https://github.com/devops-works/ansible-auditd
Auditd ansible role
- Host: GitHub
- URL: https://github.com/devops-works/ansible-auditd
- Owner: devops-works
- Created: 2025-06-27T07:44:10.000Z (10 months ago)
- Default Branch: master
- Last Pushed: 2025-06-27T07:51:42.000Z (10 months ago)
- Last Synced: 2025-06-27T08:39:23.471Z (10 months ago)
- Language: Jinja
- Size: 0 Bytes
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# ansible-auditd
Installs auditd
## Variables
- `auditd_local_rulesets`: install a local ruleset (i.e. one included in the role); see the
  `*.rules.j2` files in the [templates](./templates/) directory
- `auditd_source_rulesets`: install rulesets provided in the auditd source; see
  https://github.com/linux-audit/audit-userspace/tree/master/rules for a list
- `auditd_custom_rules`: custom rules to set in `/etc/auditd/rules.d/98-custom.conf`

Note that `/etc/auditd/rules.d/98-custom.conf` is always generated. If you
change this file it will be overwritten by this role.
## Testing
You can test this role using molecule and the docker driver
(e.g. `molecule test`)
## Examples
```yaml
---
- name: Run
  hosts: all
  gather_facts: yes
  roles:
    - role: ansible-auditd
      # Rulesets shipped as templates in this role
      auditd_local_rulesets: ["38-anssi", "39-neo23x0"]
      # Rulesets taken from the audit-userspace source tree
      auditd_source_rulesets: ["30-stig", "41-containers"]
      # Extra rules, written to 98-custom.conf
      auditd_custom_rules:
        - "-a exit,always -F arch=b64 -S unlink -S rmdir -S rename -k fschange"
        - "-a exit,always -F arch=b64 -S creat -S open -S openat -F exit=-EACCES -k fschange"
        - "-a exit,always -F arch=b64 -S truncate -S ftruncate -F exit=-EACCES -k fschange"
```
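
A pre-deployment lint for `auditd_custom_rules` entries, added here as an example and not part of the role. It flags rules with no key, syscall rules with no `-F arch=`, and `arch=b64` rules with no `arch=b32` counterpart, since `b64` rules do not match 32-bit syscalls on a 64-bit host. `parse_rule` and `lint_rules` are hypothetical helper names; the sample input is the three rules from the example above.

```python
import shlex

# Constructed sample input: the three auditd_custom_rules entries from the README example.
SAMPLE_RULES = [
    "-a exit,always -F arch=b64 -S unlink -S rmdir -S rename -k fschange",
    "-a exit,always -F arch=b64 -S creat -S open -S openat -F exit=-EACCES -k fschange",
    "-a exit,always -F arch=b64 -S truncate -S ftruncate -F exit=-EACCES -k fschange",
]
VALUE_FLAGS = ("-a", "-S", "-F", "-k", "-w", "-p")  # auditctl options that take a value


def parse_rule(rule):
    """Split one rule line into its syscalls, arch, other -F filters and key."""
    parsed = {"syscalls": set(), "arch": None, "filters": [], "key": None}
    tokens = iter(shlex.split(rule))
    for flag in tokens:
        if flag not in VALUE_FLAGS:
            continue  # option without a value (e.g. -D)
        value = next(tokens, "")
        if flag == "-S":
            parsed["syscalls"].update(value.split(","))
        elif flag == "-k":
            parsed["key"] = value
        elif flag == "-F":
            name, _, rest = value.partition("=")
            if name in ("arch", "key"):
                parsed[name] = rest
            else:
                parsed["filters"].append(value)
    return parsed


def lint_rules(rules):
    """Return (rule_number, message) review hints for a list of rule strings."""
    parsed = [parse_rule(r) for r in rules]
    # Every (arch, syscall, filters) combination that some rule audits.
    covered = {(p["arch"], s, tuple(p["filters"])) for p in parsed for s in p["syscalls"]}
    findings = []
    for n, p in enumerate(parsed, 1):
        if p["key"] is None:
            findings.append((n, "no -k key: events cannot be selected by key"))
        if p["syscalls"] and p["arch"] is None:
            findings.append((n, "syscall rule without -F arch="))
        if p["arch"] == "b64":
            missing = sorted(s for s in p["syscalls"]
                             if ("b32", s, tuple(p["filters"])) not in covered)
            if missing:
                findings.append((n, "no b32 counterpart for: " + ",".join(missing)))
    return findings
```

The `b32` finding is a review hint: some syscalls have no 32-bit equivalent or use a different name there.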