Puppet auditing of file resource not working

puppet

I just can't seem to get this to work at all. I want to have puppet send a log message that shows up in the reports whenever a file changes. This seems so simple from what I've heard and read, but nothing works at all.

Here is the init.pp file:

# sudo init.pp

# 21 Sep 2011: Changed to test for notification only

class sudo {
    package { 'sudo':
        ensure  => present,
        before  => File['/etc/sudoers'],
    }

    file { '/etc/sudoers':
        ensure  => file,
        mode    => '0440',   # quote modes: a bare 440 is read as the octal string "440"
        owner   => root,
        group   => root,
        source  => 'puppet:///modules/sudo/sudoers',
        replace => false,
        audit   => content,
    }

#   exec { "/bin/date":
#       cwd => "/tmp",
#       subscribe => File['/etc/sudoers'],
#       refreshonly => true,
#   }

#   notify { "sudoers has been changed.":
#       refreshonly => true,
#   }
}

If I add the exec, nothing happens. If I add the notify, it complains about the refreshonly parameter.

If I remove all of the options for the file except audit, then the file permissions change from 440 to 644.

If I remove replace then puppet overwrites the file.

My test has been:

  1. Run puppet agent --test
  2. Change file (/etc/sudo)
  3. Rerun puppet agent --test (possibly with a touch site.pp or a service apache2 reload first)

I have yet to see any messages from audit. I'm running puppet v2.6.3 on Ubuntu Lucid Lynx server 10.04.

Best Answer

Yes, this is very possible. What you need to use is the "notify" metaparameter, which will tell the file resource to cause another resource to run if it is triggered. Some resource types care about being notified ("refreshed" in the documentation); service and exec resources are the most useful ones. You can then build an exec resource with refreshonly => true that writes to a log or to stdout.

I would implement your config above like so:

class sudo {
    package { 'sudo':
        ensure  => present,
        before  => File['/etc/sudoers'],
    }

    file { '/etc/sudoers':
        ensure  => file,
        mode    => '0440',   # quote modes: a bare 440 is read as the octal string "440"
        owner   => root,
        group   => root,
        source  => 'puppet:///modules/sudo/sudoers',
        replace => false,
        notify  => Exec['sudoers_changed'],   # refresh the exec whenever this resource changes
    }

    exec { 'sudoers_changed':
        command     => "/bin/echo '/etc/sudoers has changed...'",
        refreshonly => true,      # only run when notified, never on an ordinary run
        loglevel    => 'alert',   # surface the event prominently in the agent log / report
        logoutput   => true,      # include the echo output in the log
    }
}

The loglevel and logoutput parameters to the exec will just make it more clear about where the output is going while you're experimenting; you can certainly tweak them to your needs.
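To see whether the notify/exec approach (or the original audit => content attempt) actually shows up in a run, here is an added example, not from the question or the answer, that parses puppet agent output into drift events for one managed file. The "level: /Stage[main]/Class/Type[title]/property: message" line shape is assumed from Puppet 2.6-era agents, and the sample lines and md5 values are constructed.

```python
import re
from dataclasses import dataclass
# Constructed sample of `puppet agent --test` output. The "level: /Stage[main]/Class/Type[title]/prop: msg"
# line shape is assumed from Puppet 2.6-era agents and the md5 values are invented.
SAMPLE_LOG = """\
notice: /Stage[main]/Sudo/File[/etc/sudoers]/content: audit change: previously recorded value {md5}1a2b3c has been changed to {md5}4d5e6f
notice: /Stage[main]/Sudo/File[/etc/sudoers]/mode: mode changed '644' to '440'
alert: /Stage[main]/Sudo/Exec[sudoers_changed]/returns: /etc/sudoers has changed...
notice: /Stage[main]/Sudo/Exec[sudoers_changed]: Triggered 'refresh' from 1 events
notice: Finished catalog run in 1.23 seconds
"""

LINE_RE = re.compile(r"^(?P<level>\w+): /Stage\[\w+\]/(?:[^/\[]+/)*(?P<type>\w+)\[(?P<title>[^\]]+)\]"
                     r"(?:/(?P<prop>\w+))?: (?P<msg>.*)$")
AUDIT_RE = re.compile(r"audit change: previously recorded value (?P<old>\S+) has been changed to (?P<new>\S+)")

@dataclass
class DriftEvent:
    kind: str    # "audit", "change", "output" or "refresh"
    rtype: str   # Puppet resource type (File, Exec, ...)
    title: str   # resource title, e.g. /etc/sudoers
    prop: str    # property the line is about ("" for resource-level lines)
    detail: str

def parse_agent_log(text: str) -> list:
    """Keep only lines showing that a managed resource drifted or was refreshed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # routine lines (catalog caching, run timing) carry no resource path
            continue
        msg, prop = m["msg"], m["prop"] or ""
        audit = AUDIT_RE.search(msg)
        if audit:  # audit => content only records the drift; nothing is corrected
            events.append(DriftEvent("audit", m["type"], m["title"], prop, f"{audit['old']} -> {audit['new']}"))
        elif "Triggered 'refresh'" in msg:  # a notify/subscribe relationship fired
            events.append(DriftEvent("refresh", m["type"], m["title"], prop, msg))
        elif prop == "returns":  # output of a refreshed exec (logoutput => true)
            events.append(DriftEvent("output", m["type"], m["title"], prop, msg))
        elif prop:  # a property puppet actually corrected (mode, owner, content, ...)
            events.append(DriftEvent("change", m["type"], m["title"], prop, msg))
    return events

def drift_summary(text: str, path: str = "/etc/sudoers") -> dict:
    """What happened to `path` in one run, and which resources were refreshed."""
    events = parse_agent_log(text)
    mine = [e for e in events if e.rtype == "File" and e.title == path]
    return {"audited": [e.detail for e in mine if e.kind == "audit"],
            "corrected": sorted(e.prop for e in mine if e.kind == "change"),
            "refreshed": [e.title for e in events if e.kind == "refresh"]}
```

Feed it the agent's stdout or the syslog lines it writes; an empty "corrected" list alongside an "audited" entry is the signature of audit-only detection with nothing restored.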
