Implements AIDE Intrusion Detection System

Introduces a puppet service to configure AIDE Intrusion Detection. This service init's the database and copies the new database to the active naming. It also sets a cron job, using email is `AideEmail` is populated, otherwise the reports are sent to /var/log/aide/. AIDE rules can be supplied as a hash, and should the rules ever be changed, the service will populate the new rules and re-init a fresh integrity database. Related-Blueprint: tripleo-aide-database Change-Id: Iac2ceb7fc6b610f8920ae6f75faa2885f3edf6eb
2017-07-12 17:18:23 +01:00 · 2017-07-12 17:18:23 +01:00 · 4b0bdc2d9a
commit 4b0bdc2d9a
parent 9b3ff05900
6 changed files with 379 additions and 0 deletions
--- a/manifests/profile/base/aide.pp
+++ b/manifests/profile/base/aide.pp
@ -0,0 +1,79 @@
+#########################################################################
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Author: Luke Hinds  <lhinds@redhat.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::aide
+#
+# Aide profile for TripleO
+#
+# === Parameters
+#
+# [*step*]
+#   (Optional) The current step in deployment. See tripleo-heat-templates
+#   for more details.
+#   Defaults to hiera('step')
+#
+# [*aide_conf_path*]
+#   The aide configuration file to use for rules and db path
+#   Defaults to hiera('aide_conf_path', '/etc/aide.conf')
+#
+# [*aide_db_path*]
+#   (Optional) The location of AIDE's integrity database file
+#   Defaults to hiera('aide_db_path', '/var/lib/aide/aide.db')
+#
+# [*aide_db_temp_path*]
+#   (Optional) The staging location during integrity database creation
+#   Defaults to hiera('aide_db_temp_path', '/var/lib/aide/aide.db.new')
+#
+# [*aide_rules*]
+#   A hiera based hash of aides integrity rules
+#   Defaults to  hiera('rules', {})
+#
+class tripleo::profile::base::aide (
+  $step              = Integer(hiera('step')),
+  $aide_conf_path    = hiera('aide_conf_path', '/etc/aide.conf'),
+  $aide_db_path      = hiera('aide_db_path', '/var/lib/aide/aide.db'),
+  $aide_db_temp_path = hiera('aide_db_temp_path', '/var/lib/aide/aide.db.new'),
+  $aide_rules        = hiera('aide_rules', {})
+) {
+
+  if $step >=5 {
+    package { 'aide':
+      ensure => 'present'
+    }
+
+    contain ::tripleo::profile::base::aide::installdb
+
+    concat { 'aide.conf':
+      path           => $aide_conf_path,
+      owner          => 'root',
+      group          => 'root',
+      mode           => '0600',
+      ensure_newline => true,
+      require        => Package['aide']
+    }
+
+    concat::fragment { 'aide.conf.header':
+      target  => 'aide.conf',
+      order   => 0,
+      content => template( 'tripleo/aide/aide.conf.erb')
+    }
+
+    create_resources('tripleo::profile::base::aide::rules', $aide_rules)
+
+    contain ::tripleo::profile::base::aide::cron
+  }
+}
--- a/manifests/profile/base/aide/cron.pp
+++ b/manifests/profile/base/aide/cron.pp
@ -0,0 +1,78 @@
+#########################################################################
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::aide::cron
+#
+# Aide cron profile for tripleo
+#
+# === Parameters
+#
+# [*step*]
+#   (Optional) The current step in deployment. See tripleo-heat-templates
+#   for more details.
+#   Defaults to hiera('step')
+#
+# [*aide_command*]
+#   Path to aide binary
+#
+# [*aide_cron_user*]
+#   User for cron job to run aide
+#   Defaults to 'root'
+#
+# [*aide_hour*]
+#   The hour value used for cron entry
+#   Defaults to 3
+#
+# [*aide_minute*]
+#   The minute value used for cron entry
+#   Defaults to 0
+#
+# [*aide_email*]
+#   Send AIDE reports generated with cron job to this email address
+#   Defaults to undef
+#
+# [*aide_mua_path*]
+#   Use the following path to a MUA client to send email
+#   Defaults to mailx
+#
+class tripleo::profile::base::aide::cron (
+  $step           = Integer(hiera('step')),
+  $aide_command   = '/usr/sbin/aide',
+  $aide_cron_user = hiera('aide_cron_user', 'root'),
+  $aide_hour      = hiera('aide_hour', 3),
+  $aide_minute    = hiera('aide_minute', 0),
+  $aide_email     = hiera('aide_email', undef),
+  $aide_mua_path  = hiera('aide_mua_path', '/bin/mailx')
+  ) {
+
+  include ::tripleo::profile::base::aide
+
+  if '@' in $aide_email {
+    $cron_entry = "${aide_command} --check --config ${::tripleo::profile::base::aide::aide_conf_path} | ${aide_mua_path} \
+-s \"\$HOSTNAME - AIDE integrity check\" ${aide_email}"
+  }
+  else {
+    $cron_entry = "${aide_command} --check --config ${::tripleo::profile::base::aide::aide_conf_path} \
+> /var/log/audit/aide_`date +%Y-%m-%d`.log"
+  }
+
+  cron { 'aide':
+    command => $cron_entry,
+    user    => $aide_cron_user,
+    hour    => $aide_hour,
+    minute  => $aide_minute,
+    require => [Package['aide'], Exec['install aide db']]
+  }
+}
--- a/manifests/profile/base/aide/installdb.pp
+++ b/manifests/profile/base/aide/installdb.pp
@ -0,0 +1,56 @@
+#########################################################################
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::aide::installdb
+#
+# Aide profile for tripleo
+#
+# === Parameters
+#
+# [*step*]
+#   (Optional) The current step in deployment. See tripleo-heat-templates
+#   for more details.
