audit.yml

---
# Some documentation available at https://github.com/pyllyukko/harden.sh/wiki/audit
# ANSSI-BP-028 R73 - Logging the system activity with auditd
- name: Install auditing
  become: true
  block:
    - name: Install necessary software for auditing (Debian)
      ansible.builtin.apt:
        name: ['auditd', 'libcap-ng-utils', 'make']
        update_cache: true
      when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
      tags:
        - packages
        - debian

    # Rules
    - name: mkdir /etc/audit/rules.d
      ansible.builtin.file:
        path: /etc/audit/rules.d
        state: directory
        owner: root
        group: root
        mode: '0700'
    - name: Copy audit rules
      ansible.builtin.get_url:
        url: https://raw.githubusercontent.com/linux-audit/audit-userspace/master/rules/{{ item }}
        dest: /etc/audit/rules.d/{{ item }}
        owner: root
        group: root
        mode: '0600'
      with_items:
        - 10-base-config.rules
        - 11-loginuid.rules
        - 12-ignore-error.rules
        - 20-dont-audit.rules
        - 30-stig.rules
        - 42-injection.rules
        # These are covered in modules.rules.new
        #- 43-module-load.rules
        - 99-finalize.rules
    #- name: Fix 10-base-config.rules for CentOS 7
    #  ansible.builtin.replace:
    #    path: /etc/audit/rules.d/10-base-config.rules
    #    regexp: "^(--backlog_wait_time [0-9]+)$"
    #    replace: '#\1'
    #  when: (ansible_distribution == "CentOS" and ansible_distribution_major_version == "7") or (ansible_distribution == "Slackware" and ansible_distribution_version == "14.2") # noqa yaml[line-length]
    #  tags: centos
    #- name: Remove 11-loginuid.rules for Slackware 14.2
    #  ansible.builtin.file:
    #    path: /etc/audit/rules.d/11-loginuid.rules
    #    state: absent
    #  when: ansible_distribution == "Slackware" and ansible_distribution_version == "14.2"
    #  tags:
    #    - slackware
    - name: Modify 20-dont-audit.rules
      block:
        - name: Uncomment few exclusions in 20-dont-audit.rules
          ansible.builtin.replace:
            path: /etc/audit/rules.d/20-dont-audit.rules
            regexp: "^#?({{ item }})$"
            replace: '\1'
          with_items:
            - -a always,exclude -F msgtype=CRYPTO_KEY_USER
            # https://listman.redhat.com/archives/linux-audit/2009-November/006296.html
            - -a never,user -F subj_type=crond_t
        - name: Exclude some noisy and irrelevant events
          ansible.builtin.blockinfile:
            path: /etc/audit/rules.d/20-dont-audit.rules
            block: |
              -a always,exclude -F msgtype=CRYPTO_SESSION
              -a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=ntp -F subj_type=ntpd_t
    - name: Modify 30-stig.rules
      block:
        - name: Disable noisy STIG rules
          ansible.builtin.replace:
            path: /etc/audit/rules.d/30-stig.rules
            regexp: "^(-.+-F key={{ item }})$"
            replace: '#\1'
          with_items:
            - perm_mod
            - delete
        # CIS Distribution Independent Linux v2.0.0 - 07-16-2019 4.1.16  Ensure changes to system administration scope (sudoers) is collected
        # CIS Debian Linux 12 Benchmark v1.1.0 - 09-26-2024      6.2.3.1 Ensure changes to system administration scope (sudoers) is collected
        - name: Rename sudoers rules to scope
          ansible.builtin.replace:
            path: /etc/audit/rules.d/30-stig.rules
            regexp: "^(-a always,exit -F arch=b(32|64) -F (path=/etc/sudoers|dir=/etc/sudoers.d/) -F perm=wa -F )key=actions$"
            replace: '\g<1>key=scope'
        # CIS Distribution Independent Linux v2.0.0 - 07-16-2019 4.1.14 Ensure successful file system mounts are collected
        # CIS Debian Linux 12 Benchmark v1.1.0 - 09-26-2024      6.2.3.10 Ensure successful file system mounts are collected
        - name: Rename mount rules from export to mounts
          ansible.builtin.replace:
            path: /etc/audit/rules.d/30-stig.rules
            regexp: '^(-a\s+always,exit\s+-F\s+arch=b(32|64)\s+-S\s+mount\s+-F\s+auid>=1000\s+-F\s+auid!=unset\s+-F\s+)key=export$'
            replace: '\g<1>key=mounts'
        # CIS Debian Linux 12 Benchmark v1.1.0 - 09-26-2024      6.2.3.12 Ensure login and logout events are collected
        # CIS Distribution Independent Linux v2.0.0 - 07-16-2019 4.1.9    Ensure login and logout events are collected
        - name: Enable few rules from 30-stig.rules
          ansible.builtin.replace:
            path: /etc/audit/rules.d/30-stig.rules
            regexp: '^#(-a\s+always,exit\s+-F\s+arch=b(32|64)\s+-F\s+path=/var/(run/faillock|log/lastlog)\s+-F\s+perm=wa\s+-F\s+key=logins)$'
            replace: '\g<1>'
    - name: Generated rules
      block:
        - name: Create temp dir
          ansible.builtin.tempfile:
            state: directory
            suffix: temp
          register: tempdir_1
        - name: Copy Makefile
          ansible.builtin.copy:
            src: "{{ playbook_dir }}/Makefile"
            dest: "{{ tempdir_1.path }}/"
            mode: '0600'
        - name: Generate {31-privileged,40-authorized_keys}.rules.new
          community.general.make:
            chdir: "{{ tempdir_1.path }}"
            target: /etc/audit/rules.d/{{ item }}.rules.new
          with_items:
            - 31-privileged
            - 40-authorized_keys
        - name: Copy generated rules into place
          ansible.builtin.copy:
            src: /etc/audit/rules.d/{{ item }}.rules.new
            dest: /etc/audit/rules.d/{{ item }}.rules
            mode: '0600'
            remote_src: true
            backup: true
          with_items:
            - 31-privileged
            - 40-authorized_keys
        - name: Remove {31-privileged,40-authorized_keys}.rules.new
          ansible.builtin.file:
            path: /etc/audit/rules.d/{{ item }}.rules.new
            state: absent
          with_items:
            - 31-privileged
            - 40-authorized_keys
        - name: Remove temp dir
          ansible.builtin.file:
            path: "{{ tempdir_1.path }}"
            state: absent
          when: tempdir_1.path is defined
    - name: Remove unnecessary file
      ansible.builtin.file:
        state: absent
        path: /etc/audit/rules.d/audit.rules
    - name: Create few custom audit rules
      ansible.builtin.assemble:
        remote_src: false
        src: "{{ playbook_dir }}/newconfs/rules.d"
        dest: /etc/audit/rules.d/40-local.rules
        owner: root
        group: root
        mode: '0600'
    - name: Make the audit configuration immutable
      ansible.builtin.replace:
        path: /etc/audit/rules.d/99-finalize.rules
        regexp: "^#?(-e 2)$"
        replace: '\1'
    - name: Load the audit rules
      ansible.builtin.command: /sbin/augenrules --load
      register: result
      changed_when:
        - '"/sbin/augenrules: No change" not in result.stdout'
        - '"/sbin/augenrules: Audit system is in immutable mode - exiting with no changes" not in result.stdout'
      tags: configuration
    - name: Configure auditd.conf
      ansible.builtin.replace:
        path: /etc/audit/auditd.conf
        regexp: '^({{ item.key }}) = .*$'
        replace: '\1 = {{ item.value }}'
      with_dict:
        space_left_action: email
        action_mail_acct: '{{ alert_email }}'
        max_log_file_action: keep_logs
      tags: configuration
    - name: Start & enable auditing
      ansible.builtin.service:
        name: auditd
        state: started
        enabled: true
      when: ansible_distribution != "Slackware"
      tags:
        - services
        - configuration

