(SIMP-8341) Accept percentages for *space_left (#127)

Allow auditd space_left and admin_space_left to accept percentages on
supported auditd versions.

SIMP-8341 #close

CHANGELOG

@@ -1,3 +1,7 @@
+* Wed Sep 23 2020 Trevor Vaughan <[email protected]> - 8.6.1-0
+- Allow auditd space_left and admin_space_left to accept percentages on
+  supported versions
+
 * Wed Aug 12 2020 Trevor Vaughan <[email protected]> - 8.6.0-0
 - Ensure that the auditd service is not managed if the kernel is not enforcing
   auditing

REFERENCE.md

@@ -30,7 +30,9 @@ can be sent to syslog in addition the audit partition.
 
 ### Functions
 
+* [`auditd::calculate_space_left`](#auditdcalculate_space_left): Calculates the correct default value for 'space_left' based on the value of 'admin_space_left'.
 * [`auditd::get_array_index`](#auditdget_array_index): Returns a string that represents the first index of the specified element within the Array.
+* [`auditd::validate_init_params`](#auditdvalidate_init_params): Validates selected params from the main auditd class.
 
 ### Data types
 
@@ -185,7 +187,7 @@ Default value: `'root'`
 
 ##### `admin_space_left`
 
-Data type: `Integer[0]`
+Data type: `Variant[Integer[0],Pattern['^\d+%$']]`
 
 
 
@@ -459,11 +461,14 @@ Default value: `'auditd'`
 
 ##### `space_left`
 
-Data type: `Integer[0]`
+Data type: `Variant[Integer[0],Pattern['^\d+%$']]`
 
+Must be larger than `$admin_space_left`.
 
+* If `$admin_space_left` is an `Integer`, will be set to `30 + $admin_space_left`
+* If `$admin_space_left` is a percentage (auditd >= 2.8.5), will be set to `1% + $admin_space_left`
 
-Default value: `+`
+Default value: `auditd::calculate_space_left($admin_space_left)`
 
 ##### `space_left_action`
 
@@ -2092,18 +2097,39 @@ The following parameters are available in the `auditd::service` class.
 
 ##### `ensure`
 
-Data type: `Any`
+Data type: `Variant[String[1],Boolean]`
 
 ``ensure`` state from the service resource
 
-Default value: `'running'`
+Default value: `pick(getvar('auditd::enable'), 'running')`
 
 ##### `enable`
 
-Data type: `Any`
+Data type: `Boolean`
 
 ``enable`` state from the service resource
 
+Default value: `pick(getvar('auditd::enable'), true)`
+
+##### `bypass_kernel_check`
+
+Data type: `Boolean`
+
+Do not check to see if the kernel is enforcing auditing before trying to
+manage the service.
+
+* This may be required if auditing is not being actively managed in the
+  kernel and someone has stopped the auditd service by hand.
+
+Default value: ``false``
+
+##### `warn_if_reboot_required`
+
+Data type: `Boolean`
+
+Add a ``reboot_notify`` warning if the system requires a reboot before the
+service can be managed.
+
 Default value: ``true``
 
 ## Defined types
@@ -2166,6 +2192,24 @@ Default value: ``false``
 
 ## Functions
 
+### `auditd::calculate_space_left`
+
+Type: Puppet Language
+
+Calculates the correct default value for 'space_left' based on the value of 'admin_space_left'.
+
+#### `auditd::calculate_space_left(Variant[Integer[0],Pattern['^\d+%$']] $admin_space_left)`
+
+The auditd::calculate_space_left function.
+
+Returns: `Variant[Integer[0],Pattern['^\d+%$']]`
+
+##### `admin_space_left`
+
+Data type: `Variant[Integer[0],Pattern['^\d+%$']]`
+
+
+
 ### `auditd::get_array_index`
 
 Type: Ruby 4.x API
@@ -2204,6 +2248,22 @@ Data type: `Optional[Integer]`
 The minimum number of digits the index should be. 
 It will be '0'-padded to meet this number.
 
