# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

# Inserts/replaces the rule in /etc/audit/rules.d

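# Look for an existing rule covering %PATH% in any *.rules file, so the rule
# is written into the file that already covers this path rather than a new one.
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    # only the top-level directory is scanned
    recurse: false
    # %PATH% is substituted verbatim into the regex; metacharacters in it are not escaped
    contains: "^.*path=%PATH%.*$"
    patterns: "*.rules"
  register: find_%NAME%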

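# No existing rule for %PATH% was found: fall back to the shared privileged.rules file.
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_%NAME%.matched == 0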

# At least one rules.d file already mentions %PATH%: reuse the first match
# so the rule is updated in place instead of being duplicated elsewhere.
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - >-
        {{ find_%NAME%.files | map(attribute='path') | list | first }}
  when: find_%NAME%.matched > 0

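# Write the rule into the selected rules.d file. Matching on the path lets an
# existing rule for %PATH% that differs from the desired line be replaced
# instead of a second rule being appended after it.
- name: Inserts/replaces the %NAME% rule in rules.d
  lineinfile:
    path: "{{ all_files[0] }}"
    # %PATH% is substituted verbatim into the regex; metacharacters in it are not escaped
    regexp: '^-a .*-F path=%PATH%(\s.*)?$'
    # auid>=1000 limits the rule to regular users; auid!=4294967295 skips an unset login UID (-1)
    line: '-a always,exit -F path=%PATH% -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged'
    # NOTE(review): no mode is pinned, so a newly created file gets the umask default — confirm acceptable
    create: true
  tags:
    @ANSIBLE_TAGS@
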
# Inserts/replaces the %NAME% rule in /etc/audit/audit.rules

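# Also write the rule to the flat audit.rules file so it is present whether the
# system loads that file directly or assembles it from rules.d. Matching on the
# path replaces a differing existing rule for %PATH% rather than duplicating it.
- name: Inserts/replaces the %NAME% rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    # %PATH% is substituted verbatim into the regex; metacharacters in it are not escaped
    regexp: '^-a .*-F path=%PATH%(\s.*)?$'
    # auid>=1000 limits the rule to regular users; auid!=4294967295 skips an unset login UID (-1)
    line: '-a always,exit -F path=%PATH% -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged'
    # NOTE(review): no mode is pinned, so a newly created file gets the umask default — confirm acceptable
    create: true
  tags:
    @ANSIBLE_TAGS@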
