chore: add auditship configuration, installation, and logrotate tasks

leucos · leucos · commit a1a5459b3909 · 2025-07-31T22:43:22.000+02:00
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart auditd
+  ansible.builtin.service:
+    name: auditd
+    state: restarted
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
@@ -45,6 +45,28 @@
       register: logrotate_config
       failed_when: not logrotate_config.stat.exists
 
+    - name: Check auditship main configuration exists
+      ansible.builtin.stat:
+        path: /etc/auditship.conf
+      register: auditship_main_config
+      failed_when: not auditship_main_config.stat.exists
+
+    - name: Verify auditship main configuration content
+      ansible.builtin.slurp:
+        src: /etc/auditship.conf
+      register: main_config_content
+
+    - name: Validate main configuration contains expected values
+      ansible.builtin.assert:
+        that:
+          - "'tag: auditd' in main_config_decoded"
+          - "'outputs:' in main_config_decoded"
+          - "'fluent://localhost:24224' in main_config_decoded"
+          - "'/var/log/auditship.json' in main_config_decoded"
+        fail_msg: "Auditship main configuration is missing required values"
+      vars:
+        main_config_decoded: "{{ main_config_content.content | b64decode }}"
+
     - name: Test auditship binary can run (version check)
       ansible.builtin.command: /usr/local/bin/auditship -version
       register: version_output
diff --git a/tasks/configure.yml b/tasks/configure.yml
@@ -0,0 +1,29 @@
+- name: Add auditd plugin config
+  ansible.builtin.template:
+    # https://gitlab.com/devopsworks/tools/auditship/-/raw/master/auditship.plugin.conf?ref_type=heads
+    src: auditship.plugin.conf.j2
+    dest: /etc/audit/plugins.d/auditship.conf
+    owner: root
+    group: root
+    mode: '0640'
+  notify: 
+    - Restart auditd
+
+- name: Add auditship plugin config
+  ansible.builtin.template:
+    # https://gitlab.com/devopsworks/tools/auditship/-/raw/master/auditship.plugin.conf?ref_type=heads
+    src: auditship.conf.j2
+    dest: /etc/auditship.conf
+    owner: root
+    group: root
+    mode: '0640'
+  notify: 
+    - Restart auditd
+
+- name: Add logrotate config
+  ansible.builtin.get_url:
+    url: https://gitlab.com/devopsworks/tools/auditship/-/raw/master/auditship.logrotate.conf?ref_type=heads
+    dest: /etc/logrotate.d/auditship
+    owner: root
+    group: root
+    mode: '0644'
diff --git a/tasks/install.yml b/tasks/install.yml
@@ -17,24 +17,17 @@
       https://gitlab.com/api/v4/projects/71363433/packages/generic/auditship/{{ __auditship_latest_num_version }}/auditship-linux-amd64-{{ __auditship_latest_version }}.gz
     dest: /tmp/auditship.gz
     mode: '0644'
+  notify: 
+    - Restart auditd
 
 - name: Fetch & unarchive auditship
   # can not use unarchive, does not support gz
   ansible.builtin.shell: gunzip -cd /tmp/auditship.gz > /usr/local/bin/auditship && chmod 755 /usr/local/bin/auditship
   changed_when: true
 
-- name: Add auditd plugin config
+- name: Install logrotate template for auditship
   ansible.builtin.template:
-    # https://gitlab.com/devopsworks/tools/auditship/-/raw/master/auditship.plugin.conf?ref_type=heads
-    src: auditship.plugin.conf.j2
-    dest: /etc/audit/plugins.d/auditship.conf
-    owner: root
-    group: root
-    mode: '0640'
-
-- name: Add logrotate config
-  ansible.builtin.get_url:
-    url: https://gitlab.com/devopsworks/tools/auditship/-/raw/master/auditship.logrotate.conf?ref_type=heads
+    src: auditship.logrotate.j2
     dest: /etc/logrotate.d/auditship
     owner: root
     group: root
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -7,10 +7,19 @@
 
 - name: Include auditship installation tasks
   ansible.builtin.include_tasks:
-    file: auditship.yml
+    file: install.yml
     apply:
       tags:
         - auditship
   when: __auditship is defined and (not __auditship.stat.exists or auditship_force_install)
   tags:
     - always
+
+- name: Configure auditship
+  ansible.builtin.include_tasks:
+    file: configure.yml
+    apply:
+      tags:
+        - auditship
+  tags:
+    - always
diff --git a/templates/auditship.conf.j2 b/templates/auditship.conf.j2
@@ -0,0 +1,5 @@
+tag: auditd
+outputs:
+  - "-"
+  - "/var/log/auditship.json"
+  - "fluent://localhost:24224"
diff --git a/templates/auditship.logrotate.j2 b/templates/auditship.logrotate.j2
@@ -0,0 +1,11 @@
+# when used with file output, we have to rotate the log file
+/var/log/auditship.json {
+  daily
+  dateext
+  dateyesterday
+  missingok
+  rotate 5
+  compress
+  copytruncate
+  create 0640 root root
+}
diff --git a/templates/auditship.plugin.conf.j2 b/templates/auditship.plugin.conf.j2
@@ -2,7 +2,8 @@ active = yes
 direction = out
 path = /usr/local/bin/auditship
 # use one of the following lines to set the output
-args = -out {{ auditship_fluent_url | default("fluent://127.0.0.1:24224") }}
+# args = -out {{ auditship_fluent_url | default("fluent://127.0.0.1:24224") }}
 # args = -out /var/log/auditship.json
+args = -config /etc/auditship.conf
 type = always
 format = string
