os_hardening: disable systemd audit logging

Christoph Sieber · Christoph Sieber · commit 4ed7941642ad · 2025-10-27T13:49:30.000+01:00
disable audit logging via systemd-journald when enabling auditd
as this leads to duplicate logs in the journal or even /var/log/messages
depending on the configuration

Signed-off-by: Christoph Sieber &lt;Christoph.Sieber@telekom.de&gt;
diff --git a/roles/os_hardening/handlers/main.yml b/roles/os_hardening/handlers/main.yml
@@ -27,3 +27,8 @@
     path: "{{ item }}"
     state: remounted
   loop: "{{ mountpoints_changed }}"
+
+- name: Restart journald
+  ansible.builtin.systemd:
+    name: systemd-journald.service
+    state: restarted
diff --git a/roles/os_hardening/tasks/auditd.yml b/roles/os_hardening/tasks/auditd.yml
@@ -16,3 +16,13 @@
     - Restart auditd via service
     - Restart auditd via systemd
   tags: auditd
+
+- name: Disable systemd-journald.audit
+  ansible.builtin.systemd:
+    name: systemd-journald-audit.socket
+    state: stopped
+    enabled: false
+    masked: true
+  notify:
+    - Restart journald
+  tags: auditd
