Allow overriding modules, including max_file_size for file_integrity/…

…system
j91321 · Jun 7, 2023 · f9ed023 · f9ed023
1 parent 760e0fa
commit f9ed023
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 33 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -23,3 +23,38 @@ auditbeat_processors: |
 
 auditbeat_portage:
   package: =auditbeat-{{ auditbeat_service.version }}
+
+auditbeat_module:
+  auditd:
+    enabled: true
+  file_integrity:
+    enabled: true
+    paths:
+      - /bin
+      - /usr/bin
+      - /sbin
+      - /usr/sbin
+      - /etc
+  system:
+    enabled: true
+    datasets:
+      - host
+      - login
+      - package
+      - process
+      - socket
+      - user
+
+auditbeat_module_windows:
+  file_integrity:
+    enabled: true
+    paths:
+      - C:\windows
+      - C:\windows\system32
+      - C:\Program Files
+      - C:\Program Files (x86)
+  system:
+    enabled: true
+    datasets:
+      - host
+      - process
diff --git a/templates/auditbeat.yml.j2 b/templates/auditbeat.yml.j2
@@ -11,6 +11,7 @@ auditbeat.modules:
 - module: file_integrity
   paths:
     {{ auditbeat_module.file_integrity.paths | to_nice_yaml | trim | indent(4) }}
+  max_file_size: {{ auditbeat_module.file_integrity.max_file_size | default("100 MiB") }}
 {% endif %}
 {% if auditbeat_module.system.enabled | bool %}
 - module: system
@@ -30,6 +31,8 @@ auditbeat.modules:
   # File patterns of the login record files.
   login.wtmp_file_pattern: {{ auditbeat_module.system.login_wtmp_pattern | default('/var/log/wtmp*') }}
   login.btmp_file_pattern: {{ auditbeat_module.system.login_btmp_pattern | default('/var/log/btmp*') }}
+
+  process.hash.max_file_size: {{ auditbeat_module.system["process.hash.max_file_size"] | default("100 MiB") }}
 {% endif %}
 #==================== Elasticsearch template setting ==========================
 setup.template.enabled: {{ auditbeat_template.enabled | default(true) }}

diff --git a/vars/main.yml b/vars/main.yml
@@ -1,35 +1,2 @@
 ---
 # vars file for ansible-role-auditbeat
-auditbeat_module:
-  auditd:
-    enabled: true
-  file_integrity:
-    enabled: true
-    paths:
-      - /bin
-      - /usr/bin
-      - /sbin
-      - /usr/sbin
-      - /etc
-  system:
-    enabled: true
-    datasets:
-      - host
-      - login
-      - package
-      - process
-      - socket
-      - user
-auditbeat_module_windows:
-  file_integrity:
-    enabled: true
-    paths:
-      - C:\windows
-      - C:\windows\system32
-      - C:\Program Files
-      - C:\Program Files (x86)
-  system:
-    enabled: true
-    datasets:
-      - host
-      - process