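---
# Auditd Configuration Tasks (CIS 4.1.x)
#
# Installs auditd, tunes /etc/audit/auditd.conf, deploys the CIS rule set and
# makes sure the daemon is running. Every change to auditd.conf or to the rules
# file notifies the "restart auditd" handler (defined elsewhere in the role),
# because auditd only reads its configuration at daemon start.

- name: Ensure auditd is installed (CIS 4.1.1)
  ansible.builtin.apt:
    name:
      - auditd
      - audispd-plugins
    state: present

# The four auditd.conf edits below each notify the restart handler; a
# lineinfile change on its own leaves the previously loaded limits active
# until the next reboot.
- name: Configure auditd max log file size (CIS 4.1.3)
  ansible.builtin.lineinfile:
    path: /etc/audit/auditd.conf
    regexp: '^max_log_file\s*='
    line: "max_log_file = {{ auditd_max_log_file }}"
    state: present
  notify: restart auditd

- name: Configure auditd log retention (CIS 4.1.4)
  ansible.builtin.lineinfile:
    path: /etc/audit/auditd.conf
    regexp: '^max_log_file_action\s*='
    line: "max_log_file_action = keep_logs"
    state: present
  notify: restart auditd

# "email" only works if the host can deliver mail to the configured
# action_mail_acct (auditd.conf's default is root) — confirm a mailer exists
# on the target, otherwise the low-space warning is silently lost.
- name: Configure auditd space left action (CIS 4.1.5)
  ansible.builtin.lineinfile:
    path: /etc/audit/auditd.conf
    regexp: '^space_left_action\s*='
    line: "space_left_action = email"
    state: present
  notify: restart auditd

- name: Configure auditd admin space left action
  ansible.builtin.lineinfile:
    path: /etc/audit/auditd.conf
    regexp: '^admin_space_left_action\s*='
    line: "admin_space_left_action = halt"
    state: present
  notify: restart auditd

- name: Deploy CIS-compliant audit rules
  ansible.builtin.template:
    src: audit.rules.j2
    dest: /etc/audit/rules.d/cis.rules
    owner: root
    group: root
    mode: '0640'
  notify: restart auditd

# augenrules exits non-zero when the kernel rejects the rule set (a syntax
# error in cis.rules, or rules previously locked with "-e 2"). The task used
# to mask that with failed_when: false, which lets a host end up with no
# audit rules while the play reports success; fail loudly instead. Hosts
# running in immutable mode need a reboot to pick up rule changes.
- name: Load audit rules
  ansible.builtin.command: augenrules --load
  register: auditd_augenrules_load
  changed_when: false
  failed_when: auditd_augenrules_load.rc != 0

- name: Ensure auditd is started and enabled (CIS 4.1.2)
  ansible.builtin.systemd:
    name: auditd
    state: started
    enabled: true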