auditd: add possibility to override config template (#685)

Meecr0b · web-flow · commit 6bcdb253eceb · 2023-07-24T11:34:47.000+02:00
* make template overrideable

by referencing the auditd.conf.j2 template, a custom template can be provided to the role.

Signed-off-by: Dennis Lerch &lt;dennis.lerch@mercedes-benz.com&gt;

* extend auditd config

make freq and log_file configurable
implement write_logs with it's default value in order to be able to disable log writing

Signed-off-by: Dennis Lerch &lt;dennis.lerch@mercedes-benz.com&gt;

* Extend README.md documentation by new variables

reorder `os_auditd_log_format` to keep sequence from defaults

Signed-off-by: Dennis Lerch &lt;dennis.lerch@mercedes-benz.com&gt;

---------

Signed-off-by: Dennis Lerch &lt;dennis.lerch@mercedes-benz.com&gt;
diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
@@ -219,6 +219,9 @@ We know that this is the case on Raspberry Pi.
 - `os_auditd_enabled`
   - Default: `true`
   - Description: Set to false to disable installing and configuring auditd.
+- `os_auditd_template`
+  - Default: `etc/audit/auditd.conf.j2`
+  - Description: Template file to use for auditd.conf. By overwriting this value, a custom auditd.conf template can be provided. Put a `templates` directory next to your playbook with a custom template in it (e.q. `myauditd.conf.j2`) and set this variable to your template.
 - `os_auditd_max_log_file_action`
   - Default: `keep_logs`
   - Description: Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`.
@@ -321,12 +324,24 @@ We know that this is the case on Raspberry Pi.
 - `os_auditd_flush`
   - Default: `INCREMENTAL`
   - Description: Valid values are none, incremental, incremental_async, data, and sync.
+- `os_auditd_freq`
+  - Default: `20`
+  - Description: Specify number of records to write before issuing an explicit flush to disk command. This value is only valid when the flush keyword is set to incremental or incremental_async.
 - `os_auditd_max_log_file`
   - Default: 6
   - Description: This keyword specifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action.
 - `os_auditd_max_log_file_action`
   - Default: `keep_logs`
   - Description: This parameter tells the system what action to take when the system has detected that the max file size limit has been reached. Valid values are ignore, syslog, suspend, rotate and keep_logs.
+- `os_auditd_write_logs`
+  - Default: `true`
+  - Description: Set to false in order to disable writing logs to disk.
+- `os_auditd_log_file`
+  - Default: `/var/log/audit/audit.log`
+  - Description: Specify the full path name to the log file where audit records will be stored. It must be a regular file.
+- `os_auditd_log_format`
+  - Default: `RAW`
+  - Description: The log format describes how the information should be stored on disk. There are 2 options: raw and enriched. If set to `RAW`, the audit records will be stored in a format exactly as the kernel sends it. The `ENRICHED` option will resolve all uid, gid, syscall, architecture, and socket address information before writing the event to disk. This aids in making sense of events created on one system but reported/analyzed on another system.
 - `os_auditd_admin_space_left`
   - Default: 50
   - Description: This is a numeric value in megabytes that tells the audit daemon when to perform a configurable action because the system is running low on disk space.
@@ -339,9 +354,6 @@ We know that this is the case on Raspberry Pi.
 - `os_auditd_action_mail_acct`
   - Default: root
   - Description: If `space_left_action` or `admin_space_left_action` are set to `email`, uses the address or alias to send the email using `/usr/lib/sendmail`. If the address or alias is not local, requires email properly configured on the machine and network.
-- `os_auditd_log_format`
-  - Default: `RAW`
-  - Description: The log format describes how the information should be stored on disk. There are 2 options: raw and enriched. If set to `RAW`, the audit records will be stored in a format exactly as the kernel sends it. The `ENRICHED` option will resolve all uid, gid, syscall, architecture, and socket address information before writing the event to disk. This aids in making sense of events created on one system but reported/analyzed on another system.
 - `os_mnt_boot_dir_mode`
   - Default: `0700`
   - Description: Set default perimissions for /boot
diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
@@ -332,9 +332,13 @@ os_hardening_enabled: true
 
 # Set to false to disable installing and configuring auditd.
 os_auditd_enabled: true
+os_auditd_template: etc/audit/auditd.conf.j2
 os_auditd_flush: INCREMENTAL
+os_auditd_freq: 20
 os_auditd_max_log_file: 6
 os_auditd_max_log_file_action: keep_logs
+os_auditd_write_logs: true
+os_auditd_log_file: /var/log/audit/audit.log
 os_auditd_log_format: RAW
 os_auditd_admin_space_left: 50
 os_auditd_space_left: 75
diff --git a/roles/os_hardening/tasks/auditd.yml b/roles/os_hardening/tasks/auditd.yml
@@ -7,7 +7,7 @@
 
 - name: Configure auditd | package-08
   ansible.builtin.template:
-    src: etc/audit/auditd.conf.j2
+    src: "{{ os_auditd_template }}"
     dest: /etc/audit/auditd.conf
     owner: root
     group: root
diff --git a/roles/os_hardening/templates/etc/audit/auditd.conf.j2 b/roles/os_hardening/templates/etc/audit/auditd.conf.j2
@@ -1,12 +1,13 @@
 {{ ansible_managed | comment }}
 # Generated by Ansible role {{ ansible_role_name }}
 
-log_file = /var/log/audit/audit.log
+write_logs = {{ os_auditd_write_logs | bool | ternary('yes', 'no') }}
+log_file = {{ os_auditd_log_file }}
 log_format = {{ os_auditd_log_format }}
 log_group = {{ os_auditd_log_group }}
 priority_boost = 4
 flush = {{ os_auditd_flush }}
-freq = 20
+freq = {{ os_auditd_freq }}
 num_logs = {{ os_auditd_num_logs }}
 disp_qos = lossy
 dispatcher = /sbin/audispd
