Commit effe1b04 authored by Adam Lewenberg's avatar Adam Lewenberg

release/001.007: ignore some syslog complaints on wheezy servers

parent 1ec3aae4
release/001.007 (2015-07-29)
Add a filter-syslog file on wheezy machines to ignore complaints about
innocuous file permissions on audispd. (adamhl)
release/001.006 (2015-03-24)
Allow the specification of custom rules as a file or a
......
# On wheezy we want to ignore these kind of errors:
#
# 2015-07-28T23:45:01.850038-07:00 ldap-test0 auditd[4506]: /sbin/audispd permissions should be 0750
# 2015-07-28T23:45:01.850149-07:00 ldap-test0 auditd[4506]: config change requested by pid=17795 auid=0 subj=?
# 2015-07-28T23:45:01.850222-07:00 ldap-test0 auditd[4506]: audit(1438152301.850:2396) config changed, auid=0 pid=17795 subj=? res
=success
#
# See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640866
/.*.sbin.audispd permissions should be 0750.*/ ... /.*config changed, auid=.* pid=.* subj=. res=success.*/
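Review bot: The end pattern on the rule line, `/.*config changed, auid=.* pid=.* subj=. res=success.*/`, accepts any auid and pid. If `...` is a start-to-end range, every auditd configuration change that follows the audispd permissions complaint is dropped from the filtered report, along with any unrelated lines logged in between. Since the complaint appears to be emitted on each reload, a config change made from an unexpected login uid would likely be hidden as well. I would narrow both ends to the auditd tag and pin the expected uid, assuming the filter accepts Perl-style regexes: `/.*auditd\[\d+\]: .sbin.audispd permissions should be 0750.*/ ... /.*auditd\[\d+\]: audit\(.*\) config changed, auid=0 pid=\d+ subj=. res=success.*/`. If the `=success` continuation in the sample comment is a real line in the file rather than a rendering wrap, it is missing its `#` prefix.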
......@@ -77,7 +77,7 @@ define audit::auditd (
ensure => 'present',
content => template('audit/etc/rsyslog.d/50-audisp-remote.conf.erb'),
}
# Test the simplification of auditd logging
if $simplify == 'NONE' {
package { 'stanford-auditd-tools': ensure => absent }
......@@ -132,6 +132,15 @@ define audit::auditd (
ensure => present,
source => 'puppet:///modules/audit/etc/cron.d/auditd-restart',
}
# On wheezy we want to ignore complaints about audispd's permissions.
if ($::lsbdistcodename == 'wheezy') {
file { '/etc/filter-syslog/auditd-wheezy':
ensure => present,
source => 'puppet:///modules/audit/etc/filter-syslog/auditd-wheezy',
}
}
}
'absent': {
......@@ -144,9 +153,11 @@ define audit::auditd (
'/etc/audit/audit.rules': ensure => absent;
'/etc/audit/auditd.conf': ensure => absent;
'/etc/audisp/audispd.conf': ensure => absent;
'/etc/filter-syslog/auditd-wheezy': ensure => absent;
}
}
default: {
fail('Call to audit::auditd does not include ensure')
}
......
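Review bot: The new `file { '/etc/filter-syslog/auditd-wheezy': }` resource in the wheezy branch sets no `owner`, `group` or `mode`, so the permissions of a file that decides which auditd messages are suppressed depend on defaults that are not visible in these hunks. I would state them explicitly, `owner => 'root', group => 'root', mode => '0644',`, so the rule file cannot end up writable by a non-root account. The resource also has no visible `require` on whatever creates `/etc/filter-syslog`, so on a host without that directory the apply would presumably fail; a short comment naming the package that provides it would help. The enclosing `define audit::auditd` starts and ends outside the hunks shown.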