add auditd filtering tasks/vars #207

Merged: 3 commits, Nov 27, 2023
1 change: 1 addition & 0 deletions README.md
@@ -134,6 +134,7 @@ Note: Any task with an **adhoc** prefix means that it can be used independently
- **check_splunk.yml** - Check if Splunk is installed. If Splunk is not installed, it will be installed on the host. If Splunk is already installed, the task will execute a "splunk version" command on the host, and then compare the version and build number of Splunk to the version and build number of the expected version of Splunk. Note that the expected version of Splunk does not need to be statically defined; The expected Splunk version and build are automatically extracted from the value of splunk_package_url_full or splunk_package_url_uf using Jinja regex filters. This task will work for both the Universal Forwarder and full Splunk Enterprise packages. You define which host uses what package by organizing it under the appropriate group ('full' or 'uf') in your Ansible inventory.
- **check_decrypted_secret.yml** - Check the decrypted value of a given `pass4SymmKey`. This can be called by a task to compare the desired value with the currently configured value to see if they match. This pervents unnessecary changes to be applied.
- **configure_apps.yml** - This task should be called directly from a playbook in order to deploy apps or configurations (from git repositories) to Splunk hosts. Tip: Add a this task to a playbook after the check_splunk.yml play. Doing so will perform a "install (or upgrade) and deploy apps" run, all in one playbook.
- **configure_auditd.yml** - Configure auditd filtering rules to exclude splunk launched executables. Disabled by default, but can be enabled by setting `splunk_auditd_configure` to `true`.
- **configure_authentication.yml** - Uses the template identified by the `splunk_authenticationconf` variable to install an authentication.conf file to $SPLUNK_HOME/etc/system/local/authentication.conf. We are including this task here since Ansible is able to securely deploy an authentication.conf configuration by using ansible-vault to encrypt sensitive values such as the value of the `ad_bind_password` variable. Note: If you are using a common splunk.secret file, you can omit this task and instead use configure_apps.yml to deploy an authentication.conf file from a Git repository containing an authentication.conf app with pre-hashed credentials.
- **configure_bash.yml** - Configures bashrc and bash_profile files for the splunk user. Please note that the templates included with this role will overwrite any existing files for the splunk user (if they exist). The templates will define a custom PS1 at the bash prompt, configure the $SPLUNK_HOME environment variable so that you can issue "splunk <command>" without specifying the full path to the Splunk binary, and will enable auto-completion of Splunk CLI commands in bash.
- **configure_deploymentclient.yml** - Generates a new deploymentclient.conf file from the deploymentclient.conf.j2 template and installs it to $SPLUNK_HOME/etc/system/local/deploymentclient.conf. This task is included automatically during new installations when values have been configured for the `clientName` and `splunk_uri_ds` variables.
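Review bot: the new **configure_auditd.yml** entry says the rules "exclude splunk launched executables", but the template this PR adds only installs `-a never,exit` suppressions keyed on `path=` for `splunkd` and `var/run/splunk` plus the splunk uid; processes that splunkd itself launches (scripted and modular inputs, search commands) do not match a `path=` filter on the splunkd binary. Since enabling this reduces audit coverage, the README should state precisely which records are suppressed, e.g. "installs auditd `-a never,exit` rules that drop syscall records for `$SPLUNK_HOME/bin/splunkd` and `$SPLUNK_HOME/var/run/splunk` when performed by the splunk user", and note that a reboot is needed when the audit configuration is immutable (the task file prints exactly that).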
1 change: 1 addition & 0 deletions roles/splunk/defaults/main.yml
@@ -51,6 +51,7 @@ git_project: undefined
git_version: master # Configure default version to clone, overridable inside the git_apps dictionary within host_vars
app_relative_path: # set a sub-path you want to sync within a repo. If the repo contains multiple apps in the root directory, just set this to a trailing slash.
splunk_app_deploy_path: undefined # Path under $SPLUNK_HOME/ to deploy apps to - Note that this may be set in group_vars, host_vars, playbook vars, or inside the git_apps dictionary within host_vars
splunk_auditd_configure: false # Whether or not to install auditd filtering rules for splunk launched executables
# IDXC Vars
splunk_idxc_key: mypass4symmkey
splunk_idxc_rf: 2
5 changes: 5 additions & 0 deletions roles/splunk/tasks/check_splunk.yml
@@ -15,6 +15,11 @@
- name: Configure license
include_tasks: configure_license.yml

# Configure auditd for both fresh and old installs
- name: Configure Auditd
include_tasks: configure_auditd.yml
when: splunk_auditd_configure

- name: Execute this block only if splunk is already installed
block:

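Review bot: the `Configure Auditd` include is guarded only by `splunk_auditd_configure`, not by whether auditd is present; configure_auditd.yml shells out to `auditctl` and writes under `/etc/audit/rules.d`, so on a host without the audit package (minimal images, containers) the play aborts with a generic command-not-found error. Consider a `stat` on `/etc/audit/rules.d` and an explicit `fail`/`skip` with a clear message before the include. Also, because this runs ahead of the `Execute this block only if splunk is already installed` block, please confirm that `splunk_nix_user` already exists at this point on a fresh install; the `getent` lookup in configure_auditd.yml fails on an unknown key (unless `fail_key: false` is set).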
42 changes: 42 additions & 0 deletions roles/splunk/tasks/configure_auditd.yml
@@ -0,0 +1,42 @@
---
- name: "get {{ splunk_nix_user }} user uid"
getent:
database: passwd
key: "{{ splunk_nix_user }}"

- name: auditd - set 20-splunk.rules
become: true
template:
src: 20-splunk.rules.j2
dest: /etc/audit/rules.d/20-splunk.rules
mode: 0600
owner: root
group: root
register: splunk_rule

- name: Get auditd enabled level
become: true
shell: auditctl -s | grep enabled | cut -d" " -f2
changed_when: false
check_mode: false
register: auditctl_enabled

# restart auditd if not immutable
- name: restart auditd if not immutable
become: true
service:
name: auditd
state: restarted
use: service
when:
- splunk_rule is changed
- auditctl_enabled.stdout != '2'
tags: molecule-notest

# if immutable output "auditd immutable - OS REBOOT REQUIRED"
- name: auditd immutable # noqa no-handler
debug:
msg: "auditd immutable - OS REBOOT REQUIRED"
when:
- splunk_rule is changed
- auditctl_enabled.stdout == '2'
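Review bot: the `Get auditd enabled level` task uses `shell` with a `grep | cut` pipeline; `auditctl -s` prints `enabled 2` on an immutable configuration so the parse works, but any non-zero exit (auditctl missing, insufficient privilege) fails the play before the `when` guards are evaluated. A `command: auditctl -s` with `failed_when: false` and a test such as `"'enabled 2' in auditctl_enabled.stdout"` in the two `when` clauses is more robust and avoids the shell. Two smaller points: quote `mode: '0600'` (ansible-lint flags unquoted octal modes, and an unquoted `0600` is parsed as YAML octal, which is correct today but easy to break), and the restart task could instead run `augenrules --load`, which merges and loads `rules.d` into the kernel without restarting the daemon; the existing `auditctl_enabled` guard already skips it when the ruleset is locked.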
2 changes: 2 additions & 0 deletions roles/splunk/templates/20-splunk.rules.j2
@@ -0,0 +1,2 @@
-a never,exit -F path={{ splunk_home }}/bin/splunkd -F uid={{ ansible_facts.getent_passwd[splunk_user][1] }}
-a never,exit -F path={{ splunk_home }}/var/run/splunk -F uid={{ ansible_facts.getent_passwd[splunk_user][1] }}
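Review bot: both rules index `ansible_facts.getent_passwd[splunk_user]`, while the `getent` task in configure_auditd.yml looks up `splunk_nix_user`; whenever those two variables differ the template fails to render with an undefined-key error, so use the same variable in both places (the task file suggests `splunk_nix_user`). Two auditd semantics points as well: `-F path=` matches a single file, so the second rule on `{{ splunk_home }}/var/run/splunk` only suppresses records whose object is that directory entry itself, not the pid and lock files inside it (`-F dir=` covers a subtree); and `never` rules only take effect when they precede the `always` rules they are meant to short-circuit, so the `20-` prefix is correct only as long as the distribution's other files in `rules.d` sort after it (augenrules merges them in lexical order).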