
Create auditd rules

Open m41kc0d3 opened this issue 2 years ago • 3 comments

See Telekom 2021.07-01 SoC 3.65 Req32-37, Public Telekom Security - Requirements.

m41kc0d3 avatar Jul 23 '21 07:07 m41kc0d3

As discussed with @rndmh3ro in #367 we would be interested in managing auditd rules in os_hardening as well.

Question: there are a lot of default rules here already, and people might add more. Since order matters, would it make sense to structure these into the semi-conventional ordered files (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-defining_audit_rules_and_controls#bh-augenrules)? But perhaps that's overkill.

I've looked at an existing role and like how it handles this: https://github.com/juju4/ansible-auditd/. For example I like how it also deletes unmanaged rules files, which IMO helps with idempotency as well and prevents users manually trying to manage it.

Either way, in case you are no longer working on this @m41kc0d3 I'd be happy to take a look at this as well.

nejch avatar Feb 16 '23 06:02 nejch
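The approach sketched in the comment above (ordered rule files under `/etc/audit/rules.d` plus removal of any file the role did not create) can be expressed as a small playbook. This is an added example, not code from the dev-sec collection or from the juju4 role; the variable name `auditd_rule_files`, the file names and the rule lines in it are assumptions chosen for illustration.

```yaml
# Added example (not part of ansible-collection-hardening): manage auditd rules
# as ordered files in /etc/audit/rules.d and purge any file not declared here.
# augenrules concatenates *.rules files in lexical order, so the numeric prefix
# of each key decides load order (-D first, -e 2 last).
- name: Manage auditd rules in ordered rules.d files
  hosts: all
  become: true
  vars:
    # Assumed variable layout: file basename -> list of audit rule lines.
    auditd_rule_files:
      10-base-config:
        - "-D"          # flush existing rules before loading ours
        - "-b 8192"     # kernel backlog buffer
        - "-f 1"        # print a failure message instead of panicking
      30-identity:
        - "-w /etc/passwd -p wa -k identity"
        - "-w /etc/group -p wa -k identity"
        - "-w /etc/shadow -p wa -k identity"
      99-finalize:
        - "-e 2"        # lock the configuration until the next reboot
  tasks:
    - name: Write each managed rules file
      ansible.builtin.copy:
        dest: "/etc/audit/rules.d/{{ item.key }}.rules"
        content: |
          {{ item.value | join('\n') }}
        owner: root
        group: root
        mode: "0640"
      loop: "{{ auditd_rule_files | dict2items }}"
      notify: Reload auditd rules

    - name: Collect every rules file currently present
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        patterns: "*.rules"
      register: existing_rules

    - name: Remove rules files that this play does not manage
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: absent
      loop: "{{ existing_rules.files }}"
      loop_control:
        label: "{{ item.path }}"
      when: (item.path | basename | splitext | first) not in auditd_rule_files
      notify: Reload auditd rules

  handlers:
    - name: Reload auditd rules
      ansible.builtin.command: augenrules --load
```

Deleting unmanaged files is what makes the play idempotent in practice: a second run reports no change unless someone dropped a file into `rules.d` by hand. One caveat to keep in mind with the `-e 2` line in the last file: once the kernel audit configuration is locked, `augenrules --load` cannot replace the rules until the host reboots, so rule changes on a locked host still need a reboot to take effect.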

Do you think this is still relevant after https://github.com/dev-sec/ansible-collection-hardening/pull/685, @rndmh3ro? In a way it'd be nice to have some hardening defaults for auditd as well, but not sure if these are a bit opinionated towards a company's internal guidelines.

nejch avatar Aug 18 '23 09:08 nejch

Good question, @nejch. I think you're right. Additionally, merely adding audit rules (and not acting upon them) provides no additional security. It's basically the same as here: merely having rsyslog installed does not provide any additional security, and the same goes for the audit rules.

What do you think, @m41kc0d3 and @schurzi ?

rndmh3ro avatar Aug 24 '23 10:08 rndmh3ro