Configure AIDE before initial run

This patch ensures that AIDE is fully configured before the first database initialization process begins. Manual backport of I209b88afb305828fa6e46de255ef11f5a6645427 was required due to the STIG renaming done in Pike. Change-Id: I41c65e16b61721fecb2aac2251126ce21d7a4353 Closes-Bug: 1686110
2017-05-16 10:32:13 -05:00 · 2017-05-16 10:32:13 -05:00 · 7db180f801
parent 3a2486f51b
commit 7db180f801
2 changed files with 31 additions and 32 deletions
--- a/files/aide_extra.conf
+++ b/files/aide_extra.conf
@ -1,14 +0,0 @@
-# Rules borrowed from CentOS/RHEL AIDE configuration
-# (SELinux was removed for Ubuntu compatibility.)
-FIPSR = p+i+n+u+g+s+m+c+acl+xattrs+sha256
-NORMAL = FIPSR+sha512
-
-# The following two lines apply the NORMAL rule (above this line) to the
-# /bin and /sbin directories to meet the requirements of two STIG controls:
-#
-#   RHEL-07-021600 - Verify ACLs
-#   RHEL-07-021610 - Verify extended attributes
-#
-/bin    NORMAL
-/sbin   NORMAL
-
--- a/tasks/rhel7stig/aide.yml
+++ b/tasks/rhel7stig/aide.yml
@ -31,6 +31,37 @@
    - aide
    - RHEL-07-020130

+# NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration
+# that meets the requirements of V-72069 and V-72071. That config
+# is borrowed for Ubuntu 16.04 here.
+- name: Configure AIDE to verify additional properties
+  blockinfile:
+    dest: "{{ aide_conf }}"
+    insertbefore: EOF
+    marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
+    block: |
+      # Rules borrowed from CentOS/RHEL AIDE configuration
+      # (SELinux was removed for Ubuntu compatibility.)
+      FIPSR = p+i+n+u+g+s+m+c+acl+xattrs+sha256
+      NORMAL = FIPSR+sha512
+
+      # The following two lines apply the NORMAL rule (above this line) to the
+      # /bin and /sbin directories to meet the requirements of two STIG controls:
+      #
+      #   RHEL-07-021600 - Verify ACLs
+      #   RHEL-07-021610 - Verify extended attributes
+      #
+      /bin    NORMAL
+      /sbin   NORMAL
+  when:
+    - ansible_os_family | lower == 'ubuntu'
+  tags:
+    - low
+    - aide
+    - RHEL-07-021600
+    - RHEL-07-021610
+    - RHEL-07-021620
+
 - name: Check to see if AIDE database is already in place
  stat:
    path: "{{ aide_database_file }}"
@ -82,21 +113,3 @@
    - medium
    - aide
    - RHEL-07-020140
-
-# NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration
-# that meets the requirements of RHEL-07-021600 and RHEL-07-021610. That config
-# is borrowed for Ubuntu 16.04 here.
- name: Configure AIDE to verify additional properties
-  blockinfile:
-    dest: "{{ aide_conf }}"
-    insertbefore: EOF
-    marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
-    block: "{{ lookup('file', 'aide_extra.conf') }}"
-  when:
-    - ansible_os_family | lower == 'ubuntu'
-  tags:
-    - low
-    - aide
-    - RHEL-07-021600
-    - RHEL-07-021610
-    - RHEL-07-021620