Puppet Class: auditd::config::audisp::syslog

Defined in:
manifests/config/audisp/syslog.pp

Summary

Utilizes rsyslog to send all audit records to syslog.

Overview

This capability is most useful for forwarding audit records to remote servers as syslog messages, since these records are already persisted locally in audit logs. For most sites, however, using this capability for all audit records can quickly overwhelm host and/or network resources, especially if the messages are forwarded to multiple remote syslog servers or (inadvertently) persisted locally. Site-specific rsyslog actions that implement filtering will likely be required to reduce this message traffic.

If you are using simp_rsyslog, it sets up, by default, an rsyslog rule that drops the audispd messages so they are not written locally, preventing duplicate logging of audit events on the local system. See simp_rsyslog::local for more information.

It is also recommended that you ensure any forwarded audit messages are encrypted using the stunnel module, given the sensitivity of the information carried by these messages.

Parameters:

  • rsyslog (Boolean) (defaults to: simplib::lookup('simp_options::syslog', { 'default_value' => false }))

    (deprecated) If set, enable the SIMP `rsyslog` module and set up the appropriate rules for the `auditd` services.

  • drop_audit_logs (Boolean) (defaults to: true)

    (deprecated) When set to false, auditd records will be forwarded to remote servers and/or written to local syslog files, as directed by the site rsyslog configuration. This setting is no longer needed: to disable or enable sending audit records to syslog, set the `enable` parameter of this class to false or true as appropriate. It is left here for backwards compatibility but will be removed in the next major release.

  • enable (Boolean) (defaults to: true)

    Enable or disable sending audit messages to syslog.

  • priority (Auditd::LogPriority) (defaults to: 'LOG_INFO')

    The syslog priority for all audit record messages. This value is used in the /etc/audisp/plugins.d/syslog.conf file.

  • facility (Auditd::LogFacility) (defaults to: 'LOG_LOCAL5')

    The syslog facility for all audit record messages. This value is used in the /etc/audisp/plugins.d/syslog.conf file. For the older auditd versions used by CentOS6 and CentOS7, this must be an empty string, LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6, or LOG_LOCAL7. An empty string results in LOG_USER and is the ONLY mechanism to specify that facility. No other facilities are allowed.

  • syslog_path (String)

    The path to the syslog plugin executable.

  • type (String)

    The type of auditd plugin.

  • pkg_name (Optional[String]) (defaults to: undef)

    The name of the plugin package to install. Only needed for auditd version 3 and later.

  • package_ensure (String) (defaults to: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }))

    The default ensure parameter for packages.

# File 'manifests/config/audisp/syslog.pp', line 67

class auditd::config::audisp::syslog (
  Boolean                         $enable          = true,
  Boolean                         $drop_audit_logs = true, #deprecated see @param
  Auditd::LogPriority             $priority        = 'LOG_INFO',
  Auditd::LogFacility             $facility        = 'LOG_LOCAL5',
  Optional[String]                $pkg_name        = undef,
  String                          $syslog_path,    # data in module
  String                          $type,           # data in module
  Boolean                         $rsyslog         = simplib::lookup('simp_options::syslog', { 'default_value' => false }),   #deprecated see @param
  String                          $package_ensure  = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }),
) {
  if versioncmp($facts['auditd_version'], '3.0') >= 0 and $enable {
    package { $pkg_name :
      ensure => $package_ensure,
    }
  }

  file { "${auditd::plugin_dir}/syslog.conf":
    mode    => $auditd::config::config_file_mode,
    owner   => 'root',
    content => epp("${module_name}/plugins/syslog_conf", {
        enable => $enable,
        path   => $syslog_path,
        type   => $type,
        args   => "${priority} ${facility}"
    }),
  }
  #
  #  The below section is here for backwards compatibility. It will be removed
  #  in the next major release of this module.
  #  To disable logging audit events to syslog you should set:
  #    auditd::syslog to true (to enable management of the syslog plugin),
  #    auditd::config::audisp::syslog::enable to false (to make sure the plugin
  #      is not active), and
  #    auditd::config::audisp::syslog::rsyslog to false (so it does not install
  #      unnecessary rsyslog rules).
  #
  if $rsyslog {
    simplib::assert_optional_dependency($module_name, 'simp/rsyslog')

    include 'rsyslog'

    if $drop_audit_logs {
      # This will prevent audit records from being forwarded to remote
      # servers and/or written to local syslog files, but you still have
      # access to the records in the local audit log files.
      rsyslog::rule::drop { 'audispd':
        rule   => '$programname == \'audispd\'',
      }
    }
  }
  # End of deprecated section.
}
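As an added example (not part of the auditd module or SIMP), a small Python validator for the plugin file the class renders into `${auditd::plugin_dir}/syslog.conf`: it parses the file, splits the `args` value the class builds as `"${priority} ${facility}"`, and applies the facility rule given for the `facility` parameter above (an empty string means LOG_USER; otherwise only LOG_LOCAL0 through LOG_LOCAL7 on the older auditd). The key names active/direction/path/type/format follow the standard audisp plugin file layout, the priority list is the standard syslog set assumed to match Auditd::LogPriority, and the sample file is constructed.

```python
# Facilities the older auditd (CentOS 6/7) accepts besides '' (= LOG_USER).
OLD_AUDITD_FACILITIES = {f"LOG_LOCAL{i}" for i in range(8)}
# Standard syslog priority names (assumed to match Auditd::LogPriority).
PRIORITIES = {"LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"}

# Constructed sample of what the class renders for its default parameters.
SAMPLE_CONF = """\
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL5
format = string
"""

def parse_plugin_conf(text):
    """Parse the 'key = value' lines of an audisp plugin file into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        conf[key.strip()] = value.strip()
    return conf

def split_args(args, old_auditd=True):
    """Split 'args' ("<priority> <facility>") and validate the facility."""
    parts = args.split()
    if not parts or parts[0] not in PRIORITIES:
        raise ValueError(f"bad or missing priority in args: {args!r}")
    if len(parts) > 2:
        raise ValueError(f"too many args: {args!r}")
    # No facility token (the empty-string case) selects LOG_USER.
    facility = parts[1] if len(parts) == 2 else "LOG_USER"
    # The older auditd accepts only LOG_LOCAL0..7 besides that.
    if old_auditd and len(parts) == 2 and facility not in OLD_AUDITD_FACILITIES:
        raise ValueError(f"facility {facility} is not allowed on auditd < 3")
    return parts[0], facility

def check_syslog_plugin(text, old_auditd=True):
    """Return the effective plugin state: active flag, priority and facility."""
    conf = parse_plugin_conf(text)
    priority, facility = split_args(conf.get("args", ""), old_auditd)
    return {"active": conf.get("active") == "yes",
            "priority": priority, "facility": facility}
```

Run `check_syslog_plugin(open("/etc/audisp/plugins.d/syslog.conf").read())` on a managed host to confirm the plugin is active and that the facility the catalog requested is one the installed auditd will honour.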