Forge Home

auditd

A SIMP puppet module for managing auditd and audispd
Project URLRSS FeedReport issues

63,288 downloads

2,037 latest version

4.2 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 8.14.4 (latest)
  • 8.14.3
  • 8.14.2
  • 8.14.1
  • 8.14.0
  • 8.13.0
  • 8.12.0
  • 8.11.0
  • 8.10.1
  • 8.10.0
  • 8.8.0
  • 8.7.5
  • 8.7.4
  • 8.7.3
  • 8.7.2
  • 8.7.1
  • 8.7.0
  • 8.6.5
  • 8.6.4
  • 8.6.3
  • 8.6.2
  • 8.6.1
  • 8.6.0
  • 8.5.3
  • 8.5.2
  • 8.5.1
  • 8.5.0
  • 8.4.0
  • 8.3.2
  • 8.3.1
  • 8.3.0
  • 8.2.1
  • 8.2.0
  • 8.1.1
  • 8.1.0
  • 8.0.1
  • 7.1.3
  • 7.1.2
  • 7.1.1
  • 7.1.0
  • 7.0.2
  • 7.0.1
  • 5.1.1
  • 5.0.4
released Nov 26th 2024
This version is compatible with:
  • Puppet Enterprise 2025.3.x, 2025.2.x, 2025.1.x, 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0
  • , , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'simp-auditd', '8.14.4'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add simp-auditd
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install simp-auditd --version 8.14.4

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download
Tags: auditd, simp, audispd

Documentation

simp/auditd — version 8.14.4 Nov 26th 2024
  • Fix more use of legacy facts
  • Fix comparison of space_left and admin_space_left as percentages
  • Remove calls to deprecated parameters (for Puppet 8 compatibility)
  • Clean up legacy fact usage for Puppet 8 compatibility
  • (SIMP-10744) Add purge behaviour for auditd rules
  • Add EL9 support
  • [puppetsync] Updates for Puppet 8
    • These updates may include the following:
      • Update Gemfile
      • Add support for Puppet 8
      • Drop support for Puppet 6
      • Update module dependencies
  • Add AlmaLinux 8 support
  • Add RHEL 9 hieradata
  • Add RockyLinux 8 support
  • All of the rule files will now have the same mode defined for /etc/audit/rules.d
  • do not include auditd::config::grub on hosts without grub
  • fix simp base profile to work when grub_version fact is not set
  • Make parameter backlog_wait_time optional because there are auditd versions not supporting it
  • Add support for Amazon Linux 2
  • Actually fix flapping on rotated audit log files
  • Ensure that permissions do not flap on rotated audit log files
  • Fix the permissions on /var/log/audit
  • Changed the auditd_sample_rulesets fact to look in both /usr/share/audit/sample-rules and /usr/share/doc/audit*/rules for sample rulesets.
  • Fixed a bug preventing overflow_action from being set properly
  • Removed support for Puppet 5
  • Ensured support for Puppet 7 in requirements and stdlib
  • Fixed
    • Align EL8 STIG settings
  • Changed
    • Bump supported puppet version to include 7
    • Always add the 'head' rules (global auditd config) settings when applying rule sets. These do not interfere with user-defined rules and are required for proper functionality of the system.
  • Use -F key= in lieu of -k in the STIG profile, to match scanner updates.
  • Switch auditd rules to be 'always,exit' instead of 'exit,always' to match the man pages and general scanner updates.
  • Expanded simp/rsyslog dependendency range to < 9.0.0.
  • Removed EL6 support
  • Fixed a bug in which the module could not enable auditing in a system with auditing already disabled in the kernel, when replication of the audit logs to syslog was required.
    • Manifest would fail to compile because of a nil auditd_version fact.
  • Allow auditd space_left and admin_space_left to accept percentages on supported versions
  • Ensure that the auditd service is not managed if the kernel is not enforcing auditing
  • Add an acceptance test for toggling disabling auditing without modifying the kernel parameter
  • Add INCREMENTAL_ASYNC to possible values for $::auditd::flush
  • Ensure that facts are properly confined
  • Utilize the new simplib__auditd fact
  • Add built_in audit profile to the subsystem that provides ability to include and manage sample rulesets to be compiled into active rules
  • Added a File statement for /etc/audit/audit.rules.prev to prevent unnecessary flapping
  • Ensure that the inspec tests don't run if there isn't a profile available
  • Ensure that kmod is audited in all STIG modes on EL7+
  • Fix regex substitution for bad path characters
  • Allow users to knockout entries from arrays specified in Hiera
  • Multiple rules added based on best practices mostly pulled from /usr/share/doc/auditd:
    • Audit 32 bit operations on 64 bit systems
    • Audit calls to the auditd CLI commands
    • Audit IPv4 and IPv6 inbound connections
    • Optionally audit IPv4 and IPv6 outbound connections
    • Audit suspicious applications
    • Audit systemd
    • Audit the auditd configuration space
    • Ignore time daemon logs (clutter)
    • Ignore CRYPTO_KEY_USER logs (clutter)
    • Add ability to set the backlog_wait_time
    • Set loginuid_immutable

