Add Debian 13 and Ubuntu 26.04 CIS-inspired hardening playbook

2026-05-06 08:56:45 +00:00
parent 75a11f7650
commit 2fd9c0b5ef
15 changed files with 778 additions and 0 deletions
@@ -0,0 +1,39 @@
+---
+- name: Ensure audit rules directory exists
+  ansible.builtin.file:
+    path: /etc/audit/rules.d
+    state: directory
+    owner: root
+    group: root
+    mode: "0750"
+
+- name: Report audit rules management mode
+  ansible.builtin.debug:
+    msg: >-
+      {{ 'OK: Baseline audit rule management is enabled.'
+         if cis_manage_audit_rules | bool
+         else 'WARNING: Audit rules are not managed because cis_manage_audit_rules is false.' }}
+
+- name: Install baseline audit rules when explicitly enabled
+  ansible.builtin.lineinfile:
+    path: "{{ cis_audit_rules_path }}"
+    line: "{{ item }}"
+    create: true
+    owner: root
+    group: root
+    mode: "0640"
+  loop: "{{ cis_audit_rules }}"
+  loop_control:
+    label: "{{ item }}"
+  when: cis_manage_audit_rules | bool
+  notify: restart auditd
+
+- name: Ensure auditd is enabled and running
+  ansible.builtin.systemd:
+    name: auditd
+    enabled: true
+    state: started
+  when:
+    - cis_install_auditd | bool
+    - "'auditd.service' in ansible_facts.services"
+    - not cis_container_detected | default(false) | bool