Puppet Class: auditd::config

Defined in:
manifests/config.pp

Summary

This class is called from auditd for service config.

Overview

**NOTE: THIS IS A [PRIVATE](https://github.com/puppetlabs/puppetlabs-stdlib#assert_private) CLASS** — it is declared only by the `auditd` class and calls `assert_private()`, so declaring it directly from another manifest fails at catalog compile time.



# File 'manifests/config.pp', line 7

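class auditd::config {
  assert_private()

  # Resolve the list of default audit profiles.  The Boolean
  # `default_audit_profile` is the deprecated spelling: true selects the
  # historical 'simp' profile, false selects none.  Otherwise the list form
  # `default_audit_profiles` is used as given.
  #
  # NOTE: `$profiles` is deliberately class-scope — it is presumably read as
  # `$auditd::config::profiles` by `auditd::config::audit_profiles`, which is
  # contained at the bottom of this class, so the variable name must not change.
  if $auditd::default_audit_profile != undef {
    deprecation('auditd::default_audit_profile',
      "'auditd::default_audit_profile' is deprecated. Use 'auditd::default_audit_profiles' instead")
    if $auditd::default_audit_profile {
      $profiles = [ 'simp' ]
    } else {
      $profiles = []
    }
  } else {
    $profiles = $auditd::default_audit_profiles
  }

  # When no dedicated log group is configured (`log_group == 'root'`) there is
  # nobody to grant group access to, so configuration becomes owner-only and
  # the logs drop group read as well.  For any other group the configuration
  # is group-readable (0640) and the logs are group-readable but never
  # group-writable; `other` is always denied.  Puppet sets the search (x) bit
  # on directories wherever a read bit is set, so these numeric modes yield
  # 0700/0750 on the directories below.
  $config_file_mode = $auditd::log_group ? {
    'root'  => '0600',
    default => '0640'
  }

  $log_file_mode = $auditd::log_group ? {
    'root'  => 'u+rX,g-rwx,o-rwx',
    default => 'u+rX,g+rX,g-w,o-rwx'
  }

  # `recurse => true` together with `purge => true` removes anything under
  # /etc/audit that is not represented by a file resource in the catalog, so
  # hand-dropped or stray configuration does not survive an agent run.  The
  # explicitly declared children below (rules.d, audit.rules*, auditd.conf,
  # plugin_dir) take precedence over the auto-generated recursive children.
  file { '/etc/audit':
    ensure  => 'directory',
    owner   => 'root',
    group   => $auditd::log_group,
    mode    => $config_file_mode,
    recurse => true,
    purge   => true
  }

  # Rule fragments: purging of unmanaged rule files is opt-in via
  # `purge_auditd_rules`, unlike the parent directory above.
  file { '/etc/audit/rules.d':
    ensure  => 'directory',
    owner   => 'root',
    group   => $auditd::log_group,
    mode    => $config_file_mode,
    recurse => true,
    purge   => $auditd::purge_auditd_rules
  }

  # No `ensure` here: the compiled rule files are not created by Puppet
  # (presumably generated by auditd's own tooling); if present they are only
  # re-owned and stripped of world access.
  file { [
    '/etc/audit/audit.rules',
    '/etc/audit/audit.rules.prev'
  ]:
    owner => 'root',
    group => $auditd::log_group,
    mode  => 'o-rwx'
  }

  # Build the auditd.conf from parts: a common prefix, a version-specific
  # middle section (the auditd 2.x and 3.x option sets differ), and a common
  # suffix.
  $_auditd_conf_common = epp("${module_name}/etc/audit/auditd.conf.epp")

  if $facts['auditd_version'] {
    if (versioncmp($facts['auditd_version'], '3.0') < 0) {
      $_auditd_conf_main = epp("${module_name}/etc/audit/auditd.2.conf.epp")
    } else  {
      $_auditd_conf_main = epp("${module_name}/etc/audit/auditd.3.conf.epp")
    }
  } else {
    # The auditd_version fact is absent (e.g. auditd not yet installed when
    # facts were gathered), so fall back to a 'best guess' from the OS major
    # version: releases before 8 get the auditd 2.x layout.
    #
    # versioncmp() is used instead of `<` on purpose: Puppet compares two
    # Strings lexicographically, so a two-digit major such as '10' would sort
    # before '8' and wrongly select the auditd 2.x template.
    $_auditd_conf_main = versioncmp($facts['os']['release']['major'], '8') < 0 ? {
      true    => epp("${module_name}/etc/audit/auditd.2.conf.epp"),
      default => epp("${module_name}/etc/audit/auditd.3.conf.epp")
    }
  }

  $_auditd_conf_last = epp("${module_name}/etc/audit/auditd.last.conf.epp")

  # Any change to the daemon configuration restarts/reloads via the service
  # class so the running auditd matches what is on disk.
  file { '/etc/audit/auditd.conf':
    owner   => 'root',
    group   => $auditd::log_group,
    mode    => $config_file_mode,
    content => "${_auditd_conf_common}${_auditd_conf_main}${_auditd_conf_last}\n",
    notify  => Class['auditd::service']
  }

  # Plugin directory is only managed when the main class exposes a path for
  # it (it differs between auditd 2.x and 3.x); kept root-owned with no
  # world access since plugins are executed by the daemon.
  if defined('$auditd::plugin_dir') {
    file { $auditd::plugin_dir:
      ensure => 'directory',
      owner  => 'root',
      group  => $auditd::log_group,
      mode   => '0750'
    }
  }

  # The log directory and every existing log file under it are re-permissioned
  # on each run (recurse, no purge).  NOTE(review): on hosts that retain many
  # rotated logs this recursion adds noticeable agent run time — confirm it is
  # wanted rather than directory-only management.
  file { '/var/log/audit':
    ensure  => 'directory',
    owner   => 'root',
    group   => $auditd::log_group,
    mode    => $log_file_mode,
    recurse => true
  }

  # Optional syslog forwarding configuration; its changes must also reach the
  # service, hence the explicit notify relationship.
  if $auditd::syslog {
    include 'auditd::config::logging'
    Class['auditd::config::logging'] ~> Class['auditd::service']
  }

  unless empty($profiles) {
    # use contain instead of include so that config file changes can
    # notify auditd::service class
    contain 'auditd::config::audit_profiles'
  }
}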