  • Set defaults for syslog parameters if auditd version is unknown.

  • Added support for auditd v3.0 which is used by RedHat 8.

  • A fact that determines the major version of auditd that is running on the system was added, auditd_major_version. This is used in hiera.yaml hierarchy to add module data specific to the versions.

  • Most of the changes in auditd v3.0 were related to how the plugins are handled but there are a few new parameters added to auditd.conf. They were set to their defaults according to man of auditd.conf.

  • Auditd V3.0 moved the handling of plugins into auditd from audispd. The following changes were made to accommodate that:

    • To make sure the parameters used to handle plugins where defined in one place no matter what version of auditd was used, they were moved to init.pp and referenced from there by the audisp manifest. For backwards compatibility, they remain in audisp.conf and are aliased in the hiera module data.
    • For backwards compatibility auditd::syslog remains defaulting to the value of simp_options::syslog although the two are not really the same thing. You might want to review this setting and set auditd::syslog to a setting that is appropriate for your system.
      • To enable auditd logging to syslog set the following in hiera: auditd::syslog: true auditd::config::audisp::syslog::enable: true.

        The drop_audit_logs is still there for backwards compatibility and

        needs to be disabled.

        auditd::config::audisp::syslog::drop_audit_logs: false
      • To stop auditd logging to syslog set the following in hiera: auditd::syslog: true auditd::config::plugins::syslog::enable: false. Setting auditd::syslog to false will stop Puppet from managing the syslog.conf, it will not disable auditd logging to syslog. been removed. Disable the syslog plugin as described above.
    • The settings for syslog.conf were updated and to work for new and old versions of auditd.
    • Added installation of audisp-syslog package when using auditd v3.

