Module shouldn't install auditd by default nor should it manage the auditd service #4
Comments
Thanks for the feedback. The Insight agent by default needs auditd installed, but the service must be disabled unless the Insight agent is running in auditd compatibility mode. If it is running in auditd compatibility mode, then auditd needs to be properly configured to work with the Insight agent. My preference would be to have a single parameter to enable/disable having this module manage auditd (including the service). If you choose to have this module manage auditd, then it will do exactly what it does now. If you choose not to have this module manage auditd, then it will be entirely on you to make sure auditd is properly configured to work with the Insight agent (including making sure the auditd service is disabled if not using auditd compatibility mode). It might take me a few weeks to get around to making the modifications.
I'm using your module in a test environment now. If my boss allows, I'll make some changes.
Agreed, the package resource should honor the manage_auditd param IMO. If it is true, install the package; if it is false, do not install the package. I have SIMP Auditd managing the module, and even setting manage_auditd => false it will still cause duplicate resource definition errors on compile. At minimum, if !defined(Package['auditd']) would do nicely in eliminating the issue, but realistically I feel it should honor the manage_auditd param. Maybe a separate one if you feel manage_auditd should not be used, manage_auditd_package? For now I had to download and make changes to it locally, but I would rather be able to use Puppetfile without having to host all of it in my source control.
@DBACHRY13 I was actually planning on switching to using ensure_packages from stdlib to install auditd. I could do both and install it only if manage_auditd = true, but at this point that could be a breaking change, so I think just going with ensure_packages is probably the safest option. Now that I think about it, just using if !defined(Package['auditd']) as you suggested is the safest option with stdlib deprecating ensure_packages in favor of stdlib::ensure_packages with stdlib 8.x.
If a breaking change is a concern, I would say it might be safest then to add a new param - manage_auditd_package - that defaults to true, and the install runs on that bool being true; but it also does the 'if ! defined' portion to ensure that it won't cause dupe resource errors. Happy to lend an assist if needed, and thanks for the response! :)
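Added example, not part of the thread and not the module's own code: a sketch of the guard discussed in the comments above, combining a `manage_auditd_package` parameter that defaults to true with the `!defined(Package['auditd'])` check, and keeping the service disabled outside auditd compatibility mode. The class name `insight_agent_example` and the `auditd_compat_mode` parameter are hypothetical; the `Service['auditd']` guard is likewise an assumption that extends the same pattern to the service.

```puppet
# Hypothetical class for illustration only; not the module's real class.
class insight_agent_example (
  Boolean $manage_auditd         = true,   # parameter named in the thread
  Boolean $manage_auditd_package = true,   # proposed in the thread; default keeps current behaviour
  Boolean $auditd_compat_mode    = false,  # hypothetical switch for auditd compatibility mode
) {
  # Declare the package only when asked to, and only if no other module
  # (for example a dedicated auditd module) has already declared it.
  # Caveat: defined() is evaluation-order dependent. It only sees resources
  # declared before this line is evaluated, so if the other module's class is
  # evaluated later, the duplicate declaration error can still occur. Setting
  # manage_auditd_package => false is the deterministic way to opt out.
  if $manage_auditd_package and !defined(Package['auditd']) {
    package { 'auditd':
      ensure => installed,
    }
  }

  # Touch the service only when this module is explicitly managing auditd.
  # Per the maintainer's comment, the service must be disabled unless the
  # agent runs in auditd compatibility mode.
  if $manage_auditd and !defined(Service['auditd']) {
    $auditd_ensure = $auditd_compat_mode ? {
      true    => 'running',
      default => 'stopped',
    }

    service { 'auditd':
      ensure => $auditd_ensure,
      enable => $auditd_compat_mode,
    }
  }
}
```

With both parameters set to false, the class declares neither resource, so a separate auditd module remains the single owner of the package and the service, and no change to audit logging is applied from two places.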
Installing auditd package by default can (and does) cause a duplicate resource definition when you are also installing auditd from the auditd Puppet module.
In addition, it should not be the responsibility of this module to manage the auditd service.
At least, this module should have variables that can be set to install auditd and manage its rules but this module must not manage the auditd service; that is the job of the audit module.