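---
# Audit-logging hardening: record every command execution with auditd and
# ship the audit trail off-host through rsyslog over TLS (port 6514).
# Expected from the caller: the variables rsyslog_tls_ca_cert and
# auditd_remote_log_server, plus the handlers "restart auditd" and
# "restart rsyslog" (not defined in this file).

- name: system setup | auditd | ensure rsyslog is installed
  tags: auditd,hardening,system
  package:
    name:
      - rsyslog
      - rsyslog-gnutls  # Required for TLS forwarding (the gtls stream driver)
    state: present

- name: system setup | auditd | install auditd and audispd-plugins
  tags: auditd,hardening,system
  package:
    name:
      - auditd
      - audispd-plugins  # Required for remote logging on Debian/Ubuntu
    state: present

- name: system setup | auditd | configure rules to log all command executions
  tags: auditd,hardening,system
  copy:
    dest: /etc/audit/rules.d/99-execve.rules
    owner: root
    group: root
    mode: '0640'
    content: |
      # Log all execve syscalls (command executions) for both 64-bit and 32-bit.
      # This file is managed by Ansible.
      -a always,exit -F arch=b64 -S execve -k command_execution
      -a always,exit -F arch=b32 -S execve -k command_execution
  notify: restart auditd

- name: system setup | auditd | configure remote logging plugin
  tags: auditd,hardening,system
  # Only flip the 'active' switch in the packaged plugin definition. 'create'
  # is intentionally not set: a freshly created file would contain just this
  # one line and lack the path/type/args keys the plugin definition needs, so
  # a missing file (different audit version or plugin directory) fails the
  # play loudly instead of silently leaving remote logging unconfigured.
  lineinfile:
    path: /etc/audit/plugins.d/syslog.conf
    regexp: '^active ='
    line: 'active = yes'
  notify: restart auditd

- name: system setup | auditd | configure rsyslog to forward audit logs
  tags: auditd,hardening,system
  copy:
    dest: /etc/rsyslog.d/60-audit.conf
    owner: root
    group: root
    mode: '0644'
    content: |
      # Forward all audit logs to a remote server via TLS
      # This file is managed by Ansible.

      # Define the CA certificate rsyslog should trust
      global(DefaultNetstreamDriverCAFile="{{ rsyslog_tls_ca_cert }}")

      # Define the forwarding rule.
      # - x509/name authenticates the collector against a permitted peer name;
      #   without StreamDriverPermittedPeers the name check has nothing to
      #   match, so the target must be the hostname carried in the server
      #   certificate (not an IP address).
      # - An unlimited retry count plus a disk-assisted queue keeps audit
      #   events from being dropped while the collector is unreachable.
      #   queue.filename is relative to rsyslog's workDirectory — confirm it
      #   is set in the main rsyslog.conf.
      if $programname == 'audisp-syslog' then {
        action(type="omfwd"
               target="{{ auditd_remote_log_server }}"
               port="6514"
               protocol="tcp"
               StreamDriver="gtls"
               StreamDriverMode="1"
               StreamDriverAuthMode="x509/name"
               StreamDriverPermittedPeers="{{ auditd_remote_log_server }}"
               action.resumeRetryCount="-1"
               queue.type="LinkedList"
               queue.filename="audit_fwd"
               queue.saveOnShutdown="on")
      }
  notify: restart rsyslog

- name: system setup | auditd | ensure auditd service is running and enabled
  tags: auditd,hardening,system
  service:
    name: auditd
    state: started
    enabled: true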