Merge pull request #576 from danielkubat/auditd
auditd moved to separate tasks file
commit
3379f4d1eb
@ -16,8 +16,3 @@
|
|||||||
|
|
||||||
- name: regenerate_auditd_rules
|
- name: regenerate_auditd_rules
|
||||||
command: /sbin/augenrules
|
command: /sbin/augenrules
|
||||||
|
|
||||||
- name: restart_auditd
|
|
||||||
service:
|
|
||||||
name: auditd
|
|
||||||
state: restarted
|
|
||||||
|
@ -33,6 +33,9 @@
|
|||||||
- name: Configure PAM
|
- name: Configure PAM
|
||||||
import_tasks: tasks/authentication.yml
|
import_tasks: tasks/authentication.yml
|
||||||
|
|
||||||
|
- name: Configure auditd
|
||||||
|
include: tasks/auditd.yml
|
||||||
|
|
||||||
post_tasks:
|
post_tasks:
|
||||||
- name: Touching run file that ansible has ran here
|
- name: Touching run file that ansible has ran here
|
||||||
file:
|
file:
|
||||||
|
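--- /dev/null
+++ b/ansible/playbooks/tasks/auditd.yml
@@ -0,0 +1,35 @@
+---
+- name: Ensure auditd is installed
+  package:
+    name: audit
+    state: present
+  tags:
+    - harden
+
+- name: Ensure auditd is enabled
+  service:
+    name: auditd
+    enabled: true
+
+- name: Ensure auditd buffer is OK
+  replace:
+    path: /etc/audit/rules.d/audit.rules
+    regexp: '-b \d+'
+    replace: '-b {{ audit_buffer }}'
+  notify:
+    - regenerate_auditd_rules
+  tags:
+    - harden
+
+- name: Ensure collection audit rules are available
+  template:
+    src: "etc/audit/rules.d/collection.rules.j2"
+    dest: "/etc/audit/rules.d/collection.rules"
+    owner: root
+    group: root
+    mode: '0600'
+    backup: true
+  notify:
+    - regenerate_auditd_rules
+  tags:
+    - harden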
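Review bot: `Ensure auditd is enabled` is the only task in the new file without `tags: - harden`, so a run limited with `--tags harden` installs and configures auditd but never enables the service; add `tags:` / `  - harden` to it, and consider `state: started` next to `enabled: true` so the unit is running on the host being configured rather than only after its next boot. Whether any of these per-task tags are honoured also depends on the playbook hunk above, where `include: tasks/auditd.yml` uses the deprecated keyword while the neighbouring `Configure PAM` task uses `import_tasks:`; `import_tasks: tasks/auditd.yml` keeps the file static so the tags apply as they did when the block lived inline. With the `restart_auditd` handler deleted in the first hunk and dropped from the collection-rules `notify`, the only handler left runs `/sbin/augenrules`, which merges rules.d into audit.rules but does not load the result into the kernel unless invoked as `augenrules --load`; without that, or a service restart, a changed collection.rules only takes effect at the next boot.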
@ -151,39 +151,6 @@
|
|||||||
tags:
|
tags:
|
||||||
- harden
|
- harden
|
||||||
|
|
||||||
- name: Auditd
|
|
||||||
block:
|
|
||||||
- name: Ensure auditd is installed
|
|
||||||
package:
|
|
||||||
name: audit
|
|
||||||
state: present
|
|
||||||
tags:
|
|
||||||
- harden
|
|
||||||
|
|
||||||
- name: Ensure auditd buffer is OK
|
|
||||||
replace:
|
|
||||||
path: /etc/audit/rules.d/audit.rules
|
|
||||||
regexp: '-b \d+'
|
|
||||||
replace: '-b {{ audit_buffer }}'
|
|
||||||
notify:
|
|
||||||
- regenerate_auditd_rules
|
|
||||||
tags:
|
|
||||||
- harden
|
|
||||||
|
|
||||||
- name: Ensure collection audit rules are available
|
|
||||||
template:
|
|
||||||
src: "etc/audit/rules.d/collection.rules.j2"
|
|
||||||
dest: "/etc/audit/rules.d/collection.rules"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '0600'
|
|
||||||
backup: true
|
|
||||||
notify:
|
|
||||||
- regenerate_auditd_rules
|
|
||||||
- restart_auditd
|
|
||||||
tags:
|
|
||||||
- harden
|
|
||||||
|
|
||||||
- name: Disable Services
|
- name: Disable Services
|
||||||
service:
|
service:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
|