kemra102 / puppet-auditd

Manage the audit daemon and its rules.
BSD 2-Clause "Simplified" License

audit.rules.prev #38

Open pulsejets opened 6 years ago

pulsejets commented 6 years ago

Hi, I only get an audit.rules.prev in /etc/audit, and it doesn't load it. OS: Debian 9.

I have tried with rules_file => '/etc/audit/rules.d/puppet.rules', manage_audit_files => true

Then I get a concat warning:

/Stage[main]/Auditd/Auditd::Rule[watch for changes to passwd file]/Concat::Fragment[auditd_fragment_watch for changes to passwd file]/Concat_fragment[auditd_fragment_watch for changes to passwd file]: Target Concat_file with path or title '/etc/audit/audit.rules' or tag '_etc_audit_audit.rules not found in the catalog

class { 'auditd':
  log_file => '/var/log/audit.log',
  rules    => {
    'watch for changes to passwd file' => {
      content => '-w /etc/passwd -p wa -k identity',
      order   => 1,
    },
  },
}

ldfzm commented 6 years ago

I suspect you're getting the same error I am:

I noticed that in auditd::rule, the rule fragment target is coded to $auditd::params::rules_file instead of to $auditd::rules_file, so if you specify any value besides the default for $rules_file, it won't be able to find a concat for rules. This is because it's trying to use the default value for $rules_file on the fragments and the value you specified for the concat.
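
Added example, not part of the thread and not the module's own code: a Python check that scans a compiled catalog for the mismatch described in the comment above, that is, concat fragments whose target has no matching Concat_file, which is how an audit rule ends up declared but never written. The sample catalog is constructed, and the script assumes Puppet's JSON catalog layout ("resources" entries with "type", "title" and "parameters"); the function name is hypothetical.

```python
import json

# Constructed sample: a trimmed compiled catalog. The concat is declared for
# the custom rules_file, while the fragment still targets the default path.
SAMPLE_CATALOG = json.dumps({
    "resources": [
        {"type": "Concat_file",
         "title": "/etc/audit/rules.d/puppet.rules",
         "parameters": {"path": "/etc/audit/rules.d/puppet.rules",
                        "tag": "_etc_audit_rules.d_puppet.rules"}},
        {"type": "Concat_fragment",
         "title": "auditd_fragment_watch for changes to passwd file",
         "parameters": {"target": "/etc/audit/audit.rules",
                        "content": "-w /etc/passwd -p wa -k identity\n",
                        "order": 1}},
    ]
})


def orphaned_fragments(catalog_json):
    """Return (fragment title, target) pairs whose target has no Concat_file."""
    resources = json.loads(catalog_json)["resources"]
    known = set()
    for res in resources:
        if res["type"] != "Concat_file":
            continue
        params = res.get("parameters", {})
        # A fragment may reference its concat by title, path or tag.
        known.add(res["title"])
        if params.get("path"):
            known.add(params["path"])
        tags = params.get("tag", [])
        known.update([tags] if isinstance(tags, str) else tags)
    return [
        (res["title"], res["parameters"]["target"])
        for res in resources
        if res["type"] == "Concat_fragment"
        and res.get("parameters", {}).get("target") not in known
    ]


if __name__ == "__main__":
    for title, target in orphaned_fragments(SAMPLE_CATALOG):
        print(f"{title!r} targets {target!r}: no matching Concat_file, "
              "so this audit rule is never written")
```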