Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/robertdebock/ansible-role-auditd

Install and configure auditd on your system.
https://github.com/robertdebock/ansible-role-auditd

ansible auditd molecule monitoring playbook security system tox

Last synced: 5 days ago
JSON representation

Install and configure auditd on your system.

Host: GitHub
URL: https://github.com/robertdebock/ansible-role-auditd
Owner: robertdebock
License: apache-2.0
Created: 2019-06-18T13:53:52.000Z (over 5 years ago)
Default Branch: master
Last Pushed: 2024-09-12T13:12:37.000Z (2 months ago)
Last Synced: 2024-09-13T01:12:16.531Z (2 months ago)
Topics: ansible, auditd, molecule, monitoring, playbook, security, system, tox
Language: Jinja
Homepage: https://robertdebock.nl/
Size: 215 KB
Stars: 14
Watchers: 3
Forks: 16
Open Issues: 10
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md

Awesome Lists containing this project

README

        # [Ansible role auditd](#auditd)

Install and configure auditd on your system.

|GitHub|GitLab|Downloads|Version|

|------|------|---------|-------|

|[![github](https://github.com/robertdebock/ansible-role-auditd/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-auditd/actions)|[![gitlab](https://gitlab.com/robertdebock-iac/ansible-role-auditd/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/ansible-role-auditd)|[![downloads](https://img.shields.io/ansible/role/d/robertdebock/auditd)](https://galaxy.ansible.com/robertdebock/auditd)|[![Version](https://img.shields.io/github/release/robertdebock/ansible-role-auditd.svg)](https://github.com/robertdebock/ansible-role-auditd/releases/)|

## [Example Playbook](#example-playbook)

This example is taken from [`molecule/default/converge.yml`](https://github.com/robertdebock/ansible-role-auditd/blob/master/molecule/default/converge.yml) and is tested on each push, pull request and release.

```yaml

---

- name: Converge

  hosts: all

  become: true

  gather_facts: true

  roles:

    - role: robertdebock.auditd

      auditd_start_service: false

      auditd_local_events: "no"

      auditd_rules:

        - file: /var/log/audit/

          keyname: auditlog

        - file: /etc/audit/

          permissions:

            - write

            - attribute_change

          keyname: auditconfig

        - file: /etc/libaudit.conf

          permissions:

            - write

            - attribute_change

          keyname: auditconfig

        - file: /etc/audisp/

          permissions:

            - write

            - attribute_change

          keyname: audispconfig

        - file: /sbin/auditctl

          permissions:

            - execute

          keyname: audittools

        - file: /sbin/auditd

          permissions:

            - execute

          keyname: audittools

        - syscall: open

          action: always

          filter: exit

          filters:

            - auid!=4294967295

            - auid!=unset

          keyname: my_keyname

          arch: b32

        - syscall: adjtimex

          action: always

          filter: exit

          keyname: time_change

        - syscall: settimeofday

          action: always

          filter: exit

          keyname: time_change

        - action: always

          filter: exit

          filters:

            - path=/bin/ping

            - perm=x

            - auid>=500

            - auid!=4294967295

          keyname: privileged

```

The machine needs to be prepared. In CI this is done using [`molecule/default/prepare.yml`](https://github.com/robertdebock/ansible-role-auditd/blob/master/molecule/default/prepare.yml):

```yaml

---

- name: Prepare

  hosts: all

  become: true

  gather_facts: false

  roles:

    - role: robertdebock.bootstrap

```

Also see a [full explanation and example](https://robertdebock.nl/how-to-use-these-roles.html) on how to use these roles.

## [Role Variables](#role-variables)

The default values for the variables are set in [`defaults/main.yml`](https://github.com/robertdebock/ansible-role-auditd/blob/master/defaults/main.yml):

```yaml

---

# defaults file for auditd

# Below variables are docuemented in the man page for auditd.conf

# https://linux.die.net/man/5/auditd.conf

auditd_buffer_size: 32768

auditd_fail_mode: 1

auditd_maximum_rate: 60

auditd_enable_flag: 1

auditd_local_events: "yes"

auditd_write_logs: "yes"

auditd_log_file: /var/log/audit/audit.log

auditd_log_group: root

auditd_log_format: RAW

auditd_flush: incremental_async

auditd_freq: 50

auditd_max_log_file: 8

auditd_num_logs: 5

auditd_priority_boost: 4

auditd_disp_qos: lossy

auditd_dispatcher: /sbin/audispd

auditd_name_format: none

auditd_max_log_file_action: rotate

auditd_space_left: "75"  # This can be a number ('25') or a percentage. ('25%')

auditd_space_left_action: syslog

auditd_verify_email: "yes"

auditd_action_mail_acct: root

auditd_admin_space_left: 50

auditd_admin_space_left_action: suspend

auditd_disk_full_action: suspend

auditd_disk_error_action: suspend

auditd_use_libwrap: "yes"

auditd_tcp_listen_queue: 5

auditd_tcp_max_per_addr: 1

auditd_tcp_client_max_idle: 0

auditd_enable_krb5: "no"

auditd_krb5_principal: auditd

auditd_distribute_network: "no"

# You can opt to manage the rules with this role or not.

# Setting auditd_manage_rules to false will not manage the rules.

auditd_manage_rules: true

# Some rules require a specific architecture to be set.

auditd_default_arch: b64

# You can opt to start the auditd service or not.

# Mostly useful in CI, to avoid starting the service.

auditd_start_service: true

```

## [Requirements](#requirements)

- pip packages listed in [requirements.txt](https://github.com/robertdebock/ansible-role-auditd/blob/master/requirements.txt).

## [State of used roles](#state-of-used-roles)

The following roles are used to prepare a system. You can prepare your system in another way.

| Requirement | GitHub | GitLab |

|-------------|--------|--------|

|[robertdebock.bootstrap](https://galaxy.ansible.com/robertdebock/bootstrap)|[![Build Status GitHub](https://github.com/robertdebock/ansible-role-bootstrap/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-bootstrap/actions)|[![Build Status GitLab](https://gitlab.com/robertdebock-iac/ansible-role-bootstrap/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/ansible-role-bootstrap)|

## [Context](#context)

This role is a part of many compatible roles. Have a look at [the documentation of these roles](https://robertdebock.nl/) for further information.

Here is an overview of related roles:

![dependencies](https://raw.githubusercontent.com/robertdebock/ansible-role-auditd/png/requirements.png "Dependencies")

## [Compatibility](#compatibility)

This role has been tested on these [container images](https://hub.docker.com/u/robertdebock):

|container|tags|

|---------|----|

|[EL](https://hub.docker.com/r/robertdebock/enterpriselinux)|9|

|[Debian](https://hub.docker.com/r/robertdebock/debian)|all|

|[Fedora](https://hub.docker.com/r/robertdebock/fedora)|all|

|[Ubuntu](https://hub.docker.com/r/robertdebock/ubuntu)|all|

The minimum version of Ansible required is 2.12, tests have been done to:

- The previous version.

- The current version.

- The development version.

If you find issues, please register them in [GitHub](https://github.com/robertdebock/ansible-role-auditd/issues).

## [License](#license)

[Apache-2.0](https://github.com/robertdebock/ansible-role-auditd/blob/master/LICENSE).

## [Author Information](#author-information)

[robertdebock](https://robertdebock.nl/)

Please consider [sponsoring me](https://github.com/sponsors/robertdebock).