Commenting out BIND and CONNECT, simplify.ignore enhancement

files/etc/audit/audit.rules

@@ -13,8 +13,9 @@
 # deletion and command line executions.
 -a exit,always -F arch=b32 -S execve -k EXEC
 -a exit,always -F arch=b64 -S execve -k EXEC
--a exit,always -F arch=b64 -S bind       -k BIND       -F exit!=-2
--a exit,always -F arch=b64 -S connect    -k CONNECT    -F exit!=-2
+# Uncomment if you want BIND and CONNECT events to be logged
+#-a exit,always -F arch=b64 -S bind       -k BIND       -F exit!=-2
+#-a exit,always -F arch=b64 -S connect    -k CONNECT    -F exit!=-2
 -a exit,always -F arch=b32 -S socketcall -k SOCKETCALL -F exit!=-2
 -a exit,always -F arch=b32 -S link -S unlink -k FILEWRITE
 -a exit,always -F arch=b64 -S link -S unlink -k FILEWRITE

manifests/auditd.pp

@@ -18,6 +18,7 @@
 define audit::auditd (
   $content             = 'NONE',
   $source              = 'NONE',
+  $source_simplify     = 'NONE',
   $client_source_port  = '650',
   $max_log_file        = 1000,
   $max_log_file_action = 'ROTATE',
@@ -90,6 +91,7 @@ define audit::auditd (
         file {
           '/etc/audisp/plugins.d/simplify.conf':  ensure => absent;
           '/etc/newsyslog.daily/audisp-simplify': ensure => absent;
+          '/etc/audisp/simplify.ignores':         ensure => absent;
         }
         base::syslog::fragment {
           '05-modules-imfile.conf': ensure => 'absent';
@@ -109,6 +111,13 @@ define audit::auditd (
             source  => "$afile/etc/newsyslog.daily/audisp-simplify",
             require => Package['newsyslog'];
         }
+        # Allow custom simplify.ignores
+        if $simplify_ignores != 'NONE' {
+          file { '/etc/audisp/simplify.ignores':
+            source  => $simplify_ignores,
+            require => Package['stanford-auditd-tools'],
+          }
+        }
         # Send audisp-simplify to syslog server
         if $simplify_syslog == 'NONE' {
           base::syslog::fragment {