auditd

Install and configure auditd on your system.

GitHub	GitLab	Quality	Downloads	Version

Example Playbook

This example is taken from molecule/default/converge.yml and is tested on each push, pull request and release.

---
- name: converge
  hosts: all
  become: yes
  gather_facts: yes

  roles:
    - role: robertdebock.auditd
      auditd_local_events: "no"
      auditd_rules:
        - file: /var/log/audit/
          keyname: auditlog
        - file: /etc/audit/
          permissions:
            - write
            - attribute_change
          keyname: auditconfig
        - file: /etc/libaudit.conf
          permissions:
            - write
            - attribute_change
          keyname: auditconfig
        - file: /etc/audisp/
          permissions:
            - write
            - attribute_change
          keyname: audispconfig
        - file: /sbin/auditctl
          permissions:
            - execute
          keyname: audittools
        - file: /sbin/auditd
          permissions:
            - execute
          keyname: audittools
        - syscall: open
          action: always
          filter: exit
          filters:
            - auid!=4294967295
            - auid!=unset
          keyname: my_keyname
          arch: b32
        - syscall: adjtimex
          action: always
          filter: exit
          keyname: time_change
        - syscall: settimeofday
          action: always
          filter: exit
          keyname: time_change
        - action: always
          filter: exit
          filters:
            - path=/bin/ping
            - perm=x
            - auid>=500
            - auid!=4294967295
          keyname: privileged

The machine needs to be prepared. In CI this is done using molecule/default/prepare.yml:

---
- name: prepare
  hosts: all
  become: yes
  gather_facts: no

  roles:
    - role: robertdebock.bootstrap

Also see a full explanation and example on how to use these roles.

Role Variables

The default values for the variables are set in defaults/main.yml:

---
# defaults file for auditd

auditd_buffer_size: 32768
auditd_fail_mode: 1
auditd_maximum_rate: 60
auditd_enable_flag: 1

auditd_local_events: "yes"
auditd_write_logs: "yes"
auditd_log_file: /var/log/audit/audit.log
auditd_log_group: root
auditd_log_format: RAW
auditd_flush: incremental_async
auditd_freq: 50
auditd_max_log_file: 8
auditd_num_logs: 5
auditd_priority_boost: 4
auditd_disp_qos: lossy
auditd_dispatcher: /sbin/audispd
auditd_name_format: none
auditd_max_log_file_action: rotate
auditd_space_left: 75
auditd_space_left_action: syslog
auditd_verify_email: "yes"
auditd_action_mail_acct: root
auditd_admin_space_left: 50
auditd_admin_space_left_action: suspend
auditd_disk_full_action: suspend
auditd_disk_error_action: suspend
auditd_use_libwrap: "yes"
auditd_tcp_listen_queue: 5
auditd_tcp_max_per_addr: 1
auditd_tcp_client_max_idle: 0
auditd_enable_krb5: "no"
auditd_krb5_principal: auditd
auditd_distribute_network: "no"

auditd_manage_rules: yes

auditd_default_arch: b64

Requirements

pip packages listed in requirements.txt.

Status of used roles

The following roles are used to prepare a system. You can prepare your system in another way.

Requirement	GitHub	GitLab
robertdebock.bootstrap

Context

This role is a part of many compatible roles. Have a look at the documentation of these roles for further information.

Here is an overview of related roles:

Compatibility

This role has been tested on these container images:

container	tags
el	8
debian	all
fedora	all
opensuse	all
ubuntu	all

The minimum version of Ansible required is 2.10, tests have been done to:

The previous version.
The current version.
The development version.

Exceptions

Some roles can't run on a specific distribution or version. Here are some exceptions.

variation	reason
alpine	auditd start-stop-daemon: /sbin/auditd does not exist
amazonlinux:1	/etc/init.d/auditd: line 32: /etc/init.d/functions: No such file or directory

If you find issues, please register them in GitHub

License

Apache-2.0

Author Information

Robert de Bock

Please consider sponsoring me.

Name		Name	Last commit message	Last commit date
Latest commit History 258 Commits
.github		.github
defaults		defaults
handlers		handlers
meta		meta
molecule/default		molecule/default
tasks		tasks
templates		templates
vars		vars
.ansible-lint		.ansible-lint
.gitignore		.gitignore
.gitlab-ci.yml		.gitlab-ci.yml
.later.yml		.later.yml
.pre-commit-config.yaml		.pre-commit-config.yaml
.travis.yml		.travis.yml
.yamllint		.yamllint
CODE_OF_CONDUCT.md		CODE_OF_CONDUCT.md
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE		LICENSE
README.md		README.md
SECURITY.md		SECURITY.md
requirements.txt		requirements.txt
requirements.yml		requirements.yml
tox.ini		tox.ini

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

auditd

Example Playbook

Role Variables

Requirements

Status of used roles

Context

Compatibility

Exceptions

License

Author Information

About

Releases

Packages

Languages

License

Cloud-Temple/ansible-role-auditd

Folders and files

Latest commit

History

Repository files navigation

About

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Languages