Configure AIDE before initial run
This patch ensures that AIDE is fully configured before the first database initialization process begins. Manual backport of I209b88afb305828fa6e46de255ef11f5a6645427 was required due to the STIG renaming done in Pike. Change-Id: I41c65e16b61721fecb2aac2251126ce21d7a4353 Closes-Bug: 1686110
parent
3a2486f51b
commit
7db180f801
|
@ -1,14 +0,0 @@
|
|||
# Rules borrowed from CentOS/RHEL AIDE configuration
|
||||
# (SELinux was removed for Ubuntu compatibility.)
|
||||
FIPSR = p+i+n+u+g+s+m+c+acl+xattrs+sha256
|
||||
NORMAL = FIPSR+sha512
|
||||
|
||||
# The following two lines apply the NORMAL rule (above this line) to the
|
||||
# /bin and /sbin directories to meet the requirements of two STIG controls:
|
||||
#
|
||||
# RHEL-07-021600 - Verify ACLs
|
||||
# RHEL-07-021610 - Verify extended attributes
|
||||
#
|
||||
/bin NORMAL
|
||||
/sbin NORMAL
|
||||
|
|
@ -31,6 +31,37 @@
|
|||
- aide
|
||||
- RHEL-07-020130
|
||||
|
||||
# NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration
|
||||
# that meets the requirements of V-72069 and V-72071. That config
|
||||
# is borrowed for Ubuntu 16.04 here.
|
||||
- name: Configure AIDE to verify additional properties
|
||||
blockinfile:
|
||||
dest: "{{ aide_conf }}"
|
||||
insertbefore: EOF
|
||||
marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
|
||||
block: |
|
||||
# Rules borrowed from CentOS/RHEL AIDE configuration
|
||||
# (SELinux was removed for Ubuntu compatibility.)
|
||||
FIPSR = p+i+n+u+g+s+m+c+acl+xattrs+sha256
|
||||
NORMAL = FIPSR+sha512
|
||||
|
||||
# The following two lines apply the NORMAL rule (above this line) to the
|
||||
# /bin and /sbin directories to meet the requirements of two STIG controls:
|
||||
#
|
||||
# RHEL-07-021600 - Verify ACLs
|
||||
# RHEL-07-021610 - Verify extended attributes
|
||||
#
|
||||
/bin NORMAL
|
||||
/sbin NORMAL
|
||||
when:
|
||||
- ansible_os_family | lower == 'ubuntu'
|
||||
tags:
|
||||
- low
|
||||
- aide
|
||||
- RHEL-07-021600
|
||||
- RHEL-07-021610
|
||||
- RHEL-07-021620
|
||||
|
||||
- name: Check to see if AIDE database is already in place
|
||||
stat:
|
||||
path: "{{ aide_database_file }}"
|
||||
|
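Review bot: The NOTE comment at the top of this hunk still names the two controls by their pre-rename vulnerability IDs (`V-72069 and V-72071`) while the comment inside the block and the task's own tags use the renamed identifiers RHEL-07-021600 and RHEL-07-021610, which the commit message says is the reason a manual backport was needed; the task removed further down this file already used the renamed form. Change the line to `# that meets the requirements of RHEL-07-021600 and RHEL-07-021610. That config` so a reader searching for a control ID finds both the task and its rationale. Separately, the blockinfile task neither registers its result nor notifies a handler, so on a host where `{{ aide_database_file }}` already exists from an earlier run (the stat task that follows this one appears to gate initialization on that), the stricter rules land in aide.conf while the baseline database was built under the old rules; whether that database needs re-initialization on config change is inferred and should be confirmed against the tasks outside this hunk.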
@ -82,21 +113,3 @@
|
|||
- medium
|
||||
- aide
|
||||
- RHEL-07-020140
|
||||
|
||||
# NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration
|
||||
# that meets the requirements of RHEL-07-021600 and RHEL-07-021610. That config
|
||||
# is borrowed for Ubuntu 16.04 here.
|
||||
- name: Configure AIDE to verify additional properties
|
||||
blockinfile:
|
||||
dest: "{{ aide_conf }}"
|
||||
insertbefore: EOF
|
||||
marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
|
||||
block: "{{ lookup('file', 'aide_extra.conf') }}"
|
||||
when:
|
||||
- ansible_os_family | lower == 'ubuntu'
|
||||
tags:
|
||||
- low
|
||||
- aide
|
||||
- RHEL-07-021600
|
||||
- RHEL-07-021610
|
||||
- RHEL-07-021620
|
||||
|
|