+### `auditd::validate_init_params`
+
+Type: Puppet Language
+
+Moved into a function to reduce class clutter.
+
+Fails on discovered errors.
+
+#### `auditd::validate_init_params()`
+
+Moved into a function to reduce class clutter.
+
+Fails on discovered errors.
+
+Returns: `None`
+
 ## Data types
 
 ### `Auditd::AuditProfile`

functions/calculate_space_left.pp

@@ -0,0 +1,16 @@
+# @summary Calculates the correct default value for 'space_left' based on the value of 'admin_space_left'.
+#
+# @return [Variant[Integer[0],Pattern['^\d+%$']]]
+#
+function auditd::calculate_space_left (
+  Variant[Integer[0],Pattern['^\d+%$']] $admin_space_left
+){
+  if $admin_space_left.is_a(Integer) {
+    $admin_space_left + 30
+  }
+  elsif $admin_space_left =~ /(\d+)%/ {
+    $_space_left = Integer($1) + 1
+
+    "${_space_left}%"
+  }
+}

functions/validate_init_params.pp

@@ -0,0 +1,25 @@
+# @summary Validates selected params from the main auditd class.
+#
+# Moved into a function to reduce class clutter.
+#
+# Fails on discovered errors.
+#
+# @return [None]
+#
+function auditd::validate_init_params {
+  if (( '%' in $auditd::space_left ) or ( '%' in $auditd::admin_space_left ))
+  {
+    if $facts['auditd_version'] and ( versioncmp($facts['auditd_version'], '2.8.5') < 0 ) {
+      fail('$space_left and $admin_space_left cannot contain "%" in auditd < 2.8.5')
+    }
+  }
+
+  if $auditd::space_left.type('generalized') == $auditd::admin_space_left.type('generalized') {
+    if $auditd::admin_space_left > $auditd::space_left {
+      fail('Auditd requires $space_left to be greater than $admin_space_left, otherwise it will not start')
+    }
+  }
+  else {
+    debug('$auditd::space_left and $auditd::admin_space_left are not of the same data type, cannot compare for sanity')
+  }
+}

manifests/init.pp

@@ -156,6 +156,11 @@
 #   The name of the auditd service.
 #
 # @param space_left
+#   Must be larger than `$admin_space_left`.
+#
+#   * If `$admin_space_left` is an `Integer`, will be set to `30 + $admin_space_left`
+#   * If `$admin_space_left` is a percentage (auditd >= 2.8.5), will be set to `1% + $admin_space_left`
+#
 # @param space_left_action
 #
 # @param syslog
@@ -214,7 +219,7 @@
 
   # Configuration Parameters
   String[1]                               $action_mail_acct         = 'root', # CCE-27241-9
-  Integer[0]                              $admin_space_left         = 50,
+  Variant[Integer[0],Pattern['^\d+%$']]   $admin_space_left         = 50,
   Auditd::SpaceLeftAction                 $admin_space_left_action  = 'SUSPEND', # CCE-27239-3 : No guarantee of e-mail server so sending to syslog.
   Boolean                                 $at_boot                  = true, # CCE-26785-6
   Integer[0]                              $buffer_size              = 16384,
@@ -234,10 +239,10 @@
   Boolean                                 $loginuid_immutable       = true,
   Integer[0]                              $max_log_file             = 24, # CCE-27550-3
   Auditd::MaxLogFileAction                $max_log_file_action      = 'ROTATE', # CCE-27237-7
-  Optional[Integer[1]]                    $max_restarts             = undef,           #data            = 10, #auditd version 3.0 and later
+  Optional[Integer[1]]                    $max_restarts             = undef, #data in module, #auditd version 3.0 and later
   Auditd::NameFormat                      $name_format              = 'USER',
   Integer[0]                              $num_logs                 = 5, # CCE-27522-2
-  Optional[Auditd::Overflowaction]        $overflow_action          = undef,         # data in module
+  Optional[Auditd::Overflowaction]        $overflow_action          = undef, # data in module
   String[1]                               $package_name             = 'audit',
   Simplib::PackageEnsure                  $package_ensure           = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }),
   Stdlib::Absolutepath                    $plugin_dir,              # data in module
@@ -246,7 +251,7 @@
   Integer[0]                              $rate                     = 0,
   Auditd::RootAuditLevel                  $root_audit_level         = 'basic',
   String[1]                               $service_name             = 'auditd',
-  Integer[0]                              $space_left               = $admin_space_left + 25, # needs to be larger than $admin_space_left or auditd will not start
+  Variant[Integer[0],Pattern['^\d+%$']]   $space_left               = auditd::calculate_space_left($admin_space_left),
   Auditd::SpaceLeftAction                 $space_left_action        = 'SYSLOG', # CCE-27238-5 : No guarantee of e-mail server so sending to syslog.
   Boolean                                 $syslog                   = simplib::lookup('simp_options::syslog', {'default_value' => false }),   # CCE-26933-2
   Optional[Array[Pattern['^.*_t$']]]      $target_selinux_types     = undef,
@@ -258,9 +263,10 @@
   include 'auditd::service'
 
