Decouple and fix permissions for logs and configs#243
Open
nick-markowski wants to merge 1 commit into
Open
Conversation
- Decouple the permissions for logs and configs - Add the force parameter to purge on /etc/audit
There was a problem hiding this comment.
Pull request overview
This PR addresses permission management in the auditd Puppet module by separating ownership/permissions for configuration files under /etc/audit from audit log permissions under /var/log/audit, and by making /etc/audit purging able to remove nested directories (Fixes #167, #194).
Changes:
- Add a new
config_groupclass parameter and use it for/etc/audit/*ownership and config file modes (instead oflog_group). - Add
force => trueto the/etc/auditdirectory resource to allow purging nested directories. - Update unit tests for the new parameter behavior and adjust Gem dependencies.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
manifests/init.pp |
Introduces config_group parameter to decouple config ownership from log ownership. |
manifests/config.pp |
Applies config_group to /etc/audit resources and sets force => true for purge behavior. |
spec/classes/config_spec.rb |
Updates/extends expectations for new permission/group behavior and force => true. |
Gemfile |
Updates simp-rake-helpers and removes pdk from the bundle. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
32
to
37
| file { '/etc/audit': | ||
| ensure => 'directory', | ||
| owner => 'root', | ||
| group => $auditd::log_group, | ||
| group => $auditd::config_group, | ||
| mode => $config_file_mode, | ||
| recurse => true, |
Comment on lines
42
to
47
| file { '/etc/audit/rules.d': | ||
| ensure => 'directory', | ||
| owner => 'root', | ||
| group => $auditd::log_group, | ||
| group => $auditd::config_group, | ||
| mode => $config_file_mode, | ||
| recurse => true, |
Comment on lines
157
to
162
| @@ -101,6 +161,7 @@ | |||
| mode: '0640', | |||
| recurse: true, | |||
| gem 'puppet-strings' | ||
| gem 'rake' | ||
| gem 'rspec' | ||
| gem 'rspec-puppet' |
Comment on lines
239
to
243
| Stdlib::Absolutepath $log_file = '/var/log/audit/audit.log', | ||
| Auditd::LogFormat $log_format = 'raw', | ||
| String $log_group = 'root', | ||
| String $config_group = 'root', | ||
| Boolean $loginuid_immutable = true, |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #167
Fixes #194