As Trevor mentioned above, this is something you want to control externally via cron and not Puppet. I took a slightly different approach and used an external fact, which allowed me to write the fact in bash. There is no reason why you couldn't do this in a Ruby-based fact, but since all the original code was written in bash I used external facts simply to save time.

https://gist.github.com/logicminds/2389d980f00333dcb48d

The key item is that this fact alone takes 37 seconds to run, so I decided to cache the result for 12 hours, which obviously speeds up fact value retrieval. I wasn't crazy about having a bunch of random cron jobs to cache the value of 10+ facts, so I built the control mechanism into the fact code itself so that it doesn't rely on cron or some other service. Hit me up privately as I might have more code to share that could be useful to you.

Corey

On Sunday, September 6, 2015 at 7:22:28 AM UTC-7, Trevor Vaughan wrote:
>
> This rule will let you know when an SUID binary is *executed*:
> https://github.com/simp/pupmod-simp-auditd/blob/master/templates/base.erb#L50:L55
>
> I would not run any filesystem searches from Puppet; I would relegate those to cron+syslog so that you can better control the amount of I/O churn on your system over time.
>
> Thanks,
>
> Trevor
>
> On Fri, Sep 4, 2015 at 2:54 PM, Sean <[email protected]> wrote:
>
>> Hi,
>>
>> I'm using a module from the Forge to manage auditd rules; the module works quite well and managing rules is very easy. The hard part is that there's a requirement to audit use of SUID files on each system. Without knowing exactly what files are SUID on every server in the field, since there are several Linux flavors and versions, I'm finding myself thinking the only way to accomplish this is to write a custom fact to hold all the SUID files as an array, then pass the array to the resource creator. I just don't relish the idea of running a find command from / every 30 minutes.
>>
>> Might anyone have any better ideas?
>>
>> Thank you kindly!
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/e848e8ab-0a96-4934-9382-42f3b828d529%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
>
> -- This account not approved for unencrypted proprietary information --
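The "control mechanism built into the fact itself" approach Corey describes, as an added example that is not his gist or any project's code: a POSIX shell external fact that re-runs the SUID search only when its cached result is older than a TTL (12 hours by default, as in the thread). The function and variable names, the cache path, the --run convention and the fact name suid_files are all assumptions.

```shell
#!/bin/sh
# Added example, not Corey's gist: an external fact that lists SUID files but
# re-runs the expensive find only when the cached result is older than a TTL,
# so the fact itself, not cron, limits the I/O churn. All names are assumed.

SUID_CACHE="${SUID_CACHE:-/var/cache/facter/suid_files.cache}"
SUID_TTL="${SUID_TTL:-43200}"   # 12 hours, as in the thread

# cache_is_fresh FILE TTL: succeeds when FILE exists and the epoch stamp on its
# first line (written by suid_files_cached) is less than TTL seconds old.
cache_is_fresh() {
  [ -r "$1" ] || return 1
  stamp=$(head -n 1 "$1")
  case "$stamp" in ''|*[!0-9]*) return 1 ;; esac   # empty or corrupt cache
  now=$(date +%s)
  [ $((now - stamp)) -lt "$2" ]
}

# suid_files_cached ROOT CACHE TTL: prints "suid_files=<comma list>" in the
# external-fact key=value format, refreshing CACHE only when it is stale.
suid_files_cached() {
  root=$1; cache=$2; ttl=$3
  if ! cache_is_fresh "$cache" "$ttl"; then
    mkdir -p "$(dirname "$cache")"
    tmp="$cache.$$"
    # Line 1: timestamp. Line 2: sorted SUID files on this filesystem only
    # (-xdev keeps find out of /proc, network mounts and the like).
    {
      date +%s
      find "$root" -xdev -type f -perm -4000 2>/dev/null | sort | paste -s -d ',' -
    } > "$tmp" && mv "$tmp" "$cache"   # atomic replace: no partial reads
  fi
  printf 'suid_files=%s\n' "$(sed -n '2p' "$cache")"
}

# A facts.d wrapper would invoke this file as: sh suid_files.sh --run
if [ "${1:-}" = "--run" ]; then
  suid_files_cached / "$SUID_CACHE" "$SUID_TTL"
fi
```

Because the cache is only rewritten by the fact itself, the TTL (not the agent run interval) bounds how often the full filesystem walk happens.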
