Documentation

v2.21
latest v2.21 v2.20 v2.19 v2.18 v2.17 v2.16 v2.15 v2.14 v2.12 v2.11 v2.10 v2.9 v2.8 v2.7 v2.6 v2.5 v2.4 v2.3 v2.2 v2.1 v2.0 v1.10 v1.9 v1.8 v1.7 v1.6 v1.5 v1.4 v1.3 v1.2 v1.1 v1.0
      Edit on GitHub

      auditd

      Manage Linux audit daemon rules.

      Attributes

      check_mode:
  support: full

      Parameters

      Parameter Required Type Values Description
      reload   boolean   Whether to reload auditd after changes. [default: true]
      rules true array   List of audit rules to add or remove.
      rules_file   string   Path to the audit rules file. [default: "/etc/audit/rules.d/audit.rules"]
      state   string present
      absent      		 Whether the rules should be present or absent. [default: "present"]

      Examples

      - name: Add audit rules for identity files
  auditd:
    rules_file: /etc/audit/rules.d/audit.rules
    rules:
      - -w /etc/passwd -p wa -k identity
      - -w /etc/group -p wa -k identity
      - -w /etc/shadow -p wa -k identity
    state: present

- name: Add syscall audit rule
  auditd:
    rules_file: /etc/audit/rules.d/audit.rules
    rules:
      - -a always,exit -F arch=b64 -S execve -k exec
    state: present

- name: Remove specific audit rules
  auditd:
    rules_file: /etc/audit/rules.d/audit.rules
    rules:
      - -w /var/log -p wa -k logs
    state: absent

- name: Add rule without reload
  auditd:
    rules_file: /etc/audit/rules.d/audit.rules
    rules:
      - -w /etc/ssh/sshd_config -p wa -k ssh
    state: present
    reload: false