krb5_principal is string 242 | - auditd_krb5_principal is not none 243 | quiet: true 244 | 245 | - name: assert | Test auditd_distribute_network 246 | ansible.builtin.assert: 247 | that: 248 | - auditd_distribute_network is defined 249 | - auditd_distribute_network is string 250 | - auditd_distribute_network in [ "yes", "no" ] 251 | quiet: true 252 | 253 | - name: assert | Test auditd_manage_rules 254 | ansible.builtin.assert: 255 | that: 256 | - auditd_manage_rules is defined 257 | - auditd_manage_rules is boolean 258 | quiet: true 259 | 260 | - name: assert | Test auditd_rules 261 | ansible.builtin.assert: 262 | that: 263 | - auditd_rules is iterable 264 | quiet: true 265 | when: 266 | - auditd_rules is defined 267 | 268 | - name: assert | Test item.file in auditd_rules 269 | ansible.builtin.assert: 270 | that: 271 | - item.keyname is defined 272 | - item.keyname is string 273 | - item.keyname is not none 274 | quiet: true 275 | loop: "{{ auditd_rules }}" 276 | loop_control: 277 | label: "{{ item.file | default('none') }}" 278 | when: 279 | - auditd_rules is defined 280 | - item.file is defined 281 | 282 | - name: assert | Test item.permission in auditd_rules 283 | ansible.builtin.assert: 284 | that: 285 | - item.permission in [ "attribute_change", "execute", "read", "write" ] 286 | quiet: true 287 | loop: "{{ auditd_rules }}" 288 | loop_control: 289 | label: "{{ item.file | default('none') }}" 290 | when: 291 | - auditd_rules is defined 292 | - auditd_rules is string 293 | - item.permission is defined 294 | - item.permission is string 295 | 296 | - name: assert | Test item in auditd_rules 297 | ansible.builtin.assert: 298 | that: 299 | - item.action is defined 300 | - item.action is string 301 | - item.action in [ "always", "never" ] 302 | - item.filter is defined 303 | - item.filter is string 304 | - item.filter in [ "exclude", "exit", "user" ] 305 | quiet: true 306 | loop: "{{ auditd_rules }}" 307 | loop_control: 308 | label: "{{ item.syscall | default('none') }}" 309 | when: 310 | - auditd_rules is defined 311 | - auditd_rules is string 312 | - item.syscall is defined 313 | - item.syscall is string 314 | 315 | - name: assert | Test item.filters in auditd_rules 316 | ansible.builtin.assert: 317 | that: 318 | - item.filters is iterable 319 | quiet: true 320 | loop: "{{ auditd_rules }}" 321 | loop_control: 322 | label: "{{ item.file | default('none') }}" 323 | when: 324 | - auditd_rules is defined 325 | - auditd_rules is string 326 | - item.filters is defined 327 | - item.filters is string 328 | 329 | - name: assert | Test auditd_disp_qos 330 | ansible.builtin.assert: 331 | that: 332 | - auditd_disp_qos is defined 333 | - auditd_disp_qos is string 334 | - auditd_disp_qos in [ "lossy", "lossless" ] 335 | fail_msg: "auditd_disp_qos must be one of 'lossy', 'lossless'." 336 | quiet: true 337 | 338 | - name: assert | Test auditd_dispatcher 339 | ansible.builtin.assert: 340 | that: 341 | - auditd_dispatcher is defined 342 | - auditd_dispatcher is string 343 | - auditd_dispatcher is not none 344 | quiet: true 345 | -------------------------------------------------------------------------------- /tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # tasks file for auditd 3 | 4 | - name: Import assert.yml 5 | ansible.builtin.import_tasks: 6 | file: assert.yml 7 | run_once: true 8 | delegate_to: localhost 9 | 10 | - name: Install requirements 11 | ansible.builtin.package: 12 | name: bash 13 | state: present 14 | 15 | - name: Install audit 16 | ansible.builtin.package: 17 | name: "{{ auditd_packages }}" 18 | state: present 19 | 20 | - name: Configure auditd 21 | ansible.builtin.template: 22 | src: "{{ auditd_config_file }}.j2" 23 | dest: "{{ auditd_config_directory }}/{{ auditd_config_file }}" 24 | mode: "0640" 25 | notify: 26 | - Restart auditd 27 | 28 | - name: Create rules.d directory 29 | ansible.builtin.file: 30 | path: "{{ auditd_config_directory }}/rules.d" 31 | state: directory 32 | mode: "0750" 33 | 34 | - name: Place custom.rules 35 | ansible.builtin.template: 36 | src: custom.rules.j2 37 | dest: "{{ auditd_config_directory }}/rules.d/custom.rules" 38 | mode: "0664" 39 | notify: 40 | - Run augenrules 41 | when: 42 | - auditd_manage_rules 43 | 44 | - name: Start and enable auditd 45 | ansible.builtin.service: 46 | name: "{{ auditd_service }}" 47 | state: started 48 | enabled: true 49 | when: 50 | - auditd_start_service 51 | -------------------------------------------------------------------------------- /templates/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robertdebock/ansible-role-auditd/cd941096f69cf325df666a9d62bfaff769a812af/templates/.gitkeep -------------------------------------------------------------------------------- /templates/auditd.conf.