auditd service incorrectly stated as up-to-date
Happened to notice we were missing audit data for a bunch of our hosts (O_O...compliance requirements). Seems some RHEL update stops auditd (or crashes it) and Chef is not addressing the situation by starting it again at any point in our hourly runs. Digging in, I found the following.
Chef 13.12.3, auditd cookbook 2.3.4, RHEL 7.6
```
...
Recipe: auditd::default
  * yum_package[audit] action install (up to date)
  * service[auditd] action enable (up to date)
...
```
Here you can see that kauditd is running, but that is not auditd:
```
[m26560@cnide-db ~]$ pgrep --exact auditd
[m26560@cnide-db ~]$ ps -ef | grep auditd
root        96     2  0 Sep26 ?        00:00:35 [kauditd]
[m26560@cnide-db ~]$ sudo systemctl status auditd
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Wed 2018-12-05 04:45:20 EST; 2 days ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
 Main PID: 649 (code=exited, status=0/SUCCESS)

Dec 05 04:45:20 cnide-db auditd[649]: The audit daemon is exiting.
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
[m26560@cnide-db ~]$
```
Is the lack of `:start` here intentional? https://github.com/chef-cookbooks/auditd/blob/master/recipes/default.rb#L27
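As an added example (not from the original post or from the auditd cookbook): a shell check that only reports auditd as healthy when the unit is enabled *and* active *and* a userspace `auditd` process exists, which is exactly the gap a bare `action :enable` leaves. The function names `classify_auditd_state` and `check_auditd_live` are mine; the parser consumes `systemctl show -p UnitFileState -p ActiveState auditd` output.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or the cookbook.

# Reads "UnitFileState=..." / "ActiveState=..." lines (as printed by
# `systemctl show -p UnitFileState -p ActiveState auditd`) from stdin and
# prints a one-word classification. Returns 0 only for the healthy case, so
# "enabled but dead" (the situation in the post) is a failure, not "up to date".
classify_auditd_state() {
  local unit_file_state="" active_state="" line
  while IFS= read -r line; do
    case "$line" in
      UnitFileState=*) unit_file_state="${line#UnitFileState=}" ;;
      ActiveState=*)   active_state="${line#ActiveState=}" ;;
    esac
  done
  case "${unit_file_state}/${active_state}" in
    enabled/active) echo ok;                      return 0 ;;
    enabled/*)      echo enabled-but-stopped;     return 1 ;;
    */active)       echo running-but-not-enabled; return 1 ;;
    *)              echo not-running;             return 1 ;;
  esac
}

# Live check against systemd plus the process table. `pgrep --exact auditd`
# is used (as in the post) because `grep auditd` also matches the kernel
# thread [kauditd], which is not the audit daemon.
check_auditd_live() {
  local state
  state=$(systemctl show -p UnitFileState -p ActiveState auditd | classify_auditd_state) || {
    echo "auditd: $state" >&2
    return 1
  }
  if ! pgrep --exact auditd >/dev/null 2>&1; then
    echo "auditd: unit reports active but no userspace auditd process found" >&2
    return 1
  fi
  echo "auditd: $state"
}
```

Run `check_auditd_live` from a compliance or monitoring job; a non-zero exit is the signal that the daemon needs to be started, whatever the enabled flag says.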