    Mon Aug 19 2019 Robert Vincent pillarsdotnet@gmail.com - 8.4.1-0

  • Add rules to monitor /usr/share/selinux

  • Add v2 compliance_markup data
  • Fix an issue where trailing newlines may not be present on custom rule profiles, particularly with rules defined in an Array.
  • Fix a breaking change inadvertantly introduced into auditd::rule in which the auditd class was no longer included when an auditd::rule was defined in a manifest.
  • Added a custom audit profile that accepts either an Array of rules or a template path for ease of setting full rulesets via Hiera.
  • Updated all module components for puppet strings
  • Fixed the README
  • Added a REFERENCE.md
  • Refactored the filename logic in the base profiles to be simpler
  • Converted the rule template to EPP
  • Converted the rotated_audit_logs template to EPP
  • Converted STIG audit profile template to EPP
  • Converted SIMP audit profile template to EPP
  • Ensure that space_left is always larger than admin_space_left
  • Updated tests in support of puppet6, and removed puppet4 support
  • Updated puppet template scope API from 3 to newer
  • config.pp now managed /etc/audit in addition to /etc/audit/rules.d. The permissions and ownership of the two directories should be the same. Both directories use purge and recurse.
  • Use Puppet Integer in lieu of simplib's deprecated Puppet 3 to_integer
  • Expanded the upper limit of the stdlib Puppet module version
  • Updated a URL in the README.md
  • Allow users to optimize their audit processing by only collecting on specific SELinux types
  • Add restorecon audit for STIG profile
  • Update to remove potentially redundant test code and use the updated simp-beaker-helpers
  • Revert back to using the native service provider for the auditd service since puppet fixed the service handling.
  • Allow users to opt-out of hooking the audit dispatchers into the SIMP rsyslog module using auditd::config::audisp::syslog::rsyslog = false or, alternatively, setting simp_options::syslog = false.
  • Add a write_logs opttion to the auditd_class and multiplex between the log_format = NOLOG setting and write_logs = false since there were breaking changes in these settings after auditd version 2.6.0.
  • Add support for log_format = ENHANCED for auditd version >= 2.6.0. Older versions will simply fall back to RAW.
  • Removed unnecessary dependencies from metadata.json. Now, when users install auditd stand-alone i.e. puppet module install, they will not have extraneous modules clutter their environment.
    • herculesteam/augeasproviders_grub
    • simp/rsyslog
  • Changed the $package_ensure parameter from 'latest' to 'installed'
  • It will also respect simp_options::package_ensure
  • Update Hiera 4 to Hiera 5
  • Align group ownership of the auditd log directories with the setting for auditd itself so that the designated group can access the log files.
  • Updated to work with Puppet 5 and OEL
  • Allow lowercase values for several parameters in accordance with the man pages and SCAP expectations.
  • Added ability to select one or more audit profiles. When multiple profiles are selected, their rules are effectively concatenated in the order in which the profiles are listed in auditd::default_audit_profiles.
  • The following API Changes were made in support of multiple audit profiles:
    • $::auditd::$default_audit_profile has been deprecated by $::auditd::$default_audit_profiles
    • auditd::config and auditd::config::audit_profiles::simp classes are now private. In the unlikely event that you included just these classes in your manifest, you must now include auditd instead.
    • The following auditctl global configuration options that were in auditd::config::audit_profiles::simp are now in the auditd class, instead: $ignore_errors, $ignore_anonymous, $ignore_system_services, and $ignore_crond. They were moved because they are now applied to the set of audit profiles selected, not just the 'simp' audit profile.
    • The following auditd::config::audit_profiles::simp class parameters have been deprecated for clarity:
      • $audit_sudoers has been deprecated by $audit_cfg_sudoers
      • $audit_sudoers_tag has been deprecated by $audit_cfg_sudoers
      • $audit_grub has been deprecated by $audit_cfg_grub
      • $audit_grub_tag has been deprecated by $audit_cfg_grub_tag
      • $audit_yum has been deprecated by $audit_cfg_yum
      • $audit_yum_tag has been deprecated by $audit_cfg_yum_tag
    • Some previously hard-coded, internal configuration is now exposed as data-in-modules.
  • Added 'stig' audit profile which manages rules that match DISA STIG checks, exactly.
