Puppet Class: security_baseline::auditd_suid_rules_cron

Defined in:
manifests/auditd_suid_rules_cron.pp

Summary

Create a cron job to search binaries with s-bit

Overview

Create a fact with all auditd rules needed to monitor the usage of s-bit programs.

Examples:

include security_baseline::auditd_suid_rules_cron

Parameters:

  • include (Array) (defaults to: [])

    Directories to include in the search. Cannot be set together with parameter exclude.

  • exclude (Array) (defaults to: [])

    Directories to exclude from the search. Cannot be set together with parameter include.

  • auditd_rules_fact_file (String) (defaults to: '/tmp/auditd.facts.yaml')

    File to write the auditd rules facts into.

  • suid_fact_file (String) (defaults to: '/tmp/suid_programs.yaml')

    File to write the suid program facts into.

  • sgid_fact_file (String) (defaults to: '/tmp/sgid_progras.yaml')

    File to write the sgid program facts into.



# File 'manifests/auditd_suid_rules_cron.pp', line 23

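# @summary Create a cron job to search binaries with s-bit
#
# Assembles /etc/cron.daily/suid-audit (root-only, mode 0700) from three concat
# fragments rendered from EPP templates: a header, a body and a footer. The body
# either restricts the search to the `include` directories or prunes the
# `exclude` directories; the two parameters are mutually exclusive.
#
# @param include
#   Directories to include in the search. Cannot be set together with `exclude`.
# @param exclude
#   Directories to exclude from the search. Cannot be set together with `include`.
# @param auditd_rules_fact_file
#   File the generated cron script writes the auditd rules facts into.
# @param suid_fact_file
#   File the generated cron script writes the suid program facts into.
# @param sgid_fact_file
#   File the generated cron script writes the sgid program facts into.
#
# NOTE(review): the default fact files live under /tmp, which is world-writable.
# A root cron job writing there is exposed to symlink / pre-created-file races
# unless the templates create the files safely; a root-owned directory is the
# safer default. The templates are not visible here — confirm how they open
# the files.
# NOTE(review): include/exclude values end up in a shell script via the EPP
# templates, so callers should pass plain directory paths only.
class security_baseline::auditd_suid_rules_cron (
  Array $include                 = [],
  Array $exclude                 = [],
  String $auditd_rules_fact_file = '/tmp/auditd.facts.yaml',
  String $suid_fact_file         = '/tmp/suid_programs.yaml',
  String $sgid_fact_file         = '/tmp/sgid_progras.yaml',
) {
  if !empty($include) and !empty($exclude) {
    fail('Please include directories or exclude them but you can not do both!')
  }

  # Single place for the target path; every fragment below refers to it.
  $cron_file = '/etc/cron.daily/suid-audit'

  concat { $cron_file:
    ensure => present,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  concat::fragment { 'suid_cron_top':
    target  => $cron_file,
    content => epp('security_baseline/suid_auditd_top.epp', { 'auditd_rules_fact_file' => $auditd_rules_fact_file }),
    # Quoted on purpose: a bare 01 is parsed as the integer 1. Both '01' and
    # '1' sort before '10' and '99', so the fragment order is unchanged.
    order   => '01',
  }

  if empty($include) {
    # Each excluded directory needs its own -e flag, so the separator must be
    # ' -e ' (with the leading space). Joining on '-e ' produced
    # "-e /a-e /b", which the script would treat as one malformed path.
    $tmp_exclude = empty($exclude) ? {
      true    => '',
      default => "-e ${join($exclude, ' -e ')}",
    }

    concat::fragment { 'suid_cron_body':
      target  => $cron_file,
      content => epp('security_baseline/suid_auditd_exclude.epp', { 'exclude' => $tmp_exclude }),
      order   => '10',
    }
  } else {
    # Space-separated list of directories to search.
    $tmp_include = join($include, ' ')

    concat::fragment { 'suid_cron_body':
      target  => $cron_file,
      content => epp('security_baseline/suid_auditd_include.epp', { 'include' => $tmp_include }),
      order   => '10',
    }
  }

  concat::fragment { 'suid_cron_end':
    target  => $cron_file,
    content => epp('security_baseline/suid_auditd_end.epp', {
      'auditd_rules_fact_file' => $auditd_rules_fact_file,
      'suid_fact_file'         => $suid_fact_file,
      'sgid_fact_file'         => $sgid_fact_file,
    }),
    order   => '99',
  }
}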