New role, replacing puppet-auditd

It allows to take the same rules as the former puppet-auditd, ensuring
the order is respected.

Note: this isn't a 1:1 port of the puppet-auditd. While the actual rules
parameter is 100% compatible, the auditd configuration isn't, and uses a
simple dict to apply configurations (tripleo_auditd_config).

Closes-Bug: #1964733
Change-Id: I725de465cfe62550288f8780057f54443722e6c1

doc/source/roles/role-tripleo_auditd.rst

@@ -0,0 +1,6 @@
+=====================
+Role - tripleo_auditd
+=====================
+
+.. ansibleautoplugin::
+  :role: tripleo_ansible/roles/tripleo_auditd

tripleo_ansible/roles/tripleo_auditd/defaults/main.yml

@@ -0,0 +1,59 @@
+---
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+tripleo_auditd_pkg: 'audit'
+tripleo_auditd_service: 'auditd'
+tripleo_auditd_rules:
+  "Default - Delete all rules":
+    content: '-D'
+    order: 0
+  "Default - Set Buffer size":
+    content: '-b 8192'
+    order: 1
+  "Default - Set failure mode":
+    content: "-f 1"
+    order: 2
+  "Default - Set backlog time":
+    content: "--backlog_wait_time 60000"
+    order: 3
+
+tripleo_auditd_config: {}
+tripleo_auditd_config_default:
+  log_file: '/var/log/audit/audit.log'
+  log_format: 'RAW'
+  log_group: 'root'
+  write_logs: 'yes'
+  priority_boost: '4'
+  flush: 'incremental_async'
+  freq: '20'
+  num_logs: '5'
+  disp_qos: 'lossy'
+  dispatcher: '/sbin/audispd'
+  name_format: 'none'
+  max_log_file: '6'
+  max_log_file_action: 'rotate'
+  space_left: '75'
+  space_left_action: 'syslog'
+  action_mail_acct: 'root'
+  admin_space_left: '50'
+  admin_space_left_action: 'suspend'
+  disk_full_action: 'suspend'
+  disk_error_action: 'suspend'
+  tcp_listen_queue: '5'
+  tcp_max_per_addr: '1'
+  tcp_client_max_idle: '0'
+  enable_krb5: 'no'
+  krb5_principal: 'auditd'

tripleo_ansible/roles/tripleo_auditd/meta/main.yml

@@ -0,0 +1,43 @@
+---
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+galaxy_info:
+  author: OpenStack
+  description: TripleO OpenStack Role -- tripleo_auditd
+  company: Red Hat
+  license: Apache-2.0
+  min_ansible_version: 2.7
+  namespace: openstack
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  platforms:
+    - name: CentOS
+      versions:
+        - 8
+        - 9
+
+  galaxy_tags:
+    - tripleo
+
+
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+dependencies: []

tripleo_ansible/roles/tripleo_auditd/molecule/custom-rules/converge.yml

@@ -0,0 +1,49 @@
+---
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Converge
+  hosts: all
+  vars:
+    ordered_rules:
+      - '-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules'
+      - '-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules'
+      - '-a always,exit -F arch=b64 -S clock_settime -F key=audit_time_rules'
+  tasks:
+    - name: Push some rules
+      vars:
+        tripleo_auditd_rules:
+          'Record attempts to alter time through settimeofday':
+            content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules'
+            order  : 2
+          'Record attempts to alter time through adjtimex':
+            content: '-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules'
+            order  : 1
+          'Record Attempts to Alter Time Through clock_settime':
+            content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules'
+            order  : 3
+      include_role:
+        name: "tripleo_auditd"
+
+    - name: Get auditd rules
+      become: true
+      register: auditctl_listing
+      command: /sbin/auditctl -l
+
+    - name: Ensure rules are present in the correct order
+      assert:
+        that:
+          - auditctl_listing.stdout_lines == ordered_rules

tripleo_ansible/roles/tripleo_auditd/molecule/custom-rules/molecule.yml

@@ -0,0 +1,24 @@
+---
+provisioner:
+  name: ansible
+  inventory:
+    hosts:
+      all:
+        hosts:
+          instance:
+            ansible_host: localhost
+  log: true
+  env:
+    ANSIBLE_STDOUT_CALLBACK: yaml
+
+scenario:
+  name: custom_rules
+  test_sequence:
+    - destroy
+    - create
+    - prepare
+    - converge
+    - destroy
+
+verifier:
+  name: testinfra

