added logging via auditd and rsyslog

2025-10-02 08:59:21 +02:00
parent 00f7f43ebd
commit 5c69d87209
4 changed files with 72 additions and 1 deletions
--- a/roles/bastionhost/handlers/main.yml
+++ b/roles/bastionhost/handlers/main.yml
@@ -1,4 +1,14 @@
 ---
 - name: reload ufw
  command: ufw reload
-  listen: "reload ufw firewall"
+  listen: "reload ufw firewall"
+
+- name: restart auditd
+  service:
+    name: auditd
+    state: restarted
+
+- name: restart rsyslog
+  service:
+    name: rsyslog
+    state: restarted
--- a/roles/bastionhost/tasks/main.yml
+++ b/roles/bastionhost/tasks/main.yml
@@ -15,6 +15,7 @@
  - import_tasks: system_setup/user_hardening.yml
  - import_tasks: system_setup/aide.yml
  - import_tasls: system_setup/ntfy_alerts.yml
+  - import_tasks: system_setup/auditd_logging.yml

  rescue:
    - set_fact: task_failed=true
--- a/roles/bastionhost/tasks/system_setup/auditd_logging.yml
+++ b/roles/bastionhost/tasks/system_setup/auditd_logging.yml
@@ -0,0 +1,57 @@
+---
+- name: system setup | auditd | ensure rsyslog is installed
+  tags: auditd,hardening,system
+  package:
+    name: rsyslog
+    state: present
+
+- name: system setup | auditd | install auditd and audispd-plugins
+  tags: auditd,hardening,system
+  package:
+    name:
+      - auditd
+      - audispd-plugins # Required for remote logging on Debian/Ubuntu
+    state: present
+
+- name: system setup | auditd | configure rules to log all command executions
+  tags: auditd,hardening,system
+  copy:
+    dest: /etc/audit/rules.d/99-execve.rules
+    owner: root
+    group: root
+    mode: '0640'
+    content: |
+      # Log all execve syscalls (command executions) for both 64-bit and 32-bit.
+      # This file is managed by Ansible.
+      -a always,exit -F arch=b64 -S execve -k command_execution
+      -a always,exit -F arch=b32 -S execve -k command_execution
+  notify: restart auditd
+
+- name: system setup | auditd | configure remote logging plugin
+  tags: auditd,hardening,system
+  lineinfile:
+    path: /etc/audisp/plugins.d/syslog.conf
+    regexp: '^active ='
+    line: 'active = yes'
+    create: true
+  notify: restart auditd
+
+- name: system setup | auditd | configure rsyslog to forward audit logs
+  tags: auditd,hardening,system
+  copy:
+    dest: /etc/rsyslog.d/60-audit.conf
+    owner: root
+    group: root
+    mode: '0644'
+    content: |
+      # Forward all audit logs to a remote server
+      # This file is managed by Ansible.
+      if $programname == 'audit' then @{{ auditd_remote_log_server }}:514
+  notify: restart rsyslog
+
+- name: system setup | auditd | ensure auditd service is running and enabled
+  tags: auditd,hardening,system
+  service:
+    name: auditd
+    state: started
+    enabled: true
--- a/roles/bastionhost/vars/main.yml
+++ b/roles/bastionhost/vars/main.yml
@@ -2,3 +2,6 @@
 # Variables for ntfy alerts
 ntfy_url: "https://ntfy.sh/YOUR_TOPIC_HERE"
 ntfy_ssh_login_message: "SSH login on $(hostname) for user $USER from $(echo $SSH_CONNECTION | cut -d ' ' -f 1)"
+
+# Variable for remote auditd logging
+auditd_remote_log_server: "192.168.1.142" # IP deines Log-Servers