kemra102 / puppet-auditd

Manage the audit daemon and its rules.
BSD 2-Clause "Simplified" License

Allow to disable fragment 0 #20

Closed fabianfrz closed 7 years ago

fabianfrz commented 7 years ago

It is the file containing the static header so this header does not need to be removed via exec.

It would delete the rules while using multiple auditd configuration files when audit concatenates them.

kemra102 commented 7 years ago

Can you be more clear about what your issue is exactly? I don't follow the bulk of your post.

The title is straight forward enough though I am not sure what the benefit is - pull requests are of course welcome.

fabianfrz commented 7 years ago

This line here will delete all rules from auditd: https://github.com/kemra102/puppet-auditd/blob/master/templates/audit.rules.begin.fragment.erb#L2

If you want to create a configuration like this:
base.pp
service.pp

service.pp will delete the rules from base.pp because of the "-D" on top of each file

kemra102 commented 7 years ago
> This line here will delete all rules from auditd:
> https://github.com/kemra102/puppet-auditd/blob/master/templates/audit.rules.begin.fragment.erb#L2

Correct

> If you want to create a configuration like this:
> base.pp
> service.pp
>
> service.pp will delete the rules from base.pp because of the "-D" on top of each file

Was this supposed to link to something? There is no base.pp or service.pp in this module.

Just guessing as to what may be in these files, I don't see any way in which the rules will be deleted more than once as the initial concat fragment only gets written once.

Again my apologies but it's not clear to me what is being asked here.

fabianfrz commented 7 years ago

Those files are an example of how to create the rules with multiple puppet manifests so you have a manifest for the system itself and some for the other stuff. When you do that, each will generate a rules file and each will have the -D on top. When auditd is started, it will concatenate all files in the rules directory.

kemra102 commented 7 years ago

I'm not sure I see the issue still. If you are able to share the content of those files it might help.

Normally the way you'd use a module like this is to say have something like:

base.pp:

class { '::auditd':
  space_left_action       => 'email',
  action_mail_acct        => 'secadmin@example.com',
  admin_space_left_action => 'halt',
  max_log_file_action     => 'keep_logs',
  rules                   => {
    'watch for changes to passwd file' => {
      content => '-w /etc/passwd -p wa -k identity',
      order   => 1,
    },
    'watch for changes to hosts file'  => {
      content => '-w /etc/hosts -p wa -k system-locale',
      order   => 2,
    },
  },
}

service.pp:

auditd::rule { 'check puppet config for changes':
  content => '-w /etc/puppet/ -p wa -k puppet_config_changes',
  order   => 1,
}
auditd::rule { 'check puppet data for changes':
  content => '-w /var/lib/puppet/ -p wa -k puppet_data_changes',
  order   => 2,
}

This will mean that the -D rule will only occur once, nodes that do not include service.pp will have the base rules only, but nodes that DO include service.pp will have the additional rules as well.
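As an added check that is not part of the puppet-auditd module or of either commenter's code: a small Python lint that walks rule fragments in the order augenrules merges them and flags any `-D` that is not the very first directive, since each such line discards every rule loaded before it. The fragment names and their contents are constructed to mirror the base.pp / service.pp layout discussed above.

```python
"""Lint audit rule fragments for a '-D' that would wipe earlier rules.

Added example, not code from puppet-auditd. Assumption: augenrules merges
/etc/audit/rules.d/*.rules in sorted order into one audit.rules, so a '-D'
(delete all rules) that appears after real rules silently discards them.
"""
import glob
import os
import shlex

RULE_DIRECTIVES = ("-w", "-a")  # watch and syscall rules


def find_destructive_deletes(fragments):
    """Return (fragment_name, line_no, rules_lost) for each '-D' that is
    preceded by at least one rule in the concatenated stream.

    fragments: ordered list of (name, text) tuples, merged first to last.
    """
    findings = []
    rules_seen = 0
    for name, text in fragments:
        for line_no, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            tokens = shlex.split(line)
            if tokens[0] == "-D":
                if rules_seen:
                    findings.append((name, line_no, rules_seen))
                rules_seen = 0  # everything before this point is gone
            elif tokens[0] in RULE_DIRECTIVES:
                rules_seen += 1
    return findings


def lint_rules_dir(path="/etc/audit/rules.d"):
    """Run the check over a real rules directory in augenrules' merge order."""
    names = sorted(glob.glob(os.path.join(path, "*.rules")))
    return find_destructive_deletes(
        [(os.path.basename(n), open(n).read()) for n in names])


# Constructed sample: the layout the issue warns about, one '-D' per manifest.
BASE = ("-D\n-b 8192\n-w /etc/passwd -p wa -k identity\n"
        "-w /etc/hosts -p wa -k system-locale\n")
SERVICE = "-D\n-w /etc/puppet/ -p wa -k puppet_config_changes\n"
SAMPLE = [("10-base.rules", BASE), ("20-service.rules", SERVICE)]

if __name__ == "__main__":
    for name, line_no, lost in find_destructive_deletes(SAMPLE):
        print(f"{name}:{line_no}: -D discards {lost} rule(s) loaded before it")
```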