- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added
  template:
      src: audit/99_auditd.rules.j2
      dest: /etc/audit/rules.d/99_auditd.rules
      owner: root
      group: root
      mode: 0600
  register: audit_rules_updated
  notify: restart auditd

- name: POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable
  block:
      - name: POST | AUDITD | Discover if auditd immutable - will require reboot if auditd template applied
        shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
        changed_when: false
        register: auditd_immutable_check

      - name: POST | AUDITD | Set reboot required if auditd immutable
        debug:
            msg: "Reboot required for auditd to apply new rules as immutable set"
        notify: change_requires_reboot
        when:
            - auditd_immutable_check.stdout == '1'
  when:
      - audit_rules_updated.changed