Forge Home


Install, configure, and manage the audit daemon


168 latest version

4.7 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 2.0.0 (latest)
  • 1.0.4
  • 1.0.3
  • 1.0.2
  • 1.0.1
  • 1.0.0 (deleted)
  • 0.9.0
  • 0.2.0
released Jan 21st 2024
This version is compatible with:
  • Puppet Enterprise 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0
  • , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'genv-auditd', '2.0.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add genv-auditd
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install genv-auditd --version 2.0.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



genv/auditd — version 2.0.0 Jan 21st 2024


Build Status Release Puppet Forge Apache-2 License


This module installs, configures and manages the Linux Audit daemon (auditd) and optionally the dispatcher (audisp) for older auditd versions.

No default rules are provided. See the Reference file for all options.


Including auditd and using the defaults will;

  • Install the audit daemon package
  • Configure and manage /etc/audit/auditd.conf with most default settings
  • Replace all suspend/halt settings with rotate/syslog to prevent unexpected availability issues
  • Manage /etc/audit/rules.d/audit.rules
  • Enable and manage the auditd service
include auditd


The auditd::config parameter is used to configure the auditd.conf file:

  • By default actions use rotate/syslog instead of suspend/halt
  • Key names are based on documented settings in man auditd.conf


The auditd::rule define is used to create and manage auditd rules.

auditd::rule { 'insmod':
  content => '-w /sbin/insmod -p x -k modules',
  order   => 10,

auditd::rule { '-w /var/run/utmp -p wa -k session': }

A hash can also be passed to the main auditd class with the rules parameter:

class { 'auditd':
  rules => {
    insmod => {
      content => '-w /sbin/insmod -p x -k modules',
      order   => 10,
    sudoers_changes => {
      content => '-w /etc/sudoers -p wa -k scope',
      order   => 50,

With Hiera:

    content: -w /sbin/insmod -p x -k modules
    order: 10
    content: -w /etc/sudoers -p wa -k scope
    order: 50


The auditd::plugin define is used to create and manage auditd plugin files.

auditd::plugin { 'clickhouse':
  active    => 'yes',
  direction => 'out',
  path      => '/usr/libexec/auditd-plugin-clickhouse',
  type      => 'always',
  args      => '/etc/audit/auditd-clickhouse.conf',
  format    => 'string',

A hash can also be passed to the main auditd with the plugins parameter:

class { 'auditd':
  plugins => {
    auoms => {
      active    => 'no',
      direction => 'out',
      path      => '/opt/microsoft/auoms/bin/auomscollect',

With Hiera:

    active: 'yes'
    direction: 'out'
    path: /usr/libexec/auditd-plugin-clickhouse
    args: /etc/audit/auditd-clickhouse.conf


The auditd::audisp class can be used to manage the dispatcher for version 2. Using this class on more recent auditd versions (v3) is not necessary and is equivalent to:

package { 'audispd-plugins':
  ensure => 'installed',

In v3 audisp settings can be part of auditd::config. For v2 use auditd::audisp:

class { 'auditd::audisp':
  config => {
    q_depth     => 250,
    name_format => 'hostname',
  q_depth: 250
  overflow_action: syslog
  priority_boost: 4
  max_restarts: 10
  name_format: hostname
  plugin_dir: /etc/audisp/plugins.d/

audisp plugins

The auditd::plugin define can be used to be manage audisp plugins by setting plugin_type to audisp:

auditd::plugin { 'syslog':
  active      => 'yes',
  direction   => 'out',
  path        => '/sbin/audisp-syslog',
  type        => 'always',
  args        => 'LOG_INFO',
  format      => 'string',
  plugin_type => 'audisp',


The RefuseManualStop systemd unit option has been set to no to allow for easier upgrades and management. See auditd.service and RefuseManualStop for a discussion on this subject.

Configuration files distributed via audispd-plugins are not currently managed.

This package has been tested primarily on Debian family distributions.