added logging via auditd and rsyslog

roles/bastionhost/tasks/system_setup/auditd_logging.yml

@@ -0,0 +1,57 @@
+---
+- name: system setup | auditd | ensure rsyslog is installed
+  tags: auditd,hardening,system
+  package:
+    name: rsyslog
+    state: present
+
+- name: system setup | auditd | install auditd and audispd-plugins
+  tags: auditd,hardening,system
+  package:
+    name:
+      - auditd
+      - audispd-plugins # Required for remote logging on Debian/Ubuntu
+    state: present
+
+- name: system setup | auditd | configure rules to log all command executions
+  tags: auditd,hardening,system
+  copy:
+    dest: /etc/audit/rules.d/99-execve.rules
+    owner: root
+    group: root
+    mode: '0640'
+    content: |
+      # Log all execve syscalls (command executions) for both 64-bit and 32-bit.
+      # This file is managed by Ansible.
+      -a always,exit -F arch=b64 -S execve -k command_execution
+      -a always,exit -F arch=b32 -S execve -k command_execution
+  notify: restart auditd
+
+- name: system setup | auditd | configure remote logging plugin
+  tags: auditd,hardening,system
+  lineinfile:
+    path: /etc/audisp/plugins.d/syslog.conf
+    regexp: '^active ='
+    line: 'active = yes'
+    create: true
+  notify: restart auditd
+
+- name: system setup | auditd | configure rsyslog to forward audit logs
+  tags: auditd,hardening,system
+  copy:
+    dest: /etc/rsyslog.d/60-audit.conf
+    owner: root
+    group: root
+    mode: '0644'
+    content: |
+      # Forward all audit logs to a remote server
+      # This file is managed by Ansible.
+      if $programname == 'audit' then @{{ auditd_remote_log_server }}:514
+  notify: restart rsyslog
+
+- name: system setup | auditd | ensure auditd service is running and enabled
+  tags: auditd,hardening,system
+  service:
+    name: auditd
+    state: started
+    enabled: true