Add in support for audisp-simplify

This summaries multiple lines of the audit log file nicely, but it
is not clear if it will satisfy the auditor's since there is not
connection to the original user for users that login using kerberos
to gain root access to the system.

files/etc/audisp/audispd.conf

@@ -3,7 +3,7 @@
 # dispatcher daemon, audispd.
 #
 
-q_depth = 10000
+q_depth = 32767
 overflow_action = SYSLOG
 priority_boost = 4
 max_restarts = 10

files/etc/audisp/plugins.d/simplify.conf

+active = yes
+direction = out
+path = /usr/sbin/audisp-simplify
+type = always
+format = string

files/etc/audit/audit.rules

@@ -6,17 +6,20 @@
 
 # Increase the buffers to survive stress events.
 # Make this bigger for busy systems
--b 1024
+-b 32767
 
 # The following rules create log entries to be written whenever the
 # rmdir, unlink, execve system calls exit. This will record file
 # deletion and command line executions.
--a exit,always -F arch=b32 -S execve -k exec
--a exit,always -F arch=b64 -S execve -k exec
--a exit,always -F arch=b32 -S link -S unlink -k filewrite
--a exit,always -F arch=b64 -S link -S unlink -k filewrite
--a exit,always -F arch=b32 -S mkdir -S rmdir -k filewrite
--a exit,always -F arch=b64 -S mkdir -S rmdir -k filewrite
+-a exit,always -F arch=b32 -S execve -k EXEC
+-a exit,always -F arch=b64 -S execve -k EXEC
+-a exit,always -F arch=b64 -S bind       -k BIND       -F exit!=-2
+-a exit,always -F arch=b64 -S connect    -k CONNECT    -F exit!=-2
+-a exit,always -F arch=b32 -S socketcall -k SOCKETCALL -F exit!=-2
+-a exit,always -F arch=b32 -S link -S unlink -k FILEWRITE
+-a exit,always -F arch=b64 -S link -S unlink -k FILEWRITE
+-a exit,always -F arch=b32 -S mkdir -S rmdir -k FILEWRITE
+-a exit,always -F arch=b64 -S mkdir -S rmdir -k FILEWRITE
 
 # The following rules create log entries when the critical system 
 # files are created or deleted.

files/etc/newsyslog.daily/audisp-simplify

+# audisp-simplify -- Rotate audisp-simplify logs
+#
+set logdir  = /var/log/%n
+set save    = /var/log/OLD/%n
+
+syslog {
+   log: audisp-simplify logdir root 0 644
+
+   archive: ldap save 30
+}

manifests/auditd.pp

@@ -31,6 +31,7 @@ define audit::auditd (
   $max_log_file        = 1000,
   $max_log_file_action = 'ROTATE',
   $num_logs            = 5,
+  $simplify            = 'NONE',
   $space_left          = 5000,
   $space_left_action   = 'SYSLOG',
   $ensure
@@ -65,7 +66,7 @@ define audit::auditd (
 
       # Where to send the audit
       file {
-        '/etc/audisp/audispd.conf': 
+        '/etc/audisp/audispd.conf':
           source  => 'puppet:///modules/audit/etc/audisp/audispd.conf',
           require => Package['auditd'];
         '/etc/audisp/plugins.d/au-remote.conf':
@@ -76,13 +77,29 @@ define audit::auditd (
           require => Package['auditd'];
       }
 
+      # Test the simplification of auditd logging
+      if $simplify != 'NONE' {
+        package {
+          'stanford-auditd-tools': ensure => installed;
+        }
+        file {
+          '/etc/audisp/plugins.d/simplify.conf':
+            source  => 'puppet:///modules/audit/etc/audisp/plugins.d/simplify.conf',
+            require => Package['auditd'];
+          '/etc/newsyslog.daily/audisp-simplify':
+            mode    => 644,
+            source  => "puppet:///modules/audit/etc/newsyslog.daily/audisp-simplify",
+            require => Package['newsyslog'];
+        }
+      }
+
       # There appears to be a memory leak that is causing auditd to
       # consume swap space.  Restarting once a week fixes this.
       file { '/etc/cron.d/auditd-restart':
         ensure => present,
         source => 'puppet:///modules/audit/etc/cron.d/auditd-restart',
       }
-      
+
       # The only difference about a sink server is that it allows
       # remote connections.
       if $sink_server {