robertdebock.auditd

Ansible Role Auditd

This role helps you install and set up auditd on your system.

GitHub GitLab Downloads Version

Example Playbook

Here’s a sample playbook from molecule/default/converge.yml that is tested with each code change.

---
- name: Converge
  hosts: all
  become: true
  gather_facts: true

  roles:
    - role: robertdebock.auditd
      auditd_start_service: false
      auditd_local_events: "no"
      auditd_rules:
        - file: /var/log/audit/
          keyname: auditlog
        - file: /etc/audit/
          permissions:
            - write
            - attribute_change
          keyname: auditconfig
        - file: /etc/libaudit.conf
          permissions:
            - write
            - attribute_change
          keyname: auditconfig
        - file: /etc/audisp/
          permissions:
            - write
            - attribute_change
          keyname: audispconfig
        - file: /sbin/auditctl
          permissions:
            - execute
          keyname: audittools
        - file: /sbin/auditd
          permissions:
            - execute
          keyname: audittools
        - syscall: open
          action: always
          filter: exit
          filters:
            - auid!=4294967295
            - auid!=unset
          keyname: my_keyname
          arch: b32
        - syscall: adjtimex
          action: always
          filter: exit
          keyname: time_change
        - syscall: settimeofday
          action: always
          filter: exit
          keyname: time_change
        - action: always
          filter: exit
          filters:
            - path=/bin/ping
            - perm=x
            - auid>=500
            - auid!=4294967295
          keyname: privileged
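To show what the rule entries above turn into, here is an added example (not this README's code and not the role's own Jinja template) that renders dicts of the same shape into auditctl lines, with the control settings from defaults/main.yml emitted as the -b/-f/-r/-e header. The mapping from the permission names (write, attribute_change, execute, read) to -p letters and the header layout are my assumptions about how such data is normally rendered; compare them against the role's templates before relying on the output.

```python
# Added example (not the role's template): render auditd_rules dicts into
# audit.rules lines.  The permission-name mapping and the header layout are
# assumptions about how such data is usually rendered, not the role's own.

# Assumed mapping from the playbook's permission names to auditctl -p letters.
PERMISSION_LETTERS = {
    "read": "r",
    "write": "w",
    "execute": "x",
    "attribute_change": "a",
}


def render_header(buffer_size=32768, fail_mode=1, maximum_rate=60):
    """Control lines preceding the rules (auditd_buffer_size, _fail_mode, _maximum_rate)."""
    return [
        "-D",                  # delete any rules already loaded
        f"-b {buffer_size}",   # kernel audit backlog; too small means dropped events
        f"-f {fail_mode}",     # on failure: 0 silent, 1 printk, 2 panic
        f"-r {maximum_rate}",  # rate limit in messages per second
    ]


def render_rule(rule, default_arch="b64"):
    """Return one auditctl line for a single entry of auditd_rules."""
    if "file" in rule:
        # Watch rule: -w <path> [-p <perms>] -k <key>
        parts = ["-w", rule["file"]]
        perms = rule.get("permissions")
        if perms:
            unknown = [p for p in perms if p not in PERMISSION_LETTERS]
            if unknown:
                raise ValueError(f"unknown permission(s) {unknown} for {rule['file']}")
            parts += ["-p", "".join(PERMISSION_LETTERS[p] for p in perms)]
        # Without -p, auditctl watches read, write, execute and attribute changes.
    else:
        # Syscall or filter rule: -a <action>,<list> [-F arch=.. -S ..] -F .. -k <key>
        parts = ["-a", f"{rule.get('action', 'always')},{rule.get('filter', 'exit')}"]
        if "syscall" in rule:
            # arch goes before -S so the syscall name resolves for that ABI.
            parts += ["-F", f"arch={rule.get('arch', default_arch)}", "-S", rule["syscall"]]
        for expr in rule.get("filters", []):
            parts += ["-F", expr]
    if rule.get("keyname"):
        parts += ["-k", rule["keyname"]]
    return " ".join(parts)


def render_rules(rules, enable_flag=1, default_arch="b64", **header_kwargs):
    """Full audit.rules content; -e goes last because -e 2 makes the set immutable."""
    lines = render_header(**header_kwargs)
    lines += [render_rule(rule, default_arch) for rule in rules]
    lines.append(f"-e {enable_flag}")
    return lines


# Constructed sample in the same shape as the converge.yml above.
SAMPLE_RULES = [
    {"file": "/var/log/audit/", "keyname": "auditlog"},
    {"file": "/etc/audit/", "permissions": ["write", "attribute_change"], "keyname": "auditconfig"},
    {"file": "/sbin/auditctl", "permissions": ["execute"], "keyname": "audittools"},
    {"syscall": "open", "action": "always", "filter": "exit",
     "filters": ["auid!=4294967295", "auid!=unset"], "keyname": "my_keyname", "arch": "b32"},
    {"syscall": "adjtimex", "action": "always", "filter": "exit", "keyname": "time_change"},
    {"action": "always", "filter": "exit",
     "filters": ["path=/bin/ping", "perm=x", "auid>=500", "auid!=4294967295"],
     "keyname": "privileged"},
]

if __name__ == "__main__":
    print("\n".join(render_rules(SAMPLE_RULES)))
```

Run it directly to see the rendered file; the -e line is emitted last so that a value of 2 (immutable rules until reboot) cannot lock the set before the rules are loaded.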

Before running, ensure your machine is prepared, which in CI is done using molecule/default/prepare.yml:

---
- name: Prepare
  hosts: all
  become: true
  gather_facts: false

  roles:
    - role: robertdebock.bootstrap

See this link for a full guide on using these roles.

Role Variables

Default values for the variables are defined in defaults/main.yml:

---
# Default configuration for auditd

# Documentation for these variables can be found in auditd.conf's man page
# https://linux.die.net/man/5/auditd.conf
auditd_buffer_size: 32768
auditd_fail_mode: 1
auditd_maximum_rate: 60
auditd_enable_flag: 1
auditd_local_events: "yes"
auditd_write_logs: "yes"
auditd_log_file: /var/log/audit/audit.log
auditd_log_group: root
auditd_log_format: RAW
auditd_flush: incremental_async
auditd_freq: 50
auditd_max_log_file: 8
auditd_num_logs: 5
auditd_priority_boost: 4
auditd_disp_qos: lossy
auditd_dispatcher: /sbin/audispd
auditd_name_format: none
auditd_max_log_file_action: rotate
auditd_space_left: "75"  # Can be a number ('25') or a percentage ('25%')
auditd_space_left_action: syslog
auditd_verify_email: "yes"
auditd_action_mail_acct: root
auditd_admin_space_left: 50
auditd_admin_space_left_action: suspend
auditd_disk_full_action: suspend
auditd_disk_error_action: suspend
auditd_use_libwrap: "yes"
auditd_tcp_listen_queue: 5
auditd_tcp_max_per_addr: 1
auditd_tcp_client_max_idle: 0
auditd_enable_krb5: "no"
auditd_krb5_principal: auditd
auditd_distribute_network: "no"

# You can control whether to manage rules with this role.
# Setting auditd_manage_rules to false will stop managing the rules.
auditd_manage_rules: true

# Some rules may require a specific architecture to be set.
auditd_default_arch: b64

# You can choose to start the auditd service or not.
# Useful mainly in CI to prevent starting the service.
auditd_start_service: true
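As an added example (not this README's code and not the role's template), the following Python renders the auditd_* variables above into auditd.conf lines and checks the settings that decide what happens when the audit partition fills. It assumes that each variable name minus the auditd_ prefix is the auditd.conf key of the same name, and that the allowed action values are the ones listed in auditd.conf(5); the four auditctl settings (buffer size, fail mode, maximum rate, enable flag) are deliberately left out because they do not belong in auditd.conf. The consistency check matters because an admin_space_left threshold at or above space_left makes the admin action (suspend by default) fire before the warning action, so logging would stop without the syslog notice ever being sent.

```python
# Added example (not the role's template): render the auditd_* variables
# into auditd.conf key/value lines and sanity-check the disk-space settings.
# The 1:1 variable-to-key mapping and the allowed-value sets are assumptions
# drawn from auditd.conf(5), not from the role's own code.
import re

# Keys that belong in auditd.conf (auditd_buffer_size, _fail_mode,
# _maximum_rate and _enable_flag are auditctl settings, so they are not here).
CONF_KEYS = [
    "local_events", "write_logs", "log_file", "log_group", "log_format", "flush",
    "freq", "max_log_file", "num_logs", "priority_boost", "disp_qos", "dispatcher",
    "name_format", "max_log_file_action", "space_left", "space_left_action",
    "verify_email", "action_mail_acct", "admin_space_left", "admin_space_left_action",
    "disk_full_action", "disk_error_action", "use_libwrap", "tcp_listen_queue",
    "tcp_max_per_addr", "tcp_client_max_idle", "enable_krb5", "krb5_principal",
    "distribute_network",
]

SPACE_ACTIONS = {"ignore", "syslog", "rotate", "email", "exec", "suspend", "single", "halt"}
DISK_ACTIONS = SPACE_ACTIONS - {"email"}


def conf_value(value):
    """auditd wants yes/no, so a YAML bool must not leak through as True/False."""
    if isinstance(value, bool):
        return "yes" if value else "no"
    return str(value)


def parse_space(value):
    """Accept '25' / 25 (megabytes) or '25%'; return (amount, is_percent)."""
    match = re.fullmatch(r"\s*(\d+)\s*(%?)\s*", str(value))
    if not match:
        raise ValueError(f"{value!r}: expected a number of megabytes or a percentage")
    return int(match.group(1)), match.group(2) == "%"


def validate(config):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    left, left_pct = parse_space(config["auditd_space_left"])
    admin, admin_pct = parse_space(config["auditd_admin_space_left"])
    # The admin threshold is the last line of defence and must be reached after the first.
    if left_pct == admin_pct and admin >= left:
        problems.append("auditd_admin_space_left must be smaller than auditd_space_left")
    for key, allowed in (
        ("auditd_space_left_action", SPACE_ACTIONS),
        ("auditd_admin_space_left_action", SPACE_ACTIONS),
        ("auditd_disk_full_action", DISK_ACTIONS),
        ("auditd_disk_error_action", DISK_ACTIONS),
    ):
        if config[key] not in allowed:
            problems.append(f"{key}={config[key]!r} is not one of {sorted(allowed)}")
    return problems


def render_conf(config):
    """auditd.conf text, one 'key = value' line per variable that is set."""
    lines = []
    for key in CONF_KEYS:
        value = config.get(f"auditd_{key}")
        if value is not None:
            lines.append(f"{key} = {conf_value(value)}")
    return "\n".join(lines) + "\n"


# Constructed from the defaults listed above (the subset the checks look at).
DEFAULTS = {
    "auditd_local_events": "yes",
    "auditd_write_logs": "yes",
    "auditd_log_file": "/var/log/audit/audit.log",
    "auditd_log_format": "RAW",
    "auditd_flush": "incremental_async",
    "auditd_freq": 50,
    "auditd_space_left": "75",
    "auditd_space_left_action": "syslog",
    "auditd_admin_space_left": 50,
    "auditd_admin_space_left_action": "suspend",
    "auditd_disk_full_action": "suspend",
    "auditd_disk_error_action": "suspend",
}

if __name__ == "__main__":
    for problem in validate(DEFAULTS):
        print("WARNING:", problem)
    print(render_conf(DEFAULTS), end="")
```

The yes/no conversion is why the defaults above quote values like "yes": an unquoted YAML yes becomes a boolean, and a template that prints it unchanged writes True into auditd.conf.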

Requirements

State of Used Roles

The following roles help in preparing your system. You can prepare it differently if needed.

Requirement: robertdebock.bootstrap (build status: GitHub, GitLab)

Context

This role is part of various roles that work together. For more details, check the documentation of these roles.

Overview of related roles: dependencies

Compatibility

This role has been tested with these container images:

Container   Tags
EL          9
Debian      all
Fedora      all
Ubuntu      all

You need at least Ansible version 2.12. Tests have been conducted on:

  • The previous version.
  • The current version.
  • The latest development version.

If you find any issues, please report them on GitHub.

License

Apache-2.0.

Author Information

robertdebock

If you like my work, please consider sponsoring me.

Project information

Install and configure auditd on your system.

Install
ansible-galaxy install robertdebock.auditd
License
apache-2.0
Downloads
61.5k
Owner
I know my way around (Linux) infrastructure, have a passion for automation, Docker, Ansible, Molecule and ci/cd.