+#   Defaults to hiera('step')
+#
+class tripleo::profile::base::aide::installdb (
+  $step = Integer(hiera('step')),
+  ) {
+
+  include ::tripleo::profile::base::aide
+
+  exec { 'aide init':
+    path        =>  '/usr/sbin/',
+    command     => "aide --init --config ${::tripleo::profile::base::aide::aide_conf_path}",
+    user        => 'root',
+    refreshonly => true,
+    subscribe   => Concat['aide.conf']
+  }
+
+  exec { 'install aide db':
+    path        =>  '/bin/',
+    command     => "cp -f ${::tripleo::profile::base::aide::aide_db_temp_path} ${::tripleo::profile::base::aide::aide_db_path}",
+    user        => 'root',
+    refreshonly => true,
+    subscribe   => Exec['aide init']
+  }
+
+  file { $::tripleo::profile::base::aide::aide_db_path:
+    ensure  => present,
+    owner   => root,
+    group   => root,
+    mode    => '0600',
+    require => Exec['install aide db']
+  }
+}
--- a/manifests/profile/base/aide/rules.pp
+++ b/manifests/profile/base/aide/rules.pp
@ -0,0 +1,61 @@
+#########################################################################
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::aide::rules
+#
+# Aide rules hash profile for tripleo
+#
+# === Parameters
+#
+# [*step*]
+#   (Optional) The current step in deployment. See tripleo-heat-templates
+#   for more details.
+#   Defaults to hiera('step')
+#
+# [*content*]
+#   Used by concat to populate aide.conf
+#
+# [*body*]
+#   Used by concat to populate aide conf file
+#
+# [*order*]
+# Specifies a method for sorting fragments by name within aide conf file
+#
+define tripleo::profile::base::aide::rules (
+  $step    = Integer(hiera('step')),
+  $content = '',
+  $order   = 10,
+) {
+
+  include ::tripleo::profile::base::aide
+
+  if $content == '' {
+    $body = $name
+  } else {
+    $body = $content
+  }
+
+  if (!is_numeric($order) and !is_string($order))
+  {
+    fail('$order must be a string or an integer')
+  }
+  validate_string($body)
+
+  concat::fragment{ "aide_fragment_${name}":
+    target  => 'aide.conf',
+    order   => $order,
+    content => $body,
+  }
+}
--- a/spec/classes/tripleo_profile_base_aide_spec.rb
+++ b/spec/classes/tripleo_profile_base_aide_spec.rb
@ -0,0 +1,102 @@
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::aide' do
+
+  shared_examples_for 'tripleo::profile::base::aide' do
+    before :each do
+      facts.merge!({ :step => params[:step] })
+    end
+
+    context 'with step less than 5' do
+      let(:params) { { :step => 1 } }
+
+      it 'should do nothing' do
+        is_expected.to contain_class('tripleo::profile::base::aide')
+        is_expected.to_not contain_class('tripleo::profile::base::aide::cron')
+        is_expected.to_not contain_class('tripleo::profile::base::aide::rules')
+        is_expected.to_not contain_class('tripleo::profile::base::aide::installdb')
+      end
+    end
+
+    context 'with step greater of 5' do
+      let(:params) { {
+          :step => 5
+      } }
+
+      it 'should configure aide' do
+        is_expected.to contain_class('tripleo::profile::base::aide')
+        is_expected.to contain_class('tripleo::profile::base::aide::cron')
+        is_expected.to contain_class('tripleo::profile::base::aide::installdb')
+        is_expected.to_not contain_class('tripleo::profile::base::aide::rules')
+      end
+
+      it 'should concat aide.conf' do
+        is_expected.to contain_concat('aide.conf').with({
+           "ensure" => "present",
+           "ensure_newline" => "true",
+           "owner"=>"root",
+           "group"=>"root",
+           "mode"=>"0600"})
+      end
+
+      it 'should concat fragment aide.conf' do
+        should contain_concat__fragment('aide.conf.header').with({
+          :target => 'aide.conf'
+        })
+      end
+
+      it 'should initiate aide database' do
+        should contain_exec('aide init').with({
+          :command => "aide --init --config /etc/aide.conf"
+       })
+      end
+
+      it 'should set new database to main database' do
+        should contain_exec('install aide db').with({
+          :command => "cp -f /var/lib/aide/aide.db.new /var/lib/aide/aide.db"
+       })
+      end
+
+      it 'should contain database file' do
+        should contain_file('/var/lib/aide/aide.db').with({
+        'ensure' => 'present',
+        'owner'  => 'root',
+        'group'  => 'root',
+        'mode'   => '0600'
+       })
+      end
+
+      it 'should configure cron' do
+        should contain_cron('aide').with({
+          :user => 'root',
+          :hour => 3,
+          :minute => 0
+        })
+      end
+    end
+  end
+
+  on_supported_os.each do |os, facts|
+    context "on #{os}" do
+      let (:facts) {
+        facts
+      }
+        it_behaves_like 'tripleo::profile::base::aide'
+    end
+  end
+end
--- a/templates/aide/aide.conf.erb
+++ b/templates/aide/aide.conf.erb
@ -0,0 +1,3 @@
+database=file:<%= @aide_db_path %>
+database_out=file:<%= @aide_db_temp_path %>
+database_new=file:<%= @aide_db_temp_path %>