Merge "Adding V-38438 (auditd during boot)"

This commit is contained in:
Jenkins 2016-09-09 03:51:05 +00:00 committed by Gerrit Code Review
commit a99ad6b60d
7 changed files with 85 additions and 8 deletions

@ -49,6 +49,16 @@ security_aide_exclude_dirs:
security_initialize_aide: false security_initialize_aide: false
## Audit daemon ## Audit daemon
# V-38438 requires that auditd is enabled at boot time with a parameter in the
# GRUB configuration.
#
# If 'security_enable_audit_during_boot' is set to 'yes', then the 'audit=1'
# parameter will be added in /etc/default/grub.d/.
# If 'security_enable_grub_update is set to 'yes', the grub.cfg will be
# updated automatically.
security_enable_audit_during_boot: yes # V-38438
security_enable_grub_update: yes # V-38438
# The following booleans control the rule sets added to auditd's default # The following booleans control the rule sets added to auditd's default
# set of auditing rules. To see which rules will be added for each boolean, # set of auditing rules. To see which rules will be added for each boolean,
# refer to the templates/osas-auditd.j2 file. # refer to the templates/osas-auditd.j2 file.
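Review bot: the comment line `# If 'security_enable_grub_update is set to 'yes'` is missing the closing quote after the variable name. The comment should also say that `grub.cfg` is regenerated only when `security_enable_audit_during_boot` is enabled as well, since the `update grub config` handler is notified solely by the V-38438 task; on its own, `security_enable_grub_update: yes` does nothing.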

@ -1,8 +1,18 @@
**Exception** The role will add ``audit=1`` to the ``GRUB_CMDLINE_LINUX_DEFAULT`` variable
in the GRUB configuration within ``/etc/default/grub.d/`` and it will also
update the active ``grub.cfg`` so that the change takes effect on the next
boot.
Adjusting the bootloader configuration can cause issues with reboots and this To opt-out of the change, set the following variable:
work is left up to the deployer. Enabling auditing at boot time is helpful,
but the risk may not be worth the change in most environments.
The ``auditd`` process starts very early during the boot process to catch .. code-block:: yaml
events already, and this should be sufficient for most environments.
security_enable_audit_during_boot: no
Deployers may opt-in for the change without automatically updating the active
``grub.cfg`` file by setting the following Ansible variables:
.. code-block:: yaml
security_enable_audit_during_boot: yes
security_enable_grub_update: no
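Review bot: the removed paragraph carried the only caution that adjusting the bootloader configuration can cause issues with reboots, and the new default now both writes the drop-in and regenerates the active `grub.cfg`. Keep a one-sentence note of that risk next to the opt-out so a deployer knows why they might set `security_enable_audit_during_boot: no` or `security_enable_grub_update: no` before the role runs.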

@ -61,3 +61,17 @@
- name: rehash aliases - name: rehash aliases
command: newaliases command: newaliases
- name: update grub config
command: "{{ grub_update_cmd }}"
when:
- security_enable_grub_update | bool
notify:
- set bootloader file permissions after updating grub config
# NOTE(mhayden): Running `update-grub` causes the bootloader permissions to
# change, which breaks V-38583.
- name: set bootloader file permissions after updating grub config
file:
path: "{{ grub_conf_file }}"
mode: 0644
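Review bot: the `set bootloader file permissions after updating grub config` handler restores only `mode: 0644` (V-38583). If regenerating the file can change its mode, it is worth confirming whether owner and group are preserved too; otherwise V-38579 and V-38581 break the same way. Adding `owner: root` and `group: root` to this handler costs nothing and makes the fix-up cover all three bootloader checks, or the NOTE comment should state why only the mode needs resetting.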

@ -0,0 +1,21 @@
---
features:
- |
The role now enables auditing during early boot to comply with the
requirements in V-38438. By default, the GRUB configuration variables in
``/etc/default/grub.d/`` will be updated and the active ``grub.cfg`` will
be updated.
Deployers can opt-out of the change entirely by setting a variable:
.. code-block:: yaml
security_enable_audit_during_boot: no
Deployers may opt-in for the change without automatically updating the
active ``grub.cfg`` file by setting the following Ansible variables:
.. code-block:: yaml
security_enable_audit_during_boot: yes
security_enable_grub_update: no
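Review bot: the opening paragraph says the GRUB variables "will be updated and the active ``grub.cfg`` will be updated"; tighten it to one statement, e.g. "the drop-in in ``/etc/default/grub.d/`` is written and the active ``grub.cfg`` is regenerated". Since this changes kernel boot parameters by default, the release note should say so explicitly so operators reading it can decide to opt out before upgrading rather than after the next reboot.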

@ -19,6 +19,20 @@
register: grub_cfg register: grub_cfg
always_run: True always_run: True
- name: V-38438 - Auditing must be enabled at boot by setting a kernel parameter
lineinfile:
dest: /etc/default/grub.d/99-enable-auditd.cfg
line: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT audit=1"'
create: yes
notify:
- update grub config
tags:
- boot
- cat1
- V-38438
when:
- security_enable_audit_during_boot | bool
- name: V-38579 - Bootloader configuration files must be owned by root - name: V-38579 - Bootloader configuration files must be owned by root
file: file:
path: "{{ grub_conf_file }}" path: "{{ grub_conf_file }}"
@ -27,7 +41,8 @@
- boot - boot
- cat2 - cat2
- V-38579 - V-38579
when: grub_cfg.stat.exists when:
- grub_cfg.stat.exists
- name: V-38581 - Bootloader configuration files must be group-owned by root - name: V-38581 - Bootloader configuration files must be group-owned by root
file: file:
@ -37,7 +52,8 @@
- boot - boot
- cat2 - cat2
- V-38581 - V-38581
when: grub_cfg.stat.exists when:
- grub_cfg.stat.exists
- name: V-38583 - Bootloader configuration files must have mode 0644 or less - name: V-38583 - Bootloader configuration files must have mode 0644 or less
file: file:
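Review bot: the V-38438 task writes `/etc/default/grub.d/99-enable-auditd.cfg` unconditionally, but this change also adds a RHEL-family `grub_update_cmd` that calls `grub2-mkconfig`, which reads `/etc/default/grub`; confirm that `/etc/default/grub.d/*.cfg` is actually sourced on that platform, or make the drop-in path a per-distribution variable alongside `grub_update_cmd` so the `audit=1` parameter is not silently dropped there. The `when:` rewrites to list form on V-38579 and V-38581 are fine.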

@ -33,3 +33,6 @@ ypserv_pkg: ypserv
cron_service: crond cron_service: crond
ssh_service: sshd ssh_service: sshd
chrony_service: chronyd chrony_service: chronyd
# Commands
grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"
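Review bot: `grub2-mkconfig -o /boot/grub/grub.conf` mixes the GRUB 2 tool with the GRUB legacy config path; on the RHEL family the GRUB 2 configuration is `/boot/grub2/grub.cfg`, so this command would write a file the bootloader never reads. Point the output at `{{ grub_conf_file }}`, the path the V-38579/V-38581/V-38583 tasks and the permissions handler already manage, so the regenerated file is the one that is booted and then permission-fixed.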

@ -36,3 +36,6 @@ ypserv_pkg: nis
cron_service: cron cron_service: cron
ssh_service: ssh ssh_service: ssh
chrony_service: chrony chrony_service: chrony
# Commands
grub_update_cmd: "update-grub"