(#207) Removed el7 support, added el10 support (#208)

* (#207) Removed el7 support, added el10 support
* Switched the default behavior of service restarts so that it will
  simply restart the service instead of telling customers they need to
  restart their machines

Fixes #207

---------

Co-authored-by: Steven Pritchard <steve@sicura.us>

Author: michael-riddle

.github/workflows/pr_tests.yml

@@ -26,9 +26,6 @@ on:
   pull_request:
     types: [opened, reopened, synchronize]
 
-env:
-  PUPPET_VERSION: '~> 7'
-
 jobs:
   puppet-syntax:
     name: 'Puppet Syntax'
@@ -130,12 +127,34 @@ jobs:
       - run: 'bundle exec rake spec'
         continue-on-error: ${{matrix.puppet.experimental}}
 
-#  dump_contexts:
-#    name: 'Examine Context contents'
-#    runs-on: ubuntu-latest
-#    steps:
-#      - name: Dump contexts
-#        env:
-#          GITHUB_CONTEXT: ${{ toJson(github) }}
-#        run: echo "$GITHUB_CONTEXT"
-#
+  acceptance:
+    runs-on:
+      - ubuntu-latest
+    strategy:
+      matrix:
+        node:
+          - almalinux9
+          - almalinux10
+      fail-fast: false
+    steps:
+      - name: checkout repo
+        uses: actions/checkout@v4
+      - name: setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.2
+      - name: bundle install
+        run: |
+          bundle install
+      - name: Setup libvirt for Vagrant
+        run: |
+          sudo add-apt-repository ppa:evgeni/vagrant
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends vagrant vagrant-libvirt libvirt-daemon-system libvirt-daemon qemu-system-x86 qemu-utils dnsmasq
+          sudo chmod 666 /var/run/libvirt/libvirt-sock
+      - name: beaker
+        env:
+          BEAKER_HYPERVISOR: 'vagrant_libvirt'
+          VAGRANT_DEFAULT_PROVIDER: 'libvirt'
+        run: |
+          bundle exec rake beaker:suites[default,${{ matrix.node }}]

.rubocop.yml

@@ -1,12 +1,12 @@
 ---
-require:
+plugins:
   - rubocop-performance
   - rubocop-rake
   - rubocop-rspec
 AllCops:
   NewCops: enable
   DisplayCopNames: true
-  TargetRubyVersion: "2.7"
+  TargetRubyVersion: 2.7
   Include:
     - "**/*.rb"
   Exclude:
@@ -697,3 +697,5 @@ Style/StringChars:
   Enabled: false
 Style/SwapValues:
   Enabled: false
+Naming/PredicatePrefix:
+  Enabled: false

CHANGELOG

@@ -1,3 +1,7 @@
+* Tue Jul 22 2025 Mike Riddle <mike@sicura.us> - 9.0.0
+- Removed EL 7 support
+- Added EL 10 support
+
 * Wed Aug 27 2025 Steven Pritchard <steve@sicura.us> - 8.14.5
 - Clean up for rubocop
 

Gemfile

@@ -36,6 +36,7 @@ group :test do
   gem 'simp-rake-helpers', ENV.fetch('SIMP_RAKE_HELPERS_VERSION', '~> 5.24.0')
   # renovate: datasource=rubygems versioning=ruby
   gem 'simp-rspec-puppet-facts', ENV.fetch('SIMP_RSPEC_PUPPET_FACTS_VERSION', '~> 4.0.0')
+  gem 'syslog'
 end
 
 group :development do
@@ -47,6 +48,7 @@ end
 group :system_tests do
   gem 'bcrypt_pbkdf'
   gem 'beaker'
+  gem 'beaker_puppet_helpers'
   gem 'beaker-rspec'
   # renovate: datasource=rubygems versioning=ruby
   gem 'simp-beaker-helpers', ENV.fetch('SIMP_BEAKER_HELPERS_VERSION', '~> 2.0.0')

REFERENCE.md

@@ -117,6 +117,8 @@ The following parameters are available in the `auditd` class:
 * [`verify_email`](#-auditd--verify_email)
 * [`write_logs`](#-auditd--write_logs)
 * [`purge_auditd_rules`](#-auditd--purge_auditd_rules)
+* [`auditctl_command`](#-auditd--auditctl_command)
+* [`warn_if_reboot_required`](#-auditd--warn_if_reboot_required)
 
 ##### <a name="-auditd--enable"></a>`enable`
 
@@ -148,7 +150,7 @@ of audit rules.
 - @see `auditd::config::audit_profiles` for more details about this
   configuration.
 
-Default value: `[ 'simp' ]`
+Default value: `['simp']`
 
 ##### <a name="-auditd--audit_auditd_config"></a>`audit_auditd_config`
 
@@ -547,7 +549,7 @@ to be backwards compatable.  If you want to ensure the plugin is disabled,
 set auditd::config::audisp::syslog::enable to false.
 If this is set to false the plugin settings are not managed by puppet.
 
