rene/ansible-pull
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added logging via auditd and rsyslog

Browse Source
This commit is contained in:
Rene Mewissen
2025-10-02 08:59:21 +02:00
parent 00f7f43ebd
commit 5c69d87209
4 changed files with 72 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
roles/bastionhost/handlers/main.yml
View File

@@ -2,3 +2,13 @@
- name: reload ufw - name: reload ufw
command: ufw reload command: ufw reload
listen: "reload ufw firewall" listen: "reload ufw firewall"
- name: restart auditd
service:
name: auditd
state: restarted
- name: restart rsyslog
service:
name: rsyslog
state: restarted

1
roles/bastionhost/tasks/main.yml
View File

@@ -15,6 +15,7 @@
- import_tasks: system_setup/user_hardening.yml - import_tasks: system_setup/user_hardening.yml
- import_tasks: system_setup/aide.yml - import_tasks: system_setup/aide.yml
- import_tasls: system_setup/ntfy_alerts.yml - import_tasls: system_setup/ntfy_alerts.yml
- import_tasks: system_setup/auditd_logging.yml
rescue: rescue:
- set_fact: task_failed=true - set_fact: task_failed=true

57
roles/bastionhost/tasks/system_setup/auditd_logging.yml Normal file
View File

@@ -0,0 +1,57 @@
---
- name: system setup | auditd | ensure rsyslog is installed
tags: auditd,hardening,system
package:
name: rsyslog
state: present
- name: system setup | auditd | install auditd and audispd-plugins
tags: auditd,hardening,system
package:
name:
- auditd
- audispd-plugins # Required for remote logging on Debian/Ubuntu
state: present
- name: system setup | auditd | configure rules to log all command executions
tags: auditd,hardening,system
copy:
dest: /etc/audit/rules.d/99-execve.rules
owner: root
group: root
mode: '0640'
content: |
# Log all execve syscalls (command executions) for both 64-bit and 32-bit.
# This file is managed by Ansible.
-a always,exit -F arch=b64 -S execve -k command_execution
-a always,exit -F arch=b32 -S execve -k command_execution
notify: restart auditd
- name: system setup | auditd | configure remote logging plugin
tags: auditd,hardening,system
lineinfile:
path: /etc/audisp/plugins.d/syslog.conf
regexp: '^active ='
line: 'active = yes'
create: true
notify: restart auditd
- name: system setup | auditd | configure rsyslog to forward audit logs
tags: auditd,hardening,system
copy:
dest: /etc/rsyslog.d/60-audit.conf
owner: root
group: root
mode: '0644'
content: |
# Forward all audit logs to a remote server
# This file is managed by Ansible.
if $programname == 'audit' then @{{ auditd_remote_log_server }}:514
notify: restart rsyslog
- name: system setup | auditd | ensure auditd service is running and enabled
tags: auditd,hardening,system
service:
name: auditd
state: started
enabled: true

3
roles/bastionhost/vars/main.yml
View File

@@ -2,3 +2,6 @@
# Variables for ntfy alerts # Variables for ntfy alerts
ntfy_url: "https://ntfy.sh/YOUR_TOPIC_HERE" ntfy_url: "https://ntfy.sh/YOUR_TOPIC_HERE"
ntfy_ssh_login_message: "SSH login on $(hostname) for user $USER from $(echo $SSH_CONNECTION | cut -d ' ' -f 1)" ntfy_ssh_login_message: "SSH login on $(hostname) for user $USER from $(echo $SSH_CONNECTION | cut -d ' ' -f 1)"
# Variable for remote auditd logging
auditd_remote_log_server: "192.168.1.142" # IP deines Log-Servers