kemra102 / puppet-auditd

Manage the audit daemon and its rules.
BSD 2-Clause "Simplified" License

Odd issue declaring rules with hiera #12

Closed r-eason closed 7 years ago

r-eason commented 8 years ago

Testing your module on a new CentOS 7.2 install, puppet version 4.3.1, and hiera. I am using the rules you have in the examples/cis.pp dir and changed the syntax to hiera.

Stepping through adding each rule to hiera works until I get to rule 08 or 09 which throws:

"Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Function Call, validate_integer(): Expected first argument to be an Integer or Array, got String at /etc/puppetlabs/code/environments/production/modules/auditd/manifests/rule.pp:12:3 on node"

Changing rule 08 and 09 to a different number (18,19) works fine, and removing the validate_integer($order) from rule.pp will also allow the catalog to compile.

Adding rules 10 - 16 compiles the catalog fine and creates /etc/audit/puppet.rules. I checked for copy/paste errors and hidden chars and am scratching my head on this, since it only happens when I define the rule as 08 or 09.

The hiera file:

classes:
    - 'auditd'

auditd::rules:
    'check for 64bit time adjustment syscalls':
        content: '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change'
        order: '01'
    'check for 32bit time adjustment syscalls':
        content: '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change'
        order: '02'
    'check for 64bit clock adjustment syscalls':
        content: '-a always,exit -F arch=b64 -S clock_settime -k time-change'
        order: '03'
    'check for 32bit clock adjustment syscalls':
        content: '-a always,exit -F arch=b32 -S clock_settime -k time-change'
        order: '04'
    'watch for changes to the local time file':
        content: '-w /etc/localtime -p wa -k time-change'
        order: '05'
    'watch for changes to group file':
        content: '-w /etc/group -p wa -k identity'
        order: '06'
    'watch for changes to passwd file':
        content: '-w /etc/passwd -p wa -k identity'
        order: '07'
    'watch for changes to gshadow file':
        content: '-w /etc/gshadow -p wa -k identity'
        order: '08'
    'watch for changes to shadow file':
        content: '-w /etc/shadow -p wa -k identity'
        order: '09'
    'watch for changes to opasswd file':
        content: '-w /etc/security/opasswd -p wa -k identity'
        order: '10'
    'check for 64bit hostname change syscalls':
        content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale'
        order: '11'
    'check for 32bit hostname change syscalls':
        content: '-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale'
        order: '12'
    'watch for changes to issue notice file':
        content: '-w /etc/issue -p wa -k system-locale'
        order: '13'
    'watch for changes to issue.net notice file':
        content: '-w /etc/issue.net -p wa -k system-locale'
        order: '14'
    'watch for changes to hosts file':
        content: '-w /etc/hosts -p wa -k system-locale'
        order: '15'

kemra102 commented 8 years ago

That's very odd indeed, so only rules 08 and 09 cause the failure? 01-07 run fine?

r-eason commented 8 years ago

Yup, 01-07 and 10-infinity work. It's only when I declare anything for 08 and 09 that it fails. I've even just replaced the rule name and rule with "test" and just the order: '08', and it will fail with the same error. It could be something I'm doing, but it really struck me as odd that it was skipping two numbers and then working for the rest.

kemra102 commented 8 years ago

Logically I don't know how that could fail, I'll dig into the issue over the weekend to see if I can figure this out.

optiz0r commented 8 years ago

Something to do with octal? 08 and 09 would be the only numbers starting with leading zeros that are not valid octal numerals, and puppet does like to treat strings that look like numbers as numbers.

https://tickets.puppetlabs.com/browse/PUP-6010 :)
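As an added example (not code from puppet-auditd or puppetlabs-stdlib), the Ruby below reproduces the conversion trap optiz0r describes: Ruby's Kernel#Integer treats a leading "0" as an octal prefix, so the quoted order strings '08' and '09' raise ArgumentError while '01'..'07' and '10'..'15' convert fine. It also shows the base-10 parse a validator should use instead, and sorts a constructed auditd::rules hash by that parsed order so the resulting line order in puppet.rules is the one the hiera data intends. The rule data is constructed from the hiera file in the issue; naive_integer, decimal_integer, rejected_orders and ordered_rule_lines are names chosen for this example, not stdlib or module functions.

```ruby
# Added example: why '08' and '09' fail an Integer() conversion while the
# other zero-padded order strings pass, and how to parse them safely.
# Not code from puppet-auditd or puppetlabs-stdlib.

# Mimics the conversion at the heart of the failing check: Kernel#Integer
# honours a leading "0" as an octal prefix, so "08" and "09" are rejected
# (8 and 9 are not octal digits) while "07" converts to 7 and "10" to 10.
def naive_integer(value)
  Integer(value.to_s)
rescue ArgumentError, TypeError
  nil
end

# Safer variant: force base 10 so a leading zero is just a zero digit.
def decimal_integer(value)
  Integer(value.to_s, 10)
rescue ArgumentError, TypeError
  nil
end

# Constructed sample mirroring the order values from the issue's hiera file.
SAMPLE_ORDERS = %w[01 02 03 04 05 06 07 08 09 10 11 12 13 14 15].freeze

# Returns the order strings that the named parser refuses to convert.
def rejected_orders(parser_name)
  SAMPLE_ORDERS.select { |order| send(parser_name, order).nil? }
end

# Constructed rules hash in the shape auditd::rules takes in the hiera file
# (deliberately out of order so the sort is visible).
SAMPLE_RULES = {
  'watch for changes to shadow file' => {
    'content' => '-w /etc/shadow -p wa -k identity', 'order' => '09'
  },
  'watch for changes to passwd file' => {
    'content' => '-w /etc/passwd -p wa -k identity', 'order' => '07'
  },
  'watch for changes to opasswd file' => {
    'content' => '-w /etc/security/opasswd -p wa -k identity', 'order' => '10'
  }
}.freeze

# Rule lines in the order they would be concatenated into puppet.rules,
# using the base-10 parse so '08' and '09' sort where the author intended.
def ordered_rule_lines(rules)
  rules.values
       .sort_by { |rule| decimal_integer(rule['order']) }
       .map { |rule| rule['content'] }
end

if __FILE__ == $PROGRAM_NAME
  puts "Integer():     rejects #{rejected_orders(:naive_integer).inspect}"
  puts "Integer(s,10): rejects #{rejected_orders(:decimal_integer).inspect}"
  puts ordered_rule_lines(SAMPLE_RULES)
end
```

Run as a script it reports that Integer() rejects exactly ["08", "09"] and the base-10 parse rejects nothing; the sorted output lists the passwd, shadow and opasswd watches in that order. The same leading-zero rule applies to any validator that relies on Ruby's default Integer() conversion, which is why dropping the leading zeros (or passing an explicit base) avoids the failure without weakening the check.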