Merge pull request #973 from konstruktoid/audit

audtid: set arch on perm and just enable

Author: konstruktoid

handlers/main.yml

@@ -1,30 +1,19 @@
 ---
-- name: Restart Debian auditd
+- name: Enable auditd
   become: true
   ansible.builtin.service:
     name: auditd
-    state: restarted
-  when:
-    - ansible_os_family == "Debian"
-    - ansible_virtualization_type not in ["container", "docker", "podman"]
-
-# https://github.com/ansible/ansible/issues/22171
-- name: Restart RedHat auditd # noqa command-instead-of-module
-  become: true
-  ansible.builtin.command:
-    cmd: service auditd restart
-  register: service_auditd_restart
-  changed_when: service_auditd_restart.rc == 0
+    enabled: true
   when:
-    - ansible_os_family == "RedHat"
     - ansible_virtualization_type not in ["container", "docker", "podman"]
 
 - name: Generate auditd rules
   become: true
   ansible.builtin.command:
     cmd: augenrules
   register: augenrules_handler
-  changed_when: augenrules_handler.rc == 0
+  changed_when:
+    - augenrules_handler.rc == 0
 
 - name: Restart sysctl
   become: true

molecule/default/verify.yml

@@ -215,22 +215,30 @@
             cmd: |
               set -o pipefail
               auditctl -l | grep "^{{ item }}$"
+          register: auditd_rules
           changed_when: false
+          failed_when: auditd_rules.rc != 0
           args:
             executable: /bin/bash
           loop:
-            - "-w /sbin/auditctl -p x -k audittools"
-            - "-w /usr/bin/sudo -p x -k actions"
-            - "-w /etc/localtime -p wa -k localtime"
-            - "-w /var/lib/systemd/credential.secret -p wa -k systemd"
-            - "-w {{ sysctl_conf_dir }}/zz-ipv6-hardening.conf -p wa -k sysctl"
+            - "-a always,exit -F arch=b32 -S open -F dir=/etc -F success=0 -F key=access"
+            - "-a always,exit -F arch=b32 -S open -F dir=/tmp -F success=0 -F key=access"
+            - "-a always,exit -F arch=b32 -S open -F dir=/var -F success=0 -F key=access"
+            - "-a always,exit .* key=actions"
+            - "-a always,exit .* key=audispconfig"
+            - "-a always,exit .* key=audit_rules_usergroup_modification"
+            - "-a always,exit .* key=audit_time_rules"
+            - "-a always,exit .* key=cron"
+            - "-a always,exit .* path=/etc/ld.so.conf .* key=libpath"
 
         - name: Verify auditd settings
           ansible.builtin.shell:
             cmd: |
               set -o pipefail
               grep "^{{ item }}$" /etc/audit/audit.rules
+          register: auditd_settings
           changed_when: false
+          failed_when: auditd_settings.rc != 0
           args:
             executable: /bin/bash
           loop:

tasks/auditd.yml

@@ -153,5 +153,4 @@
         - auditd_apply_audit_rules | bool
       notify:
         - Generate auditd rules
-        - Restart Debian auditd
-        - Restart RedHat auditd
+        - Enable auditd