Puppet Module for auditd

A Puppet module for managing and configuring the Linux Audit Daemon auditd on Debian and RedHat family distros.

Example Usage

Daemon Configuration

The config parameter is used to configure auditd.conf.

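# Manage auditd.conf through the auditd class's config hash. Keys and values
# are validated against the Auditd::Conf type: 'yes'/'no' are strings rather
# than booleans, and most enum values are accepted in lower- or upper-case
# spelling (the capitalised forms match the vendor defaults).
class { 'auditd':
  config => {
    local_events => 'yes',
    write_logs   => 'yes',
    log_format   => 'RAW',
    flush        => 'INCREMENTAL_ASYNC',
    # freq only takes effect with an incremental flush mode (per auditd.conf(5))
    freq         => 50,
  }
}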

By default the values shipped with the Debian and Ubuntu packages are used.

Rules

The auditd::rules parameter can be used to pass a hash of rules to the auditd::rule defined type.

Alternatively, the auditd::rule defined type can be used in a manifest.

# Declare rules through the class parameter; per the README each entry is
# passed to the auditd::rule defined type (accepted keys: see Auditd::Rules).
# Syscall rules are ABI-specific, so the arch=b32 twin is needed to match
# 32-bit (compat) callers that the arch=b64 rule does not see.
class { 'auditd':
  rules => {
    # auid>=1000: only "real" login users; auid!=4294967295 excludes an unset
    # login uid (-1), i.e. daemons started before any login
    non_root_mounting => {
      content => '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts',
    },
    non_root_mounting_32 => {
      content => '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts',
    }
  }
}
# Stand-alone rule resource. Only EACCES denials are matched here; hardening
# baselines commonly pair this rule with an identical one for -F exit=-EPERM
# so permission failures are covered as well (not shown on this page).
auditd::rule { 'unauthorised_file_access':
  content => '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access',
  # 10 is also the default. The auditd::rule reference documents
  # Integer[1, 1000] while the Auditd::Rules alias lists Integer[1, 999]
  # — confirm which bound is actually enforced before using the top value.
  order   => 10,
}
 
# Title-only form: no content parameter is given, so the title itself is
# presumably used as the rule text (content defaults to undef in the
# reference — confirm in the define). -p wa records writes and attribute
# changes to the file.
auditd::rule { '-w /var/log/tallylog -p wa -k logins': }
# Hiera form of the rules example (bound to the auditd::rules class parameter).
# The -w watch rules record writes and attribute changes (-p wa) to the
# sudoers files under the 'scope' key; the delete rules need a b32 twin
# because syscall rules are ABI-specific.
auditd::rules:
  sudoers_changes:
    content: '-w /etc/sudoers -p wa -k scope'
  sudoersd_changes:
    content: '-w /etc/sudoers.d/ -p wa -k scope'
  file_deletions:
    content: '-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
  file_deletions_32:
    content: '-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'

Plugins

Plugins are managed using the auditd::plugin defined type.

# Writes one plugin configuration file. With the default plugin_type 'auditd'
# the file lands under auditd::plugin_dir with mode '0600' owned by 0:0
# (see the reference). path and args are written through as given, so the
# executable and its config file must exist on the node.
auditd::plugin { 'clickhouse':
  active    => 'yes',
  direction => 'out',
  path      => '/usr/libexec/auditd-plugin-clickhouse',
  # 'always' tells the dispatcher how the plugin wants to be run (reference);
  # 'builtin' is reserved for the dispatcher's internal plugins
  type      => 'always',
  args      => '/etc/audit/auditd-clickhouse.conf',
  format    => 'string',
}
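# Hiera form of the plugin example. The class parameter is looked up under the
# flat key auditd::plugins (Hiera automatic parameter lookup), which is also
# what the module's own data files on this page use; a nested
# auditd: / plugins: mapping would not bind to the parameter.
# type and format are omitted, so the defaults 'always' and 'string' apply.
auditd::plugins:
  clickhouse:
    active: 'yes'
    direction: 'out'
    path: /usr/libexec/auditd-plugin-clickhouse
    args: /etc/audit/auditd-clickhouse.conf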

Dispatcher

In modern versions of auditd (>= 3) the dispatcher (audisp) is configured in /etc/audit. Older versions can use the auditd::audisp class.

# Legacy dispatcher configuration (auditd < 3, separate audispd.conf).
# Accepted keys are listed under Auditd::Audisp::Conf in the reference.
class { 'auditd::audisp':
  config => {
    # queue depth between auditd and the plugins; overflow_action (not set
    # here) decides what happens when it fills
    q_depth     => 250,
    # how the node name is recorded in dispatched events (per audispd.conf(5))
    name_format => 'hostname',
  },
}
# Hiera form of the audisp example (auditd < 3 only); keys per
# Auditd::Audisp::Conf. Enum values are accepted in either case.
auditd::audisp::config:
  q_depth: 250
  # action when the q_depth queue is full
  overflow_action: syslog
  priority_boost: 4
  max_restarts: 10
  name_format: hostname
  plugin_dir: /etc/audisp/plugins.d/

Default Configuration

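---
# Module-wide defaults. Every key is a class parameter of auditd or
# auditd::audisp, bound through Hiera automatic parameter lookup. The
# documents that follow on this page appear to be per-platform overrides of a
# subset of these keys (the target platform of each is not shown here).

# Daemon configuration
# 'yes'/'no' are quoted on purpose: YAML 1.1 loaders would read bare yes/no as
# booleans, while Auditd::Conf expects the strings Enum['yes', 'no'].
auditd::config:
  local_events: 'yes'
  log_file: /var/log/auditd.log
  write_logs: 'yes'
  # raw vs enriched record format; the platform documents below use enriched
  log_format: raw
  log_group: root
  priority_boost: 4
  # freq only matters for incremental flushing: records written between
  # forced flushes (per auditd.conf(5))
  flush: incremental
  freq: 20
  num_logs: 4
  name_format: none
  max_log_file: 25
  max_log_file_action: rotate
  # both low-space actions mail action_mail_acct, so they depend on a working
  # local mailer; verify_email is left off here
  verify_email: 'no'
  action_mail_acct: root
  space_left: 75
  space_left_action: email
  admin_space_left: 50
  admin_space_left_action: email
  # NOTE(review): on a full disk or I/O error auditing only logs a message and
  # carries on; hardening baselines usually prefer one of the stopping actions
  # (suspend/single/halt, see Auditd::Conf) — confirm against local policy
  disk_full_action: syslog
  disk_error_action: syslog
  # tcp_listen_port is not set, so these listener settings are dormant: per
  # auditd.conf(5) the daemon only accepts remote audit clients when it is
  tcp_listen_queue: 5
  tcp_client_max_idle: 0
  enable_krb5: 'no'
  krb5_principal: auditd
  distribute_network: 'no'

# Dispatcher configuration
# Legacy audispd.conf keys (auditd < 3, see "Dispatcher" above); the platform
# documents below re-point the audisp class at /etc/audit instead.
auditd::audisp::config:
  q_depth: 250
  # action when the q_depth queue is full
  overflow_action: syslog
  priority_boost: 4
  max_restarts: 10
  name_format: hostname
  plugin_dir: /etc/audisp/plugins.d/

# Package
auditd::package_ensure: installed
auditd::package_manage: true

# Service
auditd::service_enable: true
auditd::service_ensure: running
auditd::service_manage: true
# Content of the systemd override for the auditd unit (service_override in the
# reference; the changelog notes override.conf is world readable).
# NOTE(review): vendor units commonly set RefuseManualStart/RefuseManualStop=yes
# so the daemon cannot be stopped casually with systemctl; relaxing both here
# trades tamper resistance for operability — confirm this is intended.
auditd::service_override: |-
  [Unit]
  RefuseManualStart=no
  RefuseManualStop=no

# Root audit directory
# The class parameter is `dir` (the reference lists no `path` parameter, so a
# key named auditd::path would not bind to anything). Modes are quoted so they
# stay strings (Stdlib::Filemode); unquoted 0750 would be read as an integer.
# owner/group 0 = root.
auditd::dir: /etc/audit
auditd::mode: '0750'
auditd::owner: 0
auditd::group: 0

# Plugins
auditd::plugin_dir: /etc/audit/plugins.d
auditd::plugin_dir_mode: '0750'
auditd::plugin_dir_owner: 0
auditd::plugin_dir_group: 0

# Rules directory
auditd::rules_dir: /etc/audit/rules.d
auditd::rules_dir_mode: '0750'
auditd::rules_dir_owner: 0
auditd::rules_dir_group: 0

# Rules file
# 0600: the rule set is readable by root only
auditd::rules_file: /etc/audit/rules.d/audit.rules
auditd::rules_file_mode: '0600'
auditd::rules_file_owner: 0
auditd::rules_file_group: 0

# Rule configuration
# buffer_size: kernel backlog; failure_mode 1 prints a failure message
# (reference: "defaults to printing failure message"); immutable false leaves
# the loaded rule set changeable at runtime — true presumably locks it until
# reboot (confirm in the auditd::config class)
auditd::buffer_size: 8192
auditd::failure_mode: 1
auditd::immutable: false

# Configuration file
auditd::config_path: /etc/audit/auditd.conf
auditd::config_mode: '0600'
auditd::config_owner: 0
auditd::config_group: 0

# Audit Dispatcher
# Legacy /etc/audisp layout (auditd < 3); overridden to /etc/audit by the
# platform documents below
auditd::audisp::dir: /etc/audisp
auditd::audisp::mode: '0750'
auditd::audisp::owner: 0
auditd::audisp::group: 0
auditd::audisp::config_path: /etc/audisp/audispd.conf
auditd::audisp::config_mode: '0600'
auditd::audisp::config_owner: 0
auditd::audisp::config_group: 0
auditd::audisp::package_name: audispd-plugins
auditd::audisp::package_ensure: installed
auditd::audisp::package_manage: true
auditd::audisp::plugin_dir: /etc/audisp/plugins.d
auditd::audisp::plugin_dir_mode: '0750'
auditd::audisp::plugin_dir_owner: 0
auditd::audisp::plugin_dir_group: 0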
---
# Platform override (target platform not shown on this page). auditd >= 3
# layout: the dispatcher is configured from auditd.conf, so the audisp class
# is pointed at the auditd paths (see "Dispatcher" above).
auditd::audisp::dir: /etc/audit
auditd::audisp::config_path: /etc/audit/auditd.conf
auditd::audisp::plugin_dir: /etc/audit/plugins.d

# 'yes'/'no' stay quoted: Auditd::Conf wants the strings, not YAML booleans
auditd::config:
  local_events: 'yes'
  write_logs: 'yes'
  log_file: /var/log/audit/audit.log
  log_group: root
  log_format: enriched
  flush: incremental_async
  freq: 50
  max_log_file: 8
  num_logs: 5
  priority_boost: 4
  name_format: none
  max_log_file_action: rotate
  space_left: 75
  # NOTE(review): syslog only logs a message when space runs low; confirm this
  # matches local policy (email/exec/stopping actions are available, see
  # Auditd::Conf)
  space_left_action: syslog
  verify_email: 'yes'
  action_mail_acct: root
  admin_space_left: 50
  admin_space_left_action: rotate
  disk_full_action: syslog
  disk_error_action: syslog
  # listener settings are dormant while tcp_listen_port is unset (auditd.conf(5))
  use_libwrap: 'yes'
  tcp_listen_queue: 5
  tcp_max_per_addr: 1
  tcp_client_max_idle: 0
  transport: tcp
  krb5_principal: auditd
  distribute_network: 'no'
  # dispatcher settings folded into auditd.conf (auditd >= 3)
  q_depth: 400
  overflow_action: syslog
  max_restarts: 10
  plugin_dir: /etc/audit/plugins.d

# Vendor plugin set, all shipped inactive; enable per host by overriding
# auditd::plugins (see "Plugins" above)
auditd::plugins:
  af_unix:
    active: 'no'
    direction: out
    path: builtin_af_unix
    type: builtin
    # plain scalar containing a space, so it stays a string; presumably the
    # socket mode and path — confirm against the plugin documentation
    args: 0640 /var/run/audispd_events
    format: string
  au-remote:
    active: 'no'
    direction: out
    path: /sbin/audisp-remote
    type: always
    format: string
  # syslog forwarding via the external audisp-syslog binary on this platform
  syslog:
    active: 'no'
    direction: out
    path: /sbin/audisp-syslog
    type: always
    args: LOG_INFO
    format: string
---
# Platform override (target platform not shown on this page), auditd >= 3
# layout. Differs from the previous document in log_group (adm), the builtin
# syslog plugin, the extra zOS remote plugin, and in leaving the
# admin_space_left/disk actions unset.
auditd::audisp::dir: /etc/audit
auditd::audisp::config_path: /etc/audit/auditd.conf
auditd::audisp::plugin_dir: /etc/audit/plugins.d

# 'yes'/'no' stay quoted: Auditd::Conf wants the strings, not YAML booleans
auditd::config:
  local_events: 'yes'
  write_logs: 'yes'
  log_file: /var/log/audit/audit.log
  # log readable by the adm group rather than root only
  log_group: adm
  log_format: enriched
  flush: incremental_async
  freq: 50
  max_log_file: 8
  num_logs: 5
  priority_boost: 4
  name_format: none
  max_log_file_action: rotate
  space_left: 75
  space_left_action: syslog
  verify_email: 'yes'
  action_mail_acct: root
  admin_space_left: 50
  # admin_space_left_action, disk_full_action and disk_error_action are not
  # set here, so the daemon's built-in defaults apply — check auditd.conf(5)
  # and set them explicitly if local policy requires a specific action
  use_libwrap: 'yes'
  tcp_listen_queue: 5
  tcp_max_per_addr: 1
  tcp_client_max_idle: 0
  transport: tcp
  krb5_principal: auditd
  distribute_network: 'no'
  # dispatcher settings folded into auditd.conf (auditd >= 3)
  q_depth: 400
  overflow_action: syslog
  max_restarts: 10
  plugin_dir: /etc/audit/plugins.d

# Vendor plugin set, all shipped inactive; enable per host via auditd::plugins
auditd::plugins:
  af_unix:
    active: 'no'
    direction: out
    path: builtin_af_unix
    type: builtin
    # string (contains a space); presumably socket mode and path — confirm
    args: 0640 /var/run/audispd_events
    format: string
  au-remote:
    active: 'no'
    direction: out
    path: /sbin/audisp-remote
    type: always
    format: string
  audispd-zos-remote:
    active: 'no'
    direction: out
    path: /sbin/audispd-zos-remote
    type: always
    args: /etc/audit/zos-remote.conf
    format: string
  # syslog forwarding is a dispatcher builtin on this platform
  syslog:
    active: 'no'
    direction: out
    path: builtin_syslog
    type: builtin
    args: LOG_INFO
    format: string
---
# Platform override (target platform not shown on this page), auditd >= 3
# layout. Same daemon settings as the previous document; the syslog plugin is
# the external /sbin/audisp-syslog binary here instead of the builtin.
auditd::audisp::dir: /etc/audit
auditd::audisp::config_path: /etc/audit/auditd.conf
auditd::audisp::plugin_dir: /etc/audit/plugins.d

# 'yes'/'no' stay quoted: Auditd::Conf wants the strings, not YAML booleans
auditd::config:
  local_events: 'yes'
  write_logs: 'yes'
  log_file: /var/log/audit/audit.log
  log_group: adm
  log_format: enriched
  flush: incremental_async
  freq: 50
  max_log_file: 8
  num_logs: 5
  priority_boost: 4
  name_format: none
  max_log_file_action: rotate
  space_left: 75
  space_left_action: syslog
  verify_email: 'yes'
  action_mail_acct: root
  admin_space_left: 50
  # admin_space_left_action, disk_full_action and disk_error_action are not
  # set here, so the daemon's built-in defaults apply — check auditd.conf(5)
  use_libwrap: 'yes'
  tcp_listen_queue: 5
  tcp_max_per_addr: 1
  tcp_client_max_idle: 0
  transport: tcp
  krb5_principal: auditd
  distribute_network: 'no'
  # dispatcher settings folded into auditd.conf (auditd >= 3)
  q_depth: 400
  overflow_action: syslog
  max_restarts: 10
  plugin_dir: /etc/audit/plugins.d

# Vendor plugin set, all shipped inactive; enable per host via auditd::plugins
auditd::plugins:
  af_unix:
    active: 'no'
    direction: out
    path: builtin_af_unix
    type: builtin
    # string (contains a space); presumably socket mode and path — confirm
    args: 0640 /var/run/audispd_events
    format: string
  au-remote:
    active: 'no'
    direction: out
    path: /sbin/audisp-remote
    type: always
    format: string
  audispd-zos-remote:
    active: 'no'
    direction: out
    path: /sbin/audispd-zos-remote
    type: always
    args: /etc/audit/zos-remote.conf
    format: string
  syslog:
    active: 'no'
    direction: out
    path: /sbin/audisp-syslog
    type: always
    args: LOG_INFO
    format: string
---
# Platform override (target platform not shown on this page), auditd >= 3
# layout: log_group root, external audisp-syslog plugin, no zOS plugin, and
# the admin_space_left/disk actions set explicitly.
auditd::audisp::dir: /etc/audit
auditd::audisp::config_path: /etc/audit/auditd.conf
auditd::audisp::plugin_dir: /etc/audit/plugins.d

# 'yes'/'no' stay quoted: Auditd::Conf wants the strings, not YAML booleans
auditd::config:
  local_events: 'yes'
  write_logs: 'yes'
  log_file: /var/log/audit/audit.log
  log_group: root
  log_format: enriched
  flush: incremental_async
  freq: 50
  max_log_file: 8
  num_logs: 5
  priority_boost: 4
  name_format: none
  max_log_file_action: rotate
  space_left: 75
  space_left_action: syslog
  verify_email: 'yes'
  action_mail_acct: root
  admin_space_left: 50
  admin_space_left_action: rotate
  # NOTE(review): on a full disk or I/O error auditing only logs a message and
  # carries on; stopping actions are available (see Auditd::Conf) — confirm
  # against local policy
  disk_full_action: syslog
  disk_error_action: syslog
  use_libwrap: 'yes'
  tcp_listen_queue: 5
  tcp_max_per_addr: 1
  tcp_client_max_idle: 0
  transport: tcp
  krb5_principal: auditd
  distribute_network: 'no'
  # dispatcher settings folded into auditd.conf (auditd >= 3)
  q_depth: 400
  overflow_action: syslog
  max_restarts: 10
  plugin_dir: /etc/audit/plugins.d

# Vendor plugin set, all shipped inactive; enable per host via auditd::plugins
auditd::plugins:
  af_unix:
    active: 'no'
    direction: out
    path: builtin_af_unix
    type: builtin
    # string (contains a space); presumably socket mode and path — confirm
    args: 0640 /var/run/audispd_events
    format: string
  au-remote:
    active: 'no'
    direction: out
    path: /sbin/audisp-remote
    type: always
    format: string
  syslog:
    active: 'no'
    direction: out
    path: /sbin/audisp-syslog
    type: always
    args: LOG_INFO
    format: string
---
# Platform override (target platform not shown on this page), auditd >= 3
# layout. Key-for-key identical to the preceding document; presumably bound
# to a different platform — consider deduplicating through a shared layer of
# the Hiera hierarchy so the two cannot drift apart.
auditd::audisp::dir: /etc/audit
auditd::audisp::config_path: /etc/audit/auditd.conf
auditd::audisp::plugin_dir: /etc/audit/plugins.d

# 'yes'/'no' stay quoted: Auditd::Conf wants the strings, not YAML booleans
auditd::config:
  local_events: 'yes'
  write_logs: 'yes'
  log_file: /var/log/audit/audit.log
  log_group: root
  log_format: enriched
  flush: incremental_async
  freq: 50
  max_log_file: 8
  num_logs: 5
  priority_boost: 4
  name_format: none
  max_log_file_action: rotate
  space_left: 75
  space_left_action: syslog
  verify_email: 'yes'
  action_mail_acct: root
  admin_space_left: 50
  admin_space_left_action: rotate
  # NOTE(review): disk full / disk error only log a message here — confirm
  # against local policy (stopping actions available, see Auditd::Conf)
  disk_full_action: syslog
  disk_error_action: syslog
  use_libwrap: 'yes'
  tcp_listen_queue: 5
  tcp_max_per_addr: 1
  tcp_client_max_idle: 0
  transport: tcp
  krb5_principal: auditd
  distribute_network: 'no'
  # dispatcher settings folded into auditd.conf (auditd >= 3)
  q_depth: 400
  overflow_action: syslog
  max_restarts: 10
  plugin_dir: /etc/audit/plugins.d

# Vendor plugin set, all shipped inactive; enable per host via auditd::plugins
auditd::plugins:
  af_unix:
    active: 'no'
    direction: out
    path: builtin_af_unix
    type: builtin
    # string (contains a space); presumably socket mode and path — confirm
    args: 0640 /var/run/audispd_events
    format: string
  au-remote:
    active: 'no'
    direction: out
    path: /sbin/audisp-remote
    type: always
    format: string
  syslog:
    active: 'no'
    direction: out
    path: /sbin/audisp-syslog
    type: always
    args: LOG_INFO
    format: string
---
# Legacy layout for auditd < 3 (target platform not shown on this page): the
# dispatcher runs as a separate audispd with its own config and plugin
# directory under /etc/audisp, managed through the auditd::audisp class.
# Values are the capitalised vendor defaults (accepted by the enums in
# Auditd::Conf; see the 0.2.0 changelog entry).
auditd::config:
  local_events: 'yes'
  write_logs: 'yes'
  log_file: /var/log/audit/audit.log
  log_group: adm
  log_format: RAW
  flush: INCREMENTAL_ASYNC
  freq: 50
  max_log_file: 8
  num_logs: 5
  priority_boost: 4
  # only meaningful with the separate dispatcher: audispd binary and queue QoS
  disp_qos: lossy
  dispatcher: /sbin/audispd
  name_format: NONE
  max_log_file_action: ROTATE
  space_left: 75
  space_left_action: SYSLOG
  verify_email: 'yes'
  action_mail_acct: root
  admin_space_left: 50
  # admin_space_left_action, disk_full_action and disk_error_action are not
  # set here, so the daemon's built-in defaults apply — check auditd.conf(5)
  use_libwrap: 'yes'
  tcp_listen_queue: 5
  tcp_max_per_addr: 1
  tcp_client_max_idle: 0
  enable_krb5: 'no'
  krb5_principal: auditd
  distribute_network: 'no'

# Separate audispd.conf (keys per Auditd::Audisp::Conf)
auditd::audisp::config:
  q_depth: 250
  # action when the q_depth queue is full
  overflow_action: syslog
  priority_boost: 4
  max_restarts: 10
  name_format: hostname
  plugin_dir: /etc/audisp/plugins.d/

# Vendor plugin set for the audisp plugin directory, all shipped inactive;
# enable per host via auditd::audisp::plugins
auditd::audisp::plugins:
  af_unix:
    active: 'no'
    direction: out
    path: builtin_af_unix
    type: builtin
    # string (contains a space); presumably socket mode and path — confirm
    args: 0640 /var/run/audispd_events
    format: string
  au-prelude:
    active: 'no'
    direction: out
    path: /sbin/audisp-prelude
    type: always
    format: string
  au-remote:
    active: 'no'
    direction: out
    path: /sbin/audisp-remote
    type: always
    format: string
  audispd-zos-remote:
    active: 'no'
    direction: out
    path: /sbin/audispd-zos-remote
    type: always
    # plugin config lives under /etc/audisp in this layout
    args: /etc/audisp/zos-remote.conf
    format: string
  syslog:
    active: 'no'
    direction: out
    path: builtin_syslog
    type: builtin
    args: LOG_INFO
    format: string
---
# Platform override (target platform not shown on this page), auditd >= 3
# layout. Differs from the earlier documents in a deeper dispatcher queue
# (q_depth 1200), an explicit end_of_event_timeout, mail on
# admin_space_left, rotate on disk full, and the builtin syslog plugin.
auditd::audisp::dir: /etc/audit
auditd::audisp::config_path: /etc/audit/auditd.conf
auditd::audisp::plugin_dir: /etc/audit/plugins.d

# 'yes'/'no' stay quoted: Auditd::Conf wants the strings, not YAML booleans
auditd::config:
  local_events: 'yes'
  write_logs: 'yes'
  log_file: /var/log/audit/audit.log
  log_group: adm
  log_format: enriched
  flush: incremental_async
  freq: 50
  max_log_file: 8
  num_logs: 5
  priority_boost: 4
  name_format: none
  max_log_file_action: rotate
  space_left: 75
  space_left_action: syslog
  verify_email: 'yes'
  action_mail_acct: root
  admin_space_left: 50
  # email depends on a working local mailer for action_mail_acct
  admin_space_left_action: email
  # NOTE(review): rotating on a full disk keeps the daemon running but the
  # oldest audit records are dropped; confirm against retention policy
  disk_full_action: rotate
  disk_error_action: syslog
  use_libwrap: 'yes'
  tcp_listen_queue: 5
  tcp_max_per_addr: 1
  tcp_client_max_idle: 0
  transport: tcp
  krb5_principal: auditd
  distribute_network: 'no'
  # dispatcher settings folded into auditd.conf (auditd >= 3)
  q_depth: 1200
  overflow_action: syslog
  max_restarts: 10
  plugin_dir: /etc/audit/plugins.d
  end_of_event_timeout: 2

# Vendor plugin set, all shipped inactive; enable per host via auditd::plugins
auditd::plugins:
  af_unix:
    active: 'no'
    direction: out
    path: builtin_af_unix
    type: builtin
    # string (contains a space); presumably socket mode and path — confirm
    args: 0640 /var/run/audispd_events
    format: string
  au-remote:
    active: 'no'
    direction: out
    path: /sbin/audisp-remote
    type: always
    format: string
  audispd-zos-remote:
    active: 'no'
    direction: out
    path: /sbin/audispd-zos-remote
    type: always
    args: /etc/audit/zos-remote.conf
    format: string
  syslog:
    active: 'no'
    direction: out
    path: builtin_syslog
    type: builtin
    args: LOG_INFO
    format: string
---
# Platform override (target platform not shown on this page), auditd >= 3
# layout. Key-for-key identical to the preceding document; presumably bound
# to a different platform — consider deduplicating through a shared layer of
# the Hiera hierarchy so the two cannot drift apart.
auditd::audisp::dir: /etc/audit
auditd::audisp::config_path: /etc/audit/auditd.conf
auditd::audisp::plugin_dir: /etc/audit/plugins.d

# 'yes'/'no' stay quoted: Auditd::Conf wants the strings, not YAML booleans
auditd::config:
  local_events: 'yes'
  write_logs: 'yes'
  log_file: /var/log/audit/audit.log
  log_group: adm
  log_format: enriched
  flush: incremental_async
  freq: 50
  max_log_file: 8
  num_logs: 5
  priority_boost: 4
  name_format: none
  max_log_file_action: rotate
  space_left: 75
  space_left_action: syslog
  verify_email: 'yes'
  action_mail_acct: root
  admin_space_left: 50
  # email depends on a working local mailer for action_mail_acct
  admin_space_left_action: email
  # NOTE(review): rotating on a full disk drops the oldest records rather than
  # stopping; confirm against retention policy
  disk_full_action: rotate
  disk_error_action: syslog
  use_libwrap: 'yes'
  tcp_listen_queue: 5
  tcp_max_per_addr: 1
  tcp_client_max_idle: 0
  transport: tcp
  krb5_principal: auditd
  distribute_network: 'no'
  # dispatcher settings folded into auditd.conf (auditd >= 3)
  q_depth: 1200
  overflow_action: syslog
  max_restarts: 10
  plugin_dir: /etc/audit/plugins.d
  end_of_event_timeout: 2

# Vendor plugin set, all shipped inactive; enable per host via auditd::plugins
auditd::plugins:
  af_unix:
    active: 'no'
    direction: out
    path: builtin_af_unix
    type: builtin
    # string (contains a space); presumably socket mode and path — confirm
    args: 0640 /var/run/audispd_events
    format: string
  au-remote:
    active: 'no'
    direction: out
    path: /sbin/audisp-remote
    type: always
    format: string
  audispd-zos-remote:
    active: 'no'
    direction: out
    path: /sbin/audispd-zos-remote
    type: always
    args: /etc/audit/zos-remote.conf
    format: string
  syslog:
    active: 'no'
    direction: out
    path: builtin_syslog
    type: builtin
    args: LOG_INFO
    format: string

Documentation

Change log

v2.1.0 (2025-04-26)

Full Changelog

Added
Fixed
  • Explicitly set numeric ordering for rules #29 (gibbs)
  • Make override.conf world readable #25 (pluijm)

v2.0.1 (2024-11-08)

Full Changelog

Added

v2.0.0 (2024-01-21)

Full Changelog

Added
  • Add Debian 12 support #23 (TheMeier)
  • Add Puppet 8 support. Drop near EOL versions. #22 (gibbs)

v1.0.4 (2023-10-02)

Full Changelog

Added

v1.0.3 (2023-01-19)

Full Changelog

Added
Fixed
  • Fix: Remove hardcoded service_name and conditionally notify service #13 (gibbs)

v1.0.2 (2022-11-24)

Full Changelog

Added
Fixed

v1.0.1 (2022-07-12)

Full Changelog

v1.0.0 (2022-07-12)

Full Changelog

Fixed
  • Manage gemfile. Manage lint rules explicitly. #7 (gibbs)

v0.9.0 (2022-04-22)

Full Changelog

Added
  • Add auditd::audisp for managing the dispatcher on older auditd versions. #6 (gibbs)
  • Add support for various RedHat family based distros #5 (gibbs)
  • Add plugin define for managing plugin configuration #4 (gibbs)

0.2.0 (2022-03-10)

Full Changelog

Added
  • Allow capitalised values. Use capitalised vendor defaults #3 (gibbs)
  • Add acceptance tests and workflow. Add Debian/Ubuntu config defaults. #2 (gibbs)
Fixed

Reference

Table of Contents

Classes
Public Classes
Private Classes
  • auditd::config: auditd configuration
  • auditd::package: auditd package management
  • auditd::service: auditd service management
Defined types
Data types

Classes

auditd

audit daemon

Parameters

The following parameters are available in the auditd class:

buffer_size

Data type: Integer

The buffer size to use

Default value: 8192

failure_mode

Data type: Integer

The failure mode (defaults to printing failure message)

Default value: 1

immutable

Data type: Boolean

Set if the configuration should be immutable

Default value: false

dir

Data type: Stdlib::Absolutepath

The auditd configuration directory path (e.g. /etc/audit)

Default value: '/etc/audit'

mode

Data type: Stdlib::Filemode

The auditd configuration directory mode

Default value: '0750'

owner

Data type: Variant[String[1], Integer]

The auditd configuration directory owner

Default value: 0

group

Data type: Variant[String[1], Integer]

The auditd configuration directory group

Default value: 0

config

Data type: Auditd::Conf

auditd.conf configuration hash

Default value: {}

config_path

Data type: Stdlib::Absolutepath

auditd.conf configuration filepath (e.g. /etc/audit/auditd.conf)

Default value: '/etc/audit/auditd.conf'

config_mode

Data type: Stdlib::Filemode

The configuration file mode

Default value: '0600'

config_owner

Data type: Variant[String[1], Integer]

The configuration file owner

Default value: 0

config_group

Data type: Variant[String[1], Integer]

The configuration file group

Default value: 0

package_name

Data type: String[1]

The package name to use

Default value: 'auditd'

package_ensure

Data type: String

The package state to set

Default value: 'installed'

package_manage

Data type: Boolean

If the auditd package should be managed

Default value: true

service_enable

Data type: Boolean

The service enable state

Default value: true

service_name

Data type: String[1]

The service name to use

Default value: 'auditd'

service_ensure

Data type: Stdlib::Ensure::Service

The service ensure state

Default value: 'running'

service_manage

Data type: Boolean

If the auditd service should be managed

Default value: true

service_override

Data type: Optional[String]

auditd service override content

Default value: undef

plugin_dir

Data type: Stdlib::Absolutepath

The plugin directory path to manage

Default value: '/etc/audit/plugins.d'

plugin_dir_mode

Data type: Stdlib::Filemode

The plugin directory mode

Default value: '0750'

plugin_dir_owner

Data type: Variant[String[1], Integer]

The plugin directory owner

Default value: 0

plugin_dir_group

Data type: Variant[String[1], Integer]

The plugin directory group

Default value: 0

plugins

Data type: Hash[String, Auditd::Plugins]

Hash of auditd plugin configuration files to create

Default value: {}

rules_dir

Data type: Stdlib::Absolutepath

The rules directory path to manage

Default value: '/etc/audit/rules.d'

rules_dir_mode

Data type: Stdlib::Filemode

The rules directory mode

Default value: '0750'

rules_dir_owner

Data type: Variant[String[1], Integer]

The rules directory owner

Default value: 0

rules_dir_group

Data type: Variant[String[1], Integer]

The rules directory group

Default value: 0

rules_file

Data type: Stdlib::Absolutepath

The rules filepath

Default value: '/etc/audit/rules.d/audit.rules'

rules_file_mode

Data type: Stdlib::Filemode

The rules file mode

Default value: '0600'

rules_file_owner

Data type: Variant[String[1], Integer]

The rules file owner

Default value: 0

rules_file_group

Data type: Variant[String[1], Integer]

The rules file group

Default value: 0

rules

Data type: Hash[String, Auditd::Rules]

Hash of auditd rules to set

Default value: {}

auditd::audisp

audit event dispatcher

Parameters

The following parameters are available in the auditd::audisp class:

dir

Data type: Stdlib::Absolutepath

The auditd configuration directory path

Default value: '/etc/audisp'

mode

Data type: Stdlib::Filemode

The auditd configuration directory mode

Default value: '0750'

owner

Data type: Variant[String[1], Integer]

The auditd configuration directory owner

Default value: 0

group

Data type: Variant[String[1], Integer]

The auditd configuration directory group

Default value: 0

config

Data type: Auditd::Audisp::Conf

audispd.conf configuration hash

Default value: {}

config_path

Data type: Stdlib::Absolutepath

audispd.conf file path

Default value: '/etc/audisp/audispd.conf'

config_mode

Data type: Stdlib::Filemode

audispd.conf file mode

Default value: '0600'

config_owner

Data type: Variant[String[1], Integer]

audispd.conf file owner

Default value: 0

config_group

Data type: Variant[String[1], Integer]

audispd.conf file group

Default value: 0

package_name

Data type: String[1]

The audisp plugins package name

Default value: 'audispd-plugins'

package_ensure

Data type: String

The package state to set

Default value: 'installed'

package_manage

Data type: Boolean

If the audisp plugin package should be managed

Default value: true

plugin_dir

Data type: Stdlib::Absolutepath

The plugin directory path to manage

Default value: '/etc/audisp/plugins.d'

plugin_dir_mode

Data type: Stdlib::Filemode

The plugin directory mode

Default value: '0750'

plugin_dir_owner

Data type: Variant[String[1], Integer]

The plugin directory owner

Default value: 0

plugin_dir_group

Data type: Variant[String[1], Integer]

The plugin directory group

Default value: 0

plugins

Data type: Hash[String, Auditd::Plugins]

Hash of audisp plugin configuration files to create

Default value: {}

Defined types

auditd::plugin

Create plugin files

Parameters

The following parameters are available in the auditd::plugin defined type:

active

Data type: Enum['yes', 'no']

Set the plugin active state.

Default value: 'yes'

direction

Data type: Enum['in', 'out']

Give a clue to the event dispatcher about which direction events flow.

Default value: 'out'

path

Data type: Variant[Stdlib::Absolutepath, String]

The absolute path to the plugin executable.

type

Data type: Enum['builtin', 'always']

Tells the dispatcher how the plugin wants to be run.

Default value: 'always'

args

Data type: Optional[String]

Pass arguments to the child program.

Default value: undef

format

Data type: Enum['binary', 'string']

Binary or string dispatcher options.

Default value: 'string'

plugin_type

Data type: Enum['auditd', 'audisp']

The plugin type

Default value: 'auditd'

mode

Data type: Stdlib::Filemode

The file mode to apply

Default value: '0600'

owner

Data type: Variant[String, Integer]

The file owner to set

Default value: 0

group

Data type: Variant[String, Integer]

The file group to set

Default value: 0

auditd::rule

Creates auditd rules

Parameters

The following parameters are available in the auditd::rule defined type:

content

Data type: Optional[String]

The rule content

Default value: undef

order

Data type: Integer[1, 1000]

The rule priority order (between 1 and 1000)

Default value: 10

Data types

Auditd::Audisp::Conf

audispd.conf configuration file parameters

Alias of

# Accepted keys of the legacy audispd.conf (auditd < 3). Every key is optional
# and the enums accept lower- or upper-case spelling.
Struct[{
    # queue between auditd and the plugins, and what to do when it is full
    Optional['q_depth']         => Integer,
    Optional['overflow_action'] => Enum['ignore', 'IGNORE', 'syslog', 'SYSLOG', 'suspend', 'SUSPEND', 'single', 'SINGLE', 'halt', 'HALT'],
    Optional['priority_boost']  => Integer[0],
    Optional['max_restarts']    => Integer[0],
    # how the node name is recorded in dispatched events; 'name' supplies the
    # value for name_format user/USER
    Optional['name_format']     => Enum['none', 'NONE', 'hostname', 'HOSTNAME', 'fqd', 'FQD', 'numeric', 'NUMERIC', 'user', 'USER'],
    Optional['name']            => String,
    Optional['plugin_dir']      => Stdlib::Absolutepath,
  }]
Auditd::Conf

auditd.conf configuration file parameters

Alias of

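# Accepted auditd.conf keys. Every key is optional; most enum values are
# accepted in lower- or upper-case spelling (vendor defaults are capitalised on
# some platforms). Multi-line Enum lists are written one value per line with
# the closing bracket on its own line.
Struct[{
    Optional['local_events']            => Enum['yes', 'no'],
    Optional['log_file']                => Stdlib::Absolutepath,
    Optional['write_logs']              => Enum['yes', 'no'],
    Optional['log_format']              => Enum['raw', 'RAW', 'enriched', 'ENRICHED'],
    Optional['log_group']               => Variant[Integer, String[1]],
    Optional['priority_boost']          => Integer[0],
    Optional['flush']                   => Enum[
      'none',
      'NONE',
      'incremental',
      'INCREMENTAL',
      'incremental_async',
      'INCREMENTAL_ASYNC',
      'data',
      'DATA',
      'sync',
      'SYNC',
    ],
    # freq only applies to the incremental flush modes (per auditd.conf(5))
    Optional['freq']                    => Integer[0],
    # dispatcher/disp_qos are only set in the legacy (separate audispd) data
    # document on this page; auditd >= 3 uses q_depth and friends below
    Optional['dispatcher']              => String,
    Optional['disp_qos']                => Enum['lossy', 'LOSSY', 'lossless', 'LOSSLESS'],
    Optional['num_logs']                => Integer[0, 999],
    # 'name' supplies the value used with name_format user/USER
    Optional['name_format']             => Enum['none', 'NONE', 'hostname', 'HOSTNAME', 'fqd', 'FQD', 'numeric', 'NUMERIC', 'user', 'USER'],
    Optional['name']                    => String,
    Optional['max_log_file']            => Integer,
    Optional['max_log_file_action']     => Enum[
      'ignore',
      'IGNORE',
      'syslog',
      'SYSLOG',
      'suspend',
      'SUSPEND',
      'rotate',
      'ROTATE',
      'keep_logs',
      'KEEP_LOGS',
    ],
    # email actions below deliver to action_mail_acct
    Optional['verify_email']            => Enum['yes', 'no'],
    Optional['action_mail_acct']        => Variant[String, Stdlib::Email],
    Optional['space_left']              => Integer,
    Optional['space_left_action']       => Enum[
      'ignore',
      'IGNORE',
      'syslog',
      'SYSLOG',
      'rotate',
      'ROTATE',
      'email',
      'EMAIL',
      'exec',
      'EXEC',
      'suspend',
      'SUSPEND',
      'single',
      'SINGLE',
      'halt',
      'HALT',
    ],
    Optional['admin_space_left']        => Variant[Integer, String],
    Optional['admin_space_left_action'] => Enum[
      'ignore',
      'IGNORE',
      'syslog',
      'SYSLOG',
      'rotate',
      'ROTATE',
      'email',
      'EMAIL',
      'exec',
      'EXEC',
      'suspend',
      'SUSPEND',
      'single',
      'SINGLE',
      'halt',
      'HALT',
    ],
    # suspend/single/halt stop or isolate the host rather than losing events
    Optional['disk_full_action']        => Enum[
      'ignore',
      'IGNORE',
      'syslog',
      'SYSLOG',
      'rotate',
      'ROTATE',
      'exec',
      'EXEC',
      'suspend',
      'SUSPEND',
      'single',
      'SINGLE',
      'halt',
      'HALT',
    ],
    Optional['disk_error_action']       => Enum[
      'ignore',
      'IGNORE',
      'syslog',
      'SYSLOG',
      'exec',
      'EXEC',
      'suspend',
      'SUSPEND',
      'single',
      'SINGLE',
      'halt',
      'HALT',
    ],
    # remote-client listener; the daemon only listens when tcp_listen_port is
    # set (per auditd.conf(5))
    Optional['tcp_listen_port']         => Integer[1, 65535],
    Optional['tcp_listen_queue']        => Integer,
    Optional['tcp_max_per_addr']        => Integer[1, 1024],
    Optional['use_libwrap']             => Enum['yes', 'no'],
    Optional['tcp_client_ports']        => Variant[Integer, String],
    Optional['tcp_client_max_idle']     => Integer,
    Optional['transport']               => Enum['tcp', 'TCP', 'krb5', 'KRB5'],
    Optional['enable_krb5']             => Enum['yes', 'no'],
    Optional['krb5_principal']          => String,
    Optional['krb5_key_file']           => Stdlib::Absolutepath,
    Optional['distribute_network']      => Enum['yes', 'no'],
    # dispatcher settings folded into auditd.conf (auditd >= 3)
    Optional['q_depth']                 => Integer,
    Optional['overflow_action']         => Enum[
      'ignore',
      'IGNORE',
      'syslog',
      'SYSLOG',
      'suspend',
      'SUSPEND',
      'single',
      'SINGLE',
      'halt',
      'HALT',
    ],
    Optional['max_restarts']            => Integer[0],
    Optional['plugin_dir']              => Stdlib::Absolutepath,
    Optional['end_of_event_timeout']    => Integer[0],
  }]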
Auditd::Plugins

auditd plugin parameters

Alias of

# Per-plugin keys for auditd::plugins / auditd::audisp::plugins. 'path' is the
# only required key; the rest fall back to the auditd::plugin defaults listed
# in the reference (active 'yes', direction 'out', type 'always', format
# 'string', plugin_type 'auditd', mode '0600', owner/group 0).
Struct[{
    Optional['active']      => Enum['yes', 'no'],
    Optional['direction']   => Enum['in', 'out'],
    # executable path, or a builtin_* name for the dispatcher's own plugins
    'path'                  => Variant[Stdlib::Absolutepath, String],
    Optional['type']        => Enum['builtin', 'always'],
    Optional['args']        => String,
    Optional['format']      => Enum['binary', 'string'],
    Optional['plugin_type'] => Enum['auditd', 'audisp'],
    Optional['mode']        => Stdlib::Filemode,
    Optional['owner']       => Variant[String, Integer],
    Optional['group']       => Variant[String, Integer],
  }]
Auditd::Rules

auditd rule parameters

Alias of

# Per-rule keys for auditd::rules. Both are optional: without content the
# hash key presumably serves as the rule text (as in the title-only
# auditd::rule example above — confirm in the define).
Struct[{
    Optional['content'] => String,
    # NOTE(review): the auditd::rule reference documents order as
    # Integer[1, 1000]; this alias caps it at 999 — confirm which is intended
    Optional['order']   => Integer[1, 999],
  }]