goaudit

Table of Contents

  1. Description
  2. Setup - The basics of getting started with goaudit
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module

Description

This module allows you to manage Go-Audit using Puppet.

Setup

What goaudit affects

The module manages package, service and configuration files for Go-Audit.

The package name is assumed to be goaudit, via the default package provider for your system. It is assumed that such a package exists. This assumption may not hold true for your platform as-is, and you may need to provide such a package yourself. The module does not contain logic for installing Go-Audit by any other method.

Setup Requirements

The module depends on the Datacat module for composing the Go-Audit YAML config file.

Beginning with goaudit

To install Go-Audit with a default configuration:

class { '::goaudit': }

Usage

Manage rules

goaudit::rule { 'TLS private key access' :
  order   => '50',
  comment => 'Reads, writes and attribute changes on TLS private keys',
  content => [
    '-w /etc/ssl/private/foo.key -p rwa -k tls-key-access',
    '-w /etc/ssl/private/bar.key -p rwa -k tls-key-access',
  ]
}

Manage filters

goaudit::filter { 'reduce the number of connect syscall events being logged':
  syscall      => 49,      # bind
  message_type => 1306,    # AUDIT_SOCKADDR
  # 0200....7F - ipv4 on any port to 127.x.x.x
  # 01 - local/unix domain sockets
  regex        => 'saddr=(0200....7F|01)'
}

Reference

Classes

goaudit

package_name

Sets the name of the Go-Audit package.

Default value: go-audit.

package_ensure

Whether the Go-Audit package resource should be present.

Valid values: present, absent.

Default value: present.

config_file

The filesystem path to the Go-Audit config file.

Valid values: an absolute file path on the target system.

Default value: /etc/go-audit.yaml.

service_name

Overrides the Go-Audit service name. May be required depending on what the package provides.

Default value: go-audit

service_enable

Specifies whether the service should be enabled.

Valid values: true, false.

Default value: true.

service_ensure

The service state that should be ensured.

Valid values: stopped, running.

Default value: running.

events_min

Lower bound of the range of audit message type codes of the events to capture.

Default value: 1300.

events_max

Upper bound of the range of audit message type codes of the events to capture.

Default value: 1399.

message_tracking_enabled

Whether to track messages and identify if any were missed.

Valid values: true, false.

Default value: true

message_tracking_log_ooo

Whether to log out-of-orderness. Such messages typically signify an overloaded system.

Valid values: true, false.

Default value: false.

message_tracking_max_ooo

Maximum out-of-orderness before a missed sequence is presumed dropped.

Default value: 500.

output_stdout_enabled

Whether to log Go-Audit program output to stdout.

Valid values: true, false.

Default value: true

output_stdout_attempts

Total number of attempts to write to stdout before considering giving up. If a write fails, Go-Audit will sleep for 1 second before retrying.

Valid values: positive integers

Default value: 3

output_syslog_enabled

Whether to log Go-Audit program output to syslog.

Valid values: true, false.

Default value: false

output_syslog_attempts

Total number of attempts to write to Syslog before considering giving up. If a write fails, Go-Audit will sleep for 1 second before retrying.

Valid values: positive integers

Default value: 5

output_syslog_network

The type of socket over which to communicate with Syslog.

Valid values: see network in Golang's net.Dial: https://golang.org/pkg/net/#Dial

Default value: unixgram

output_syslog_address

The remote address over which to connect to Syslog. Can be a filesystem path, IP address or hostname.

Valid values: see address in Golang's net.Dial: https://golang.org/pkg/net/#Dial

Default value: /dev/log

output_syslog_priority

Sets the facility and severity for all Syslog events generated by Go-Audit.

Default value: 129 (maps to local0 | emerg)

See any Syslog priority matrix reference material for details on calculating this value, e.g. https://en.wikipedia.org/wiki/Syslog

output_syslog_tag

A tag to apply to Syslog messages generated by Go-Audit. Typically this is the name of the program generating the message. The PID of the process is automatically appended.

Default value: go-audit

output_file_enabled

Whether to log Go-Audit program output to a logfile.

Valid values: true, false.

Default value: false.

output_file_attempts

Total number of attempts to write to the logfile before considering giving up. If a write fails, Go-Audit will sleep for 1 second before retrying.

Valid values: positive integers

Default value: 2

output_file_path

The path to the logfile.

Valid values: any absolute file path.

Default value: /var/log/go-audit/go-audit.log.

output_file_mode

The file mode of the logfile.

Valid values: any valid file mode octal expression, with leading zero.

Default value: 0600.

output_file_user, output_file_group

The user and group ownership of the logfile.

Valid values: any valid user and group name on the target system.

Default value: root.

log_flags

Control log file line prefixes. Add together constants defined in Golang's log module. https://golang.org/pkg/log/#pkg-constants

Valid values: an integer expressing a combination of flags as defined above.

Default value: 0 (no line prefixes)

auto_enable_rule

Manages a special rule in the ruleset, which always appears at the end of the ruleset and is applied last, regardless of ordering hints given to rules defined by goaudit::rule resources.

The rule tells the kernel to enable, disable, or lock the ruleset, and is applied by auditctl -e.

When set to enable, the last rule in the ruleset will be -e 1, which tells the kernel to enable the flow of audit messages.

When set to disable, the last rule in the ruleset will be -e 0, which tells the kernel to disable the flow of audit messages.

When set to lock, the last rule in the ruleset will be -e 2, which tells the kernel to enable the flow of audit messages, and prevent any further changes to the ruleset (until the next reboot).

When set to none, this rule is not added to the ruleset. Use this setting if you are managing this property through some other mechanism.

Valid values: none, disable, enable, lock

Default value: enable

Defined Types

goaudit::rule

Adds a rule, or multiple rules in a block, to the Go-Audit configuration. The rules will be applied to the kernel by Go-Audit on startup via a sequence of calls to the auditctl command.

order

An ordering hint. goaudit::rule resources will be sorted by their order before being applied to the configuration.

Valid values: integers formatted as strings

Default value: '10'

comment

An optional comment to prepend to the rule(s). If provided, will be rendered in the configuration as a YAML comment.

content

A rule expression (string), or an array of rule expressions. Arrays will be rendered in the configuration in order. See the auditctl documentation for valid rule expressions.
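To make the ordering rules from the auto_enable_rule and goaudit::rule sections concrete, here is an added Python model of how the composed ruleset is assumed to look. It is an illustration written for this page, not the module's own rendering code or Datacat's. It assumes that resources are sorted by the numeric value of their order string (with declaration order preserved for ties), that comment becomes a YAML comment line, that array content keeps its order, and that the auto_enable_rule entry is always appended last; the sample resources are constructed.

```python
"""Model of how goaudit::rule resources and auto_enable_rule are composed into
the rules: list of the Go-Audit YAML config.

Added illustration, not the module's own rendering code. Assumed behaviour:
rules are sorted by the numeric value of their order string (ties keep
declaration order), comment becomes a YAML comment line, content arrays keep
their order, and the auto_enable_rule entry is always last.
"""

# auditctl -e argument produced for each auto_enable_rule setting, as described
# in the reference section; none means the module does not manage it.
AUTO_ENABLE_RULES = {
    "none": None,
    "disable": "-e 0",  # disable the flow of audit messages
    "enable": "-e 1",   # enable the flow of audit messages
    "lock": "-e 2",     # enable, and lock the ruleset until the next reboot
}

# Constructed goaudit::rule resources (title, order, comment, content).
SAMPLE_RULES = [
    {"title": "TLS private key access", "order": "50",
     "comment": "Reads, writes and attribute changes on TLS private keys",
     "content": ["-w /etc/ssl/private/foo.key -p rwa -k tls-key-access",
                 "-w /etc/ssl/private/bar.key -p rwa -k tls-key-access"]},
    {"title": "flush", "order": "1", "comment": "Start from an empty ruleset",
     "content": "-D"},
    {"title": "exec", "order": "100", "comment": "Process execution",
     "content": "-a always,exit -F arch=b64 -S execve -k exec"},
    {"title": "backlog", "order": "5", "comment": None, "content": "-b 8192"},
]


def _as_list(content):
    """content may be a single rule string or an array of them."""
    return [content] if isinstance(content, str) else list(content)


def ordered_rules(rules):
    """Sort resources by the numeric value of their order hint. A non-numeric
    order string is rejected early rather than silently sorting as text
    (where '100' would land before '50')."""
    for rule in rules:
        if not rule["order"].isdigit():
            raise ValueError("order must be an integer formatted as a string: %r"
                             % rule["order"])
    return sorted(rules, key=lambda r: int(r["order"]))


def compose_rules(rules, auto_enable_rule="enable"):
    """Return the flat list of auditctl arguments in the order Go-Audit would
    apply them, with the -e rule (if any) as the very last entry."""
    if auto_enable_rule not in AUTO_ENABLE_RULES:
        raise ValueError("auto_enable_rule must be one of %s"
                         % sorted(AUTO_ENABLE_RULES))
    exprs = []
    for rule in ordered_rules(rules):
        exprs.extend(_as_list(rule["content"]))
    trailer = AUTO_ENABLE_RULES[auto_enable_rule]
    if trailer is not None:
        exprs.append(trailer)
    return exprs


def render_rules_yaml(rules, auto_enable_rule="enable"):
    """Render the rules: block as YAML text, keeping resource comments."""
    lines = ["rules:"]
    for rule in ordered_rules(rules):
        if rule.get("comment"):
            lines.append("  # " + rule["comment"])
        for expr in _as_list(rule["content"]):
            lines.append("  - " + expr)
    trailer = AUTO_ENABLE_RULES[auto_enable_rule]
    if trailer is not None:
        lines.append("  # auto_enable_rule => " + auto_enable_rule)
        lines.append("  - " + trailer)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_rules_yaml(SAMPLE_RULES, "lock"))
```

Running the script prints the ruleset with -D first, -b 8192 second, the two -w rules, the execve rule (order '100' sorts after '50' numerically), and -e 2 last. Once a ruleset has been locked with -e 2, rule changes made by later Puppet runs cannot take effect until the host reboots, so compare the rendered config against auditctl -l when choosing between enable and lock.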

goaudit::filter

Adds a filter to the Go-Audit configuration.

order

An ordering hint. goaudit::filter resources will be sorted by their order before being applied to the configuration.

Valid values: integers formatted as strings

Default value: '10'

comment

An optional comment to prepend to the filter(s). If provided, will be rendered in the configuration as a YAML comment.

syscall

Required.

The syscall ID of the message group (a single log line from go-audit) to test against the regex.

Valid values: integers. See the output of the command ausyscall --dump for a list.

message_type

Required.

The message type identifier containing the data to test against the regex.

Valid values: integers. For a list of message types, see https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h#L53.

regex

Required.

The regex to apply to the message text.
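The filter from the Usage section ("reduce the number of connect syscall events being logged") and the syscall, message_type and regex parameters above are easier to reason about when applied to actual messages. The following Python script is an added illustration, not code from this module or from Go-Audit. It assumes filter semantics that are not verified here against the Go-Audit source (a group is dropped when its SYSCALL message carries the configured syscall number and the message of the configured type matches the regex), and the event layout and sample events are constructed. It also decodes the hex sockaddr so you can see what the regex is really matching on.

```python
"""Model of a goaudit::filter applied to Go-Audit event groups.

Added illustration, not code from the module or from Go-Audit. Assumed
semantics: a filter drops an event group when its SYSCALL message (type 1300)
carries the configured syscall number and the message of the configured type
matches the regex. The event layout (a JSON object with a messages list of
type/data pairs) and the sample events below are constructed.
"""
import json
import re

AUDIT_SYSCALL = 1300   # message carrying syscall=<n>
AUDIT_SOCKADDR = 1306  # message carrying saddr=<hex struct sockaddr>
AF_UNIX, AF_INET = 1, 2

# The filter from the Usage section: bind() (syscall 49 on x86_64) with a
# sockaddr that is either IPv4 to 127.x.x.x on any port, or a unix socket.
FILTER = {"syscall": 49, "message_type": AUDIT_SOCKADDR,
          "regex": r"saddr=(0200....7F|01)"}

# Constructed event groups, one JSON line each. saddr is the raw struct
# sockaddr in hex: 2 bytes family in host byte order (AF_INET is 0200 on x86),
# then for AF_INET 2 bytes port (network byte order) and 4 bytes address;
# for AF_UNIX the NUL-terminated path.
SAMPLE_LINES = [
    # bind() to 127.0.0.1:8080 -> loopback, expected to be filtered out
    '{"sequence": 101, "messages": [{"type": 1300, "data": "arch=c000003e syscall=49 success=yes exit=0"}, {"type": 1306, "data": "saddr=02001F907F0000010000000000000000"}]}',
    # bind() to 0.0.0.0:443 -> listening on all interfaces, expected to be kept
    '{"sequence": 102, "messages": [{"type": 1300, "data": "arch=c000003e syscall=49 success=yes exit=0"}, {"type": 1306, "data": "saddr=020001BB000000000000000000000000"}]}',
    # bind() to unix socket /run/app.sock -> expected to be filtered out
    '{"sequence": 103, "messages": [{"type": 1300, "data": "arch=c000003e syscall=49 success=yes exit=0"}, {"type": 1306, "data": "saddr=01002F72756E2F6170702E736F636B00"}]}',
    # connect() (syscall 42) to 127.0.0.1:5432 -> other syscall, expected to be kept
    '{"sequence": 104, "messages": [{"type": 1300, "data": "arch=c000003e syscall=42 success=yes exit=0"}, {"type": 1306, "data": "saddr=020015387F0000010000000000000000"}]}',
]


def decode_saddr(hex_str):
    """Decode the hex-encoded sockaddr from an AUDIT_SOCKADDR message."""
    raw = bytes.fromhex(hex_str)
    family = int.from_bytes(raw[0:2], "little")  # sa_family_t, host byte order
    if family == AF_INET:
        port = int.from_bytes(raw[2:4], "big")   # sin_port, network byte order
        addr = ".".join(str(b) for b in raw[4:8])
        return {"family": "AF_INET", "addr": addr, "port": port}
    if family == AF_UNIX:
        path = raw[2:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return {"family": "AF_UNIX", "path": path}
    return {"family": family}


def syscall_number(event):
    """Extract syscall=<n> from the group's SYSCALL message, or None."""
    for msg in event["messages"]:
        if msg["type"] == AUDIT_SYSCALL:
            m = re.search(r"\bsyscall=(\d+)", msg["data"])
            if m:
                return int(m.group(1))
    return None


def matches_filter(event, flt=FILTER):
    """True if the filter would drop this event group (assumed semantics)."""
    if syscall_number(event) != flt["syscall"]:
        return False
    pattern = re.compile(flt["regex"])
    return any(msg["type"] == flt["message_type"] and pattern.search(msg["data"])
               for msg in event["messages"])


def apply_filter(lines, flt=FILTER):
    """Parse JSON lines and report, per group, the decoded sockaddr and
    whether the filter drops it."""
    results = []
    for line in lines:
        event = json.loads(line)
        sockaddr = None
        for msg in event["messages"]:
            if msg["type"] == AUDIT_SOCKADDR:
                m = re.search(r"\bsaddr=([0-9A-Fa-f]+)", msg["data"])
                if m:
                    sockaddr = decode_saddr(m.group(1))
        results.append({"sequence": event["sequence"],
                        "syscall": syscall_number(event),
                        "sockaddr": sockaddr,
                        "filtered": matches_filter(event, flt)})
    return results


if __name__ == "__main__":
    for r in apply_filter(SAMPLE_LINES):
        print(r)
```

Because the regex runs over the raw hex rather than a decoded address, it is position-dependent: the four dots skip the port bytes and 7F is the first octet of the address. An IPv6 bind to ::1 has a different family prefix and would not match this filter, so it would still be logged; adjust the regex (and verify it against real events) before relying on the filter to reduce volume.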
