ansible-pull/roles/bastionhost/tasks/system_setup/auditd_logging.yml

---
- name: system setup | auditd | ensure rsyslog is installed
  tags: auditd,hardening,system
  package:
    name:
      - rsyslog
      - rsyslog-gnutls # Required for TLS forwarding
    state: present

- name: system setup | auditd | install auditd and audispd-plugins
  tags: auditd,hardening,system
  package:
    name:
      - auditd
      - audispd-plugins # Required for remote logging on Debian/Ubuntu
    state: present

- name: system setup | auditd | configure rules to log all command executions
  tags: auditd,hardening,system
  copy:
    dest: /etc/audit/rules.d/99-execve.rules
    owner: root
    group: root
    mode: '0640'
    content: |
      # Log all execve syscalls (command executions) for both 64-bit and 32-bit.
      # This file is managed by Ansible.
      -a always,exit -F arch=b64 -S execve -k command_execution
      -a always,exit -F arch=b32 -S execve -k command_execution
  notify: restart auditd

- name: system setup | auditd | configure remote logging plugin
  tags: auditd,hardening,system
  lineinfile:
    path: /etc/audit/plugins.d/syslog.conf
    regexp: '^active ='
    line: 'active = yes'
    create: true
  notify: restart auditd

- name: system setup | auditd | configure rsyslog to forward audit logs
  tags: auditd,hardening,system
  copy:
    dest: /etc/rsyslog.d/60-audit.conf
    owner: root
    group: root
    mode: '0644'
    content: |
      # Forward all audit logs to a remote server via TLS
      # This file is managed by Ansible.

      # Define the CA certificate rsyslog should trust
      global(DefaultNetstreamDriverCAFile="{{ rsyslog_tls_ca_cert }}")

      # Define the forwarding rule
      if $programname == 'audisp-syslog' then {
        action(type="omfwd"
              target="{{ auditd_remote_log_server }}"
              port="6514"
              protocol="tcp"
              StreamDriver="gtls"
              StreamDriverMode="1"
              StreamDriverAuthMode="x509/name")
      }
  notify: restart rsyslog

- name: system setup | auditd | ensure auditd service is running and enabled
  tags: auditd,hardening,system
  service:
    name: auditd
    state: started
    enabled: true