guidugli.audit

Ansible Role: Audit

This is an Ansible role that installs and sets up auditing on RHEL/CentOS, Fedora, and Debian/Ubuntu systems.

Default rules follow the security guidelines from CIS for RedHat, Ubuntu, and Debian, as well as information from this GitHub repository: Neo23x0/auditd.

Disclaimer: I'm not a security expert. Before using this role, you should understand how auditing works and the rules it sets up. The security of your servers is YOUR responsibility!

Requirements

You need to run this on a physical server or a virtual machine. In container systems, only one auditd process can run, usually on the host system. This role will not start the auditd service in containers.

Role Variables

Here are the variables you can customize, along with their default values (check defaults/main.yml):

  • audit_local_events: true
    Controls whether to include local events. The default is true, as you generally want local events. Set to false if you only want network events.

  • audit_log_file: /var/log/audit/audit.log
    The path to the log file for audit records. It must be a regular file.

  • audit_write_logs: true
    Decides if logs should be written to disk. Default is true.

  • audit_log_format: ENRICHED
    Defines how log information is stored. Options are raw or enriched.

  • audit_log_group: root
    Sets the group for the log file permissions. Default is root.

  • audit_priority_boost: 4
    A number indicating the priority boost for the audit daemon. Default is 4.

  • audit_flush: INCREMENTAL_ASYNC
    Options for flushing logs: none, incremental, incremental_async, data, sync.

  • audit_freq: 50
    Specifies how many log records to write before flushing to disk. This works with incremental flush settings.

  • audit_num_logs: 5
    Number of log files to keep when rotating. Must be 999 or less; logs are not rotated if it is less than 2.

There are many more variables related to email notifications, disk space monitoring, plugin management, and networking, which you can adjust based on your needs.

Some variables in vars/main.yml do not need to be changed for common systems:

  • audit_packages: ['audit', 'audit-libs']
    These are the packages needed for different Linux distributions.

  • audit_config_path: /etc/audit/auditd.conf
    Location of the auditd configuration file.

  • audit_rulesd_path: /etc/audit/rules.d
    Location for the rules directory.

  • audit_rules_files: Various rule files
    Files for specific audit rules provided by this role. You can use these or create your own.
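The two variable lists above describe settings that end up in auditd.conf. The following script is an added example, not code from the guidugli.audit role: it maps the audit_* role variables listed above onto the auditd.conf keys they correspond to (key names as in auditd.conf(5)), checks the constraints the README states (raw/enriched, the flush keywords, num_logs at most 999, rotation only from 2 upward, a regular-file path for the log) before anything is rendered, and prints the resulting config lines. The ROLE_DEFAULTS dict simply restates the defaults listed above; the role's own templates are assumed to differ in form.

```python
"""Render auditd.conf entries from the guidugli.audit role variables.

Added example, not code from the role itself: it maps the audit_* role
variables listed above onto the auditd.conf keys they stand for and checks
the constraints the README states before a config is written out.
"""
from __future__ import annotations

# Role variable -> auditd.conf key (key names from auditd.conf(5)).
VAR_TO_KEY = {
    "audit_local_events": "local_events",
    "audit_log_file": "log_file",
    "audit_write_logs": "write_logs",
    "audit_log_format": "log_format",
    "audit_log_group": "log_group",
    "audit_priority_boost": "priority_boost",
    "audit_flush": "flush",
    "audit_freq": "freq",
    "audit_num_logs": "num_logs",
}

VALID_FLUSH = {"none", "incremental", "incremental_async", "data", "sync"}
VALID_LOG_FORMAT = {"raw", "enriched"}
MAX_NUM_LOGS = 999  # upper bound stated in the README

# Defaults as documented above (defaults/main.yml of the role).
ROLE_DEFAULTS = {
    "audit_local_events": True,
    "audit_log_file": "/var/log/audit/audit.log",
    "audit_write_logs": True,
    "audit_log_format": "ENRICHED",
    "audit_log_group": "root",
    "audit_priority_boost": 4,
    "audit_flush": "INCREMENTAL_ASYNC",
    "audit_freq": 50,
    "audit_num_logs": 5,
}


def validate(role_vars: dict) -> list[str]:
    """Return a list of problems; an empty list means the values are usable."""
    errors = []
    if str(role_vars["audit_log_format"]).lower() not in VALID_LOG_FORMAT:
        errors.append("audit_log_format must be raw or enriched")
    if str(role_vars["audit_flush"]).lower() not in VALID_FLUSH:
        errors.append("audit_flush must be one of " + ", ".join(sorted(VALID_FLUSH)))
    num_logs = role_vars["audit_num_logs"]
    if not isinstance(num_logs, int) or not 0 <= num_logs <= MAX_NUM_LOGS:
        errors.append(f"audit_num_logs must be an integer between 0 and {MAX_NUM_LOGS}")
    freq = role_vars["audit_freq"]
    if not isinstance(freq, int) or freq < 1:
        errors.append("audit_freq must be a positive integer")
    boost = role_vars["audit_priority_boost"]
    if not isinstance(boost, int) or boost < 0:
        errors.append("audit_priority_boost must be a non-negative integer")
    log_file = str(role_vars["audit_log_file"])
    # The log must be a regular file: reject relative paths and directory paths.
    if not log_file.startswith("/") or log_file.endswith("/"):
        errors.append("audit_log_file must be an absolute path to a regular file")
    for name in ("audit_local_events", "audit_write_logs"):
        if not isinstance(role_vars[name], bool):
            errors.append(f"{name} must be true or false")
    return errors


def rotation_enabled(role_vars: dict) -> bool:
    """auditd only rotates when it keeps at least two log files."""
    return int(role_vars["audit_num_logs"]) >= 2


def render(role_vars: dict) -> str:
    """Produce auditd.conf lines for the variables above; booleans become yes/no."""
    lines = []
    for var, key in VAR_TO_KEY.items():
        value = role_vars[var]
        if isinstance(value, bool):
            text = "yes" if value else "no"
        elif key in ("flush", "log_format"):
            text = str(value).lower()  # auditd.conf(5) lists these keywords in lowercase
        else:
            text = str(value)
        lines.append(f"{key} = {text}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    problems = validate(ROLE_DEFAULTS)
    if problems:
        raise SystemExit("\n".join(problems))
    if not rotation_enabled(ROLE_DEFAULTS):
        print("# note: audit_num_logs < 2, logs will not be rotated")
    print(render(ROLE_DEFAULTS), end="")
```

Running the script with the defaults prints nine `key = value` lines ready to compare against an existing /etc/audit/auditd.conf; passing a dict with, say, audit_num_logs set to 1000 makes validate() report the violation instead of silently producing a config auditd would reject at startup.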

Dependencies

There are no dependencies for this role.

Example Playbook

- hosts: servers
  vars_files:
    - vars/main.yml
  roles:
    - { role: guidugli.audit }

License

MIT / BSD

Author Information

This role was created in 2020 by Carlos Guidugli.

Project information

Install and configure audit on linux

Install
ansible-galaxy install guidugli.audit
License
mit
Downloads
116