
[auditd_manager] audit_rule_files variable needs multi: true #10000

@andrewkroh

Description


The audit_rule_files variable is apparently expected to be an array if you look at the description (says “A list”) and the way it’s used in the handlebars file (with a loop). So the variable declaration is missing multi: true.

When I view the rendered Agent policy, mine has an audit_rule_files: null.

```yaml
inputs:
  - id: audit/auditd-auditd-616b2972-663e-48fc-88a5-4abed592931e
    name: auditd_manager-1
    revision: 1
    type: audit/auditd
    use_output: default
    meta:
      package:
        name: auditd_manager
        version: 1.16.3
    data_stream:
      namespace: default
    package_policy_id: 616b2972-663e-48fc-88a5-4abed592931e
    streams:
      - id: >-
          audit/auditd-auditd_manager.auditd-616b2972-663e-48fc-88a5-4abed592931e
        type: audit/auditd
        data_stream:
          dataset: auditd_manager.auditd
          type: logs
        condition: '${host.platform} == ''linux'''
        include_raw_message: true
        socket_type: ''
        immutable: false
        resolve_ids: true
        failure_mode: silent
        audit_rules: '-a always,exit -F arch=b64 -S execve,execveat -k exec'
        audit_rule_files: null
        backlog_limit: 8192
        rate_limit: 0
        include_warnings: false
        backpressure_strategy: auto
        tags:
          - auditd_manager-auditd
```

Despite having used:

[Screenshot 2024-05-28 at 10 38 14: the audit rule files entered in the policy UI]
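Added example, not code from the issue or from the elastic/integrations repository: a small lint that cross-checks a package's variable declarations against its handlebars stream template and reports any variable that the template iterates with {{#each}} but that is not declared multi: true. The manifest entries and template are constructed to mirror the issue (the variable names audit_rules and audit_rule_files are the issue's; the other fields and the template body are assumed, and the manifest is embedded as the Python dict PyYAML would load so the script runs offline).

```python
"""Lint check for Elastic integration packages: any variable the stream template
iterates with {{#each ...}} must be declared with `multi: true` in manifest.yml.

Added example; not code from the issue or from the elastic/integrations repo.
The manifest below is a constructed Python dict (what PyYAML would load), so the
script runs offline without a package checkout."""
import re
from typing import Iterable

# A Handlebars block helper that iterates a variable:
#   {{#each audit_rule_files}} ... {{/each}}  or  {{#each audit_rule_files as |f|}}
EACH_RE = re.compile(r"\{\{#each\s+([A-Za-z_][\w.]*)")

# Constructed stream template modelled on the issue: audit_rules is rendered as a
# scalar, audit_rule_files is rendered with a loop and so must be a list.
SAMPLE_TEMPLATE = """\
{{#if audit_rules}}
audit_rules: {{audit_rules}}
{{/if}}
{{#if audit_rule_files}}
audit_rule_files:
{{#each audit_rule_files}}
  - {{this}}
{{/each}}
{{/if}}
"""

# Constructed `vars:` section as it would look before the fix: the description
# says "A list" and the template loops, but `multi` is absent (defaults to false).
SAMPLE_VARS_BEFORE = [
    {"name": "audit_rules", "type": "textarea", "title": "Audit rules",
     "description": "Audit rules in auditctl syntax, one per line."},
    {"name": "audit_rule_files", "type": "text", "title": "Audit rule files",
     "description": "A list of paths to files containing audit rules."},
]


def iterated_vars(template: str) -> set[str]:
    """Names of every variable the template walks with {{#each}}."""
    return set(EACH_RE.findall(template))


def missing_multi(vars_decl: Iterable[dict], template: str) -> list[str]:
    """Variables looped over in the template but not declared `multi: true`.

    Without `multi: true` the variable holds a single value rather than a list;
    the issue's rendered policy shows it as null, and the loop then emits nothing."""
    looped = iterated_vars(template)
    return sorted(v["name"] for v in vars_decl
                  if v["name"] in looped and not v.get("multi", False))


def with_multi(vars_decl: Iterable[dict], names: Iterable[str]) -> list[dict]:
    """Return a copy of the declarations with `multi: true` set on `names`,
    i.e. the one-line manifest change the issue asks for."""
    wanted = set(names)
    return [dict(v, multi=True) if v["name"] in wanted else dict(v) for v in vars_decl]


if __name__ == "__main__":
    bad = missing_multi(SAMPLE_VARS_BEFORE, SAMPLE_TEMPLATE)
    print("looped without multi:", bad)                        # ['audit_rule_files']
    fixed = with_multi(SAMPLE_VARS_BEFORE, bad)
    print("after fix:", missing_multi(fixed, SAMPLE_TEMPLATE))  # []
```

To run this against a real package, load each data_stream/*/manifest.yml with a YAML parser, pass its vars list together with the matching agent/stream/*.yml.hbs file, and fail the build if missing_multi returns anything; the regex deliberately matches only {{#each}}, since that is the construct that requires a list-valued variable.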


Labels

- Integration:auditd_manager (Auditd Manager)
- Team:Security-Linux Platform (Linux Platform Security team [elastic/sec-linux-platform])
- bug (Something isn't working, use only for issues)
