ansible-pull/roles/bastionhost/tasks/system_setup/auditd_logging.yml

---
- name: system setup | auditd | ensure rsyslog is installed
  tags: auditd,hardening,system
  package:
    name: rsyslog
    state: present

- name: system setup | auditd | install auditd and audispd-plugins
  tags: auditd,hardening,system
  package:
    name:
      - auditd
      - audispd-plugins # Required for remote logging on Debian/Ubuntu
    state: present

- name: system setup | auditd | configure rules to log all command executions
  tags: auditd,hardening,system
  copy:
    dest: /etc/audit/rules.d/99-execve.rules
    owner: root
    group: root
    mode: '0640'
    content: |
      # Log all execve syscalls (command executions) for both 64-bit and 32-bit.
      # This file is managed by Ansible.
      -a always,exit -F arch=b64 -S execve -k command_execution
      -a always,exit -F arch=b32 -S execve -k command_execution
  notify: restart auditd

- name: system setup | auditd | configure remote logging plugin
  tags: auditd,hardening,system
  lineinfile:
    path: /etc/audisp/plugins.d/syslog.conf
    regexp: '^active ='
    line: 'active = yes'
    create: true
  notify: restart auditd

- name: system setup | auditd | configure rsyslog to forward audit logs
  tags: auditd,hardening,system
  copy:
    dest: /etc/rsyslog.d/60-audit.conf
    owner: root
    group: root
    mode: '0644'
    content: |
      # Forward all audit logs to a remote server
      # This file is managed by Ansible.
      if $programname == 'audit' then @{{ auditd_remote_log_server }}:514
  notify: restart rsyslog

- name: system setup | auditd | ensure auditd service is running and enabled
  tags: auditd,hardening,system
  service:
    name: auditd
    state: started
    enabled: true