add option to disable auditd

2024-11-10 01:04:13 +00:00 · 2018-09-16 20:56:48 +02:00 · 2018-09-16 20:56:48 +02:00 · 67f16f166c
commit 67f16f166c
parent cb05d55f9f
5 changed files with 12 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -16,9 +16,10 @@ It configures:
 * Shadow password suite configuration
 * Configures system path permissions
 * Disable core dumps via soft limits
- * Restrict Root Logins to System Console
+ * Restrict root Logins to System Console
 * Set SUIDs
 * Configures kernel parameters via sysctl
+ * Install and configure auditd

 It will not:

@ -61,7 +62,8 @@ Otherwise inspec will fail. For more information, see [issue #124](https://githu
 | `ufw_ipt_sysctl` | '' | by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`
 | `ufw_default_input_policy` | DROP | set default input policy of ufw to `DROP` |
 | `ufw_default_output_policy` | ACCEPT | set default output policy of ufw to `ACCEPT` |
-| `ufw_default_forward_policy` | DROP| set default forward policy of ufw to `DROP` |
+| `ufw_default_forward_policy` | DROP | set default forward policy of ufw to `DROP` |
+| `os_auditd_enabled` | true | Set to false to disable installing and configuring auditd. |

 ## Packages

@ -86,7 +88,7 @@ We disable the following filesystems, because they're most likely not used:
 * "hfsplus"
 * "squashfs"
 * "udf"
- * "vfat"
+ * "vfat" # only if uefi is not in use

 To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable.

--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -247,3 +247,6 @@ os_filesystem_whitelist: []
 # Set to false to turn the role into a no-op. Useful when using
 # the Ansible role dependency mechanism.
 os_hardening_enabled: true
+
+# Set to false to disable installing and configuring auditd.
+os_auditd_enabled: true
--- a/tasks/hardening.yml
+++ b/tasks/hardening.yml
@ -15,6 +15,7 @@

 - import_tasks: auditd.yml
  tags: auditd
+  when: os_auditd_enabled

 - import_tasks: limits.yml
  tags: limits
--- a/tasks/profile.yml
+++ b/tasks/profile.yml
@ -7,7 +7,7 @@
    group: 'root'
    mode: '0750'
  when: not os_security_kernel_enable_core_dump
-  
+
 - name: remove pinerolo_profile.sh from profile.d
  file:
    path: /etc/profile.d/pinerolo_profile.sh
--- a/tests/test.yml
+++ b/tests/test.yml
@ -62,6 +62,8 @@

 - name: wrapper playbook for kitchen testing "ansible-os-hardening"
  hosts: localhost
+  vars:
+    - os_auditd_enabled: false
  pre_tasks:
    - name: Run the equivalent of "apt-get update" as a separate step
      apt: