forked from juju4/ansible-auditd
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathauditd.yml
176 lines (154 loc) · 5.38 KB
/
auditd.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
---
- name: Not in container
when:
- not (ansible_virtualization_type is defined and
(ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker")
)
- not osquery_process_auditing | bool
tags: auditd
block:
# https://github.com/lxc/lxd/issues/2004, only on xenial?
- name: Ensure auditd package is present
ansible.builtin.package:
name: "{{ auditd_pkg }}"
state: present
update_cache: yes
register: pkg_result
until: pkg_result is success
- name: Retrieve suid/sgid files list # noqa no-free-form
ansible.builtin.command: >
find / ! \( -path {{ ' -prune -o -path '.join(auditd_sugid_ignored_paths) }} -prune \)
-a -perm /u=s,g=s -type f
register: sugid_files
ignore_errors: true
changed_when: false
check_mode: no
- name: Check if /etc/puppet/ssl exists
ansible.builtin.stat:
path: /etc/puppet/ssl
register: etcpuppet
- name: Check if /etc/chef exists
ansible.builtin.stat:
path: /etc/chef
register: etcchef
- name: Check if /opt/BESClient exists
ansible.builtin.stat:
path: /opt/BESClient
register: besclient
- name: Check if /etc/clustershell/clush.conf exists
ansible.builtin.stat:
path: /etc/clustershell/clush.conf
register: clush
- name: Check if /usr/bin/kubelet exists
ansible.builtin.stat:
path: /usr/bin/kubelet
register: kubelet
- name: "Create auditd rules directory - {{ auditd_confdir }}"
ansible.builtin.file:
path: "{{ auditd_confdir }}"
state: directory
mode: '0750'
- name: Check only manage configuration files
when: auditd_manage_configuration_directory
block:
- name: List files in configuration dir
ansible.builtin.command: "ls {{ auditd_confdir }}"
failed_when: no
changed_when: no
check_mode: no
register: confdir_files
tags: files
- name: Delete not managed files in configuration directory
ansible.builtin.file:
name: "{{ auditd_confdir }}/{{ item }}"
state: absent
loop: "{{ confdir_files.stdout_lines }}"
when: item.replace('.rules', '') not in auditd_rules_templates
tags: files
- name: Check is augenrules is present
ansible.builtin.stat:
path: "/sbin/augenrules"
register: augenrules_file
changed_when: false
- name: Configure audit system
ansible.builtin.template:
src: "{{ item }}.rules.j2"
dest: "{{ auditd_confdir }}/{{ item }}.rules"
mode: '0644'
backup: "{{ auditd_backup | default(false) }}"
with_items: "{{ auditd_rules_templates }}"
notify:
- Augenrules
- Restart auditd
- Restart auditd - rhel7+
- Restart auditd - suse
# /sbin/augenrules isn't present to generate /etc/audit/audit.rules
- name: Assemble rules into a single file
ansible.builtin.assemble:
src: "{{ auditd_confdir }}"
dest: /etc/audit/audit.rules
mode: '0644'
when: not augenrules_file.stat.exists
- name: Configure /etc/audit/auditd.conf
ansible.builtin.lineinfile:
dest: /etc/audit/auditd.conf
regexp: "{{ item.re }}"
line: "{{ item.l }}"
mode: '0640'
with_items: "{{ auditd_conf_lineinfile | default([]) }}"
notify:
- Restart auditd
- Restart auditd - rhel7+
- Restart auditd - suse
- name: Check if grub is present
ansible.builtin.stat:
path: /etc/default/grub
register: hasgrub
- name: Grub auditd
when:
- hasgrub.stat is defined and hasgrub.stat.exists
- auditd_grub_enable|bool
block:
- name: Check if auditing present in grub config # noqa no-free-form
ansible.builtin.command: "egrep '^GRUB_CMDLINE_LINUX=\".*audit=1.*\"' /etc/default/grub"
changed_when: false
register: auditgrub
ignore_errors: true
check_mode: no
- name: Enable Auditing in grub for Processes That Start Prior to auditd - CIS
ansible.builtin.replace:
dest: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX="(.*)"'
replace: 'GRUB_CMDLINE_LINUX="\1 audit=1 audit_backlog_limit=8192"'
when: not auditgrub.stdout
- name: Enable and start auditd
ansible.builtin.service:
name: auditd
state: started
enabled: yes
- name: Import reporting
ansible.builtin.import_tasks: reporting.yml
when: auditd_reporting
- name: Set fact for monit
ansible.builtin.set_fact:
monit_auditd: true
- name: Osquery auditd
when: osquery_process_auditing | bool
block:
- name: Disable auditd as osquery present with process auditing configured
ansible.builtin.service:
name: auditd
state: stopped
enabled: no
- name: Set fact for monit
ansible.builtin.set_fact:
monit_auditd: false
- name: Debug | audisp_syslog_enable
ansible.builtin.debug:
var: audisp_syslog_enable
- name: Import rsyslog-audisp
ansible.builtin.import_tasks: rsyslog-audisp.yml
when: audisp_syslog_enable | bool
- name: Import laurel
ansible.builtin.import_tasks: laurel.yml
when: auditd_laurel_enable | bool and ansible_architecture == 'x86_64'