simp / pupmod-simp-auditd Goto Github PK

Can you please update to stdlib < 9.0.0

and change herculesteam/augeasproviders_grub to puppet/augeasproviders_grub <5.0.0 as they have taken over the herculesteam release.

Thank you.

Audtid configuration files in /etc/ should not be managed by auditd::log_group. Introduce a new variable, ex. auditd::config_group. Modify $config_file_mode to utilize auditd::config_group as a ternary. Update all audit files managed within /etc/ to use the new auditd::config_group and update permissions as needed.

The code under templates/rule_profiles/common/default_drop.epp states on lines 21 and 28 if greater than 6 but chrony is only on RHEL 8 and above. It should be >6 and <8 or just change 6 to 7. The error is stated if you run on RHEL 7: augenrules --load

Unknown user: chrony
-F unknown field: uid
There was an error in line 13 of /etc/audit/audit.rules
Unknown user: chrony
-F unknown field: uid

Please can Rocky 8 be added to the supported os list?

The hieradata in data/os needs to be updated with parameters for RHEL 9.

Puppet manages the q_depth setting in /etc/audisp/audispd.conf. We ' d like q_depth to be optionally managed so puppet don't manage it.

The template for overflow_action looks for the $audit::overflowaction parameter, however, the actual parameter name in the class is $auditd::overflow_action so the template will never set overflow action to what a user has requested.

On RHEL 8, dbus/dbus-daemon does not provide the /usr/lib64/dbus-1 directory, which causes augenrules to fail.

Unsure if this also affects CentOS/OEL 8.

Set the force => true option on the /etc/audit file resource: https://github.com/simp/pupmod-simp-auditd/blob/master/manifests/config.pp#L32-L39

Otherwise, if a directory is created in /etc/audit, puppet will be unable to remove it and will non-idempotently restart auditd every run.

We are using your module to manage our auditd rules. Unfortunately, some systems are running software which is adding its own rules to /etc/audit/rules.d. The file containing these rules is automatically removed by Puppet. Is it possible to either disable this file removal, or configure one or more rule files to ignore?

When new rule files get created they are created with a default mode of 0644, which will cause compliance scan failures for CIS at the very least. We need a way to determine the correct mode for the files under /etc/audit/rules.d and apply it.

Applications may manage settings in audispd.conf independently from puppet. Update manifests/config/audisp.pp so users can disable management of individual settings.

When auditd rotates the log files, it removes the write bit from the user permissions.

The module needs to be updated to use symbolic permissions instead of numeric.

The permissions on /var/log/audit.log.<number> remove user write permissions.

This means that the current implementation will flap as evidenced in https://gitlab.com/simp/pupmod-simp-simp/-/jobs/2578131227#L3835

On RHEL 7 machines the fact reference above returns blank because /usr/share/audit/sample-rules doesn't exist. The samples all apear to live under /usr/share/doc/audit-2.8.5/rules instead. The fact needs to be modified so it will look inside of both locations.