auditd rsyslog changed to tls

roles/bastionhost/tasks/system_setup/auditd_logging.yml

@@ -2,7 +2,9 @@
 - name: system setup | auditd | ensure rsyslog is installed
   tags: auditd,hardening,system
   package:
-    name: rsyslog
+    name:
+      - rsyslog
+      - rsyslog-gnutls # Required for TLS forwarding
     state: present
 
 - name: system setup | auditd | install auditd and audispd-plugins
@@ -30,7 +32,7 @@
 - name: system setup | auditd | configure remote logging plugin
   tags: auditd,hardening,system
   lineinfile:
-    path: /etc/audisp/plugins.d/syslog.conf
+    path: /etc/audit/plugins.d/syslog.conf
     regexp: '^active ='
     line: 'active = yes'
     create: true
@@ -44,9 +46,22 @@
     group: root
     mode: '0644'
     content: |
-      # Forward all audit logs to a remote server
+      # Forward all audit logs to a remote server via TLS
       # This file is managed by Ansible.
-      if $programname == 'audit' then @{{ auditd_remote_log_server }}:514
+
+      # Define the CA certificate rsyslog should trust
+      global(DefaultNetstreamDriverCAFile="{{ rsyslog_tls_ca_cert }}")
+
+      # Define the forwarding rule
+      if $programname == 'audisp-syslog' then {
+        action(type="omfwd"
+              target="{{ auditd_remote_log_server }}"
+              port="6514"
+              protocol="tcp"
+              StreamDriver="gtls"
+              StreamDriverMode="1"
+              StreamDriverAuthMode="x509/name")
+      }
   notify: restart rsyslog
 
 - name: system setup | auditd | ensure auditd service is running and enabled