    • For executables explicitly listed in the RHEL7 STIG, includes watchs for binaries in the real paths (/usr/bin, /usr/sbin) and linked paths (/bin, /sbin). This is to address inconsistencies among the STIG and the Inspec and OSCAP scans. (All should use the real paths, but don't.)
  • Fixed bugs in 'simp' audit profile
    • Fixed umask syscall rules. These rules require arch filters.
    • Fixed clock_settime syscall rules. Per the sample STIG audit rules packaged in the auditd RPM, these rules require an 'a0' filter.
    • Fixed bug in which /var/log/tallylog was grouped with session instead of logins.
    • Fixed bug in which the /etc/pam.d watch rule had the wrong tag
  • Updated 'simp' audit profile settings for DISA STIG.
    • Expanded the list of successful syscall operations audited.
    • Expanded the list of module syscall operations audited
    • Added an option to monitor selinux commands, (i.e., chcon, semanage, setfiles, setsebool)
    • Added an option to audit the execution of password commands ('passwd', 'unix_chkpwd', 'gpasswd', 'chage', 'userhelper')
    • Added an option to audit the execution of privilege-related commands ('su', 'sudo', 'newgrp', 'chsh', 'sudoedit')
    • Added an option to audit the execution of postfix-related commands ('postdrop', 'postqueue')
    • Added an option to audit the execution of the 'ssh-keysign' command
    • Added an option to audit the execution of the 'crontab' command
    • Added an option to audit the execution of the 'pam_timestamp_check' command
    • Added an option to audit the execution of rename/remove operations for non-service users (rename', 'renameat', rmdir', 'unlink', and 'unlinkat')
    • Added watch rules for /etc/hostname and /etc/NetworkManager (for centos7) pulled from the sample STIG audit rules packaged in the auditd RPM.
    • For executables explicitly listed in the RHEL7 STIG, includes watchs for binaries in the real paths (/usr/bin, /usr/sbin) and linked paths (/bin, /sbin). This is to address inconsistencies among the STIG and the Inspec and OSCAP scans. (All should use the real paths, but don't.)
  • Work around RPM upgrade issue with nodeset link in compliance acceptance test suite.
  • Updated compliance suite to use new inspec profile, https://github.com/simp/inspec-profile-disa_stig-el7
  • Removed the el6 nodeset from the compliance suite; there are no simp-supported el6 inspec profiles at this time.
  • Ensured git installed as it's a dependency of our inspec profiles
  • /var/run/faillock should be tagged under 'login'
  • Adjust audit.rules mode per inspec testing
  • Updated to use augeasproviders_grub 3
  • Added the ability to log calls to the 'rpm' and 'yum' commands
  • Fix bug whereby audit.rules file was not being regenerated prior to auditd service start in CentOS/RedHat 6.
  • Update puppet version in metadata.json
  • Audit kernel module tools from /usr/bin as well as /bin and /sbin
  • Correct auditing /var/log/tallylock, it should have been /var/log/tallylog
  • Changed auditd::failure_mode to '1' by default since the compliant audit rules were causing routine system restarts. The new value will default to sending printk messages when the buffer is full.
  • Changed all rules that were exit,always to be always,exit
  • In response to the DISA STIG Requirements
    • Added 'open_by_handle_at' to the 'access' key
    • Added watches on /varlog/faillock and /var/log/tallylock
    • Added watches on /usr/sbin/insmod and /bin/kmod
    • Added permissions modification notification for 'chmod'
  • Renamed auditd::add_rules to auditd::rule
  • Split the audit permissions rules into separate lines
  • Disabled chmod auditing by default
  • Refactor to work in Puppet 4 Changes
  • Updated acceptance tests
  • Update version to reflect SIMP6 dependencies
  • Updated global catalysts
  • Changed default log facility to local5.
  • Added a drop rule for crond events
  • Minor cleanup
  • Mon Sep 26 2016 Jeanne Greulich, Liz Nemsick - 5.1.0-0
  • Allow user to specify syslog facility and priority for audit record messages.
  • Allow user to enable/disable audit record syslog messaging independent of the presence of forwarding logging servers.
  • Added a file resource to detect and fix incorrect permissions on the /var/log/audit/audit.log file.
  • Added booleans to toggle sections of audit rules.
  • Fix for strict_variables failure
  • Added a default audit rule for 'renameat', per CCE-26651-0.
  • Added an auditd_version fact.
  • Updated validation for *_action lists to differentiate between auditd versions.
  • Updated module to use new rake helper to auto-gen .spec file.
  • Change btmp and wtmp locations to /var/log
  • Support dynamic audit log locations
  • Added compliance function support
  • Ensure that the ::auditd::add_rules define does not run if $::auditd::enable_auditing is false.
  • Full migration to simplib, removed common and functions.
