Merge "Adding V-38438 (auditd during boot)"

defaults/main.yml

@@ -49,6 +49,16 @@ security_aide_exclude_dirs:
 security_initialize_aide: false
 
 ## Audit daemon
+# V-38438 requires that auditd is enabled at boot time with a parameter in the
+# GRUB configuration.
+#
+# If 'security_enable_audit_during_boot' is set to 'yes', then the 'audit=1'
+# parameter will be added in /etc/default/grub.d/.
+# If 'security_enable_grub_update is set to 'yes', the grub.cfg will be
+# updated automatically.
+security_enable_audit_during_boot: yes            # V-38438
+security_enable_grub_update: yes                  # V-38438
+
 # The following booleans control the rule sets added to auditd's default
 # set of auditing rules.  To see which rules will be added for each boolean,
 # refer to the templates/osas-auditd.j2 file.

doc/source/stig-notes/V-38438_developer.rst

@@ -1,8 +1,18 @@
-**Exception**
+The role will add ``audit=1`` to the ``GRUB_CMDLINE_LINUX_DEFAULT`` variable
+in the GRUB configuration within ``/etc/default/grub.d/`` and it will also
+update the active ``grub.cfg`` so that the change takes effect on the next
+boot.
 
-Adjusting the bootloader configuration can cause issues with reboots and this
+To opt-out of the change, set the following variable:
-work is left up to the deployer.  Enabling auditing at boot time is helpful,
-but the risk may not be worth the change in most environments.
 
-The ``auditd`` process starts very early during the boot process to catch
+.. code-block:: yaml
-events already, and this should be sufficient for most environments.
+
+   security_enable_audit_during_boot: no
+
+Deployers may opt-in for the change without automatically updating the active
+``grub.cfg`` file by setting the following Ansible variables:
+
+.. code-block:: yaml
+
+   security_enable_audit_during_boot: yes
+   security_enable_grub_update: no

handlers/main.yml

@@ -61,3 +61,17 @@
 
 - name: rehash aliases
   command: newaliases
+
+- name: update grub config
+  command: "{{ grub_update_cmd }}"
+  when:
+    - security_enable_grub_update | bool
+  notify:
+    - set bootloader file permissions after updating grub config
+
+# NOTE(mhayden): Running `update-grub` causes the bootloader permissions to
+# change, which breaks V-38583.
+- name: set bootloader file permissions after updating grub config
+  file:
+    path: "{{ grub_conf_file }}"
+    mode: 0644

releasenotes/notes/add-v38438-3f7e905892be4b4f.yaml

@@ -0,0 +1,21 @@
+---
+features:
+  - |
+    The role now enables auditing during early boot to comply with the
+    requirements in V-38438. By default, the GRUB configuration variables in
+    ``/etc/default/grub.d/`` will be updated and the active ``grub.cfg`` will
+    be updated.
+
+    Deployers can opt-out of the change entirely by setting a variable:
+
+    .. code-block:: yaml
+
+       security_enable_audit_during_boot: no
+
+    Deployers may opt-in for the change without automatically updating the
+    active ``grub.cfg`` file by setting the following Ansible variables:
+
+    .. code-block:: yaml
+
+       security_enable_audit_during_boot: yes
+       security_enable_grub_update: no

tasks/boot.yml

@@ -19,6 +19,20 @@
   register: grub_cfg
   always_run: True
 
+- name: V-38438 - Auditing must be enabled at boot by setting a kernel parameter
+  lineinfile:
+    dest: /etc/default/grub.d/99-enable-auditd.cfg
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT audit=1"'
+    create: yes
+  notify:
+    - update grub config
+  tags:
+    - boot
+    - cat1
+    - V-38438
+  when:
+    - security_enable_audit_during_boot | bool
+
 - name: V-38579 - Bootloader configuration files must be owned by root
   file:
     path: "{{ grub_conf_file }}"
@@ -27,7 +41,8 @@
     - boot
     - cat2
     - V-38579
-  when: grub_cfg.stat.exists
+  when:
+    - grub_cfg.stat.exists
 
 - name: V-38581 - Bootloader configuration files must be group-owned by root
   file:
@@ -37,7 +52,8 @@
     - boot
     - cat2
     - V-38581
-  when: grub_cfg.stat.exists
+  when:
+    - grub_cfg.stat.exists
 
 - name: V-38583 - Bootloader configuration files must have mode 0644 or less
   file:

vars/redhat.yml

@@ -33,3 +33,6 @@ ypserv_pkg: ypserv
 cron_service: crond
 ssh_service: sshd
 chrony_service: chronyd
+
+# Commands
+grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"

vars/ubuntu.yml

@@ -36,3 +36,6 @@ ypserv_pkg: nis
 cron_service: cron
 ssh_service: ssh
 chrony_service: chrony
+
+# Commands
+grub_update_cmd: "update-grub"