44 lines
1 KiB
YAML
44 lines
1 KiB
YAML
---
|
|
- name: Ensure auditd is installed
|
|
ansible.builtin.package:
|
|
name: audit
|
|
state: present
|
|
tags:
|
|
- harden
|
|
|
|
- name: Ensure auditd is enabled
|
|
ansible.builtin.service:
|
|
name: auditd
|
|
enabled: true
|
|
|
|
- name: Ensure auditd buffer is OK
|
|
ansible.builtin.replace:
|
|
path: /etc/audit/rules.d/audit.rules
|
|
regexp: '-b \d+'
|
|
replace: '-b {{ audit_buffer }}'
|
|
notify:
|
|
- regenerate_auditd_rules
|
|
tags:
|
|
- harden
|
|
|
|
- name: Collect specific executables for dynamic list
|
|
ansible.builtin.command: "find /usr/bin /usr/sbin /usr/lib /usr/libexec -xdev -perm /6000 -type f"
|
|
register: exec_find_output
|
|
|
|
- name: Set variable for above collection
|
|
ansible.builtin.set_fact:
|
|
audit_suid_list: "{{ exec_find_output.stdout_lines }}"
|
|
|
|
- name: Ensure collection audit rules are available
|
|
ansible.builtin.template:
|
|
src: "etc/audit/rules.d/collection.rules.j2"
|
|
dest: "/etc/audit/rules.d/collection.rules"
|
|
owner: root
|
|
group: root
|
|
mode: '0600'
|
|
backup: true
|
|
notify:
|
|
- regenerate_auditd_rules
|
|
tags:
|
|
- harden
|
|
...
|