Merge "Adding V-38438 (auditd during boot)"
commit
a99ad6b60d
@ -49,6 +49,16 @@ security_aide_exclude_dirs:
|
|||||||
security_initialize_aide: false
|
security_initialize_aide: false
|
||||||
|
|
||||||
## Audit daemon
|
## Audit daemon
|
||||||
|
# V-38438 requires that auditd is enabled at boot time with a parameter in the
|
||||||
|
# GRUB configuration.
|
||||||
|
#
|
||||||
|
# If 'security_enable_audit_during_boot' is set to 'yes', then the 'audit=1'
|
||||||
|
# parameter will be added in /etc/default/grub.d/.
|
||||||
|
# If 'security_enable_grub_update is set to 'yes', the grub.cfg will be
|
||||||
|
# updated automatically.
|
||||||
|
security_enable_audit_during_boot: yes # V-38438
|
||||||
|
security_enable_grub_update: yes # V-38438
|
||||||
|
|
||||||
# The following booleans control the rule sets added to auditd's default
|
# The following booleans control the rule sets added to auditd's default
|
||||||
# set of auditing rules. To see which rules will be added for each boolean,
|
# set of auditing rules. To see which rules will be added for each boolean,
|
||||||
# refer to the templates/osas-auditd.j2 file.
|
# refer to the templates/osas-auditd.j2 file.
|
||||||
|
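Review bot: The comment introduced for the new grub-update toggle has an unbalanced quote — `# If 'security_enable_grub_update is set to 'yes', the grub.cfg will be` — and should read `# If 'security_enable_grub_update' is set to 'yes', the grub.cfg will be`. The two new defaults also use the YAML 1.1 truthy scalar `yes`; they are filtered with `| bool` where they are consumed in this commit, so this works, but `security_enable_audit_during_boot: true  # V-38438` and `security_enable_grub_update: true  # V-38438` avoid the loader-dependent boolean forms and match the `true`/`false` spelling visible in the context line `security_initialize_aide: false`. Since both default to enabled, an unmodified run of the role rewrites the kernel command line and regenerates the active bootloader config, which the header comment could state in one line, e.g. `# Both default to enabled: the role edits the GRUB defaults and regenerates grub.cfg unless opted out.`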
@ -1,8 +1,18 @@
|
|||||||
**Exception**
|
The role will add ``audit=1`` to the ``GRUB_CMDLINE_LINUX_DEFAULT`` variable
|
||||||
|
in the GRUB configuration within ``/etc/default/grub.d/`` and it will also
|
||||||
|
update the active ``grub.cfg`` so that the change takes effect on the next
|
||||||
|
boot.
|
||||||
|
|
||||||
Adjusting the bootloader configuration can cause issues with reboots and this
|
To opt-out of the change, set the following variable:
|
||||||
work is left up to the deployer. Enabling auditing at boot time is helpful,
|
|
||||||
but the risk may not be worth the change in most environments.
|
|
||||||
|
|
||||||
The ``auditd`` process starts very early during the boot process to catch
|
.. code-block:: yaml
|
||||||
events already, and this should be sufficient for most environments.
|
|
||||||
|
security_enable_audit_during_boot: no
|
||||||
|
|
||||||
|
Deployers may opt-in for the change without automatically updating the active
|
||||||
|
``grub.cfg`` file by setting the following Ansible variables:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
security_enable_audit_during_boot: yes
|
||||||
|
security_enable_grub_update: no
|
||||||
|
@ -61,3 +61,17 @@
|
|||||||
|
|
||||||
- name: rehash aliases
|
- name: rehash aliases
|
||||||
command: newaliases
|
command: newaliases
|
||||||
|
|
||||||
|
- name: update grub config
|
||||||
|
command: "{{ grub_update_cmd }}"
|
||||||
|
when:
|
||||||
|
- security_enable_grub_update | bool
|
||||||
|
notify:
|
||||||
|
- set bootloader file permissions after updating grub config
|
||||||
|
|
||||||
|
# NOTE(mhayden): Running `update-grub` causes the bootloader permissions to
|
||||||
|
# change, which breaks V-38583.
|
||||||
|
- name: set bootloader file permissions after updating grub config
|
||||||
|
file:
|
||||||
|
path: "{{ grub_conf_file }}"
|
||||||
|
mode: 0644
|
||||||
|
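Review bot: `mode: 0644` in the new `set bootloader file permissions after updating grub config` handler is an unquoted leading-zero scalar, which YAML 1.1 loaders read as the integer 420; Ansible's file module tolerates the leading-zero form, but `mode: "0644"` removes the dependence on loader behaviour and is the form the Ansible documentation recommends. The chain `update grub config` → `set bootloader file permissions after updating grub config` relies on a handler notifying another handler, which as far as I know only works reliably when the notified handler is listed after the one that notifies it, as it is here; a comment such as `# Must stay after 'update grub config': it is notified from that handler.` would keep a future reorder from silently dropping the permission fix. The permission fix only touches `{{ grub_conf_file }}`, so that variable has to name the same file `{{ grub_update_cmd }}` writes, which is not verifiable from this hunk.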
21
releasenotes/notes/add-v38438-3f7e905892be4b4f.yaml
Normal file
21
releasenotes/notes/add-v38438-3f7e905892be4b4f.yaml
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
The role now enables auditing during early boot to comply with the
|
||||||
|
requirements in V-38438. By default, the GRUB configuration variables in
|
||||||
|
``/etc/default/grub.d/`` will be updated and the active ``grub.cfg`` will
|
||||||
|
be updated.
|
||||||
|
|
||||||
|
Deployers can opt-out of the change entirely by setting a variable:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
security_enable_audit_during_boot: no
|
||||||
|
|
||||||
|
Deployers may opt-in for the change without automatically updating the
|
||||||
|
active ``grub.cfg`` file by setting the following Ansible variables:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
security_enable_audit_during_boot: yes
|
||||||
|
security_enable_grub_update: no
|
@ -19,6 +19,20 @@
|
|||||||
register: grub_cfg
|
register: grub_cfg
|
||||||
always_run: True
|
always_run: True
|
||||||
|
|
||||||
|
- name: V-38438 - Auditing must be enabled at boot by setting a kernel parameter
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/default/grub.d/99-enable-auditd.cfg
|
||||||
|
line: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT audit=1"'
|
||||||
|
create: yes
|
||||||
|
notify:
|
||||||
|
- update grub config
|
||||||
|
tags:
|
||||||
|
- boot
|
||||||
|
- cat1
|
||||||
|
- V-38438
|
||||||
|
when:
|
||||||
|
- security_enable_audit_during_boot | bool
|
||||||
|
|
||||||
- name: V-38579 - Bootloader configuration files must be owned by root
|
- name: V-38579 - Bootloader configuration files must be owned by root
|
||||||
file:
|
file:
|
||||||
path: "{{ grub_conf_file }}"
|
path: "{{ grub_conf_file }}"
|
||||||
@ -27,7 +41,8 @@
|
|||||||
- boot
|
- boot
|
||||||
- cat2
|
- cat2
|
||||||
- V-38579
|
- V-38579
|
||||||
when: grub_cfg.stat.exists
|
when:
|
||||||
|
- grub_cfg.stat.exists
|
||||||
|
|
||||||
- name: V-38581 - Bootloader configuration files must be group-owned by root
|
- name: V-38581 - Bootloader configuration files must be group-owned by root
|
||||||
file:
|
file:
|
||||||
@ -37,7 +52,8 @@
|
|||||||
- boot
|
- boot
|
||||||
- cat2
|
- cat2
|
||||||
- V-38581
|
- V-38581
|
||||||
when: grub_cfg.stat.exists
|
when:
|
||||||
|
- grub_cfg.stat.exists
|
||||||
|
|
||||||
- name: V-38583 - Bootloader configuration files must have mode 0644 or less
|
- name: V-38583 - Bootloader configuration files must have mode 0644 or less
|
||||||
file:
|
file:
|
||||||
|
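Review bot: The new V-38438 task writes `/etc/default/grub.d/99-enable-auditd.cfg` on every host, but `lineinfile` with `create: yes` does not create the parent directory, so the task fails wherever `/etc/default/grub.d/` is absent; a preceding `file` task with `path: /etc/default/grub.d` and `state: directory`, or a `when` on the directory's existence, would make it robust. As far as I know the `grub.d` fragment directory and `GRUB_CMDLINE_LINUX_DEFAULT` are honoured by Debian/Ubuntu's `update-grub`, while `grub2-mkconfig` on Red Hat family systems reads `/etc/default/grub` and `GRUB_CMDLINE_LINUX`, so on the RedHat vars path the `audit=1` parameter may never reach the kernel command line and the control would be silently unenforced — worth confirming with a post-reboot check of `/proc/cmdline` rather than relying on the handler's exit status. The created fragment also inherits umask-dependent permissions; adding `owner: root`, `group: root` and `mode: "0644"` to the `lineinfile` call keeps it consistent with the V-38583 handling of `grub.cfg`. The enclosing task list continues outside the hunks shown.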
@ -33,3 +33,6 @@ ypserv_pkg: ypserv
|
|||||||
cron_service: crond
|
cron_service: crond
|
||||||
ssh_service: sshd
|
ssh_service: sshd
|
||||||
chrony_service: chronyd
|
chrony_service: chronyd
|
||||||
|
|
||||||
|
# Commands
|
||||||
|
grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"
|
||||||
|
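Review bot: `grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"` writes the generated GRUB2 configuration to the GRUB legacy path; on GRUB2-based Red Hat family systems the bootloader reads `/boot/grub2/grub.cfg` (or the EFI-specific path on UEFI hosts), so the regenerated file carrying `audit=1` may never be loaded at boot while the `update grub config` handler still reports success. Pointing the command at the same variable the permission handler fixes, `grub_update_cmd: "grub2-mkconfig -o {{ grub_conf_file }}"`, keeps the file that is written and the file whose mode is reset under V-38583 identical, assuming `grub_conf_file` (not visible in this hunk) holds the active GRUB2 config path for this platform. A comment above the variable stating that the output path must match the config GRUB actually loads would help future maintainers.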
@ -36,3 +36,6 @@ ypserv_pkg: nis
|
|||||||
cron_service: cron
|
cron_service: cron
|
||||||
ssh_service: ssh
|
ssh_service: ssh
|
||||||
chrony_service: chrony
|
chrony_service: chrony
|
||||||
|
|
||||||
|
# Commands
|
||||||
|
grub_update_cmd: "update-grub"
|
||||||
|