Fixes #5

README.md

@@ -21,6 +21,8 @@ Variables related to this role are listed below:
 # docker_daemon_config:
 #   experimental: true
 docker_daemon_config:
+# Enable auditing of Docker related files and directories
+docker_enable_audit: false
 # Enable Docker CE Edge
 docker_enable_ce_edge: false
 # Setup Docker to devicemapper as storage driver. Require space to be available on LVM partition for new logical partition.
@@ -36,11 +38,32 @@ None.
 
 ## Example Playbook
 
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+Following sub sections show different kind of examples to illustrate what this role supports.
+
+### Simplest
+
+    - hosts: localhost
+      roles:
+         - role: haxorof.docker-ce
+
+### On the road to CIS security compliant Docker engine installation
+
+This minimal example below show what kind of role configuration that is required to pass the [Docker bench](https://github.com/docker/docker-bench-security) checks.
+However this configuration setup devicemapper in a certain way which will create logical volumes for the containers. Simplest is to have at least 3 GB of free space available in the partition.
 
     - hosts: localhost
       roles:
          - role: haxorof.docker-ce
+           docker_enable_audit: true
+           docker_setup_devicemapper: true
+           docker_daemon_config:
+             icc: false
+             init: true
+             userns-remap: default
+             disable-legacy-registry: true
+             live-restore: true
+             userland-proxy: false
+             log-driver: journald
 
 ## License
 

defaults/main.yml

@@ -6,6 +6,8 @@
 # docker_daemon_config:
 #   experimental: true
 docker_daemon_config:
+# Enable auditing of Docker related files and directories
+docker_enable_audit: false
 # Enable Docker CE Edge
 docker_enable_ce_edge: false
 # Setup Docker to devicemapper as storage driver. Require space to be available on LVM partition for new logical partition.

files/etc/audit/rules.d/docker.rules

@@ -0,0 +1,11 @@
+-w /usr/bin/docker -k docker
+-w /var/lib/docker -k docker
+-w /etc/docker -k docker
+-w /usr/lib/systemd/system/docker.service -k docker
+-w /usr/lib/systemd/system/docker.socket -k docker
+-w /etc/default/docker -k docker
+-w /var/run/docker.sock -k docker
+-w /var/run/docker/libcontainerd/docker-containerd.sock -k docker
+-w /etc/docker/daemon.json -k docker
+-w /usr/bin/docker-containerd -k docker
+-w /usr/bin/docker-runc -k docker

handlers/main.yml

@@ -5,4 +5,11 @@
   service:
     name: docker
     state: restarted
-  become: true
+  become: true
+
+# Workaround because systemd cannot be used: https://github.com/ansible/ansible/issues/22171
+- name: restart auditd
+  shell: service auditd restart
+  args:
+    warn: false
+  become: true

tasks/main-Fedora.yml

@@ -11,6 +11,8 @@
 
 - name: Determine Docker CE Edge repo status
   shell: dnf config-manager --dump docker-ce-edge | grep enabled
+  args:
+    warn: false
   ignore_errors: yes
   changed_when: false
   register: cmd_docker_ce_edge_enabled

tasks/main-Generic.yml

@@ -1,6 +1,22 @@
 ---
 # tasks file for ansible-role-docker-ce
 
+- name: Copy Docker audit rules
+  copy:
+    src: files/etc/audit/rules.d/docker.rules
+    dest: /etc/audit/rules.d/docker.rules
+  become: yes
+  notify: restart auditd
+  when: docker_enable_audit == true
+
+- name: Ensure Docker audit rules are removed
+  file:
+    path: /etc/audit/rules.d/docker.rules
+    state: absent
+  become: yes
+  notify: restart auditd
+  when: docker_enable_audit == false
+
 - name: Determine Docker version
   command: bash -c "docker version | grep Version | awk '{print $2}'"
   ignore_errors: yes