    # Bootloaders
    - name: Configure GRUB for auditing
      ansible.builtin.replace:
        path: /etc/default/grub
        regexp: '^(GRUB_CMDLINE_LINUX="(?!.*\b{{ item }}\b).*)"$'
        replace: '\1 {{ item }}"'
      with_items:
        - audit=1
        - audit_backlog_limit=8192
      when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_os_family == "RedHat" or ansible_distribution == "Ubuntu"
      tags: configuration
      notify: "Run update-grub"
      register: result
      failed_when:
        - result.failed == true
        - '"does not exist !" not in result.msg'
    - name: Add audit=1 to /boot/cmdline.txt (Raspberry Pi OS)
      ansible.builtin.replace:
        path: /boot/cmdline.txt
        regexp: '^(.(?!.*\baudit=1\b).*)$'
        replace: '\1 audit=1'
      when: ansible_distribution == "Debian"
      tags:
        - debian
        - configuration
      register: result
      failed_when:
        - result.failed == true
        - '"does not exist !" not in result.msg'

    # AUDISP-REMOTE(8): "you should edit auditd.conf to set the name_format to something meaningful and the log_format to enriched
    #- name: Configure auditd.conf for audisp
    #  ansible.builtin.replace:
    #    path: /etc/audit/auditd.conf
    #    regexp: '^({{ item.key }}) = .*$'
    #    replace: '\1 = {{ item.value }}'
    #  with_dict:
    #    log_format: ENRICHED
    #    name_format: HOSTNAME