  • migration to simplib and simpcat (lib/ only)
  • Module refactor to the new SIMP standard
  • Fixes for the audit dispatcher and syslog connections
  • Updated facts from $::lsbmajdistrelease to $::operatingsystemmajrelease.
  • Updated to use the new rsyslog module.
  • Migrated to the new 'simp' environment.
  • Changed puppet-server requirement to puppet
  • Updated auditd::to_syslog to support multiple log servers and support for native TLS.
  • Fixed a missing rule for RHEL<7 that did not properly drop all of the useless audit data.
  • Updated to use the new reboot_notify native type.
  • Updated to support both grub and grub2
  • Fixed a bug in the audit ruleset where the initial drop rule was set to drop everything that was not anonymous.
  • Added support for /etc/audit/rules.d for RHEL7 systems.
  • Removed MD5 file checksums for FIPS compliance.
  • Pointed concat fragment auditd+head at the correct template!
  • Updated to support RHEL7
  • Added the ability to put rules before the default rule body in audit.rules.
  • Added validation to add_rules.pp.
  • The template for auditing the rotated audit logs had a one-off error preventing the audit of the last rotated log.
  • Spec tests were added.
  • Added class for auditing grub.
  • Converted all string booleans to native booleans.
  • Added support for audispd based on patches provided by Raymond Page raymond.page@icat.us.
  • Removed the old rsyslog file tap on audit.log.
  • Folded the auditd::conf define into the auditd main class since parameterized classes eliminate the need for the define.
    • Breaking Change
  • Updated the audit base rules to compress and reorder many of the rules to allow for greater processing efficiency.
  • Added checks for kernel module manipulation in accordance with CCE-26610-6.
  • Mapped all audit rules to their associated SSG rules in the file template.
  • Updated templates to reference instance variables with @
  • Removed the sgid binary check in the audit rules because it doesn't actually make any sense.
  • Added audit rules to catch the execution of sgid and suid binaries.
  • Added the ability to rate limit the auditd messages. If you use this, you probably want to change the failure mode to 1.
  • Added the ability to ignore failures in the audit configuration and continue and set it to true by default. Since the rules are automatically managed, the likelihood of one being wrong is fairly high. Also, rules will fail if a file doesn't exist which isn't all that helpful.
  • Removed the watch on /proc/kcore since it wasn't really helpful and was throwing SELinux AVC's on startup.
  • Added default auditing to /etc/yum.conf and /etc/yum.repos.d
  • Skip any rule that does not load properly so that we have as much of the configuration active as possible.
  • Updated to require pupmod-common >= 2.1.1-2 so that upgrading an old system works properly.
  • Added a cucumber test to ensure that the auditd daemon starts when including audit in the puppet server manifest.
  • Updated all references of /etc/modprobe.conf to /etc/modprobe.d/00_simp_blacklist.conf as modprobe.conf is now deprecated.
  • Ensure that Arrays in templates are flattened.
  • Call facts as instance variables.
  • Moved mit-tests to /usr/share/simp...
  • Moved rsyslog module inclusion from init.pp to to_syslog.pp where it is used.
  • Updated pp files to better meet Puppet's recommended style guide.
  • Improved test stubs.
  • Removed all references to 'entry' rules since they are deprecated.
  • Removed the watch rule for /etc/firmware since it was removed in RHEL6 and pretty much useless anyway.
  • Added test stubs
  • Scoped all of the top level variables.
  • Removed the base audit of /etc/ldap.conf since it was redundant.
  • Updated to put quotes around everything that need it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.
  • Modified several audit rules to be a bit more complete and to conform to some of the Red Hat syntax standards.
  • Updated to use concat_build and concat_fragment types.
  • Refactored for SIMP-2.0.0-alpha release
  • Converting all spec files to check for directories prior to copy.
  • More code refactoring
  • Made log_file configurable in to_syslog define.
  • Code + doc refactor
  • Added the option $root_audit_level to auditd::conf
    • The allowed strings are basic(default), aggressive, insane
      • Basic(default): Safe, should not follow program execution outside of the base app
      • Aggressive: Adds execve
      • Insane: Adds fork, vfork, write, chown, creat, link, mkdir, rmdir
  • Removed watch on /etc. That was a very bad rule.
  • Audit rules now properly handle 64 and 32 bit architectures (for now). Previously, the 64 bit calls were not handled properly.