Auditing directory content not managed by Puppet


Miroslav Kalina

Apr 28, 2020, 10:00:28 AM
to Puppet Users
Hello guys,

I am trying to audit a directory on a server and automatically regenerate (with a custom script run by *exec*) its content whenever a user touches it. With single files it's easy to do with

file {'/etc/myconfig':
  audit => content,
}

-> exec {'/usr/local/bin/generate-myconfig.sh':
  refreshonly => true,
}

Unfortunately, when I try to audit a directory, the content of its files is not audited (which I kinda understand) and even the list of files is not audited (which I can understand less). When I try to switch to `audit => mtime`, I am getting strange errors with `transaction.yaml` format and missing class Time.

file {'/etc/mysoft/conf.d':
  ensure => directory,
  audit  => mtime,
}

-> exec {'/usr/local/bin/generate-mysoft-conf.sh':
  refreshonly => true,
}

On the first puppet agent run everything is completely fine; in a verbose run I got the notice
Notice: /Stage[main]/MySoftModule::Config/File[/etc/mysoft/conf.d]/mtime: audit change: previously recorded value '2020-04-28 11:11:00 +0200' has been changed to '2020-04-28 11:27:16 +0200'

but other runs always give me an error
Error: Transaction store file /opt/puppetlabs/puppet/cache/state/transactionstore.yaml is corrupt ((/opt/puppetlabs/puppet/cache/state/transactionstore.yaml): Tried to load unspecified class: Time); replacing
Wrapped exception:
Tried to load unspecified class: Time

and when I searched `transactionstore.yaml` I found this section, which I believe is related to this error
  File[/etc/mysoft/conf.d]:
    parameters:
      ensure:
        system_value:
        - :directory
      mtime:
        system_value:
        - 2020-04-28 11:27:16.291317766 +02:00

Do you have any idea what I am doing wrong? I believe it's supposed to be used like that, but I cannot find much official reference and examples of audit metaparameter usage. I am using official puppetlabs packages, currently in version 6.14.0-buster1, but this behaves exactly the same as in previous versions.

Thank you for any advice.

Josh Cooper

May 8, 2020, 2:11:09 PM
to Puppet Users
Puppet safely loads YAML by restricting which classes can be loaded. The Time class isn't in that list, and the code that loads the transactionstore doesn't explicitly allow it, so the load fails. Puppet should probably allow the Time class, in addition to Symbol. Could you file a PUP ticket? Also pull requests are welcome!

Josh
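
The restricted YAML load described in the reply above can be reproduced outside Puppet with Ruby's own `YAML.safe_load`. This is an added example, not Puppet's code: `load_store`, `mtime_of` and the sample document are constructed for illustration, and it assumes Ruby 2.6 or later for the `permitted_classes:` keyword.

```ruby
require 'yaml'

# Constructed sample, modeled on the transactionstore.yaml excerpt in the thread.
SAMPLE_STORE = <<~YAML
  File[/etc/mysoft/conf.d]:
    parameters:
      ensure:
        system_value:
        - :directory
      mtime:
        system_value:
        - 2020-04-28 11:27:16.291317766 +02:00
YAML

# Hypothetical helper: load with an explicit class allowlist and report the
# outcome instead of raising, so different allowlists can be compared.
def load_store(text, permitted)
  data = YAML.safe_load(text, permitted_classes: permitted)
  { ok: true, data: data, error: nil }
rescue Psych::DisallowedClass => e
  # safe_load is default-deny: any class outside the allowlist aborts the load.
  { ok: false, data: nil, error: e.message }
end

# Hypothetical helper: pull the recorded mtime out of a successful load.
def mtime_of(result)
  params = result[:data]['File[/etc/mysoft/conf.d]']['parameters']
  params['mtime']['system_value'].first
end

if __FILE__ == $PROGRAM_NAME
  {
    'nothing allowed'   => [],
    'Symbol only'       => [Symbol],        # the situation described in the reply
    'Symbol and Time'   => [Symbol, Time]   # the change the reply suggests
  }.each do |label, permitted|
    result = load_store(SAMPLE_STORE, permitted)
    if result[:ok]
      puts "#{label}: loaded, mtime is a #{mtime_of(result).class}"
    else
      puts "#{label}: rejected (#{result[:error]})"
    end
  end
end
```

The unquoted timestamp is what triggers the failure: the YAML parser resolves it to a `Time` object, so the allowlist has to name `Time` explicitly rather than the loader falling back to an unrestricted load.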