{"id":39742750,"url":"https://github.com/rolehippie/auditbeat","last_synced_at":"2026-01-18T11:16:56.602Z","repository":{"id":35327489,"uuid":"198417506","full_name":"rolehippie/auditbeat","owner":"rolehippie","description":"Ansible role to install and configure auditbeat","archived":false,"fork":false,"pushed_at":"2026-01-12T09:56:24.000Z","size":304,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2026-01-12T18:05:16.303Z","etag":null,"topics":["ansible","ansible-role","hacktoberfest","role"],"latest_commit_sha":null,"homepage":"","language":"Nix","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rolehippie.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-07-23T11:33:28.000Z","updated_at":"2026-01-12T09:56:28.000Z","dependencies_parsed_at":"2023-02-12T02:46:23.074Z","dependency_job_id":"98d4d600-dff5-49ed-a9ab-f9fd5a037110","html_url":"https://github.com/rolehippie/auditbeat","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/rolehippie/auditbeat","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rolehippie%2Fauditbeat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rolehippie%2Fauditbeat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rolehippie%2Fauditbeat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rolehippie%2Fauditbeat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rolehippie","download_url":"https://codeload.github.com/rolehippie/auditbeat/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rolehippie%2Fauditbeat/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28535161,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-18T10:13:46.436Z","status":"ssl_error","status_checked_at":"2026-01-18T10:13:11.045Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-role","hacktoberfest","role"],"created_at":"2026-01-18T11:16:54.863Z","updated_at":"2026-01-18T11:16:56.588Z","avatar_url":"https://github.com/rolehippie.png","language":"Nix","funding_links":[],"categories":[],"sub_categories":[],"readme":"# auditbeat\n\n[![Source Code](https://img.shields.io/badge/github-source%20code-blue?logo=github\u0026logoColor=white)](https://github.com/rolehippie/auditbeat)\n[![General Workflow](https://github.com/rolehippie/auditbeat/actions/workflows/general.yml/badge.svg)](https://github.com/rolehippie/auditbeat/actions/workflows/general.yml)\n[![Readme Workflow](https://github.com/rolehippie/auditbeat/actions/workflows/docs.yml/badge.svg)](https://github.com/rolehippie/auditbeat/actions/workflows/docs.yml)\n[![Galaxy Workflow](https://github.com/rolehippie/auditbeat/actions/workflows/galaxy.yml/badge.svg)](https://github.com/rolehippie/auditbeat/actions/workflows/galaxy.yml)\n[![License: Apache-2.0](https://img.shields.io/github/license/rolehippie/auditbeat)](https://github.com/rolehippie/auditbeat/blob/master/LICENSE)\n[![Ansible Role](https://img.shields.io/badge/role-rolehippie.auditbeat-blue)](https://galaxy.ansible.com/rolehippie/auditbeat)\n\nAnsible role to install and configure auditbeat.\n\n## Sponsor\n\nBuilding and improving this Ansible role have been sponsored by my current and previous employers like **[Cloudpunks GmbH](https://cloudpunks.de)** and **[Proact Deutschland GmbH](https://www.proact.eu)**.\n\n## Table of contents\n\n- [Requirements](#requirements)\n- [Default Variables](#default-variables)\n  - [auditbeat_console_enabled](#auditbeat_console_enabled)\n  - [auditbeat_default_modules](#auditbeat_default_modules)\n  - [auditbeat_default_processors](#auditbeat_default_processors)\n  - [auditbeat_default_rules](#auditbeat_default_rules)\n  - [auditbeat_group_modules](#auditbeat_group_modules)\n  - [auditbeat_group_processors](#auditbeat_group_processors)\n  - [auditbeat_group_rules](#auditbeat_group_rules)\n  - [auditbeat_host_modules](#auditbeat_host_modules)\n  - [auditbeat_host_processors](#auditbeat_host_processors)\n  - [auditbeat_host_rules](#auditbeat_host_rules)\n  - [auditbeat_keyring](#auditbeat_keyring)\n  - [auditbeat_logging_level](#auditbeat_logging_level)\n  - [auditbeat_logging_selectors](#auditbeat_logging_selectors)\n  - [auditbeat_logstash_enabled](#auditbeat_logstash_enabled)\n  - [auditbeat_logstash_hosts](#auditbeat_logstash_hosts)\n  - [auditbeat_major_version](#auditbeat_major_version)\n  - [auditbeat_name](#auditbeat_name)\n  - [auditbeat_rules_path](#auditbeat_rules_path)\n  - [auditbeat_service_enabled](#auditbeat_service_enabled)\n  - [auditbeat_suid_guid_rule_enabled](#auditbeat_suid_guid_rule_enabled)\n  - [auditbeat_suid_guid_rule_files](#auditbeat_suid_guid_rule_files)\n  - [auditbeat_tags](#auditbeat_tags)\n  - [auditbeat_test_config_command](#auditbeat_test_config_command)\n- [Discovered Tags](#discovered-tags)\n- [Dependencies](#dependencies)\n- [License](#license)\n- [Author](#author)\n\n---\n\n## Requirements\n\n- Minimum Ansible version: `2.10`\n\n## Default Variables\n\n### auditbeat_console_enabled\n\n#### Default value\n\n```YAML\nauditbeat_console_enabled: false\n```\n\n### auditbeat_default_modules\n\nList of default modules, gets directly transformed to yaml\n\n#### Default value\n\n```YAML\nauditbeat_default_modules:\n  - module: auditd\n    audit_rule_files:\n      - '{{ auditbeat_rules_path }}/*.conf'\n  - module: file_integrity\n    paths:\n      - /bin\n      - /usr/bin\n      - /sbin\n      - /usr/sbin\n      - /etc\n  - module: system\n    datasets:\n      - package\n    period: 10m\n  - module: system\n    datasets:\n      - host\n      - login\n      - process\n      - socket\n      - user\n    state.period: 12h\n    user.detect_password_changes: true\n    login.wtmp_file_pattern: /var/log/wtmp*\n    login.btmp_file_pattern: /var/log/btmp*\n```\n\n### auditbeat_default_processors\n\nList of default processors, gets directly transformed to yaml\n\n#### Default value\n\n```YAML\nauditbeat_default_processors:\n  - add_host_metadata:\n  - add_cloud_metadata:\n  - add_docker_metadata:\n```\n\n### auditbeat_default_rules\n\nList of default rules, gets written to separate files\n\n#### Default value\n\n```YAML\nauditbeat_default_rules:\n  - name: current-dir\n    comment: Ignore current working directory records\n    rule:\n      - -a always,exclude -F msgtype=CWD\n  - name: ignore-eoe\n    comment: Ignore EOE records (End Of Event, not needed)\n    rule:\n      - -a always,exclude -F msgtype=EOE\n  - name: high-volume\n    comment: High Volume Event Filter\n    rule:\n      - -a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess\n      - -a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess\n      - -a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm\n      - -a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm\n  - name: ignore-cron\n    comment: Cron jobs fill the logs useless stuff\n    rule:\n      - -a never,user -F subj_type=crond_t\n      - -a exit,never -F subj_type=crond_t\n  - name: cis-4_1_4\n    weight: 20\n    comment: CIS 4.1.4 - Changes to the time\n    rule:\n      - -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n      - -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k \n        time-change\n      - -a always,exit -F arch=b64 -S clock_settime -k time-change\n      - -a always,exit -F arch=b32 -S clock_settime -k time-change\n      - -w /etc/localtime -p wa -k time-change\n  - name: cis-4_1_5\n    weight: 20\n    comment: CIS 4.1.5 - Changes to user/group information\n    rule:\n      - -w /etc/group -p wa -k identity\n      - -w /etc/passwd -p wa -k identity\n      - -w /etc/gshadow -p wa -k identity\n      - -w /etc/shadow -p wa -k identity\n      - -w /etc/security/opasswd -p wa -k identity\n  - name: cis-4_1_6\n    weight: 20\n    comment: CIS 4.1.6 - Changes to the network environment\n    rule:\n      - -a exit,always -F arch=b64 -S sethostname -S setdomainname -k \n        system-locale\n      - -a exit,always -F arch=b32 -S