3942b20fb1
This patch addresses two issues that are blocking the security role CI jobs from completing: The OpenStack CI image is missing the default audit.rules file and this causes augenrules to fail when it loads new rules. The first line in the default rules file deletes existing rules and this must be in place before loading new rulesets. The contents of the default file are now in the template file, which is safer anyway. The default file provided by the OS is removed. The task that updates the apt cache in test.yml was running more than once during the CI job run when the gate ran slowly. That's fine, but it breaks the idempotence checks. A `changed_when` is added to the task to ensure that the idempotence tests aren't affected by an apt cache update. Change-Id: I9c2b50389cc2e4fa81717dcceccf6da1d973d34c
187 lines
4.4 KiB
YAML
187 lines
4.4 KiB
YAML
---
|
|
# Copyright 2016, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Verify that auditd.conf exists
|
|
stat:
|
|
path: /etc/audit/auditd.conf
|
|
register: auditd_conf
|
|
check_mode: no
|
|
tags:
|
|
- always
|
|
|
|
- name: Verify that audisp-remote.conf exists
|
|
stat:
|
|
path: /etc/audisp/audisp-remote.conf
|
|
register: audisp_remote_conf
|
|
check_mode: no
|
|
tags:
|
|
- always
|
|
|
|
- name: RHEL-07-030330 - The operating system must off-load audit records onto a different system or media from the system being audited
|
|
lineinfile:
|
|
dest: /etc/audisp/audisp-remote.conf
|
|
regexp: "^(#)?remote_server"
|
|
line: "remote_server = {{ security_audisp_remote_server }}"
|
|
when:
|
|
- security_audisp_remote_server is defined
|
|
- auditd_conf.stat.exists
|
|
notify:
|
|
- restart auditd
|
|
tags:
|
|
- medium
|
|
- auditd
|
|
- RHEL-07-030330
|
|
|
|
- name: RHEL-07-030331 - The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited
|
|
lineinfile:
|
|
dest: /etc/audisp/audisp-remote.conf
|
|
regexp: "^(#)?enable_krb5"
|
|
line: "enable_krb5 = yes"
|
|
when:
|
|
- security_audisp_enable_krb5 is defined
|
|
- auditd_conf.stat.exists
|
|
notify:
|
|
- restart auditd
|
|
tags:
|
|
- medium
|
|
- auditd
|
|
- RHEL-07-030331
|
|
|
|
- name: Get valid system architectures for audit rules
|
|
set_fact:
|
|
auditd_architectures: "{{ (ansible_architecture == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}"
|
|
check_mode: no
|
|
tags:
|
|
- always
|
|
|
|
- name: Remove system default audit.rules file
|
|
file:
|
|
path: /etc/audit/rules.d/audit.rules
|
|
state: absent
|
|
when:
|
|
- auditd_conf.stat.exists
|
|
notify:
|
|
- generate auditd rules
|
|
tags:
|
|
- always
|
|
|
|
- name: Remove old RHEL 6 audit rules file
|
|
file:
|
|
path: /etc/audit/rules.d/osas-auditd.rules
|
|
state: absent
|
|
when:
|
|
- auditd_conf.stat.exists
|
|
notify:
|
|
- generate auditd rules
|
|
tags:
|
|
- always
|
|
|
|
- name: Deploy rules for auditd based on STIG requirements
|
|
template:
|
|
src: osas-auditd-rhel7.j2
|
|
dest: /etc/audit/rules.d/osas-auditd-rhel7.rules
|
|
when:
|
|
- auditd_conf.stat.exists
|
|
notify:
|
|
- generate auditd rules
|
|
tags:
|
|
- auditd
|
|
- RHEL-07-030525
|
|
- RHEL-07-030513
|
|
- RHEL-07-030443
|
|
- RHEL-07-030390
|
|
- RHEL-07-030380
|
|
- RHEL-07-030420
|
|
- RHEL-07-030561
|
|
- RHEL-07-030671
|
|
- RHEL-07-030391
|
|
- RHEL-07-030392
|
|
- RHEL-07-030381
|
|
- RHEL-07-030383
|
|
- RHEL-07-030404
|
|
- RHEL-07-030401
|
|
- RHEL-07-030425
|
|
- RHEL-07-030670
|
|
- RHEL-07-030512
|
|
- RHEL-07-030382
|
|
- RHEL-07-030405
|
|
- RHEL-07-030402
|
|
- RHEL-07-030530
|
|
- RHEL-07-030524
|
|
- RHEL-07-030421
|
|
- RHEL-07-030422
|
|
- RHEL-07-030423
|
|
- RHEL-07-030630
|
|
- RHEL-07-030510
|
|
- RHEL-07-030540
|
|
- RHEL-07-030541
|
|
- RHEL-07-030560
|
|
- RHEL-07-030403
|
|
- RHEL-07-030750
|
|
- RHEL-07-030751
|
|
- RHEL-07-030444
|
|
- RHEL-07-030752
|
|
- RHEL-07-030441
|
|
- RHEL-07-030442
|
|
- RHEL-07-030400
|
|
- RHEL-07-030550
|
|
- RHEL-07-030521
|
|
- RHEL-07-030522
|
|
- RHEL-07-030526
|
|
- RHEL-07-030424
|
|
- RHEL-07-030531
|
|
- RHEL-07-030511
|
|
- RHEL-07-030753
|
|
- RHEL-07-030754
|
|
- RHEL-07-030514
|
|
- RHEL-07-030490
|
|
- RHEL-07-030523
|
|
- RHEL-07-030672
|
|
- RHEL-07-030673
|
|
- RHEL-07-030674
|
|
- RHEL-07-030710
|
|
- RHEL-07-030090
|
|
|
|
- name: Adjust auditd/audispd configurations
|
|
lineinfile:
|
|
dest: "{{ item.config }}"
|
|
regexp: '^#?{{ item.parameter }}\s*='
|
|
line: "{{ item.parameter }} = {{ item.value }}"
|
|
with_items: "{{ auditd_config }}"
|
|
when:
|
|
- auditd_conf.stat.exists
|
|
- audisp_remote_conf.stat.exists
|
|
notify:
|
|
- restart auditd
|
|
tags:
|
|
- high
|
|
- auditd
|
|
- RHEL-07-030340
|
|
- RHEL-07 030350
|
|
- RHEL-07 030351
|
|
- RHEL-07 030352
|
|
|
|
- name: Ensure auditd is running and enabled at boot time
|
|
service:
|
|
name: auditd
|
|
state: started
|
|
enabled: yes
|
|
when:
|
|
- auditd_conf.stat.exists
|
|
tags:
|
|
- high
|
|
- auditd
|
|
- RHEL-07-030010
|