kemra102 · achevalet · Nov 9, 2020
diff --git a/manifests/audisp/plugin.pp b/manifests/audisp/plugin.pp
@@ -1,11 +1,11 @@
 define auditd::audisp::plugin (
-  $active    = true,
-  $direction = 'out',
-  $path      = undef,
-  $type      = 'always',
-  $args      = undef,
-  $format    = 'string',
-
+  $active     = true,
+  $direction  = 'out',
+  $path       = undef,
+  $type       = 'always',
+  $args       = undef,
+  $format     = 'string',
+  $audisp_dir = $::auditd::params::audisp_dir
 ) {
 
   validate_bool($active)
@@ -27,7 +27,7 @@
     $real_active = 'no'
   }
 
-  file { "/etc/audisp/plugins.d/${name}.conf":
+  file { "${audisp_dir}/plugins.d/${name}.conf":
     ensure  => 'file',
     owner   => 'root',
     group   => 'root',

diff --git a/manifests/audisp/syslog.pp b/manifests/audisp/syslog.pp
@@ -1,11 +1,13 @@
 class auditd::audisp::syslog (
   $args = 'LOG_INFO',
+  $path = $::auditd::params::syslog_path,
+  $type = $::auditd::params::syslog_type,
 
 ) {
 
   auditd::audisp::plugin { 'syslog':
-    path    => 'builtin_syslog',
-    type    => 'builtin',
+    path    => $path,
+    type    => $type,
     args    => $args,
     require => Package['auditd'],
   }

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -370,6 +370,7 @@
   $audisp_max_restarts     = $::auditd::params::audisp_max_restarts,
   $audisp_name_format      = $::auditd::params::audisp_name_format,
   $audisp_name             = $::auditd::params::audisp_name,
+  $has_audisp_config       = $::auditd::params::has_audisp_config,
 
   # Service management variables
   $manage_service          = $::auditd::params::manage_service,
@@ -463,7 +464,6 @@
     alias  => 'auditd',
     before => [
       File['/etc/audit/auditd.conf'],
-      File['/etc/audisp/audispd.conf'],
       Concat[$rules_file],
     ],
   }
@@ -500,16 +500,22 @@
     content => template('auditd/audit.rules.begin.fragment.erb'),
     order   => 0
   }
-  file { '/etc/audisp/audispd.conf':
-    ensure  => 'file',
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0640',
-    content => template('auditd/audispd.conf.erb'),
+  if($has_audisp_config) {
+    file { '/etc/audisp/audispd.conf':
+      ensure  => 'file',
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0640',
+      content => template('auditd/audispd.conf.erb'),
+      require => Package[$package_name],
+    }
+    if ($manage_service) {
+      File['/etc/audisp/audispd.conf'] ~> Service['auditd']
+    }
   }
 
   # If a hash of rules is supplied with class then call auditd::rules defined type to apply them
-  $rules.each |$key,$opts| { 
+  $rules.each |$key,$opts| {
     auditd::rule { $key:
       * => pick($opts,{}),
     }
@@ -525,7 +531,6 @@
       stop      => $service_stop,
       subscribe => [
         File['/etc/audit/auditd.conf'],
-        File['/etc/audisp/audispd.conf'],
         Concat[$rules_file],
       ],
     }

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -7,6 +7,10 @@
       $audisp_package     = 'audispd-plugins'
       $manage_audit_files = false
       $rules_file         = '/etc/audit/rules.d/audit.rules'
+      $has_audisp_config  = true
+      $audisp_dir         = '/etc/audisp'
+      $syslog_path        = 'builtin_syslog'
+      $syslog_type        = 'builtin'
 
       case $::lsbmajdistrelease {
         '8': {
@@ -21,6 +25,10 @@
     }
     'Suse': {
       $package_name       = 'audit'
+      $has_audisp_config  = true
+      $audisp_dir         = '/etc/audisp'
+      $syslog_path        = 'builtin_syslog'
+      $syslog_type        = 'builtin'
       if versioncmp($::operatingsystemrelease, '12') >= 0 and $::operatingsystem == 'SLES' {
         $audisp_package     = 'audit-audispd-plugins'
         $manage_audit_files = true
@@ -41,6 +49,18 @@
       $audisp_package     = 'audispd-plugins'
       $manage_audit_files = true
 
