diff --git a/handbook.yml b/handbook.yml
index df9fee9..0939496 100644
--- a/handbook.yml
+++ b/handbook.yml
@@ -24,3 +24,6 @@
 - role: snort-community
 tags: [snort, ips, ids]
+
+ - role: auditd
+ tags: [auditd]
diff --git a/roles/auditd/.travis.yml b/roles/auditd/.travis.yml
new file mode 100644
index 0000000..36bbf62
--- /dev/null
+++ b/roles/auditd/.travis.yml
@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+ apt:
+ packages:
+ - python-pip
+
+install:
+ # Install ansible
+ - pip install ansible
+
+ # Check ansible version
+ - ansible --version
+
+ # Create ansible.cfg with correct roles_path
+ - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+ # Basic role syntax check
+ - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
\ No newline at end of file
diff --git a/roles/auditd/README.md b/roles/auditd/README.md
new file mode 100644
index 0000000..6d3d84e
--- /dev/null
+++ b/roles/auditd/README.md
@@ -0,0 +1,35 @@
+auditd
+=========
+
+This role install and setup auditd rules for services
+
+Requirements
+------------
+
+.
+
+Role Variables
+--------------
+
+- **auditd_enabled** (boolean): Enable or disable auditd support
+- **auditd_rules** (array): List of services to install rules
+
+Dependencies
+------------
+
+.
+
+Example Playbook
+----------------
+
+`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target" --tags auditd`
+
+License
+-------
+
+GPLv3
+
+Author Information
+------------------
+
+- [Claudio Maradonna](https://social.unitoo.it/claudio)
diff --git a/roles/auditd/defaults/main.yml b/roles/auditd/defaults/main.yml
new file mode 100644
index 0000000..e9e8b8e
--- /dev/null
+++ b/roles/auditd/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# defaults file for auditd
+
+auditd_enabled: false
+auditd_rules:
+ - docker
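Review bot: `pip install ansible` on Python 2.7 is unpinned and the only check that runs is `--syntax-check`, so this CI neither pins the Ansible version the role needs nor exercises it: the tasks use `ansible.builtin.*` FQCNs and `with_community.general.filetree`, which require Ansible 2.10+ plus the `community.general` collection, and nothing here installs that collection, while whatever pip resolves for 2.7 may predate collections entirely. Pin the toolchain on a supported Python 3, e.g. `pip install 'ansible-core==2.12.*'` followed by `ansible-galaxy collection install community.general`, and consider an actual local run with `auditd_enabled: true` so the rules are rendered at least once. An unpinned install from PyPI in CI is also a supply-chain exposure that a pinned version (ideally with `--require-hashes`) removes.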
diff --git a/roles/auditd/handlers/main.yml b/roles/auditd/handlers/main.yml
new file mode 100644
index 0000000..887de13
--- /dev/null
+++ b/roles/auditd/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for auditd
diff --git a/roles/auditd/meta/main.yml b/roles/auditd/meta/main.yml
new file mode 100644
index 0000000..c572acc
--- /dev/null
+++ b/roles/auditd/meta/main.yml
@@ -0,0 +1,52 @@
+galaxy_info:
+ author: your name
+ description: your role description
+ company: your company (optional)
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: license (GPL-2.0-or-later, MIT, etc)
+
+ min_ansible_version: 2.1
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
diff --git a/roles/auditd/tasks/install_rules.yml b/roles/auditd/tasks/install_rules.yml
new file mode 100644
index 0000000..9e373f0
--- /dev/null
+++ b/roles/auditd/tasks/install_rules.yml
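Review bot: The galaxy metadata is the untouched skeleton — `author: your name`, `description: your role description` and `license: license (GPL-2.0-or-later, MIT, etc)` — while the README declares GPLv3, so anyone consuming the role through Galaxy sees a placeholder license and no author. `min_ansible_version: 2.1` is also wrong for this role: the tasks use `ansible.builtin.` FQCNs and the `community.general.filetree` lookup, which need Ansible 2.10 or later. Set `license: GPL-3.0-only` and `min_ansible_version: '2.10'` — quoted, because an unquoted `2.10` is parsed by YAML as the float `2.1` — and fill in the author and description. Since the `auditd` package name used in tasks/main.yml is the Debian-family name, listing Debian/Ubuntu under `platforms` would document the only hosts this role currently works on.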
@@ -0,0 +1,14 @@
+- name: Install rules for {{ item }}
+ ansible.builtin.file:
+ path: '/{{ item.path }}'
+ state: directory
+ mode: '{{ item.mode }}'
+ with_community.general.filetree: '../templates/{{ item }}/'
+ when: item.state == 'directory'
+
+- name: Create and copy rules files
+ ansible.builtin.template:
+ src: '{{ item.src }}'
+ dest: '/{{ item.path }}'
+ with_community.general.filetree: '../templates/{{ item }}/'
+ when: item.state == 'file'
diff --git a/roles/auditd/tasks/main.yml b/roles/auditd/tasks/main.yml
new file mode 100644
index 0000000..7dbe918
--- /dev/null
+++ b/roles/auditd/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+# tasks file for auditd
+
+- name: Install and setup rules Auditd if enabled
+ when: 'auditd_enabled is true'
+ block:
+ - name: Install auditd
+ ansible.builtin.package:
+ name: auditd
+
+ - name: Create directory tree if not exists
+ include_tasks: install_rules.yml
+ loop: '{{ auditd_rules }}'
diff --git a/roles/auditd/templates/docker/etc/audit/rules.d/docker.rules b/roles/auditd/templates/docker/etc/audit/rules.d/docker.rules
new file mode 100644
index 0000000..80b6380
--- /dev/null
+++ b/roles/auditd/templates/docker/etc/audit/rules.d/docker.rules
@@ -0,0 +1,13 @@
+-w /etc/docker -k docker
+-w /etc/default/docker -k docker
+-w /etc/docker/daemon.json -k docker
+-w /etc/containerd/config.toml -k docker
+-w /lib/systemd/system/docker.service -k docker
+-w /lib/systemd/system/docker.socket -k docker
+-w /run/containerd -k docker
+-w /usr/bin/containerd -k docker
+-w /usr/bin/containerd-shim -k docker
+-w /usr/bin/containerd-shim-runc-v1 -k docker
+-w /usr/bin/containerd-shim-runc-v2 -k docker
+-w /usr/bin/runc -k docker
+-w /var/lib/docker -k docker
diff --git a/roles/auditd/tests/inventory b/roles/auditd/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/roles/auditd/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
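Review bot: The directory task writes `mode: '{{ item.mode }}'` onto every directory in the tree, so existing system directories such as `/etc/audit` and `/etc/audit/rules.d` get whatever mode the checkout happens to have on the control node — git does not track directory modes, so a permissive umask on the operator's machine loosens a directory the package ships as 0750 on every target. The template task, conversely, sets no `mode`, `owner` or `group`, so the rules file lands with the remote umask; audit rules are security configuration and should be written with `mode: '0640'`, `owner: root`, `group: root`, and the directory task should either drop `mode` or pin it to a fixed value rather than mirror the control node. Both tasks also loop on `item` while this file is included from a `loop` in tasks/main.yml, so `'../templates/{{ item }}/'` and the task name `Install rules for {{ item }}` depend on the lookup term being templated before the inner `item` is bound, and Ansible warns about the collision; set `loop_control: loop_var: auditd_service` on the `include_tasks` in tasks/main.yml and reference `'../templates/{{ auditd_service }}/'` here.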
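Review bot: The block installs the package and drops rule files into `/etc/audit/rules.d/` but never enables or starts the `auditd` service and never loads the new rules, and the handlers file added in this commit is empty, so a changed rules file does not trigger a reload either — on a host where auditd was not already running with these rules, nothing is audited until the next reboot. Add a service task after the package task and have the template task in install_rules.yml `notify` a handler that runs `augenrules --load`. `when: 'auditd_enabled is true'` is only satisfied by a real boolean, so a value supplied on the command line (`-e auditd_enabled=true`) arrives as a string and the whole block is skipped; `when: auditd_enabled | bool` handles both forms. The package name `auditd` is the Debian-family name — on RHEL-family hosts it is `audit` — so without an OS-specific mapping this task fails there.

```yaml
- name: Install and setup rules Auditd if enabled
  when: auditd_enabled | bool
  block:
    # … unchanged: Install auditd package task …

    - name: Ensure auditd is enabled and running
      ansible.builtin.service:
        name: auditd
        enabled: true
        state: started

    # … unchanged: include_tasks install_rules.yml loop …
```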
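Review bot: None of the watches specify `-p`, so each defaults to all of `rwxa` and every read of `/var/lib/docker` or execution of the runtime binaries is logged; on a busy container host that volume can overrun the audit backlog and, with the default failure mode, silently drop records. For tamper detection the conventional choice is `-p wa` on each line, e.g. `-w /usr/bin/runc -p wa -k docker`, which still catches a replaced binary or edited config while ignoring normal reads and executes. The list also omits the daemon binary itself: add `-w /usr/bin/dockerd -p wa -k docker` so a replaced `dockerd` is caught the same way a replaced `runc` is. `-w /etc/docker/daemon.json` is already covered by the recursive `/etc/docker` watch two lines above it — harmless, but redundant.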
diff --git a/roles/auditd/tests/test.yml b/roles/auditd/tests/test.yml
new file mode 100644
index 0000000..c3e3a38
--- /dev/null
+++ b/roles/auditd/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - auditd
diff --git a/roles/auditd/vars/main.yml b/roles/auditd/vars/main.yml
new file mode 100644
index 0000000..41520ea
--- /dev/null
+++ b/roles/auditd/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for auditd
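Review bot: The test play never sets `auditd_enabled`, and the role default in defaults/main.yml is `false`, so even if this playbook were executed rather than only syntax-checked the entire role body is skipped by the `when` in tasks/main.yml and nothing is exercised. Add `vars:` with `auditd_enabled: true` to the play, and give the `localhost` entry in tests/inventory `ansible_connection=local`, since otherwise a real run tries to SSH to localhost as root. `remote_user: root` is then unnecessary and is better replaced by `become: true`, which is what installing a package and writing under `/etc/audit` actually needs.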