From 308a8d5185e63460755410248f718dabb3c803ea Mon Sep 17 00:00:00 2001
From: gaima8 <7595658+gaima8@users.noreply.github.com>
Date: Wed, 7 Jun 2023 17:35:47 +0100
Subject: [PATCH] Allow overriding modules, including max_file_size for file_integrity/system
---
 defaults/main.yml | 35 +++++++++++++++++++++++++++++++++++
 templates/auditbeat.yml.j2 | 3 +++
 vars/main.yml | 33 ---------------------------------
 3 files changed, 38 insertions(+), 33 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 97acb49..dbe42c6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -24,3 +24,38 @@ auditbeat_processors: |
 auditbeat_portage:
   package: =auditbeat-{{ auditbeat_service.version }}
   getbinpkg: no
+
+auditbeat_module:
+  auditd:
+    enabled: true
+  file_integrity:
+    enabled: true
+    paths:
+      - /bin
+      - /usr/bin
+      - /sbin
+      - /usr/sbin
+      - /etc
+  system:
+    enabled: true
+    datasets:
+      - host
+      - login
+      - package
+      - process
+      - socket
+      - user
+
+auditbeat_module_windows:
+  file_integrity:
+    enabled: true
+    paths:
+      - C:\windows
+      - C:\windows\system32
+      - C:\Program Files
+      - C:\Program Files (x86)
+  system:
+    enabled: true
+    datasets:
+      - host
+      - process
diff --git a/templates/auditbeat.yml.j2 b/templates/auditbeat.yml.j2
index 339d0b9..678e000 100644
--- a/templates/auditbeat.yml.j2
+++ b/templates/auditbeat.yml.j2
@@ -11,6 +11,7 @@ auditbeat.modules:
   - module: file_integrity
     paths:
     {{ auditbeat_module.file_integrity.paths | to_nice_yaml | trim | indent(4) }}
+    max_file_size: {{ auditbeat_module.file_integrity.max_file_size | default("100 MiB") }}
 {% endif %}
 {% if auditbeat_module.system.enabled | bool %}
   - module: system
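Review bot: The `auditbeat_module` mapping moved into defaults can only be overridden as a whole: with Ansible's default `hash_behaviour=replace`, a play that sets `auditbeat_module: {file_integrity: {max_file_size: ...}}` drops `auditd`, `system` and the `paths` list, and the template's `auditbeat_module.system.enabled | bool` then fails on an undefined key. The hunk gives no hint of this, and neither `max_file_size` nor `process.hash.max_file_size` appears among the defaults, so the keys the subject line advertises are discoverable only by reading the template. I would add, above `auditbeat_module:`, a comment such as `# Overriding this variable replaces the whole mapping; copy the full structure and change only what you need.` and list the optional tuning keys as commented entries under `file_integrity` and `system`. Since files above `max_file_size` are reported without a hash, that comment is also the place to state what the 100 MiB template default means for integrity coverage.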
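Review bot: The new `max_file_size` value is rendered as a plain scalar, so whatever a user puts in the variable is re-typed by the YAML parser when auditbeat reads the file: an empty override becomes null and a unit-less number an integer. Quoting the expansion and using the single-quoted default the neighbouring `login_*` lines already use, `max_file_size: "{{ auditbeat_module.file_integrity.max_file_size | default('100 MiB') }}"`, keeps it a string; the `process.hash.max_file_size` line in the next hunk of this file has the same shape. The enclosing `- module: file_integrity` entry starts before this hunk.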
@@ -30,6 +31,8 @@ auditbeat.modules:
     # File patterns of the login record files.
     login.wtmp_file_pattern: {{ auditbeat_module.system.login_wtmp_pattern | default('/var/log/wtmp*') }}
     login.btmp_file_pattern: {{ auditbeat_module.system.login_btmp_pattern | default('/var/log/btmp*') }}
+
+    process.hash.max_file_size: {{ auditbeat_module.system["process.hash.max_file_size"] | default("100 MiB") }}
 {% endif %}
 #==================== Elasticsearch template setting ==========================
 setup.template.enabled: {{ auditbeat_template.enabled | default(true) }}
diff --git a/vars/main.yml b/vars/main.yml
index d3472a9..920e845 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,35 +1,2 @@
 ---
 # vars file for ansible-role-auditbeat
-auditbeat_module:
-  auditd:
-    enabled: true
-  file_integrity:
-    enabled: true
-    paths:
-      - /bin
-      - /usr/bin
-      - /sbin
-      - /usr/sbin
-      - /etc
-  system:
-    enabled: true
-    datasets:
-      - host
-      - login
-      - package
-      - process
-      - socket
-      - user
-auditbeat_module_windows:
-  file_integrity:
-    enabled: true
-    paths:
-      - C:\windows
-      - C:\windows\system32
-      - C:\Program Files
-      - C:\Program Files (x86)
-  system:
-    enabled: true
-    datasets:
-      - host
-      - process
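Review bot: The override key for the system module is looked up as the literal dotted name `auditbeat_module.system["process.hash.max_file_size"]`, while the neighbouring overrides use flattened underscore names (`login_wtmp_pattern`, `login_btmp_pattern`) and the file_integrity hunk uses `max_file_size`, so a user has to guess which convention applies to which option. Renaming it to follow the existing pattern, `process.hash.max_file_size: "{{ auditbeat_module.system.process_hash_max_file_size | default('100 MiB') }}"`, also removes the need for bracket syntax in Jinja and for quoting a dotted key in the defaults file. The `{% if auditbeat_module.system.enabled | bool %}` block this line sits in starts before the hunk.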