Add option to not purge unmanages files under /etc/audit/rules.d/ - SIMP-10744

CHANGELOG

@@ -1,3 +1,6 @@
+* Wed Nov 22 2023 ben <[email protected]> - 8.14.0
+- (SIMP-10744) Add purge behaviour for auditd rules
+
 * Tue Oct 24 2023 Joshua Hoblitt <[email protected]> - 8.13.0
 - Add EL9 support
 

REFERENCE.md

@@ -116,6 +116,7 @@ The following parameters are available in the `auditd` class:
 * [`uid_min`](#-auditd--uid_min)
 * [`verify_email`](#-auditd--verify_email)
 * [`write_logs`](#-auditd--write_logs)
+* [`purge_auditd_rules`](#-auditd--purge_auditd_rules)
 
 ##### <a name="-auditd--enable"></a>`enable`
 
@@ -593,6 +594,14 @@ Whether or not to write logs to disk.
 
 Default value: `$log_format ? { /^(?i:nolog)$/ => false, default => true`
 
+##### <a name="-auditd--purge_auditd_rules"></a>`purge_auditd_rules`
+
+Data type: `Boolean`
+
+Whether or not to purge existing auditd rules under /etc/audit/rules.d
+
+Default value: `true`
+
 ### <a name="auditd--config"></a>`auditd::config`
 
 NOTE: THIS IS A [PRIVATE](https://github.com/puppetlabs/puppetlabs-stdlib#assert_private) CLASS**

manifests/config.pp

@@ -44,7 +44,7 @@
     group   => $auditd::log_group,
     mode    => $config_file_mode,
     recurse => true,
-    purge   => true
+    purge   => $auditd::purge_auditd_rules
   }
 
   file { [

manifests/init.pp

@@ -198,6 +198,9 @@
 #     of `auditd` so this attempts to do "the right thing" when `log_format` is
 #     set to `NOLOG` for legacy support.
 #
+# @param purge_auditd_rules
+#   Whether or not to purge existing auditd rules under /etc/audit/rules.d
+#
 # @author https://github.com/simp/pupmod-simp-auditd/graphs/contributors
 #
 class auditd (
@@ -257,7 +260,8 @@
   Optional[Array[Pattern['^.*_t$']]]      $target_selinux_types     = undef,
   Integer[0]                              $uid_min                  = Integer(pick(fact('uid_min'), 1000)),
   Optional[Boolean]                       $verify_email             = undef,
-  Boolean                                 $write_logs               = $log_format ? { /^(?i:nolog)$/ => false, default => true }
+  Boolean                                 $write_logs               = $log_format ? { /^(?i:nolog)$/ => false, default => true },
+  Boolean                                 $purge_auditd_rules       = true,
 ) {
 
   include 'auditd::service'

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "simp-auditd",
-  "version": "8.13.0",
+  "version": "8.14.0",
   "author": "SIMP Team",
   "summary": "A SIMP puppet module for managing auditd and audispd",
   "license": "Apache-2.0",

spec/classes/config_spec.rb

@@ -66,6 +66,22 @@
           it { is_expected.to_not contain_class('auditd::config::audisp::syslog') }
         end   # Default params
 
+        context 'with purge behaviour false' do
+          let(:params) {{ :purge_auditd_rules => false }}
+
+          it { is_expected.to compile.with_all_deps }
+          it {
+            is_expected.to contain_file('/etc/audit/rules.d').with({
+              :ensure  => 'directory',
+              :owner   => 'root',
+              :group   => 'root',
+              :mode    => '0600',
+              :recurse => true,
+              :purge   => false
+            })
+          }
+        end
+
         context 'with empty default_audit_profiles' do
           let(:params) {{ :default_audit_profiles => [] }}