Ansible-Bootstrap/roles/cis/tasks/auditd.yml

---
- name: Install the audit daemon
  when: cis_effective_rules.auditd | default(false)
  ansible.builtin.command: "{{ cis_pkg_install }} {{ 'auditd' if is_debian | bool else 'audit' }}"
  register: cis_auditd_install
  changed_when: cis_auditd_install.rc == 0

- name: Deploy the CIS audit rule set
  when: cis_effective_rules.auditd | default(false)
  ansible.builtin.copy:
    dest: /mnt/etc/audit/rules.d/cis.rules
    mode: "0640"
    content: |
      ## CIS baseline audit rules
      -D
      -b 8192
      -f 1
      -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
      -w /etc/localtime -p wa -k time-change
      -w /etc/group -p wa -k identity
      -w /etc/passwd -p wa -k identity
      -w /etc/shadow -p wa -k identity
      -w /etc/gshadow -p wa -k identity
      -w /etc/security/opasswd -p wa -k identity
      -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
      -w /etc/hosts -p wa -k system-locale
      -w /var/log/lastlog -p wa -k logins
      -w /var/run/faillock -p wa -k logins
      -w /var/run/utmp -p wa -k session
      -w /var/log/wtmp -p wa -k session
      -w /var/log/btmp -p wa -k session
      -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
      -w /etc/sudoers -p wa -k scope
      -w /etc/sudoers.d -p wa -k scope
      -a always,exit -F arch=b64 -S init_module,delete_module -k modules
      -e 2

- name: Enable the audit daemon
  when: cis_effective_rules.auditd | default(false)
  ansible.builtin.command: "{{ chroot_command }} systemctl enable auditd"
  register: cis_auditd_enable
  changed_when: "'Created symlink' in cis_auditd_enable.stderr"