+      if versioncmp($::operatingsystemrelease, '8') >= 0 {
+        $has_audisp_config = false
+        $audisp_dir        = '/etc/audit'
+        $syslog_path       = '/sbin/audisp-syslog'
+        $syslog_type       = 'always'
+      } else {
+        $has_audisp_config = true
+        $audisp_dir        = '/etc/audisp'
+        $syslog_path       = 'builtin_syslog'
+        $syslog_type       = 'builtin'
+      }
+
       if $::operatingsystem != 'Amazon' and versioncmp($::operatingsystemrelease, '7') >= 0 {
         $rules_file      = '/etc/audit/rules.d/puppet.rules'
         $service_restart = '/usr/libexec/initscripts/legacy-actions/auditd/restart'
@@ -58,6 +78,10 @@
       $rules_file         = '/etc/audit/audit.rules'
       $service_restart    = '/usr/bin/kill -s SIGHUP $(cat /var/run/auditd.pid)'
       $service_stop       = '/usr/bin/kill -s SIGTERM $(cat /var/run/auditd.pid)'
+      $has_audisp_config  = true
+      $audisp_dir         = '/etc/audisp'
+      $syslog_path        = 'builtin_syslog'
+      $syslog_type        = 'builtin'
     }
     'Gentoo': {
       $package_name       = 'audit'
@@ -66,6 +90,10 @@
       $rules_file         = '/etc/audit/audit.rules'
       $service_restart    = '/etc/init.d/auditd restart'
       $service_stop       = '/etc/init.d/auditd stop'
+      $has_audisp_config  = true
+      $audisp_dir         = '/etc/audisp'
+      $syslog_path        = 'builtin_syslog'
+      $syslog_type        = 'builtin'
     }
     default: {
       fail("${::osfamily} is not supported by auditd")

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -1,5 +1,47 @@
 require 'spec_helper'
 describe 'auditd', :type => :class do
+  context 'default parameters on RedHat 8' do
+    let (:facts) {{
+      :osfamily               => 'RedHat',
+      :operatingsystem        => 'RedHat',
+      :operatingsystemrelease => '8',
+      :concat_basedir         => '/var/lib/puppet/concat',
+    }}
+    it {
+      should contain_class('auditd')
+      should contain_package('audit').with({
+        'ensure' => 'present',
+        'name'   => 'audit',
+      })
+      should contain_file('/etc/audit/auditd.conf').with({
+        'ensure' => 'file',
+        'owner'  => 'root',
+        'group'  => 'root',
+        'mode'   => '0640',
+      })
+      should contain_concat('/etc/audit/rules.d/puppet.rules').with({
+        'ensure'         => 'present',
+        'owner'          => 'root',
+        'group'          => 'root',
+        'mode'           => '0640',
+        'ensure_newline' => 'true',
+        'warn'           => 'true',
+      })
+      should_not contain_file('/etc/audisp/audispd.conf').with({
+        'ensure'  => 'file',
+        'owner'   => 'root',
+        'group'   => 'root',
+        'mode'    => '0640',
+      })
+      should contain_service('auditd').with({
+        'ensure'    => 'running',
+        'enable'    => 'true',
+        'hasstatus' => 'true',
+        'restart'   => '/usr/libexec/initscripts/legacy-actions/auditd/restart',
+        'stop'      => '/usr/libexec/initscripts/legacy-actions/auditd/stop',
+      })
+    }
+  end
   context 'default parameters on RedHat 7' do
     let (:facts) {{
       :osfamily               => 'RedHat',
@@ -30,6 +72,12 @@
       should_not contain_concat('/etc/audit/rules.d/puppet.rules').with({
         'alias' => 'audit-file',
       })
+      should contain_file('/etc/audisp/audispd.conf').with({
+        'ensure'  => 'file',
+        'owner'   => 'root',
+        'group'   => 'root',
+        'mode'    => '0640',
+      })
       should contain_service('auditd').with({
         'ensure'    => 'running',
         'enable'    => 'true',

diff --git a/templates/auditd.conf.erb b/templates/auditd.conf.erb
@@ -40,3 +40,14 @@ krb5_principal = <%= @krb5_principal %>
 <% unless @krb5_key_file.nil? %>
 krb5_key_file = <%= @krb5_key_file %>
 <% end -%>
+<% unless @has_audisp_config %>
+# Audisp settings:
+q_depth = <%= @audisp_q_depth %>
+overflow_action = <%= @audisp_overflow_action %>
+priority_boost = <%= @audisp_priority_boost %>
+max_restarts = <%= @audisp_max_restarts %>
+name_format = <%= @audisp_name_format %>
+<% if @audisp_name %>
+name = <%= @audisp_name %>
+<% end -%>
+<% end %>