Commit 4d18f1c6 authored by Adam Lewenberg's avatar Adam Lewenberg

initial refactoring

parent 21c9529b
......@@ -8,35 +8,38 @@
# GSSAPI.
#
# For the central logging server the sink_server variable should be set to
# true. For the client servers server no configuration is require as long
# true. For the client servers server no configuration is required as long
# as the sink server default is acceptable.
#
# Example client server:
#
# audit::auditd { "{$::hostname}.stanford.edu": ensure => present }
#
# $use_sink_server: set to true if you want to forward auditd logs to the
# $use_logsink_server: set to true if you want to forward auditd logs to the
# legacy log-sink server, false otherwise. Eventually, the log-sink
# server will go away as we are moving to Splunk and ELK.
# Default: true
#
# $copy_to_syslog: set to true to send audit logs to the syslog socket.
# $simplify: enable the audisp plugin "audisp-simplify". This sends a
# simplified version of the audit logs to /var/log/audisp-simplify. If
# $simplify is set to true and $use_logsink_server is also set to true,
# rsyslog will forward lines from /var/log/audisp-simplify to the
# logsink server.
# Default: true
define audit::auditd (
$content = 'NONE',
$source = 'NONE',
$source_simplify = 'NONE',
$client_source_port = '650',
$max_log_file = 1000,
$max_log_file_action = 'ROTATE',
$num_logs = 5,
$simplify = 'true',
$simplify = true,
$syslog_server = 'logsink.stanford.edu',
$use_logsink_server = true,
$space_left = 5000,
$space_left_action = 'SYSLOG',
$copy_to_syslog = true,
$ensure
) {
......@@ -85,103 +88,39 @@ define audit::auditd (
require => Package['auditd'];
}
if ($copy_to_syslog) {
file {'/etc/audisp/plugins.d/syslog.conf':
source => "$afile/etc/audisp/plugins.d/syslog.conf",
require => Package['auditd'],
# Setup audisp-simplify.
if ($simplify) {
class { 'audit::auditd::simplify':
ensure => present,
use_logsink_server => $use_logsink_server,
}
} else {
file {'/etc/audisp/plugins.d/syslog.conf':
class { 'audit::auditd::simplify':
ensure => absent,
}
}
# This fragment forwards to the log-sink server, so only
# provision if $use_logsink_server is true.
# Set up rsyslog to forward auditd messages to the log-sink server
# (or not).
if ($use_logsink_server) {
base::syslog::fragment {
'50-audisp-remote.conf':
ensure => 'present',
content => template('audit/etc/rsyslog.d/50-audisp-remote.conf.erb'),
}
} else {
base::syslog::fragment {
'50-audisp-remote.conf': ensure => 'absent';
}
}
# Test the simplification of auditd logging
# The 'simplify' plugin has a dependency of perl-POSIX-strptime that is
# not met on RHEL/CentOS5; quietly disabling 'simplify' in that case
if ($simplify == 'NONE' or ($::osfamily == 'RedHat' and $::lsbmajdistrelease == '5')) {
if ($::osfamily == 'RedHat' and $::lsbmajdistrelease == '5') {
# do nothing - package is not available in repos
} else {
package { 'stanford-auditd-tools': ensure => absent }
}
file {
'/etc/audisp/plugins.d/simplify.conf': ensure => absent;
'/etc/newsyslog.daily/audisp-simplify': ensure => absent;
'/etc/audisp/simplify.ignores': ensure => absent;
# In order that rsyslog sees auditd messages, we send them to
# syslog. The following audisp plugin does that:
file {'/etc/audisp/plugins.d/syslog.conf':
source => "$afile/etc/audisp/plugins.d/syslog.conf",
require => Package['auditd'],
}
base::syslog::fragment {
'05-modules-imfile.conf': ensure => 'absent';
'15-input-simplify.conf': ensure => 'absent';
'50-simplify.conf': ensure => 'absent';
base::syslog::fragment { '50-audisp-remote.conf':
ensure => 'present',
content => template('audit/etc/rsyslog.d/50-audisp-remote.conf.erb'),
}
} else {
package {
'stanford-auditd-tools': ensure => installed;
}
file {
'/etc/audisp/plugins.d/simplify.conf':
source => "$afile/etc/audisp/plugins.d/simplify.conf",
require => Package['auditd'];
'/etc/newsyslog.daily/audisp-simplify':
mode => '0644',
source => "$afile/etc/newsyslog.daily/audisp-simplify",
require => Package['newsyslog'];
base::syslog::fragment { '50-audisp-remote.conf':
ensure => 'absent',
}
# Allow custom simplify.ignores
if $simplify_ignores != 'NONE' {
file { '/etc/audisp/simplify.ignores':
source => $simplify_ignores,
require => Package['stanford-auditd-tools'],
}
}
# Send audisp-simplify to syslog server
if $simplify_syslog == 'NONE' {
base::syslog::fragment {
'05-modules-imfile.conf': ensure => 'absent';
'15-input-simplify.conf': ensure => 'absent';
'40-simplify.conf': ensure => 'absent';
}
} else {
$syslog_tag = 'audispSimplify'
base::syslog::fragment {
'05-modules-imfile.conf':
ensure => 'present',
source => "$bfile/etc/rsyslog.d/05-modules-imfile.conf";
'15-input-simplify.conf':
ensure => 'present',
content => template('audit/etc/rsyslog.d/15-input-simplify.conf.erb');
}
# This fragment forwards to the log-sink server, so only
# provision if $use_logsink_server is true.
if ($use_logsink_server) {
base::syslog::fragment {
'40-simplify.conf':
ensure => 'present',
content => template('audit/etc/rsyslog.d/40-simplify.conf.erb');
}
} else {
base::syslog::fragment {
'40-simplify.conf': ensure => 'absent';
}
}
file {'/etc/audisp/plugins.d/syslog.conf':
ensure => absent,
}
}
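Review bot: `if ($simplify)` on the "Setup audisp-simplify" line changes the disable semantics of `$simplify` without a compatibility path: the removed code treated the string `'NONE'` as "simplify off" (`if ($simplify == 'NONE' or ...)`), but Puppet evaluates a non-empty string as true, so a caller still passing `simplify => 'NONE'` — or the old string default `'true'`, kept for the `$simplify = 'true'` → `$simplify = true` change in the first hunk — now enables the audisp-simplify plugin instead of disabling it; either accept only booleans and document that in the header comment, or keep a guard such as `if ($simplify and $simplify != 'NONE') {`. Second, `$copy_to_syslog = true` survives in the define's signature (first hunk) and its header comment, but its only visible use, the removed `if ($copy_to_syslog)` around `/etc/audisp/plugins.d/syslog.conf`, is gone and the syslog audisp plugin appears to be keyed on `$use_logsink_server` instead, so a caller that set `copy_to_syslog => false` to keep audit records off the syslog socket will now get them copied there whenever forwarding is on — unless the parameter is referenced elsewhere in the define outside these hunks, either drop it (and its comment) or keep gating the `syslog.conf` plugin file on it. The define body continues past this hunk, so the exact placement of the `ensure => absent` branch for `syslog.conf` cannot be confirmed from here.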
......@@ -199,30 +138,34 @@ define audit::auditd (
source => 'puppet:///modules/audit/etc/filter-syslog/auditd-wheezy',
}
}
}
'absent': {
package {
'auditd': ensure => purged;
'audispd-plugins': ensure => purged;
}
if ($::osfamily == 'RedHat' and $::lsbmajdistrelease == '5') {
# do nothing - package is not available in repos
} else {
package { 'stanford-auditd-tools': ensure => purged }
'auditd': ensure => purged;
'audispd-plugins': ensure => purged;
}
file {
'/etc/audit/auditd.keytab': ensure => absent;
'/etc/audit/audit.rules': ensure => absent;
'/etc/audit/auditd.conf': ensure => absent;
'/etc/audisp/audispd.conf': ensure => absent;
'/etc/filter-syslog/auditd-wheezy': ensure => absent;
'/etc/cron.d/auditd-restart': ensure => absent;
'/etc/newsyslog.daily/audisp-simplify': ensure => absent;
'/etc/audit/auditd.keytab': ensure => absent;
'/etc/audit/audit.rules': ensure => absent;
'/etc/audit/auditd.conf': ensure => absent;
'/etc/audisp/audispd.conf': ensure => absent;
'/etc/filter-syslog/auditd-wheezy': ensure => absent;
'/etc/cron.d/auditd-restart': ensure => absent;
}
}
# In case 50-audisp-remote.conf got installed, remove it:
base::syslog::fragment { '50-audisp-remote.conf':
ensure => 'absent',
}
# Make sure that nothing related to audisp-simplify is installed.
class { 'audit::auditd::simplify':
ensure => absent,
}
}
default: {
fail('Call to audit::auditd does not include ensure')
# Enable the audisp plugin "audisp-simplify". This plugin sends a
# simplified version of the audit logs to /var/log/audisp-simplify.
#
# The 'simplify' plugin has a dependency of perl-POSIX-strptime that is
# not met on RHEL/CentOS5. In this case, do nothing.
class audit::auditd::simplify (
$ensure = present,
$use_logsink_server = true,
) {
$afile = 'puppet:///modules/audit'
$bfile = 'puppet:///modules/base/syslog'
# Force absent for RHEL/CentOS5
if ($::osfamily == 'RedHat' and $::lsbmajdistrelease == '5') {
$ensure_real = absent
} else {
$ensure_real = $ensure
}
if ($ensure_real == present) {
## PRESENT
package {'stanford-auditd-tools': ensure => installed }
# Install the file that enables the audisp plugin 'audisp-simplify'
file { '/etc/audisp/plugins.d/simplify.conf':
source => "$afile/etc/audisp/plugins.d/simplify.conf",
require => Package['auditd'],
}
# Make sure /var/log/audisp-simplify is rotated.
file { '/etc/newsyslog.daily/audisp-simplify':
mode => '0644',
source => "$afile/etc/newsyslog.daily/audisp-simplify",
require => Package['newsyslog'],
}
# Are we sending logs to logsink server? If so, we have some
# setting up to do.
#
# 05-modules-imfile.conf: tell rsyslogd to load the "file-reader"
# module, that is, treat the lines of a text file
# like syslog messages.
# 15-input-simplify.conf: read lines from /var/log/audisp-simplify as
# syslog messages tagging each line with
# "audispSimplify".
# 40-simplify.conf: each message tagged with "audispSimplify"
# should be forwarded to the log-sink server.
if ($use_logsink_server) {
# USING LOGSINK SERVER
$syslog_tag = 'audispSimplify'
base::syslog::fragment {
'05-modules-imfile.conf':
ensure => 'present',
source => "$bfile/etc/rsyslog.d/05-modules-imfile.conf";
'15-input-simplify.conf':
ensure => 'present',
content => template('audit/etc/rsyslog.d/15-input-simplify.conf.erb');
'40-simplify.conf':
ensure => 'present',
content => template('audit/etc/rsyslog.d/40-simplify.conf.erb');
}
} else {
# NOT USING LOGSINK SERVER
base::syslog::fragment {
'05-modules-imfile.conf': ensure => 'absent';
'15-input-simplify.conf': ensure => 'absent';
'40-simplify.conf': ensure => 'absent';
}
}
} else {
## ABSENT
if ($::osfamily == 'RedHat' and $::lsbmajdistrelease == '5') {
# Do nothing - package is not available in repos
} else {
package { 'stanford-auditd-tools': ensure => absent }
}
# Remove files that setup audisp-simplify:
file {
'/etc/audisp/plugins.d/simplify.conf': ensure => absent;
'/etc/newsyslog.daily/audisp-simplify': ensure => absent;
'/etc/audisp/simplify.ignores': ensure => absent;
}
# Remove any rsyslog files related to audisp-simplify:
base::syslog::fragment {
'05-modules-imfile.conf': ensure => 'absent';
'15-input-simplify.conf': ensure => 'absent';
'40-simplify.conf': ensure => 'absent';
}
}
}
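Review bot: The `## PRESENT` branch of `audit::auditd::simplify` never manages `/etc/audisp/simplify.ignores`, while the `## ABSENT` branch still removes it; the define code this replaces deployed that file from a `$simplify_ignores` source (`if $simplify_ignores != 'NONE' { file { '/etc/audisp/simplify.ignores': ... } }`), so after this refactor a previously deployed ignore list stays on disk unmanaged (and presumably keeps shaping what the simplified log contains) and a site that relied on that parameter has no replacement. If dropping custom ignores is intentional, state it in the header comment; otherwise add a `$simplify_ignores = 'NONE'` parameter and the corresponding `file` resource under `## PRESENT`. Note also that the absent branch uses `package { 'stanford-auditd-tools': ensure => absent }` where the define's old `'absent'` case used `ensure => purged`, so on Debian-family hosts the package's configuration files are now left behind — worth a `# absent, not purged: ...` comment if deliberate. Finally, because this class is declared resource-style from inside the `audit::auditd` define, a node that declares `audit::auditd` more than once would hit a duplicate class declaration; that may be acceptable for a one-per-host define, but it is worth a sentence in the header.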