   if $enable {
-    unless $space_left > $admin_space_left {
-      fail('Auditd requires $space_left to be greater than $admin_space_left, otherwise it will not start')
-    }
+    simplib::assert_metadata($module_name)
+
+    auditd::validate_init_params()
+
     if $facts['auditd_version'] and ( versioncmp($facts['auditd_version'], '2.6.0') < 0 ) {
       if ( versioncmp($facts['auditd_version'], '2.5.2') < 0 ) {
         unless $write_logs {
@@ -298,8 +304,6 @@
       $_write_logs = $write_logs
     }
 
-    simplib::assert_metadata($module_name)
-
     # This is done here so that the kernel option can be properly removed if
     # auditing is to be disabled on the system.
     if $at_boot {

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "simp-auditd",
-  "version": "8.6.0",
+  "version": "8.6.1",
   "author": "SIMP Team",
   "summary": "A SIMP puppet module for managing auditd and audispd",
   "license": "Apache-2.0",

spec/classes/config_spec.rb

@@ -207,7 +207,7 @@
               name = #{facts[:fqdn]}
               max_log_file = 24
               max_log_file_action = ROTATE
-              space_left = 75
+              space_left = 80
               space_left_action = SYSLOG
               admin_space_left = 50
               admin_space_left_action = SUSPEND

spec/classes/init_spec.rb

@@ -13,9 +13,11 @@
   context 'supported operating systems' do
     on_supported_os.each do |os, os_facts|
       context "on #{os}" do
-        let(:facts) do
+        let(:base_facts) do
           os_facts.merge(
             {
+              # Oldest version shipping with EL7
+              :auditd_version => '2.4.1',
               :simplib__auditd => {
                 'enabled' => true,
                 'kernel_enforcing' => true
@@ -24,6 +26,10 @@
           )
         end
 
+        let(:facts) do
+          base_facts
+        end
+
         context 'auditd with default parameters' do
           let(:params) {{ }}
           it_behaves_like 'a structured module'
@@ -50,6 +56,61 @@
           it { is_expected.to compile.and_raise_error(/Auditd requires \$space_left to be greater than \$admin_space_left, otherwise it will not start/) }
         end
 
+        context 'with space_left as a percentage' do
+          let(:params) do
+            {
+              :space_left => '20%'
+            }
+          end
+
+          it { is_expected.to compile.and_raise_error(/cannot contain "%"/) }
+        end
+
+        context 'with space_left as a percentage' do
+          let(:params) do
+            {
+              :admin_space_left => '20%'
+            }
+          end
+
+          it { is_expected.to compile.and_raise_error(/cannot contain "%"/) }
+        end
+
+        context 'auditd 2.8.5' do
+          context 'with space_left as a percentage' do
+            let(:facts) do
+              base_facts.merge({
+                :auditd_version => '2.8.5'
+              })
+            end
+
+            let(:params) do
+              {
+                :space_left => '20%'
+              }
+            end
+
+            it { is_expected.to compile.with_all_deps }
+          end
+
+          context 'with admin_space_left as a percentage' do
+            let(:facts) do
+              base_facts.merge({
+                :auditd_version => '2.8.5'
+              })
+            end
+
+            let(:params) do
+              {
+                :admin_space_left => '20%'
+              }
+            end
+
+            it { is_expected.to compile.with_all_deps }
+            it { is_expected.to contain_class('auditd').with_space_left('21%') }
+          end
+        end
+
         context 'auditd with auditing disabled' do
           let(:params) {{
             :enable => false
@@ -60,7 +121,6 @@
           it { is_expected.to_not contain_class('auditd::config') }
           it { is_expected.to contain_class('auditd::service') }
         end
-
       end
     end
   end