Merge "Adding V-38438 (auditd during boot)"
This commit is contained in:
Jenkins
Gerrit Code Review
commit
a99ad6b60d
|
|
@ -49,6 +49,16 @@ security_aide_exclude_dirs:
|
|||
security_initialize_aide: false
|
||||
|
||||
## Audit daemon
|
||||
# V-38438 requires that auditd is enabled at boot time with a parameter in the
|
||||
# GRUB configuration.
|
||||
#
|
||||
# If 'security_enable_audit_during_boot' is set to 'yes', then the 'audit=1'
|
||||
# parameter will be added in /etc/default/grub.d/.
|
||||
# If 'security_enable_grub_update is set to 'yes', the grub.cfg will be
|
||||
# updated automatically.
|
||||
security_enable_audit_during_boot: yes # V-38438
|
||||
security_enable_grub_update: yes # V-38438
|
||||
|
||||
# The following booleans control the rule sets added to auditd's default
|
||||
# set of auditing rules. To see which rules will be added for each boolean,
|
||||
# refer to the templates/osas-auditd.j2 file.
|
||||
|
|
|
|||
|
|
@ -1,8 +1,18 @@
|
|||
**Exception**
|
||||
The role will add ``audit=1`` to the ``GRUB_CMDLINE_LINUX_DEFAULT`` variable
|
||||
in the GRUB configuration within ``/etc/default/grub.d/`` and it will also
|
||||
update the active ``grub.cfg`` so that the change takes effect on the next
|
||||
boot.
|
||||
|
||||
Adjusting the bootloader configuration can cause issues with reboots and this
|
||||
work is left up to the deployer. Enabling auditing at boot time is helpful,
|
||||
but the risk may not be worth the change in most environments.
|
||||
To opt-out of the change, set the following variable:
|
||||
|
||||
The ``auditd`` process starts very early during the boot process to catch
|
||||
events already, and this should be sufficient for most environments.
|
||||
.. code-block:: yaml
|
||||
|
||||
security_enable_audit_during_boot: no
|
||||
|
||||
Deployers may opt-in for the change without automatically updating the active
|
||||
``grub.cfg`` file by setting the following Ansible variables:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_enable_audit_during_boot: yes
|
||||
security_enable_grub_update: no
|
||||
|
|
|
|||
|
|
@ -61,3 +61,17 @@
|
|||
|
||||
- name: rehash aliases
|
||||
command: newaliases
|
||||
|
||||
- name: update grub config
|
||||
command: "{{ grub_update_cmd }}"
|
||||
when:
|
||||
- security_enable_grub_update | bool
|
||||
notify:
|
||||
- set bootloader file permissions after updating grub config
|
||||
|
||||
# NOTE(mhayden): Running `update-grub` causes the bootloader permissions to
|
||||
# change, which breaks V-38583.
|
||||
- name: set bootloader file permissions after updating grub config
|
||||
file:
|
||||
path: "{{ grub_conf_file }}"
|
||||
mode: 0644
|
||||
|
|
|
|||
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
The role now enables auditing during early boot to comply with the
|
||||
requirements in V-38438. By default, the GRUB configuration variables in
|
||||
``/etc/default/grub.d/`` will be updated and the active ``grub.cfg`` will
|
||||
be updated.
|
||||
|
||||
Deployers can opt-out of the change entirely by setting a variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_enable_audit_during_boot: no
|
||||
|
||||
Deployers may opt-in for the change without automatically updating the
|
||||
active ``grub.cfg`` file by setting the following Ansible variables:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_enable_audit_during_boot: yes
|
||||
security_enable_grub_update: no
|
||||
|
|
@ -19,6 +19,20 @@
|
|||
register: grub_cfg
|
||||
always_run: True
|
||||
|
||||
- name: V-38438 - Auditing must be enabled at boot by setting a kernel parameter
|
||||
lineinfile:
|
||||
dest: /etc/default/grub.d/99-enable-auditd.cfg
|
||||
line: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT audit=1"'
|
||||
create: yes
|
||||
notify:
|
||||
- update grub config
|
||||
tags:
|
||||
- boot
|
||||
- cat1
|
||||
- V-38438
|
||||
when:
|
||||
- security_enable_audit_during_boot | bool
|
||||
|
||||
- name: V-38579 - Bootloader configuration files must be owned by root
|
||||
file:
|
||||
path: "{{ grub_conf_file }}"
|
||||
|
|
@ -27,7 +41,8 @@
|
|||
- boot
|
||||
- cat2
|
||||
- V-38579
|
||||
when: grub_cfg.stat.exists
|
||||
when:
|
||||
- grub_cfg.stat.exists
|
||||
|
||||
- name: V-38581 - Bootloader configuration files must be group-owned by root
|
||||
file:
|
||||
|
|
@ -37,7 +52,8 @@
|
|||
- boot
|
||||
- cat2
|
||||
- V-38581
|
||||
when: grub_cfg.stat.exists
|
||||
when:
|
||||
- grub_cfg.stat.exists
|
||||
|
||||
- name: V-38583 - Bootloader configuration files must have mode 0644 or less
|
||||
file:
|
||||
|
|
|
|||
|
|
@ -33,3 +33,6 @@ ypserv_pkg: ypserv
|
|||
cron_service: crond
|
||||
ssh_service: sshd
|
||||
chrony_service: chronyd
|
||||
|
||||
# Commands
|
||||
grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"
|
||||
|
|
|
|||
|
|
@ -36,3 +36,6 @@ ypserv_pkg: nis
|
|||
cron_service: cron
|
||||
ssh_service: ssh
|
||||
chrony_service: chrony
|
||||
|
||||
# Commands
|
||||
grub_update_cmd: "update-grub"
|
||||
|
|
|
|||
Loading…
Reference in New Issue