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | 3 | local_events = {{ auditd_local_events }} 4 | write_logs = {{ auditd_write_logs }} 5 | log_file = {{ auditd_log_file }} 6 | log_group = {{ auditd_log_group }} 7 | log_format = {{ auditd_log_format }} 8 | flush = {{ auditd_flush }} 9 | freq = {{ auditd_freq }} 10 | max_log_file = {{ auditd_max_log_file }} 11 | num_logs = {{ auditd_num_logs }} 12 | priority_boost = {{ auditd_priority_boost }} 13 | disp_qos = {{ auditd_disp_qos }} 14 | dispatcher = {{ auditd_dispatcher }} 15 | name_format = {{ auditd_name_format }} 16 | max_log_file_action = {{ auditd_max_log_file_action }} 17 | space_left = {{ auditd_space_left | int }} 18 | space_left_action = {{ auditd_space_left_action }} 19 | verify_email = {{ auditd_verify_email }} 20 | action_mail_acct = {{ auditd_action_mail_acct }} 21 | admin_space_left = {{ auditd_admin_space_left }} 22 | admin_space_left_action = {{ auditd_admin_space_left_action }} 23 | disk_full_action = {{ auditd_disk_full_action }} 24 | disk_error_action = {{ auditd_disk_error_action }} 25 | use_libwrap = {{ auditd_use_libwrap }} 26 | tcp_listen_queue = {{ auditd_tcp_listen_queue }} 27 | tcp_max_per_addr = {{ auditd_tcp_max_per_addr }} 28 | tcp_client_max_idle = {{ auditd_tcp_client_max_idle }} 29 | enable_krb5 = {{ auditd_enable_krb5 }} 30 | krb5_principal = {{ auditd_krb5_principal }} 31 | distribute_network = {{ auditd_distribute_network }} 32 | -------------------------------------------------------------------------------- /templates/custom.rules.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | 3 | # Delete all previous rules 4 | -D 5 | # Set buffer size 6 | -b {{ auditd_buffer_size }} 7 | # Set failure behavior 8 | -f {{ auditd_fail_mode }} 9 | # Set the maximum amount of messages per second 10 | -r {{ auditd_maximum_rate }} 11 | # Set enable flag (0=disable, 1=enable, 2=locked, requires reboot to unlock) 12 | -e {{ auditd_enable_flag }} 13 | 14 | {% if auditd_rules is defined %} 15 | {% for rule in auditd_rules %} 16 | {% if rule.file is defined %} 17 | -w {{ rule.file }}{% if rule.filters is defined %}{% for filter in rule.filters %} -F {{ filter }}{% endfor %}{% endif %}{% if rule.permissions is defined %} -p {% for permission in rule.permissions %}{{ _auditd_permissions[permission] }}{% endfor %}{% endif %} -k {{ rule.keyname }} 18 | {% endif %} 19 | {% if rule.syscall is defined %} 20 | -a {{ rule.action }},{{ rule.filter }} -F arch={{ rule.arch | default(auditd_default_arch) }} -S {{ rule.syscall }}{% if rule.filters is defined %}{% for filter in rule.filters %} -F {{ filter }}{% endfor %}{% endif %} -k {{ rule.keyname }} 21 | {% endif %} 22 | {% if rule.action is defined and rule.file is not defined and rule.syscall is not defined %} 23 | -a {{ rule.action }},{{ rule.filter }}{% for filter in rule.filters %} -F {{ filter }}{% endfor %} -k {{ rule.keyname }} 24 | {% endif %} 25 | {% endfor %} 26 | {% endif %} 27 | -------------------------------------------------------------------------------- /tox.ini: -------------------------------------------------------------------------------- 1 | [tox] 2 | envlist = ansible-2.{15,16,17,18} 3 | skipsdist = true 4 | 5 | [testenv] 6 | commands = molecule test 7 | 8 | setenv = 9 | TOX_ENVNAME={envname} 10 | PY_COLORS=1 11 | ANSIBLE_FORCE_COLOR=1 12 | ANSIBLE_ROLES_PATH=../ 13 | 14 | passenv = * 15 | 16 | # Test supported releases of ansible-core. See: 17 | # https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix 18 | 19 | [testenv:ansible-2.15] 20 | basepython = python3.9 21 | deps = 22 | -rrequirements.txt 23 | ansible-core==2.15.* 24 | ansible-lint==6.* 25 | 26 | [testenv:ansible-2.16] 27 | basepython = python3.10 28 | deps = 29 | -rrequirements.txt 30 | ansible-core==2.16.* 31 | ansible-lint==24.* 32 | 33 | [testenv:ansible-2.17] 34 | basepython = python3.10 35 | deps = 36 | -rrequirements.txt 37 | ansible-core==2.17.* 38 | ansible-lint==24.* 39 | 40 | [testenv:ansible-2.18] 41 | basepython = python3.13 42 | deps = 43 | -rrequirements.txt 44 | ansible-core==2.18.* 45 | ansible-lint==24.* 46 | -------------------------------------------------------------------------------- /vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for auditd 3 | 4 | _auditd_packages: 5 | default: 6 | - audit 7 | Debian: 8 | - auditd 9 | 10 | auditd_packages: "{{ _auditd_packages[ansible_os_family] | default(_auditd_packages['default']) }}" 11 | 12 | auditd_config_directory: /etc/audit 13 | 14 | auditd_config_file: auditd.conf 15 | 16 | auditd_service: auditd 17 | 18 | _auditd_permissions: 19 | read: r 20 | write: w 21 | execute: x 22 | attribute_change: a 23 | --------------------------------------------------------------------------------