Documentation

    PLEASE NOTE: This document applies to the latest version and not to the latest stable release, v2.20.

    auditd

    Manage Linux audit daemon rules.

    Attributes

    check_mode:
      support: full
    

    Parameters

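    | Parameter  | Required | Type    | Values          | Description                                                                      |
    |------------|----------|---------|-----------------|----------------------------------------------------------------------------------|
    | reload     |          | boolean |                 | Whether to reload auditd after changes. [default: true]                          |
    | rules      | true     | array   |                 | List of audit rules to add or remove.                                            |
    | rules_file |          | string  |                 | Path to the audit rules file. [default: "/etc/audit/rules.d/audit.rules"]        |
    | state      |          | string  | present, absent | Whether the rules should be present or absent. [default: "present"]              |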

    Examples

    - name: Add audit rules for identity files
      auditd:
        rules_file: /etc/audit/rules.d/audit.rules
        rules:
          - -w /etc/passwd -p wa -k identity
          - -w /etc/group -p wa -k identity
          - -w /etc/shadow -p wa -k identity
        state: present
    
    - name: Add syscall audit rule
      auditd:
        rules_file: /etc/audit/rules.d/audit.rules
        rules:
          - -a always,exit -F arch=b64 -S execve -k exec
        state: present
    
    - name: Remove specific audit rules
      auditd:
        rules_file: /etc/audit/rules.d/audit.rules
        rules:
          - -w /var/log -p wa -k logs
        state: absent
    
    - name: Add rule without reload
      auditd:
        rules_file: /etc/audit/rules.d/audit.rules
        rules:
          - -w /etc/ssh/sshd_config -p wa -k ssh
        state: present
        reload: false
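
A pre-deployment check for a `rules` list, as an added example that is not part of this module or its project: it flags rules with no `-k` key, watches that do not state `-p`, and syscall rules pinned to one `arch` with no counterpart for the other ABI. The helper names (`lint_rules`, `PAGE_RULES`) are hypothetical, and the input is the rule strings from the examples above.

```python
import shlex

def _values(tokens, flag):
    """Every argument that directly follows an occurrence of `flag`."""
    return [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == flag]

def _arch(tokens):
    """Value of the -F arch= filter, or None when the rule has none."""
    return next((f[5:] for f in _values(tokens, "-F") if f.startswith("arch=")), None)

def _syscalls(tokens):
    """Set of syscall names named by all -S options of the rule."""
    return frozenset(s for v in _values(tokens, "-S") for s in v.split(","))

def lint_rules(rules):
    """Return (rule, finding) pairs for a list of auditd rule strings."""
    parsed = [shlex.split(r) for r in rules]
    # (arch, syscalls) pairs that the list already audits
    covered = {(_arch(t), _syscalls(t)) for t in parsed if "-S" in t}
    findings = []
    for rule, tokens in zip(rules, parsed):
        if not _values(tokens, "-k"):
            findings.append((rule, "no -k key to search the events by"))
        if "-w" in tokens and not _values(tokens, "-p"):
            findings.append((rule, "watch does not state its -p access types"))
        if "-S" in tokens:
            arch = _arch(tokens)
            other = {"b64": "b32", "b32": "b64"}.get(arch)
            if arch is None:
                findings.append((rule, "syscall rule has no -F arch= filter"))
            elif other and (other, _syscalls(tokens)) not in covered:
                findings.append((rule, f"no arch={other} rule for the same syscalls"))
    return findings

# Constructed input: the rule strings from the examples on this page.
PAGE_RULES = [
    "-w /etc/passwd -p wa -k identity",
    "-w /etc/group -p wa -k identity",
    "-w /etc/shadow -p wa -k identity",
    "-a always,exit -F arch=b64 -S execve -k exec",
    "-w /etc/ssh/sshd_config -p wa -k ssh",
]

if __name__ == "__main__":
    for rule, finding in lint_rules(PAGE_RULES):
        print(f"{finding}: {rule}")
```

On a 64-bit host that can run 32-bit binaries, adding `-a always,exit -F arch=b32 -S execve -k exec` to the same `rules` list clears the one finding reported for the page's rules.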