juju4.auditd
Linux auditd Ansible Role
This Ansible role helps you set up and configure Linux auditd.
You can also check out this visualization with R for better understanding.
Requirements & Dependencies
Ansible
Tested on these versions:
- 2.2
- 2.5
- 2.10
Operating Systems
It works with:
- Ubuntu 16.04, 18.04, 20.04
- CentOS 7, 8
- SUSE 12.x, 15.x
Example Playbook
To use this role, just add it to your playbook. For example:
- hosts: all
  roles:
    - juju4.auditd
Variables
Currently, there are no specific variables needed.
Continuous Integration
This role includes basic tests with Travis (for GitHub) and more advanced testing using Kitchen and a Vagrantfile (found in test/vagrant).
The default Kitchen configuration (.kitchen.yml) is LXD-based, and the Vagrant configuration (.kitchen.vagrant.yml) is for Vagrant/VirtualBox.
To test everything, make sure you have the necessary roles and run the following commands:
$ gem install kitchen-ansible kitchen-lxd_cli kitchen-sync kitchen-vagrant
$ cd /path/to/roles/juju4.auditd
$ kitchen verify
$ kitchen login
$ KITCHEN_YAML=".kitchen.vagrant.yml" kitchen verify
Alternatively, you can use Vagrant:
$ cd /path/to/roles/juju4.auditd/test/vagrant
$ vagrant up
$ vagrant ssh
Troubleshooting & Known Issues
Since auditd depends on the kernel, this role won't make changes when run inside containers.
Errors like "watchdog: BUG: soft lockup - CPU#0 stuck for Xs! [kauditd:22]", "audit: backlog limit exceeded", and "audit: kauditd hold queue overflow" may occur, even with the setting audit_backlog_limit=8192.
A new variable, auditd_grub_enable, is added (default: false). Use it with caution.
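A check for the kernel messages listed above, added here as an example and not part of the juju4.auditd role: it counts the three symptoms in kernel log text and reads the backlog limit from a kernel command line and from `auditctl -s` output. The function names, the sample inputs and the assumed two-column `auditctl -s` format are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the role). Sample inputs are constructed.

# Count the three kernel messages in log text read from stdin.
count_audit_symptoms() {
    awk '
        /soft lockup/ && /\[kauditd:[0-9]+\]/ { lockup++ }
        /audit: backlog limit exceeded/      { exceeded++ }
        /audit: kauditd hold queue overflow/ { hold++ }
        END { printf "soft_lockup=%d backlog_exceeded=%d hold_queue_overflow=%d\n", lockup, exceeded, hold }'
}

# Print audit_backlog_limit from a kernel command line ($1), or "unset".
cmdline_backlog_limit() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk -F= '$1 == "audit_backlog_limit" { v = $2 }
                 END { print (v == "" ? "unset" : v) }'
}

# Print one field (backlog_limit, lost, ...) from `auditctl -s` output on
# stdin. Assumes the two-column "name value" format; otherwise "unknown".
auditctl_field() {
    awk -v key="$1" '$1 == key { print $2; found = 1 }
                     END { if (!found) print "unknown" }'
}

# Constructed samples standing in for `dmesg`, /proc/cmdline and `auditctl -s`.
SAMPLE_KLOG='[ 1042.117] audit: backlog limit exceeded
[ 1042.118] audit: backlog limit exceeded
[ 1042.204] audit: kauditd hold queue overflow
[ 1068.551] watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [kauditd:22]
[ 1070.001] EXT4-fs (sda1): re-mounted'
SAMPLE_CMDLINE='root=/dev/sda1 ro audit=1 audit_backlog_limit=8192'
SAMPLE_STATUS='enabled 1
failure 1
rate_limit 0
backlog_limit 8192
lost 154
backlog 8191'

printf '%s\n' "$SAMPLE_KLOG" | count_audit_symptoms
echo "cmdline limit: $(cmdline_backlog_limit "$SAMPLE_CMDLINE")"
echo "running limit: $(printf '%s\n' "$SAMPLE_STATUS" | auditctl_field backlog_limit)"
echo "lost events:   $(printf '%s\n' "$SAMPLE_STATUS" | auditctl_field lost)"
```

On a live host, pipe `dmesg` and `auditctl -s` into the functions and pass the contents of /proc/cmdline in place of the samples. A non-zero lost counter alongside these messages means audit records were dropped while the backlog was full.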
More info:
References
- Red Hat Enterprise Linux Security Guide - System Auditing
- Red Hat Enterprise Linux Security Guide - Starting the Audit Service
- Auditd Attack Repository
- Auditd Repository
License
This work is licensed under BSD 2-clause.