feat(cis): add selectable profile and per-rule hardening toggles

roles/cis/tasks/auditd.yml

@@ -0,0 +1,42 @@
+---
+- name: Install the audit daemon
+  when: cis_effective_rules.auditd | default(false)
+  ansible.builtin.command: "{{ cis_pkg_install }} {{ 'auditd' if is_debian | bool else 'audit' }}"
+  register: cis_auditd_install
+  changed_when: cis_auditd_install.rc == 0
+
+- name: Deploy the CIS audit rule set
+  when: cis_effective_rules.auditd | default(false)
+  ansible.builtin.copy:
+    dest: /mnt/etc/audit/rules.d/cis.rules
+    mode: "0640"
+    content: |
+      ## CIS baseline audit rules
+      -D
+      -b 8192
+      -f 1
+      -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
+      -w /etc/localtime -p wa -k time-change
+      -w /etc/group -p wa -k identity
+      -w /etc/passwd -p wa -k identity
+      -w /etc/shadow -p wa -k identity
+      -w /etc/gshadow -p wa -k identity
+      -w /etc/security/opasswd -p wa -k identity
+      -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
+      -w /etc/hosts -p wa -k system-locale
+      -w /var/log/lastlog -p wa -k logins
+      -w /var/run/faillock -p wa -k logins
+      -w /var/run/utmp -p wa -k session
+      -w /var/log/wtmp -p wa -k session
+      -w /var/log/btmp -p wa -k session
+      -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
+      -w /etc/sudoers -p wa -k scope
+      -w /etc/sudoers.d -p wa -k scope
+      -a always,exit -F arch=b64 -S init_module,delete_module -k modules
+      -e 2
+
+- name: Enable the audit daemon
+  when: cis_effective_rules.auditd | default(false)
+  ansible.builtin.command: "{{ chroot_command }} systemctl enable auditd"
+  register: cis_auditd_enable
+  changed_when: "'Created symlink' in cis_auditd_enable.stderr"