- Description
- Setup - The basics of getting started with goaudit
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
This module allows you to manage Go-Audit using Puppet. The module manages the package, service and configuration files for Go-Audit.

The package name is assumed to be `goaudit`, installed via the default package provider for your system. It is assumed that such a package exists. This assumption may not hold true for your platform as-is, and you may need to provide such a package yourself. The module does not contain logic for installing Go-Audit by any other method.
The module depends on the Datacat module for composing the Go-Audit YAML config file.
To install Go-Audit with a default configuration:

```puppet
class { '::goaudit': }
```

### Manage rules

```puppet
goaudit::rule { 'TLS private key access':
  order   => '50',
  comment => 'Reads, writes and attribute changes on TLS private keys',
  content => [
    '-w /etc/ssl/private/foo.key -p rwa -k tls-key-access',
    '-w /etc/ssl/private/bar.key -p rwa -k tls-key-access',
  ],
}
```
### Manage filters

```puppet
goaudit::filter { 'reduce the number of connect syscall events being logged':
  syscall      => 49,   # bind
  message_type => 1306, # AUDIT_SOCKADDR
  # 0200....7F - ipv4 on any port to 127.x.x.x
  # 01         - local/unix domain sockets
  regex        => 'saddr=(0200....7F|01)',
}
```
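To see what that filter actually drops, the following Python (an added example, not code from this module or from go-audit) decodes the hex `saddr=` value carried in an AUDIT_SOCKADDR (1306) record and applies the regex above to constructed sample values. It assumes an x86-64 host (little-endian `sa_family`) and record text in which the value appears as `saddr=<hex>`.

```python
import re
import socket
import struct

# The filter regex from the usage example above, applied to AUDIT_SOCKADDR (1306) text.
FILTER_REGEX = re.compile(r"saddr=(0200....7F|01)")


def decode_saddr(hex_saddr: str) -> dict:
    """Decode the hex-encoded struct sockaddr the kernel logs in saddr=.
    Assumes an x86-64 host: sa_family is little-endian, ports are network order."""
    raw = bytes.fromhex(hex_saddr)
    family = struct.unpack("<H", raw[:2])[0]
    if family == socket.AF_INET:      # sockaddr_in: family, port, addr, padding
        return {"family": "AF_INET", "port": struct.unpack("!H", raw[2:4])[0],
                "addr": socket.inet_ntop(socket.AF_INET, raw[4:8])}
    if family == socket.AF_INET6:     # sockaddr_in6: family, port, flowinfo, addr, scope
        return {"family": "AF_INET6", "port": struct.unpack("!H", raw[2:4])[0],
                "addr": socket.inet_ntop(socket.AF_INET6, raw[8:24])}
    if family == socket.AF_UNIX:      # sockaddr_un: family, NUL-terminated path
        return {"family": "AF_UNIX",
                "path": raw[2:].split(b"\x00", 1)[0].decode(errors="replace")}
    return {"family": family, "raw": hex_saddr}


def filter_drops(record_text: str) -> bool:
    """True if the filter would drop the message group containing this record."""
    return FILTER_REGEX.search(record_text) is not None


# Constructed saddr values (not captured logs) showing what the regex does and does not cover.
SAMPLES = {
    "ipv4 loopback :80":     "020000507F0000010000000000000000",
    "ipv4 10.0.0.1:443":     "020001BB0A0000010000000000000000",
    "unix /run/docker.sock": "01002F72756E2F646F636B65722E736F636B00",
    "ipv6 loopback :80":     "0A000050" "00000000"
                             "00000000000000000000000000000001" "00000000",
}

if __name__ == "__main__":
    for label, saddr in SAMPLES.items():
        verdict = "dropped" if filter_drops("saddr=" + saddr) else "kept"
        print(f"{label:22} {decode_saddr(saddr)} -> {verdict}")
```

Note that the `01` alternative drops every AF_UNIX sockaddr, not only local connections, while IPv6 loopback never matches and still reaches the output.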
Sets the name of the Go-Audit package.
Default value: `go-audit`.

Whether the Go-Audit package resource should be present.
Valid values: `present`, `absent`.
Default value: `present`.

The filesystem path to the Go-Audit config file.
Valid values: an absolute file path on the target system.
Default value: `/etc/go-audit.yaml`.

Overrides the Go-Audit service name. May be required depending on what the package provides.
Default value: `go-audit`.

Specifies whether the service should be enabled.
Valid values: `true`, `false`.
Default value: `true`.

The service state that should be ensured.
Valid values: `stopped`, `running`.
Default value: `running`.
Lower bound of the range of audit message type codes to capture.
Default value: `1300`.

Upper bound of the range of audit message type codes to capture.
Default value: `1399`.

Whether to track messages and identify whether any were missed.
Valid values: `true`, `false`.
Default value: `true`.

Whether to log out-of-order messages. Such messages typically indicate an overloaded system.
Valid values: `true`, `false`.
Default value: `false`.

Maximum out-of-orderness before a missed sequence is presumed dropped.
Default value: `500`.
Whether to log Go-Audit program output to stdout.
Valid values: `true`, `false`.
Default value: `true`.

Total number of attempts to write to stdout before giving up. If a write fails, Go-Audit sleeps for 1 second before retrying.
Valid values: positive integers.
Default value: `3`.

Whether to log Go-Audit program output to syslog.
Valid values: `true`, `false`.
Default value: `false`.

Total number of attempts to write to syslog before giving up. If a write fails, Go-Audit sleeps for 1 second before retrying.
Valid values: positive integers.
Default value: `5`.
The type of socket over which to communicate with syslog.
Valid values: see `network` in Golang's `net.Dial`: https://golang.org/pkg/net/#Dial
Default value: `unixgram`.

The remote address to which to connect for syslog. Can be a filesystem path, IP address or hostname.
Valid values: see `address` in Golang's `net.Dial`: https://golang.org/pkg/net/#Dial
Default value: `/dev/log`.

Sets the facility and severity for all syslog events generated by Go-Audit.
Default value: `129` (maps to `local0 | emerg`).
See any syslog priority matrix reference for details on calculating this value, e.g. https://en.wikipedia.org/wiki/Syslog

A tag to apply to syslog messages generated by Go-Audit. Typically this is the name of the program generating the message. The PID of the process is automatically appended.
Default value: `go-audit`.
Whether to log Go-Audit program output to a logfile.
Valid values: `true`, `false`.
Default value: `false`.

Total number of attempts to write to the logfile before giving up. If a write fails, Go-Audit sleeps for 1 second before retrying.
Valid values: positive integers.
Default value: `2`.

The path to the logfile.
Valid values: any absolute file path.
Default value: `/var/log/go-audit/go-audit.log`.

The file mode of the logfile.
Valid values: any valid file mode as an octal expression with a leading zero.
Default value: `0600`.

The user and group ownership of the logfile.
Valid values: any valid user and group name on the target system.
Default value: `root`.

Controls logfile line prefixes. Add together the constants defined in Golang's `log` package: https://golang.org/pkg/log/#pkg-constants
Valid values: an integer expressing a combination of the flags defined above.
Default value: `0` (no line prefixes).
Manages a special rule in the ruleset, which always appears at the end of the ruleset and is applied last, regardless of ordering hints given to rules defined by `goaudit::rule` resources. The rule tells the kernel to enable, disable, or lock the ruleset, and is applied by `auditctl -e`.

When set to `enable`, the last rule in the ruleset will be `-e 1`, which tells the kernel to enable the flow of audit messages.

When set to `disable`, the last rule in the ruleset will be `-e 0`, which tells the kernel to disable the flow of audit messages.

When set to `lock`, the last rule in the ruleset will be `-e 2`, which tells the kernel to enable the flow of audit messages and prevent any further changes to the ruleset (until the next reboot).

When set to `none`, this rule is not added to the ruleset. Use this setting if you are managing this property through some other mechanism.

Valid values: `none`, `disable`, `enable`, `lock`.
Default value: `enable`.
### goaudit::rule

Adds a rule, or multiple rules in a block, to the Go-Audit configuration. The rules will be applied to the kernel by Go-Audit on startup via a sequence of calls to the `auditctl` command.

#### order

An ordering hint. `goaudit::rule` resources will be sorted by their order before being applied to the configuration.
Valid values: integers formatted as strings.
Default value: `'10'`.

#### comment

An optional comment to prepend to the rule(s). If provided, it will be rendered in the configuration as a YAML comment.

#### content

A rule expression (string), or an array of rule expressions. Arrays will be rendered in the configuration in order. See the `auditctl` documentation for valid rule expressions.
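The following Python is an added illustration of the ruleset composition described above (not the module's Datacat template or go-audit's own code): it sorts `goaudit::rule` resources by their `order` hint, renders `comment` as a YAML comment, and appends the enable/disable/lock rule last whatever the hints say. It assumes order hints compare numerically and that go-audit reads rules as a YAML list of `auditctl` argument strings under `rules:`.

```python
from typing import Dict, List, Union

# Map each enable-rule setting to the auditctl flag the text says it emits.
ENABLE_RULE = {"enable": "-e 1", "disable": "-e 0", "lock": "-e 2", "none": None}


def render_rules(resources: List[Dict], enable_setting: str = "enable") -> str:
    """Render a `rules:` block. Each resource dict carries the goaudit::rule
    parameters: order (string integer, default '10'), optional comment, and
    content (a rule string or a list of rule strings).
    Assumption: order hints compare numerically, so '9' sorts before '10'."""
    if enable_setting not in ENABLE_RULE:
        raise ValueError(f"unknown enable setting: {enable_setting}")
    # sorted() is stable, so resources sharing an order keep declaration order.
    ordered = sorted(resources, key=lambda r: int(r.get("order", "10")))
    lines = ["rules:"]
    for res in ordered:
        if res.get("comment"):
            lines.append(f"  # {res['comment']}")  # rendered as a YAML comment
        content: Union[str, List[str]] = res["content"]
        for rule in [content] if isinstance(content, str) else content:
            lines.append(f"  - {rule}")
    # The enable/disable/lock rule is appended last regardless of order hints;
    # 'none' leaves it out so another mechanism can manage the ruleset state.
    special = ENABLE_RULE[enable_setting]
    if special is not None:
        lines.append("  # ruleset state, always applied last")
        lines.append(f"  - {special}")
    return "\n".join(lines) + "\n"


# Constructed sample: the README's TLS key rule plus a lower-ordered execve rule.
SAMPLE_RESOURCES = [
    {"order": "50",
     "comment": "Reads, writes and attribute changes on TLS private keys",
     "content": ["-w /etc/ssl/private/foo.key -p rwa -k tls-key-access",
                 "-w /etc/ssl/private/bar.key -p rwa -k tls-key-access"]},
    {"order": "10", "content": "-a exit,always -F arch=b64 -S execve"},
]

if __name__ == "__main__":
    print(render_rules(SAMPLE_RESOURCES, "lock"))
```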
### goaudit::filter

Adds a filter to the Go-Audit configuration.

#### order

An ordering hint. `goaudit::filter` resources will be sorted by their order before being applied to the configuration.
Valid values: integers formatted as strings.
Default value: `'10'`.

#### comment

An optional comment to prepend to the filter(s). If provided, it will be rendered in the configuration as a YAML comment.

#### syscall

Required. The syscall ID of the message group (a single log line from go-audit) to test against the regex.
Valid values: integers. See the output of the command `ausyscall --dump` for a list.

#### message_type

Required. The message type identifier containing the data to test against the regex.
Valid values: integers. For a list of message types, see https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h#L53.

#### regex

Required. The regex to apply to the message text.