In my playbook, i have a task to update audit.rules and then notify a
handler which should restart the auditd service.
task:
- name: 6.6.7 - audit rules configuration
template: src=X/ansible/templates/auditd_rules.j2
dest=/etc/audit/rules.d/audit.rules
backup=yes
owner=root group=root mode=0640
notify:
- restart auditd
handlers:
- name: restart auditd
service: name=auditd state=restarted
When the playbook runs, the audit rules are updated and a request is made
to restart auditd but this fails as below.
RUNNING HANDLER [restart auditd] ***
fatal: [ipX-southeast-2.compute.internal]: FAILED! => {"changed": false,
"failed": true, "msg": "Unable to restart service auditd: Failed to restart
auditd.service: Operation refused, unit auditd.service may be requested by
dependency only.\n"}
When i look at the unit definition for auditd, i can see
refuseManualStop=yes. Is this why i cant restart the service? how does one
over come this to pickup the new audit rules?
Is this more of a Centos/RHEL issue?
sudo systemctl restart auditd.service
Failed to restart auditd.service: Operation refused, unit auditd.service
may be requested by dependency only.
See system logs and 'systemctl status auditd.service' for details.
systemctl cat auditd.service
# /usr/lib/systemd/system/auditd.service
[Unit]
Description=Security Auditing Service
DefaultDependencies=no
After=local-fs.target systemd-tmpfiles-setup.service
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
RefuseManualStop=yes
ConditionKernelCommandLine=!audit=0
Documentation=man:auditd(8) https://people.redhat.com/sgrubb/audit/
[Service]
ExecStart=/sbin/auditd -n
## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
## and comment/delete the next line and uncomment the auditctl line.
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
ExecStartPost=-/sbin/augenrules --load
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
ExecReload=/bin/kill -HUP $MAINPID
# By default we don't clear the rules on exit. To enable this, uncomment
# the next line after copying the file to /etc/systemd/system/auditd.service
#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
[Install]
WantedBy=multi-user.target
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/0d2edb08-99fa-46f7-b846-fa31f442880f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
