Merge "Allow AppArmor to be enabled" into stable/mitaka

2016-06-14 10:51:02 +00:00
parent cc45bade6a 744e9b9ca7
commit f9c19d993f
7 changed files with 73 additions and 27 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -228,6 +228,14 @@ postfix_inet_interfaces: localhost                # V-38622
 #
 #root_forward_email: user@example.com

+## Linux Security Module (LSM)
+# AppArmor and provides additional security controls on a Linux system
+# by setting policies for allowed actions. By setting the following variable
+# to 'yes', AppArmor will automatically by enabled.
+#
+# See the openstack-ansible-security documentation for more details.
+security_enable_linux_security_module: no         # V-51337
+
 ## PAM and authentication
 # V-38497 requires that accounts with null passwords aren't allowed to
 # authenticate via PAM. Ubuntu 14.04's default allows these logins -- see the
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -142,6 +142,16 @@ default, but deployers can adjust this by changing ``disable_ipv6`` to ``yes``.

 Core dumps are also disabled by default in the openstack-ansible-security role.

+Linux Security Module (LSM)
+---------------------------
+
+The STIG requires that SELinux is in enforcing mode to provide additional
+security against attacks. The security role will enable AppArmor on Ubuntu
+systems to meet this requirement.
+
+For more information on how these changes are applied, refer to the
+documentation for V-51337.
+
 Mail
 ----

--- a/doc/source/developer-notes/V-51337.rst
+++ b/doc/source/developer-notes/V-51337.rst
@@ -1,10 +1,16 @@
-Ubuntu loads the AppArmor module by default starting with version 8.04. For
-more information, review the `AppArmor documentation`_ on Ubuntu's site.
-In addition, the openstack-ansible project configures AppArmor policies
-for the LXC containers which run the OpenStack infrastructure.
+**Opt-in required**

-The tasks for this STIG will verify that AppArmor is enabled via the
-``apparmor_status``. The playbook will fail if AppArmor is found to be
-disabled on the host.
+The tasks in the security role can enable the Linux Security Module (LSM) that
+is appropriate for the Linux distribution in use. For Ubuntu, the default LSM
+is AppArmor.  Refer to Ubuntu's `AppArmor documentation`_ for more details on
+how AppArmor works.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_enable_linux_security_module: yes
+
+Setting the variable to ``yes`` will run the tasks that enable AppArmor.

 .. _AppArmor documentation: https://help.ubuntu.com/community/AppArmor
--- a/tasks/lsm.yml
+++ b/tasks/lsm.yml
@@ -0,0 +1,40 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Install packages for AppArmor support (for V-51337)
+  apt:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - apparmor
+    - apparmor-profiles
+    - apparmor-utils
+  when:
+    - security_enable_linux_security_module | bool
+  tags:
+    - cat2
+    - V-51337
+
+- name: Ensure AppArmor is running (for V-51337)
+  service:
+    name: apparmor
+    state: started
+    enabled: yes
+  when:
+    - security_enable_linux_security_module | bool
+    - not check_mode
+  tags:
+    - cat2
+    - V-51337
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -32,6 +32,7 @@
  - include: console.yml
  - include: file_perms.yml
  - include: kernel.yml
+  - include: lsm.yml
  - include: mail.yml
  - include: misc.yml
  - include: nfsd.yml
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@@ -306,20 +306,3 @@
  tags:
    - cat2
    - V-38674
-
- name: Check if AppArmor is running (for V-51337)
-  shell: "apparmor_status 2>&1 | head -n 1"
-  register: v51337_result
-  changed_when: False
-  always_run: True
-  tags:
-    - cat2
-    - V-51337
-
- name: V-51337 - The system must use a Linux Security Module at boot time
-  fail:
-    msg: "FAILED: AppArmor isn't enabled"
-  when: "'apparmor module is loaded' not in v51337_result.stdout"
-  tags:
-    - cat2
-    - V-51337
--- a/tox.ini
+++ b/tox.ini
@@ -103,8 +103,6 @@ commands =
 # NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now building
 #                   images with apt config Apt::Get::AllowUnauthenticated set
 #                   to true.
-# NOTE(mhayden):    Some infra images don't have AppArmor enabled, so V-51337
-#                   must be skipped.
 commands =
    rm -rf {homedir}/.ansible
    git clone https://git.openstack.org/openstack/openstack-ansible-plugins \
@@ -112,7 +110,7 @@ commands =
    ansible-playbook -i {toxinidir}/tests/inventory \
                     -e "rolename={toxinidir}" \
                     {toxinidir}/tests/test.yml \
-                     --skip-tag V-38462,V-51337
+                     --skip-tag V-38462


 [testenv:linters]