Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.22.1 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-incron', '0.6.0'
Learn more about managing modules with a Puppetfile in the Puppet documentation.
Table of Contents
- Description
- Setup - The basics of getting started with incron
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Description
This module manages the incron packages, service, and /etc/incron.allow.
WARNING:
There were issues in early versions of incron 0.5.12. Please ensure that you are using at least version 0.5.12-10 or later on EL 7+.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
It is designed to be used within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used as an independent module, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators.
Please review the parameters in simp/simp_options for details.
If you run into problems, please let us know by filing an issue at https://simp-project.atlassian.net/.
Setup
What incron affects
- incron package
- incrond service
- /etc/incron.deny
- /etc/incron.allow
Usage
To use this module, just include the class. This example adds it to a class list in hiera:
```yaml
---
classes:
  - incron
```
Users can also be added to /etc/incron.allow with the incron::user defined type, or with the incron::users array in hiera. The following example adds a few users to /etc/incron.allow:
```yaml
incron::users:
  - foo
  - bar
```
New system table entries can be added to the /etc/incron.d/ directory with the incron::system_table defined type, or with the incron::system_table hash in hiera. The following example adds two new system table entries to the /etc/incron.d/ directory:
```yaml
incron::system_table:
  allowrw:
    path: '/data/'
    command: '/usr/bin/chmod -R 774 $@/$#'
    mask: ['IN_CREATE']
  deletelog:
    path: '/var/run/daemon'
    command: '/usr/bin/rm /var/log/daemon.log'
    mask: ['IN_DELETE']
```
Reference
Please refer to the inline documentation within each source file, or to the module's generated YARD documentation for reference material.
Limitations
SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.
Development
Please read our [Contribution Guide](https://simp.readthedocs.io/en/stable/contributors_guide/index.html).
Acceptance tests
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:
```shell
bundle install
bundle exec rake beaker:suites
```
Please refer to the SIMP Beaker Helpers documentation for more information.
Reference
Table of Contents
Classes
- incron: This class manages /etc/incron.allow and /etc/incron.deny and the incrond service.
- incron::service: This class wraps the incrond service.
Defined types
- incron::system_table: Add a system table $name to /etc/incron.d. If multiple path and/or command options are specified, they will be expanded into all matching possibilities.
- incron::user: Add the user $name to /etc/incron.allow.
Resource types
- incron_system_table: Creates an 'incrond' compatible system table. Line order will be preserved. Any paths that contain globs '*' will be expanded into the appropriate number of rules based on glob expansion on the target system.
Data types
- Incron::Mask: Valid incron masks.
Classes
incron
This class manages /etc/incron.allow and /etc/incron.deny and the incrond service.
Parameters
The following parameters are available in the incron class.
package_ensure
Data type: String
The ensure parameter of Package resources in the incron namespace.
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
users
Data type: Array[String[1]]
An Array of additional incron users, using the defined type incron::user.
Default value: []
max_open_files
Data type: Variant[Enum['unlimited'],Integer[0]]
The maximum open files limit that should be set for incrond. This should generally be left as unlimited, since incrond could be watching a great number of events. However, you may need to lower this if you find that it is simply overwhelming your system (and analyze your incrond rules).
Default value: 'unlimited'
system_table
Data type: Hash
Create incron::system_table resources with hiera
Default value: {}
purge
Data type: Boolean
Whether or not to purge unknown incron tables
Default value: false
incron::service
This class wraps the incrond service
Defined types
incron::system_table
Add a system table $name to /etc/incron.d
If multiple path
and/or command
options are specified, they will be
expanded into all matching possibilities.
Examples
Multiplexed Path and Command
```puppet
incron::system_table { 'test':
  path    => ['/foo/bar', '/foo2/bar2'],
  command => ['/bin/baz', '/bin/baz2']
}
```
Results in /etc/incron.d/test with contents:
```text
/foo/bar IN_MODIFY,IN_MOVE,IN_CREATE,IN_DELETE /bin/baz
/foo/bar IN_MODIFY,IN_MOVE,IN_CREATE,IN_DELETE /bin/baz2
/foo2/bar2 IN_MODIFY,IN_MOVE,IN_CREATE,IN_DELETE /bin/baz
/foo2/bar2 IN_MODIFY,IN_MOVE,IN_CREATE,IN_DELETE /bin/baz2
```
Path Globbing
For the following directory structure:
```text
/foo/bar/one/one_more/baz/one.txt
/foo/bar/one/one_other/baz/ignore.me
/foo/bar/two/baz/two.txt
```
```puppet
incron::system_table { 'glob':
  path    => '/foo/bar/**/baz/*.txt',
  command => '/bin/baz'
}
```
Results in /etc/incron.d/glob with contents:
```text
/foo/bar/one/one_more/baz/one.txt IN_MODIFY,IN_MOVE,IN_CREATE,IN_DELETE /bin/baz
/foo/bar/two/baz/two.txt IN_MODIFY,IN_MOVE,IN_CREATE,IN_DELETE /bin/baz
```
Parameters
The following parameters are available in the incron::system_table defined type.
enable
Data type: Boolean
Whether to enable or disable the table
Default value: true
path
Data type: Optional[Variant[Array[String], String]]
Filesystem path(s) to monitor
- May contain Ruby Dir.glob compatible strings
Default value: undef
mask
Data type: Array[String]
Symbolic array or numeric mask for events
Default value: ['IN_MODIFY','IN_MOVE','IN_CREATE','IN_DELETE']
command
Data type: Optional[Variant[Array[String], String]]
Command(s) to run on detection of event in $path
Default value: undef
custom_content
Data type: Optional[String]
Custom content to add to /etc/incron.d/$name. Defining this disables validation of the content and takes priority over path, mask, and command.
Default value: undef
incron::user
Add the user $name to /etc/incron.allow
Resource types
incron_system_table
Creates an 'incrond' compatible system table
Line order will be preserved
Any paths that contain globs '*' will be expanded into the appropriate number of rules based on glob expansion on the target system
Globbed paths that do not result in a valid path expansion will be ignored
Globs starting with /** will also be ignored due to the burden placed on the system
WARNING: TAKE CARE THAT YOU KNOW WHAT YOUR GLOBS WILL EXPAND TO!
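The path-by-command multiplexing shown in the Examples above and the glob expansion rules in this description, as an added Ruby example that is not the module's own code (it does not reproduce the real incron_system_table provider): it renders one table line per expanded path and command pair, treats only specs containing '*' as globs (an assumption that follows the wording on this page), expands them with Dir.glob, drops globs that match nothing or that start with /**, and validates mask tokens against the Incron::Mask alias from the Data types section. The directory tree it globs over is a constructed temporary fixture it creates itself.

```ruby
require 'tmpdir'
require 'fileutils'

# Mask tokens copied from the Incron::Mask alias documented on this page.
INCRON_MASKS = %w[
  IN_ACCESS IN_ALL_EVENTS IN_ATTRIB IN_CLOSE IN_CLOSE_NOWRITE IN_CLOSE_WRITE
  IN_CREATE IN_DELETE IN_DELETE_SELF IN_DONT_FOLLOW IN_MODIFY IN_MOVE
  IN_MOVED_FROM IN_MOVED_TO IN_MOVE_SELF IN_NO_LOOP IN_ONESHOT IN_ONLYDIR
  IN_OPEN loopable=true recursive=false dotdirs=true
].freeze

# Default mask of incron::system_table, per the Parameters section.
DEFAULT_MASK = %w[IN_MODIFY IN_MOVE IN_CREATE IN_DELETE].freeze

# Refuse any token outside the alias rather than writing a table incrond may misparse.
def validate_mask(mask)
  bad = Array(mask) - INCRON_MASKS
  raise ArgumentError, "invalid incron mask token(s): #{bad.join(', ')}" unless bad.empty?
  Array(mask)
end

# Expand one path spec using the rules from the incron_system_table description:
#   * specs without a '*' are literal paths and pass through unchanged
#   * specs starting with /** are dropped (they would walk the whole filesystem)
#   * other globs are expanded with Dir.glob; a glob matching nothing yields no rules
# Assumption: only '*' marks a glob, as the page's wording says; other Dir.glob
# metacharacters are not treated specially here.
def expand_path(spec)
  return [spec] unless spec.include?('*')
  return [] if spec.start_with?('/**')
  Dir.glob(spec).sort
end

# Render table lines: every expanded path combined with every command,
# in the order shown by the Multiplexed Path and Command example.
def render_table(path:, command:, mask: DEFAULT_MASK)
  paths = Array(path).flat_map { |spec| expand_path(spec) }
  mask_field = validate_mask(mask).join(',')
  paths.product(Array(command)).map { |p, cmd| "#{p} #{mask_field} #{cmd}" }
end

# Recreate the Path Globbing example's tree under a temporary directory
# (constructed fixture) and render against it. The temp prefix is stripped
# from the result so the lines match the documented /etc/incron.d/glob output.
def glob_demo
  Dir.mktmpdir do |root|
    %w[one/one_more/baz/one.txt one/one_other/baz/ignore.me two/baz/two.txt].each do |rel|
      full = File.join(root, 'foo', 'bar', rel)
      FileUtils.mkdir_p(File.dirname(full))
      FileUtils.touch(full)
    end
    render_table(path: File.join(root, 'foo/bar/**/baz/*.txt'), command: '/bin/baz')
      .map { |line| line.sub(root, '') }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts render_table(path: ['/foo/bar', '/foo2/bar2'], command: ['/bin/baz', '/bin/baz2'])
  puts glob_demo
end
```

Running the file prints the four multiplexed lines from the first example followed by the two glob-expanded lines from the second; ignore.me is skipped because it does not match *.txt, and a spec such as /**/baz/*.txt produces no rules at all, which is the behaviour the warning above is about.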
Properties
The following properties are available in the incron_system_table type.
ensure
Valid values: present, absent
The state that should be enforced for the table
Default value: present
Parameters
The following parameters are available in the incron_system_table type.
name
namevar
The filename to use for the table - Non-word characters will be replaced
path
Path(s) to watch and apply the command
mask
The incron "masks" to apply
command
The command(s) to apply when the paths change
If multiple paths and commands are specified, they will create multiple lines that contain all possible combinations
content
Raw content to add to the file - Will be validated
Data types
Incron::Mask
Valid incron masks
Alias of Enum['IN_ACCESS', 'IN_ALL_EVENTS', 'IN_ATTRIB', 'IN_CLOSE', 'IN_CLOSE_NOWRITE', 'IN_CLOSE_WRITE', 'IN_CREATE', 'IN_DELETE', 'IN_DELETE_SELF', 'IN_DONT_FOLLOW', 'IN_MODIFY', 'IN_MOVE', 'IN_MOVED_FROM', 'IN_MOVED_TO', 'IN_MOVE_SELF', 'IN_NO_LOOP', 'IN_ONESHOT', 'IN_ONLYDIR', 'IN_OPEN', 'loopable=true', 'recursive=false', 'dotdirs=true']
Changelog
- Tue Jun 15 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 0.6.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Fri Dec 18 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 0.5.1
- Removed EL6 support
- Tue Dec 10 2019 Trevor Vaughan tvaughan@onyxpoint.com - 0.5.0-0
- Add EL8 support
- Remove pinned versions of incron since the upstream packages have been fixed
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 0.5.0-0
- Remove Puppet 4 support
- Add Puppet 6 support
- Add puppetlabs-stdlib 6 support
- Add puppetlabs/concat 6 support
- Tue Feb 26 2019 Liz Nemsick lnemsick.simp@gmail.com - 0.4.1-0
- Fixed a bug in the incrond_version fact in which an error message was displayed during fact resolution, on systems for which incron was not installed.
- Expanded the upper limits of the concat and stdlib Puppet module versions
- Sun Jan 20 2019 Trevor Vaughan tvaughan@onyxpoint.com - 0.4.0-0
- Add the ability to set the 'max_open_files' ulimit
- Add Incron::Mask Data Type denoting valid incron masks
- Add incron::purge parameter to optionally delete all unmanaged files in /etc/incron.d. This may be enabled by default in the future but is currently disabled to preserve the existing functionality.
- Added support for the new options starting with 0.5.12
- Automatically strip out options that are not supported by earlier versions for seamless backward compatibility
- Thu Nov 01 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 0.3.1-0
- Update static assets for puppet 5
- Update badges in README.md
- Thu Jul 05 2018 Trevor Vaughan tvaughan@onyxpoint.com - 0.3.1-0
- Add support for OEL and Puppet 5
- Tue Jun 19 2018 Nick Miller nick.miller@onyxpoint.com - 0.3.0-0
- Stop managing the systemd unit file, because deviating from the RPM defaults violates the STIG
- Set /etc/incron.d to 0755, the RPM default
- Fri May 04 2018 Trevor Vaughan tvaughan@onyxpoint.com - 0.3.0-0
- Added a native type incron_system_table to allow for client side glob expansion on paths
- Pushed all validation of parameters off to the native type from incron::system_table
- Updated acceptance tests to verify that incron is actually working
- Bumped the supported puppet version to '< 6'
- Mon Apr 02 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 0.2.0-0
- Fixed permission on incrond service file to clear errors in system log.
- Updated package to use package ensure to control updates. This changed the default ensure of package to installed from latest.
- Mon Feb 12 2018 Liz Nemsick lnemsick.simp@gmail.com - 0.1.0-0
- Update upperbound on puppetlabs/concat version to < 5.0.0
- Mon Jan 08 2018 Rurik Yla-Onnenvuori rurik.ylae-onnenvuori@baloise.com - 0.1.0-0
- Add support for defining system table entries in hiera
- Remove dependency to simplib
- Fri Aug 18 2017 Liz Nemsick lnemsick.simp@gmail.com - 0.0.3-0
- Update concat version in metadata.json
- Thu Jul 06 2017 Liz Nemsick lnemsick.simp@gmail.com - 0.0.2-0
- Update puppet dependency in metadata.json
- Remove OBE pe dependency in metadata.json
- Wed Dec 7 2016 Nick Miller nick.miller@onxypoint.com - 0.0.1
- First cut
- Content moved from simplib, added tests
Dependencies
- puppetlabs/concat (>= 6.4.0 < 8.0.0)
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
- simp/simplib (>= 3.4.0 < 5.0.0)
incron - A SIMP Puppet module for managing incron

Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.

---

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.