sethostname -S setdomainname -k \n        system-locale\n      - -w /etc/issue -p wa -k system-locale\n      - -w /etc/issue.net -p wa -k system-locale\n      - -w /etc/hosts -p wa -k system-locale\n      - -w /etc/network -p wa -k system-locale\n  - name: cis-4_1_7\n    weight: 20\n    comment: CIS 4.1.7 - Changes to system's Mandatory Access Controls\n    rule:\n      - -w /etc/apparmor/ -p wa -k MAC-policy\n      - -w /etc/apparmor.d/ -p wa -k MAC-policy\n  - name: cis-4_1_8\n    weight: 20\n    comment: CIS 4.1.8 - Log login/logout events\n    rule:\n      - -w /var/log/faillog -p wa -k logins\n      - -w /var/log/lastlog -p wa -k logins\n      - -w /var/log/tallylog -p wa -k logins\n  - name: cis-4_1_9\n    weight: 20\n    comment: CIS 4.1.9 - Log session initiation information\n    rule:\n      - -w /var/run/utmp -p wa -k session\n      - -w /var/log/wtmp -p wa -k logins\n      - -w /var/log/btmp -p wa -k logins\n  - name: cis-4_1_10\n    weight: 20\n    comment: CIS 4.1.10 - Log Discretionary Access Control modifications\n    rule:\n      - -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid\u003e=1000 \n        -F auid!=4294967295 -k perm_mod\n      - -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid\u003e=1000 \n        -F auid!=4294967295 -k perm_mod\n      - -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F \n        auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n      - -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F \n        auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n      - -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S \n        removexattr -S lremovexattr -S fremovexattr -F auid\u003e=1000 -F \n        auid!=4294967295 -k perm_mod\n      - -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S \n        removexattr -S lremovexattr -S fremovexattr -F auid\u003e=1000 -F \n        auid!=4294967295 -k perm_mod\n  - name: cis-4_1_11\n    weight: 20\n    comment: CIS 4.1.11 - Log unsuccessful unauthorized file access attempts\n    rule:\n      - -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S \n        ftruncate -F exit=-EACCES -F auid\u003e=1000 -F auid!=4294967295 -k access\n      - -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S \n        ftruncate -F exit=-EACCES -F auid\u003e=1000 -F auid!=4294967295 -k access\n      - -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S \n        ftruncate -F exit=-EPERM -F auid\u003e=1000 -F auid!=4294967295 -k access\n      - -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S \n        ftruncate -F exit=-EPERM -F auid\u003e=1000 -F auid!=4294967295 -k access\n  - name: cis-4_1_12\n    weight: 20\n    comment: CIS 4.1.12 - Log use of privileged commands\n    rule: |\n      {% for file in auditbeat_suid_guid_rule_files %}\n      -a always,exit -F path={{ file }} -F perm=x -F auid\u003e=1000 -F auid!=4294967295 -k privileged\n      {% endfor %}\n    state: \"{{ 'present' if auditbeat_suid_guid_rule_files | length \u003e 0 else 'absent'\n      }}\"\n  - name: cis-4_1_13\n    weight: 20\n    comment: CIS 4.1.13 - Log successful file system mounts\n    rule:\n      - -a always,exit -F arch=b64 -S mount -F auid\u003e=1000 -F auid!=4294967295 -k\n        mounts\n      - -a always,exit -F arch=b32 -S mount -F auid\u003e=1000 -F auid!=4294967295 -k\n        mounts\n  - name: cis-4_1_14\n    weight: 20\n    comment: CIS 4.1.14 - Log file deletion Events by User\n    rule:\n      - -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat \n        -F auid\u003e=1000 -F auid!=4294967295 -k delete\n      - -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat \n        -F auid\u003e=1000 -F auid!