Role - tripleo_auditd
Role Documentation
Welcome to the "tripleo_auditd" role documentation.
Role Defaults
This section highlights all of the defaults and variables set within the "tripleo_auditd" role.
tripleo_auditd_pkg: audit
tripleo_auditd_service: auditd
tripleo_auditd_rules: {}
tripleo_auditd_config: {}
tripleo_auditd_config_default:
  log_file: /var/log/audit/audit.log
  log_format: RAW
  log_group: root
  write_logs: yes
  priority_boost: '4'
  flush: incremental_async
  freq: '20'
  num_logs: '5'
  disp_qos: lossy
  dispatcher: /sbin/audispd
  name_format: none
  max_log_file: '6'
  max_log_file_action: rotate
  space_left: '75'
  space_left_action: syslog
  action_mail_acct: root
  admin_space_left: '50'
  admin_space_left_action: suspend
  disk_full_action: suspend
  disk_error_action: suspend
  tcp_listen_queue: '5'
  tcp_max_per_addr: '1'
  tcp_client_max_idle: '0'
  enable_krb5: no
  krb5_principal: auditd
Molecule Scenarios
Molecule is used to test the "tripleo_auditd" role. The following section lists the drivers in use and provides an example playbook for each scenario showing how the role is applied.
Scenario: default
Molecule Inventory
hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost
Example default playbook
- name: Converge
  hosts: all
  tasks:
    - name: Default install without custom rules
      include_role:
        name: tripleo_auditd
Scenario: custom_rules
Molecule Inventory
hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost
Example custom_rules playbook
- name: Converge
  hosts: all
  vars:
    ordered_rules:
      - -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
      - -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
      - -a always,exit -F arch=b64 -S clock_settime -F key=audit_time_rules
  tasks:
    - name: Push some rules
      vars:
        tripleo_auditd_rules:
          Record attempts to alter time through settimeofday:
            content: -a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
            order: 2
          Record attempts to alter time through adjtimex:
            content: -a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
            order: 1
          Record Attempts to Alter Time Through clock_settime:
            content: -a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
            order: 3
      include_role:
        name: tripleo_auditd
    - name: Get auditd rules
      become: true
      register: auditctl_listing
      command: /sbin/auditctl -l
    - name: Ensure rules are present in the correct order
      assert:
        that:
          - auditctl_listing.stdout_lines == ordered_rules
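How the pieces of the custom_rules scenario fit together, as an added example that is not code from the tripleo_auditd role: it assumes the role writes rules sorted by their order key and layers tripleo_auditd_config over tripleo_auditd_config_default (both are assumptions about role internals), and it models the way auditctl -l echoes -k KEY back as -F key=KEY, which is why ordered_rules is spelled differently from the rule content yet the assertion still passes.

```python
import re

# Constructed input: the tripleo_auditd_rules mapping from the scenario above.
RULES = {
    "Record attempts to alter time through settimeofday": {
        "content": "-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules",
        "order": 2,
    },
    "Record attempts to alter time through adjtimex": {
        "content": "-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules",
        "order": 1,
    },
    "Record Attempts to Alter Time Through clock_settime": {
        "content": "-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules",
        "order": 3,
    },
}

# Constructed override standing in for a user's tripleo_auditd_config; the
# defaults below are a subset of tripleo_auditd_config_default from this page.
CONFIG_OVERRIDE = {"max_log_file": "64", "space_left_action": "email"}
CONFIG_DEFAULT = {"max_log_file": "6", "space_left_action": "syslog",
                  "admin_space_left_action": "suspend"}


def render_rules(rules):
    """Emit rule lines sorted by their 'order' key (assumed role behaviour:
    the scenario's assertion only holds if rules land in this order).
    Ties fall back to the rule name so the output is deterministic."""
    ordered = sorted(rules.items(), key=lambda kv: (kv[1]["order"], kv[0]))
    return [spec["content"] for _, spec in ordered]


def as_auditctl_listing(lines):
    """Rewrite '-k KEY' as '-F key=KEY': auditctl -l reports loaded rules in
    that normalised form, so a listing never contains the -k shorthand."""
    return [re.sub(r"-k (\S+)", r"-F key=\1", line) for line in lines]


def render_auditd_conf(defaults, overrides):
    """Assumed role behaviour: user config is layered over the defaults
    (the effect of Ansible's combine filter), then written as 'key = value'."""
    merged = {**defaults, **overrides}
    return [f"{key} = {value}" for key, value in merged.items()]


def expected_listing():
    """What the scenario expects auditctl -l to print after convergence."""
    return as_auditctl_listing(render_rules(RULES))
```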