-Default value: `simplib::lookup('simp_options::syslog', {'default_value' => false })`
+Default value: `simplib::lookup('simp_options::syslog', { 'default_value' => false })`
 
 ##### <a name="-auditd--target_selinux_types"></a>`target_selinux_types`
 
@@ -602,6 +604,22 @@ Whether or not to purge existing auditd rules under /etc/audit/rules.d
 
 Default value: `true`
 
+##### <a name="-auditd--auditctl_command"></a>`auditctl_command`
+
+Data type: `String[1]`
+
+
+
+Default value: `'/usr/sbin/auditctl'`
+
+##### <a name="-auditd--warn_if_reboot_required"></a>`warn_if_reboot_required`
+
+Data type: `Boolean`
+
+
+
+Default value: `false`
+
 ### <a name="auditd--config"></a>`auditd::config`
 
 NOTE: THIS IS A [PRIVATE](https://github.com/puppetlabs/puppetlabs-stdlib#assert_private) CLASS**
@@ -2354,36 +2372,32 @@ Data type: `Variant[String[1],Boolean]`
 
 ``ensure`` state from the service resource
 
-Default value: `pick(getvar('auditd::enable'), 'running')`
+Default value: `$auditd::enable`
 
 ##### <a name="-auditd--service--enable"></a>`enable`
 
 Data type: `Boolean`
 
 ``enable`` state from the service resource
 
-Default value: `pick(getvar('auditd::enable'), true)`
+Default value: `$auditd::enable`
 
 ##### <a name="-auditd--service--bypass_kernel_check"></a>`bypass_kernel_check`
 
-Data type: `Boolean`
-
 Do not check to see if the kernel is enforcing auditing before trying to
 manage the service.
 
 * This may be required if auditing is not being actively managed in the
   kernel and someone has stopped the auditd service by hand.
 
-Default value: `false`
-
 ##### <a name="-auditd--service--warn_if_reboot_required"></a>`warn_if_reboot_required`
 
 Data type: `Boolean`
 
 Add a ``reboot_notify`` warning if the system requires a reboot before the
 service can be managed.
 
-Default value: `true`
+Default value: `$auditd::warn_if_reboot_required`
 
 ## Defined types
 
@@ -2505,7 +2519,7 @@ The array
 
 Data type: `Optional[Integer]`
 
-The minimum number of digits the index should be. 
+The minimum number of digits the index should be.
 It will be '0'-padded to meet this number.
 
 ### <a name="auditd--validate_init_params"></a>`auditd::validate_init_params`

data/os/CentOS-7.yaml renamed to data/os/AlmaLinux-10.yaml

@@ -1,8 +1,9 @@
 ---
-# Default to version 2 settings
-auditd::dispatcher: '/sbin/audispd'
-auditd::disp_qos: 'lossy'
-auditd::plugin_dir: '/etc/audisp/plugins.d'
+#  Default to auditd version 3 settings
+auditd::plugin_dir: '/etc/audit/plugins.d'
+auditd::config::audisp::syslog::type: 'always'
+auditd::config::audisp::syslog::syslog_path: '/sbin/audisp-syslog'
+auditd::config::audisp::syslog::pkg_name: 'audispd-plugins'
 
 auditd::config::audit_profiles::stig::default_suid_sgid_cmds:
   - "/usr/bin/at"

data/os/OracleLinux-7.yaml renamed to data/os/CentOS-10.yaml

@@ -1,8 +1,9 @@
 ---
-# Default to auditd version 2 settings
-auditd::dispatcher: '/sbin/audispd'
-auditd::disp_qos: 'lossy'
-auditd::plugin_dir: '/etc/audisp/plugins.d'
+#  Default to auditd version 3 settings
+auditd::plugin_dir: '/etc/audit/plugins.d'
+auditd::config::audisp::syslog::type: 'always'
+auditd::config::audisp::syslog::syslog_path: '/sbin/audisp-syslog'
+auditd::config::audisp::syslog::pkg_name: 'audispd-plugins'
 
 auditd::config::audit_profiles::stig::default_suid_sgid_cmds:
   - "/usr/bin/at"

data/os/RedHat-7.yaml renamed to data/os/RedHat-10.yaml

@@ -1,8 +1,9 @@
 ---
-# Default to auditd version 2 settings
-auditd::dispatcher: '/sbin/audispd'
-auditd::disp_qos: 'lossy'
-auditd::plugin_dir: '/etc/audisp/plugins.d'
+#  Default to auditd version 3 settings
+auditd::plugin_dir: '/etc/audit/plugins.d'
+auditd::config::audisp::syslog::type: 'always'
+auditd::config::audisp::syslog::syslog_path: '/sbin/audisp-syslog'
+auditd::config::audisp::syslog::pkg_name: 'audispd-plugins'
 
 auditd::config::audit_profiles::stig::default_suid_sgid_cmds:
   - "/usr/bin/at"

lib/facter/auditd_sample_ruleset_location.rb

@@ -7,14 +7,13 @@
 Facter.add('auditd_sample_ruleset_location') do
   confine kernel: 'Linux'
 
-  confine do
-    File.directory?('/usr/share/audit/sample-rules') || !Dir.glob('/usr/share/doc/audit*/rules').empty?
-  end
-
   setcode do
-    retval = '/usr/share/audit/sample-rules' if File.directory?('/usr/share/audit/sample-rules')
-    retval = Dir.glob('/usr/share/doc/audit*/rules').first unless Dir.glob('/usr/share/doc/audit*/rules').empty?
+    candidates = [
+      '/usr/share/audit/sample-rules',
+      '/usr/share/audit-rules',
+      '/usr/share/doc/auditd/examples/rules',
+    ] + Dir.glob('/usr/share/doc/audit*/rules')
 
-    retval
+    candidates.find { |d| File.directory?(d) && !Dir.glob("#{d}/*.rules").empty? }
   end
 end

manifests/config.pp

@@ -68,7 +68,7 @@
     }
   } else {
     # If auditd version is unknown use 'best guess' at default OS version
-    $_auditd_conf_main = $facts['os']['release']['major'] < '8' ? {
+    $_auditd_conf_main = Integer($facts['os']['release']['major']) < 8 ? {
       false   => epp("${module_name}/etc/audit/auditd.3.conf.epp"),
       default => epp("${module_name}/etc/audit/auditd.2.conf.epp")
     }