=4294967295 -k delete\n  - name: cis-4_1_15\n    weight: 20\n    comment: CIS 4.1.15 - Log changes to sudoers\n    rule:\n      - -w /etc/sudoers -p wa -k scope\n      - -w /etc/sudoers.d/ -p wa -k scope\n  - name: cis-4_1_16\n    weight: 20\n    comment: CIS 4.1.16 - Log sudolog\n    rule:\n      - -w /var/log/sudo.log -p wa -k actions\n  - name: cis-4_1_17\n    weight: 20\n    comment: CIS 4.1.17 - Log kernel module actions\n    rule:\n      - -w /sbin/insmod -p x -k modules\n      - -w /sbin/rmmod -p x -k modules\n      - -w /sbin/modprobe -p x -k modules\n      - -a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n```\n\n#### Example usage\n\n```YAML\nauditbeat_default_rules:\n  - name: workingdir\n    comment: Ignore current working directory records\n    rule: |\n      -a always,exclude -F msgtype=CWD\n  - name: eventfilter\n    comment: High Volume Event Filter\n    rule:\n      - '-a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess'\n  - name: foobar\n    state: absent\n```\n\n### auditbeat_group_modules\n\nList of group modules, merged with auditbeat_default_modules\n\n#### Default value\n\n```YAML\nauditbeat_group_modules: []\n```\n\n### auditbeat_group_processors\n\nList of group processors, merged with auditbeat_default_processors\n\n#### Default value\n\n```YAML\nauditbeat_group_processors: []\n```\n\n### auditbeat_group_rules\n\nList of group rules, merged with auditbeat_default_rules\n\n#### Default value\n\n```YAML\nauditbeat_group_rules: []\n```\n\n### auditbeat_host_modules\n\nList of host modules, merged with auditbeat_default_modules\n\n#### Default value\n\n```YAML\nauditbeat_host_modules: []\n```\n\n### auditbeat_host_processors\n\nList of group processors, merged with auditbeat_default_processors\n\n#### Default value\n\n```YAML\nauditbeat_host_processors: []\n```\n\n### auditbeat_host_rules\n\nList of host rules, merged with auditbeat_default_rules\n\n#### Default value\n\n```YAML\nauditbeat_host_rules: []\n```\n\n### auditbeat_keyring\n\nPath for the repository keyring\n\n#### Default value\n\n```YAML\nauditbeat_keyring: /usr/share/keyrings/elastic-archive-keyring.gpg\n```\n\n### auditbeat_logging_level\n\nDefine logging level\n\n#### Default value\n\n```YAML\nauditbeat_logging_level: info\n```\n\n### auditbeat_logging_selectors\n\nDefine logging selectors, like beat, publish, service\n\n#### Default value\n\n```YAML\nauditbeat_logging_selectors: []\n```\n\n### auditbeat_logstash_enabled\n\n#### Default value\n\n```YAML\nauditbeat_logstash_enabled: true\n```\n\n### auditbeat_logstash_hosts\n\n#### Default value\n\n```YAML\nauditbeat_logstash_hosts: []\n```\n\n### auditbeat_major_version\n\nMajor version to install, used for the APT repository\n\n#### Default value\n\n```YAML\nauditbeat_major_version: 9\n```\n\n### auditbeat_name\n\nName of the shipper within the output\n\n#### Default value\n\n```YAML\nauditbeat_name: '{{ ansible_hostname }}'\n```\n\n### auditbeat_rules_path\n\nPath to store the defined rules\n\n#### Default value\n\n```YAML\nauditbeat_rules_path: /etc/auditbeat/audit.rules.d\n```\n\n### auditbeat_service_enabled\n\nEnable the console output\n\n### auditbeat_suid_guid_rule_enabled\n\nSearch suid/guid programs on disk\n\n#### Default value\n\n```YAML\nauditbeat_suid_guid_rule_enabled: false\n```\n\n### auditbeat_suid_guid_rule_files\n\nDefine a default list of suid/guid files\n\n#### Default value\n\n```YAML\nauditbeat_suid_guid_rule_files: []\n```\n\n### auditbeat_tags\n\nList of tags to assign for the shipper\n\n#### Default value\n\n```YAML\nauditbeat_tags: []\n```\n\n### auditbeat_test_config_command\n\nCommand to test the configuration\n\n#### Default value\n\n```YAML\nauditbeat_test_config_command: auditbeat test config -d -c %s\n```\n\n## Discovered Tags\n\n**_auditbeat_**\n\n## Dependencies\n\n- None\n\n## License\n\nApache-2.0\n\n## Author\n\n[Thomas Boerger](https://github.com/tboerger)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frolehippie%2Fauditbeat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frolehippie%2Fauditbeat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frolehippie%2Fauditbeat/lists"}