Home / server / Questions / 314067
In Process
Mei
Asked: 2011-09-22 11:19:09 +0800 CST

Puppet auditing of file resource not working

  • 772

I just can't seem to get this to work at all. I want to have puppet send a log message that shows up in the reports whenever a file changes. This seems so simple from what I've heard and read, but nothing works at all.

Here is the init.pp file:

# sudo init.pp

# 21 Sep 2011: Changed to test for notification only

class sudo {
    package { 'sudo':
        ensure  => present,
        before  => File['/etc/sudoers'],
    }

    file { '/etc/sudoers':
        ensure  => file,
        mode    => 440,
        owner   => root,
        group   => root,
        source  => 'puppet:///modules/sudo/sudoers',
        replace => false,
        audit   => content,
    }

#   exec { "/bin/date":
#       cwd => "/tmp",
#       subscribe => File['/etc/sudoers'],
#       refreshonly => true,
#   }

#   notify { "sudoers has been changed.":
#       refreshonly => true,
#   }
}

If I add the exec, nothing happens. If I add the notify, it complains about the refreshonly parameter.

If I remove all of the options for the file except audit, then the file permissions change from 440 to 644.

If I remove replace then puppet overwrites the file.

My test has been:

  1. Run puppet agent --test
  2. Change file (/etc/sudo)
  3. Rerun puppet agent --test (possibly with a touch site.pp or a service apache2 reload first)

I have yet to see any messages from audit. I'm running puppet v2.6.3 on Ubuntu Lucid Lynx server 10.04.

puppet

2 Answers

  1. Yes, this is very possible. What you need to use is the "notify" metaparameter, which will tell the file resource to cause another resource to run if it is triggered. Some resource types care about being notified ("refreshed" in the documentation); service and exec resources are the most useful ones. You can then build an exec resource with refreshonly => true that writes to a log or to stdout.

    I would implement your config above like so:

    class sudo {
    package { 'sudo':
        ensure  => present,
        before  => File['/etc/sudoers'],
    }

    file { '/etc/sudoers':
        ensure  => file,
        mode    => 440,
        owner   => root,
        group   => root,
        source  => 'puppet:///modules/sudo/sudoers',
        replace => false,
        notify  => Exec["sudoers_changed"],
    }

    exec { "sudoers_changed":
       command => "/bin/echo '/etc/sudoers has changed...'",
       refreshonly => true,
       loglevel => "alert",
       logoutput => true,
   }
}

    The loglevel and logoutput parameters to the exec will just make it more clear about where the output is going while you're experimenting; you can certainly tweak them to your needs.

    • 1

  2. You should be able to notify any type, so you can notify the notify type.

    exec { "foo":
  notify => Notify["exec-alert"],
}

notify { "exec-alert":
  message => "sudoers has changed"
}

    the fact that the file changes is logged to the puppet logs anyway, it's marked as a change.

    • 0