Fix audit log permissions using group-based access (development)

debian/changelog

@@ -1,3 +1,15 @@
+puppet-code (0.1.0-1build267) noble; urgency=medium
+
+  * commit event. see changes history in git log
+
+ -- root <packager@infrahouse.com>  Fri, 26 Dec 2025 17:59:04 +0000
+
+puppet-code (0.1.0-1build266) noble; urgency=medium
+
+  * commit event. see changes history in git log
+
+ -- root <packager@infrahouse.com>  Fri, 26 Dec 2025 17:58:57 +0000
+
 puppet-code (0.1.0-1build265) noble; urgency=medium
 
   * commit event. see changes history in git log

environments/development/modules/profile/manifests/auditd.pp

@@ -15,7 +15,7 @@
   String $log_file       = '/var/log/audit/audit.log',
   String $log_file_mode  = '0640',
   String $log_file_owner = 'root',
-  String $log_file_group = 'root',
+  String $log_file_group = 'adm',
 ) {
 
   package { 'auditd':

environments/development/modules/profile/manifests/cloudwatch_agent.pp

@@ -2,9 +2,7 @@
 #
 # Provides common resources and configuration for CloudWatch agent:
 # - CloudWatch agent package, user, and service
-# - ACL package for audit log access
-# - Scripts for setting and verifying ACLs
-# - Systemd drop-in for supplementary groups
+# - Systemd drop-in for supplementary groups (adm group for log access)
 # - Monitoring script
 # - Common logs and metrics configuration
 #
@@ -69,41 +67,6 @@
     require => Package['amazon-cloudwatch-agent'],
   }
 
-  # Ensure acl package is installed for setting file ACLs
-  package { 'acl':
-    ensure => installed,
-  }
-
-  # Deploy ACL setup script
-  file { '/usr/local/bin/set-audit-acl':
-    ensure  => file,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0755',
-    content => template('profile/cloudwatch_agent/set-audit-acl.sh.erb'),
-  }
-
-  # Deploy ACL verification script
-  file { '/usr/local/bin/check-audit-acl':
-    ensure  => file,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0755',
-    content => template('profile/cloudwatch_agent/check-audit-acl.sh.erb'),
-  }
-
-  # Allow CloudWatch agent to read audit logs
-  exec { 'set-audit-log-acl':
-    command => '/usr/local/bin/set-audit-acl',
-    unless  => '/usr/local/bin/check-audit-acl',
-    require => [
-      Class['sudo'],
-      File['/usr/local/bin/set-audit-acl'],
-      File['/usr/local/bin/check-audit-acl'],
-      User['cwagent'],
-    ],
-  }
-
   # Systemd drop-in to ensure CloudWatch agent gets supplementary groups
   # The default unit file doesn't call initgroups(), so we must specify groups explicitly
   file { '/etc/systemd/system/amazon-cloudwatch-agent.service.d':

environments/development/modules/profile/templates/auditd/auditd.conf.erb

@@ -12,8 +12,8 @@ log_file = <%= @log_file %>
 # Log format (raw or enriched - enriched provides more detail for compliance)
 log_format = enriched
 
-# Log group (for permissions)
-log_group = root
+# Log group (for permissions - adm group allows CloudWatch agent to read)
+log_group = <%= @log_file_group %>
 
 # Priority boost for daemon
 priority_boost = 4

environments/development/modules/profile/templates/auditd/logrotate.erb

@@ -1,6 +1,6 @@
 # Managed by Puppet
 # Logrotate configuration for audit logs
-# Size-based rotation (auditd rotation is disabled to allow postrotate ACL restore)
+# Size-based rotation (auditd built-in rotation is disabled)
 
 <%= File.dirname(@log_file) %>/*.log {
     size 50M
@@ -13,9 +13,5 @@
     postrotate
         # Tell auditd to reopen its log file
         /usr/sbin/service auditd rotate
-        # Restore ACLs if CloudWatch agent is configured
-        if [ -x /usr/local/bin/set-audit-acl ]; then
-            /usr/local/bin/set-audit-acl
-        fi
     endscript
 }