Commit 87728a7f authored by Bill MacAllister

Change the default to generate /var/log/audisp-simplify output and to

send the results to the logsink server.
parent be6b1dd5
release/001.002 (2015-02-17)
Change the default to generate /var/log/audisp-simplify output
and to send the results to the logsink server. (whm)
release/001.001 (2015-02-17)
Initial release of auditd puppet support. (whm)
......@@ -31,12 +31,17 @@ define audit::auditd (
$max_log_file = 1000,
$max_log_file_action = 'ROTATE',
$num_logs = 5,
$simplify = 'NONE',
$simplify,
$simplify_syslog = 'logsink.stanford.edu',
$space_left = 5000,
$space_left_action = 'SYSLOG',
$ensure
) {
# An attempt to make the manifest more readable
$afile = 'puppet:///modules/audit'
$bfile = 'puppet:///modules/base/syslog'
case $ensure {
'present': {
......@@ -57,7 +62,7 @@ define audit::auditd (
# What to audit
file {
'/etc/audit/audit.rules':
source => 'puppet:///modules/audit/etc/audit/audit.rules',
source => "$afile/etc/audit/audit.rules",
require => Package['auditd'];
'/etc/audit/auditd.conf':
content => template('audit/etc/audit/auditd.conf.erb'),
......@@ -67,10 +72,10 @@ define audit::auditd (
# Where to send the audit
file {
'/etc/audisp/audispd.conf':
source => 'puppet:///modules/audit/etc/audisp/audispd.conf',
source => "$afile/etc/audisp/audispd.conf",
require => Package['auditd'];
'/etc/audisp/plugins.d/au-remote.conf':
source => 'puppet:///modules/audit/etc/audisp/plugins.d/au-remote.conf',
source => "$afile/etc/audisp/plugins.d/au-remote.conf",
require => Package['auditd'];
'/etc/audisp/audisp-remote.conf':
content => template('audit/etc/audisp/audisp-remote.conf.erb'),
......@@ -78,19 +83,51 @@ define audit::auditd (
}
# Test the simplification of auditd logging
if $simplify != 'NONE' {
if $simplify == 'NONE' {
package { 'stanford-auditd-tools': ensure => absent }
file {
'/etc/audisp/plugins.d/simplify.conf': ensure => absent;
'/etc/newsyslog.daily/audisp-simplify': ensure => absent;
}
base::syslog::fragment {
'05-modules-imfile.conf': ensure => 'absent';
'15-input-simplify.conf': ensure => 'absent';
'50-simplify.conf': ensure => 'absent';
}
} else {
package {
'stanford-auditd-tools': ensure => installed;
}
file {
'/etc/audisp/plugins.d/simplify.conf':
source => 'puppet:///modules/audit/etc/audisp/plugins.d/simplify.conf',
source => "$afile/etc/audisp/plugins.d/simplify.conf",
require => Package['auditd'];
'/etc/newsyslog.daily/audisp-simplify':
mode => 644,
source => "puppet:///modules/audit/etc/newsyslog.daily/audisp-simplify",
source => "$afile/etc/newsyslog.daily/audisp-simplify",
require => Package['newsyslog'];
}
# Send audisp-simplify to syslog server
if $simplify_syslog == 'NONE' {
base::syslog::fragment {
'05-modules-imfile.conf': ensure => 'absent';
'15-input-simplify.conf': ensure => 'absent';
'40-simplify.conf': ensure => 'absent';
}
} else {
$syslog_tag = 'audispSimplify'
base::syslog::fragment {
'05-modules-imfile.conf':
ensure => 'present',
source => "$bfile/etc/rsyslog.d/05-modules-imfile.conf";
'15-input-simplify.conf':
ensure => 'present',
content => template('audit/etc/rsyslog.d/15-input-simplify.conf.erb');
'40-simplify.conf':
ensure => 'present',
content => template('audit/etc/rsyslog.d/40-simplify.conf.erb');
}
}
}
# There appears to be a memory leak that is causing auditd to
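Review bot: The `$simplify == 'NONE'` branch removes a fragment titled `'50-simplify.conf'`, but the else branch creates the forwarding fragment as `'40-simplify.conf'` (both in the absent list under `$simplify_syslog == 'NONE'` and in the present list), so switching simplify off leaves 40-simplify.conf and its omfwd action on the host; the absent entry should read `'40-simplify.conf': ensure => 'absent';`. The first hunk of this file also replaces `$simplify = 'NONE',` with a bare `$simplify,`, which makes the parameter required instead of changing its default as the commit message says; if the intent is a default that enables simplify, that default needs to be written out, otherwise the message should say the parameter is now mandatory. A smaller point of style: the new interpolations are written as `"$afile/..."` where the Puppet style guide prefers `"${afile}/..."`. The enclosing `define audit::auditd` starts before the first hunk and its body continues past the last one.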
......
# audisp-simplify output
input(type="imfile" File="/var/log/audisp-simplify"
Tag="<%= @syslog_tag %>"
Severity="info"
PersistStateInterval="20000"
StateFile="stat-audisp-simplify")
# Forward apache logs onto the syslog server
if $syslogtag == "<%= @syslog_tag %>" then {
action(type="omfwd"
name = "<%= @syslog_tag %>Remote"
Target = "<%= @simplify_syslog %>"
Port = "10514"
protocol = "tcp"
queue.Type = "LinkedList"
queue.FileName = "apacheAccessRemoteQueue"
queue.size = "4000000"
queue.HighWaterMark = "3000000"
queue.LowWaterMark = "10000"
queue.WorkerThreads = "10"
queue.TimeoutEnqueue = "0"
queue.MaxDiskSpace = "2g"
queue.MaxFileSize = "100m"
action.ResumeRetryCount = "-1"
template="ForwardFormat")
stop
}
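Review bot: The omfwd action reuses `queue.FileName = "apacheAccessRemoteQueue"`, and the comment above the rule still reads `# Forward apache logs onto the syslog server`, both apparently carried over from an apache template; a disk-assisted queue's file name must be unique within the rsyslog work directory, so if another action on the same host uses that name the two queues will share spool files. Suggest `queue.FileName = "audispSimplifyRemoteQueue"` and `# Forward audisp-simplify records to the syslog server`. The audit records also leave the host over plain TCP on port 10514 with no stream driver configured, so they cross the network in cleartext; where the path to the logsink is not trusted, the action should use rsyslog's TLS stream driver (`StreamDriver="gtls"` with a StreamDriverMode and StreamDriverAuthMode), and otherwise a short comment in the template stating why cleartext forwarding is acceptable would help the next maintainer.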