---
# Ansible tasks for a CIS-style auditd baseline: rules directory, backlog
# limit, baseline rules, and the service itself. The `restart auditd` handler
# and the cis_* variables are defined elsewhere (not in this file).

# Directory for drop-in rule files. Owner root and mode 0750 keep the
# rule set unreadable by unprivileged users.
- name: Ensure audit rules directory exists
  ansible.builtin.file:
    path: /etc/audit/rules.d
    state: directory
    owner: root
    group: root
    mode: "0750"

# Set the kernel audit backlog (`-b <n>`) from cis_audit_backlog_limit.
# The regexp matches an existing `-b` line so the value is replaced rather
# than duplicated; `create: true` writes the file if it does not exist yet.
# NOTE(review): this edits /etc/audit/audit.rules directly while the task
# above prepares rules.d — on hosts where audit.rules is regenerated from
# rules.d, a directly written line may not survive; confirm which file the
# target hosts actually load.
- name: Configure audit backlog limit
  ansible.builtin.lineinfile:
    path: /etc/audit/audit.rules
    regexp: '^-b\s+'  # single quotes keep the backslash literal
    line: "-b {{ cis_audit_backlog_limit }}"
    create: true
    owner: root
    group: root
    mode: "0640"
  notify: restart auditd

# Append each rule from cis_audit_rules to cis_audit_rules_path if it is
# not already present. No regexp is given, so an edited rule is added as a
# new line and the old one is left in place; stale rules must be removed
# separately. `label` limits task output to the rule text.
- name: Install baseline audit rules
  ansible.builtin.lineinfile:
    path: "{{ cis_audit_rules_path }}"
    line: "{{ item }}"
    create: true
    owner: root
    group: root
    mode: "0640"
  loop: "{{ cis_audit_rules }}"
  loop_control:
    label: "{{ item }}"
  notify: restart auditd

# Make sure auditd starts at boot and is running now; rule changes above
# are picked up via the notified restart handler.
- name: Ensure auditd is enabled and running
  ansible.builtin.systemd:
    name: auditd
    enabled: true
    state: started