Forge Home

auditd

Install, configure, and manage the audit daemon

551 downloads

305 latest version

5.0 quality score

Version information

  • 0.9.0 (latest)
  • 0.2.0
released Apr 25th 2022
This version is compatible with:
  • Puppet Enterprise 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.21.0 < 8.0.0
  • , , , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'genv-auditd', '0.9.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add genv-auditd
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install genv-auditd --version 0.9.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

genv/auditd — version 0.9.0 Apr 25th 2022

auditd

Build Status Release Apache-2 License

Overview

This module installs, configures and manages the Linux Audit daemon (auditd) and optionally the dispatcher (audisp) for older auditd versions.

No default rules are provided. See the Reference file for all options.

Usage

Including auditd and using the defaults will;

  • Install the audit daemon package
  • Configure and manage /etc/audit/auditd.conf with most default settings
  • Replace all suspend/halt settings with rotate/syslog to prevent unexpected availability issues
  • Manage /etc/audit/rules.d/audit.rules
  • Enable and manage the auditd service
include auditd

Configuration

The auditd::config parameter is used to configure the auditd.conf file:

  • By default actions use rotate/syslog instead of suspend/halt
  • Key names are based on documented settings in man auditd.conf

Rules

The auditd::rule define is used to create and manage auditd rules.

auditd::rule { 'insmod':
  content => '-w /sbin/insmod -p x -k modules',
  order   => 10,
}

auditd::rule { '-w /var/run/utmp -p wa -k session': }

A hash can also be passed to the main auditd class with the rules parameter:

class { 'auditd':
  rules => {
    insmod => {
      content => '-w /sbin/insmod -p x -k modules',
      order   => 10,
    },
    sudoers_changes => {
      content => '-w /etc/sudoers -p wa -k scope',
      order   => 50,
    },
  },
}

With Hiera:

auditd::rules:
  insmod:
    content: -w /sbin/insmod -p x -k modules
    order: 10
  sudoers_changes:
    content: -w /etc/sudoers -p wa -k scope
    order: 50

Plugins

The auditd::plugin define is used to create and manage auditd plugin files.

auditd::plugin { 'clickhouse':
  active    => 'yes',
  direction => 'out',
  path      => '/usr/libexec/auditd-plugin-clickhouse',
  type      => 'always',
  args      => '/etc/audit/auditd-clickhouse.conf',
  format    => 'string',
}

A hash can also be passed to the main auditd with the plugins parameter:

class { 'auditd':
  plugins => {
    auoms => {
      active    => 'no',
      direction => 'out',
      path      => '/opt/microsoft/auoms/bin/auomscollect',
    },
  },
}

With Hiera:

auditd::plugins:
  clickhouse:
    active: 'yes'
    direction: 'out'
    path: /usr/libexec/auditd-plugin-clickhouse
    args: /etc/audit/auditd-clickhouse.conf

Dispatcher

The auditd::audisp class can be used to manage the dispatcher for version 2. Using this class on more recent auditd versions (v3) is not necessary and is equivalent to:

package { 'audispd-plugins':
  ensure => 'installed',
}

In v3 audisp settings can be part of auditd::config. For v2 use auditd::audisp:

class { 'auditd::audisp':
  config => {
    q_depth     => 250,
    name_format => 'hostname',
  },
}
auditd::audisp::config:
  q_depth: 250
  overflow_action: syslog
  priority_boost: 4
  max_restarts: 10
  name_format: hostname
  plugin_dir: /etc/audisp/plugins.d/

audisp plugins

The auditd::plugin define can be used to be manage audisp plugins by setting plugin_type to audisp:

auditd::plugin { 'syslog':
  active      => 'yes',
  direction   => 'out',
  path        => '/sbin/audisp-syslog',
  type        => 'always',
  args        => 'LOG_INFO',
  format      => 'string',
  plugin_type => 'audisp',
}

Limitations

The RefuseManualStop systemd unit option has been set to no to allow for easier upgrades and management. See auditd.service and RefuseManualStop for a discussion on this subject.

Configuration files distributed via audispd-plugins are not currently managed.

This package has been tested primarily on Debian family distributions.