---
# Baseline auditd task list: create the rules directory, report whether
# rule management is on, install the configured rules, and make sure the
# auditd unit is enabled and running.
#
# Variables read here (defined elsewhere, presumably in role defaults/vars):
#   cis_manage_audit_rules, cis_audit_rules_path, cis_audit_rules,
#   cis_install_auditd, cis_container_detected.

# The rules directory is root-owned and not world-readable, so unprivileged
# users cannot read which events are being audited.
- name: Ensure audit rules directory exists
  ansible.builtin.file:
    path: /etc/audit/rules.d
    owner: root
    group: root
    mode: "0750"
    state: directory

# Purely informational: tells the operator whether the next task will run.
# `ternary` picks the first string when the test is true, the second otherwise.
- name: Report audit rules management mode
  ansible.builtin.debug:
    msg: >-
      {{ (cis_manage_audit_rules | bool)
         | ternary('OK: Baseline audit rule management is enabled.',
                   'WARNING: Audit rules are not managed because cis_manage_audit_rules is false.') }}

# One lineinfile call per rule: each rule line is made present (the file is
# created if missing). Lines already in the file that are not in
# cis_audit_rules are left untouched, so stale rules are not removed here.
# The rules file is root:root 0640 so only root (and the root group) can read it.
- name: Install baseline audit rules when explicitly enabled
  when: cis_manage_audit_rules | bool
  loop: "{{ cis_audit_rules }}"
  loop_control:
    label: "{{ item }}"
  ansible.builtin.lineinfile:
    path: "{{ cis_audit_rules_path }}"
    line: "{{ item }}"
    create: true
    owner: root
    group: root
    mode: "0640"
  # NOTE(review): the "restart auditd" handler is defined outside this file;
  # on some distributions auditd refuses a manual systemctl stop/restart, so
  # confirm the handler uses a method that actually reloads the rules.
  notify: restart auditd

# All three conditions must hold (a `when` list is AND-ed, evaluated in order).
# NOTE(review): `ansible_facts.services` is only populated after
# ansible.builtin.service_facts has run earlier in the play; if it has not,
# this task fails with an undefined-attribute error rather than silently
# skipping, which is the safer failure mode for an audit control.
- name: Ensure auditd is enabled and running
  when:
    - cis_install_auditd | bool
    - '"auditd.service" in ansible_facts.services'
    - not cis_container_detected | default(false) | bool
  ansible.builtin.systemd:
    name: auditd
    state: started
    enabled: true