Merge pull request dev-sec#192 from dev-sec/auditd_disable

add option to disable auditd
divialth · Sep 20, 2018 · 1072f41 · 1072f41
2 parents eaa8cbc + 4c0bdb8
commit 1072f41
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -16,9 +16,10 @@ It configures:
  * Shadow password suite configuration
  * Configures system path permissions
  * Disable core dumps via soft limits
- * Restrict Root Logins to System Console
+ * Restrict root Logins to System Console
  * Set SUIDs
  * Configures kernel parameters via sysctl
+ * Install and configure auditd
 
 It will not:
 
@@ -61,7 +62,8 @@ Otherwise inspec will fail. For more information, see [issue #124](https://githu
 | `ufw_ipt_sysctl` | '' | by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`
 | `ufw_default_input_policy` | DROP | set default input policy of ufw to `DROP` |
 | `ufw_default_output_policy` | ACCEPT | set default output policy of ufw to `ACCEPT` |
-| `ufw_default_forward_policy` | DROP| set default forward policy of ufw to `DROP` |
+| `ufw_default_forward_policy` | DROP | set default forward policy of ufw to `DROP` |
+| `os_auditd_enabled` | true | Set to false to disable installing and configuring auditd. |
 
 ## Packages
 
@@ -86,7 +88,7 @@ We disable the following filesystems, because they're most likely not used:
  * "hfsplus"
  * "squashfs"
  * "udf"
- * "vfat"
+ * "vfat" # only if uefi is not in use
 
 To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable.
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -247,3 +247,6 @@ os_filesystem_whitelist: []
 # Set to false to turn the role into a no-op. Useful when using
 # the Ansible role dependency mechanism.
 os_hardening_enabled: true
+
+# Set to false to disable installing and configuring auditd.
+os_auditd_enabled: true
diff --git a/tasks/hardening.yml b/tasks/hardening.yml
@@ -15,6 +15,7 @@
 
 - import_tasks: auditd.yml
   tags: auditd
+  when: os_auditd_enabled
 
 - import_tasks: limits.yml
   tags: limits

diff --git a/tasks/profile.yml b/tasks/profile.yml
@@ -7,7 +7,7 @@
     group: 'root'
     mode: '0750'
   when: not os_security_kernel_enable_core_dump
-  
+
 - name: remove pinerolo_profile.sh from profile.d
   file:
     path: /etc/profile.d/pinerolo_profile.sh

diff --git a/tests/test.yml b/tests/test.yml
@@ -62,6 +62,8 @@
 
 - name: wrapper playbook for kitchen testing "ansible-os-hardening"
   hosts: localhost
+  vars:
+    - os_auditd_enabled: false
   pre_tasks:
     - name: Run the equivalent of "apt-get update" as a separate step
       apt: