Role - tripleo_auditd

Role Documentation

Welcome to the “tripleo_auditd” role documentation.

Role Defaults

This section highlights all of the defaults and variables set within the “tripleo_auditd” role.

tripleo_auditd_pkg: audit
tripleo_auditd_service: auditd
tripleo_auditd_rules:
  Default - Delete all rules:
    content: -D
    order: 0
  Default - Set Buffer size:
    content: -b 8192
    order: 1
  Default - Set failure mode:
    content: -f 1
    order: 2
  Default - Set backlog time:
    content: --backlog_wait_time 60000
    order: 3

tripleo_auditd_config: {}
tripleo_auditd_config_default:
  log_file: /var/log/audit/audit.log
  log_format: RAW
  log_group: root
  write_logs: yes
  priority_boost: '4'
  flush: incremental_async
  freq: '20'
  num_logs: '5'
  disp_qos: lossy
  dispatcher: /sbin/audispd
  name_format: none
  max_log_file: '6'
  max_log_file_action: rotate
  space_left: '75'
  space_left_action: syslog
  action_mail_acct: root
  admin_space_left: '50'
  admin_space_left_action: suspend
  disk_full_action: suspend
  disk_error_action: suspend
  tcp_listen_queue: '5'
  tcp_max_per_addr: '1'
  tcp_client_max_idle: '0'
  enable_krb5: no
  krb5_principal: auditd

Molecule Scenarios

Molecule is being used to test the “tripleo_auditd” role. The following section highlights the drivers in service and provides an example playbook showing how the role is leveraged.

Scenario: default

Driver: delegated
Molecule Options
managed: false
login_cmd_template: >-
  ssh
  -o UserKnownHostsFile=/dev/null
  -o StrictHostKeyChecking=no
  -o Compression=no
  -o TCPKeepAlive=yes
  -o VerifyHostKeyDNS=no
  -o ForwardX11=no
  -o ForwardAgent=no
  {instance}
ansible_connection_options:
  ansible_connection: ssh
Molecule Inventory
hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost
Example default playbook
- name: Converge
  hosts: all
  tasks:
  - name: Default install without custom rules
    include_role:
      name: tripleo_auditd

Scenario: custom-rules

Driver: delegated
Molecule Options
managed: false
login_cmd_template: >-
  ssh
  -o UserKnownHostsFile=/dev/null
  -o StrictHostKeyChecking=no
  -o Compression=no
  -o TCPKeepAlive=yes
  -o VerifyHostKeyDNS=no
  -o ForwardX11=no
  -o ForwardAgent=no
  {instance}
ansible_connection_options:
  ansible_connection: ssh
Molecule Inventory
hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost
Example custom-rules playbook
- name: Converge
  hosts: all
  vars:
    ordered_rules:
    - -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
    - -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
    - -a always,exit -F arch=b64 -S clock_settime -F key=audit_time_rules
  tasks:
  - name: Push some rules
    vars:
      tripleo_auditd_rules:
        Record attempts to alter time through settimeofday:
          content: -a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
          order: 2
        Record attempts to alter time through adjtimex:
          content: -a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
          order: 1
        Record Attempts to Alter Time Through clock_settime:
          content: -a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
          order: 3
    include_role:
      name: tripleo_auditd

  - name: Get auditd rules
    become: true
    register: auditctl_listing
    command: /sbin/auditctl -l

  - name: Ensure rules are present in the correct order
    assert:
      that:
      - auditctl_listing.stdout_lines == ordered_rules
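As an added example (not code from the tripleo_auditd role itself), the following Python reproduces what the inputs above imply: rules emitted in `order` sequence, rewritten the way `auditctl -l` prints syscall rules so the custom-rules assertion can be checked offline, and `tripleo_auditd_config` merged over `tripleo_auditd_config_default`. The merge precedence and the tie-break on rule names are assumptions, not documented role behaviour.

```python
import shlex

# Rules from the custom-rules scenario above, deliberately listed out of order.
CUSTOM_RULES = {
    "Record attempts to alter time through settimeofday":
        {"content": "-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules", "order": 2},
    "Record attempts to alter time through adjtimex":
        {"content": "-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules", "order": 1},
    "Record Attempts to Alter Time Through clock_settime":
        {"content": "-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules", "order": 3},
}

# Subset of tripleo_auditd_config_default from the role defaults above.
CONFIG_DEFAULT = {"log_file": "/var/log/audit/audit.log", "flush": "incremental_async",
                  "freq": "20", "space_left_action": "syslog", "disk_full_action": "suspend"}


def render_rules(rules):
    """Rule contents sorted by their `order` key (ties broken by name, an assumption)."""
    ordered = sorted(rules.items(), key=lambda kv: (int(kv[1]["order"]), kv[0]))
    return [item["content"] for _, item in ordered]


def normalize_syscall_rule(rule):
    """Rewrite a syscall rule as `auditctl -l` prints it: `-k KEY` becomes `-F key=KEY`."""
    toks, out, i = shlex.split(rule), [], 0
    while i < len(toks):
        if toks[i] == "-k" and i + 1 < len(toks):
            out += ["-F", "key=" + toks[i + 1]]
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return " ".join(out)


def expected_listing(rules):
    """Syscall rules (-a ...) in order, normalized like `auditctl -l` output. Control
    lines (-D, -b, -f, --backlog_wait_time) never appear in that listing, so they are
    dropped; watch (-w) rules print differently and are out of scope here."""
    return [normalize_syscall_rule(r) for r in render_rules(rules) if r.startswith("-a ")]


def render_auditd_conf(overrides, defaults=CONFIG_DEFAULT):
    """auditd.conf text: keys in tripleo_auditd_config win over tripleo_auditd_config_default
    (assumed to be how the role combines the two variables)."""
    merged = {**defaults, **overrides}
    return "".join(f"{k} = {v}\n" for k, v in merged.items())
```

`expected_listing(CUSTOM_RULES)` yields exactly the `ordered_rules` list used by the custom-rules scenario's assert, which is a quick way to sanity-check a rule set before converging it on a host.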