tripleo_ansible/roles/tripleo_auditd/molecule/custom-rules/prepare.yml

@@ -0,0 +1,25 @@
+---
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Prepare
+  hosts: all
+  become: true
+  roles:
+    - role: test_deps
+      test_deps_extra_packages:
+        - audit
+    - role: env_data

tripleo_ansible/roles/tripleo_auditd/molecule/default/converge.yml

@@ -0,0 +1,23 @@
+---
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Converge
+  hosts: all
+  tasks:
+    - name: Default install without custom rules
+      include_role:
+        name: "tripleo_auditd"

tripleo_ansible/roles/tripleo_auditd/molecule/default/molecule.yml

@@ -0,0 +1,23 @@
+---
+provisioner:
+  name: ansible
+  inventory:
+    hosts:
+      all:
+        hosts:
+          instance:
+            ansible_host: localhost
+  log: true
+  env:
+    ANSIBLE_STDOUT_CALLBACK: yaml
+
+scenario:
+  test_sequence:
+    - destroy
+    - create
+    - prepare
+    - converge
+    - destroy
+
+verifier:
+  name: testinfra

tripleo_ansible/roles/tripleo_auditd/molecule/default/prepare.yml

@@ -0,0 +1,25 @@
+---
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Prepare
+  hosts: all
+  become: true
+  roles:
+    - role: test_deps
+      test_deps_extra_packages:
+        - audit
+    - role: env_data

tripleo_ansible/roles/tripleo_auditd/tasks/configure.yaml

@@ -0,0 +1,26 @@
+---
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Push auditd configuration file
+  register: auditd_config
+  template:
+    dest: /etc/audit/auditd.conf
+    src: auditd.conf.j2
+
+- name: Generate auditd rules
+  template:
+    dest: /etc/audit/rules.d/tripleo.rules
+    src: audit.rules.j2

tripleo_ansible/roles/tripleo_auditd/tasks/install.yaml

@@ -0,0 +1,20 @@
+---
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Ensure package is installed
+  package:
+    name: "{{ tripleo_auditd_pkg }}"
+    state: present

tripleo_ansible/roles/tripleo_auditd/tasks/main.yaml

@@ -0,0 +1,22 @@
+---
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: All is to be launched as root
+  become: true
+  block:
+    - include_tasks: install.yaml
+    - include_tasks: configure.yaml
+    - include_tasks: run.yaml

tripleo_ansible/roles/tripleo_auditd/tasks/run.yaml

@@ -0,0 +1,33 @@
+---
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Ensure auditd service is enabled and running
+  register: service_startup
+  systemd:
+    name: "{{ tripleo_auditd_service }}"
+    state: started
+    enabled: true
+
+# We cannot restart auditd using systemctl. The only way to make it reload
+# its configuration is with a SIGHUP.
+- name: Reload service configuration
+  when:
+    - service_startup is not changed
+    - auditd_config is changed
+  command: "killall -HUP {{ tripleo_auditd_service }}"
+
+- name: Reload ruleset if needed
+  command: /sbin/augenrules --load

tripleo_ansible/roles/tripleo_auditd/templates/audit.rules.j2

@@ -0,0 +1,6 @@
+# File managed by tripleo_ansible
+{% set rules = tripleo_auditd_rules|dict2items|sort(attribute='value.order') %}
+{% for rule in rules %}
+# {{ rule['value']['order'] }} {{ rule['key'] }}
+{{ rule['value']['content'] }}
+{% endfor %}

tripleo_ansible/roles/tripleo_auditd/templates/auditd.conf.j2

@@ -0,0 +1,7 @@
+# File managed by tripleo_ansible
+{% set merged_config = tripleo_auditd_config_default | combine(tripleo_auditd_config) %}
+{% for key, value in merged_config.items() %}
+{% if value != '' %}
+{{ key }} = {{ value }}
+{% endif %}
+{% endfor %}

zuul.d/molecule.yaml

@@ -13,6 +13,7 @@
       - tripleo-ansible-centos-stream-molecule-test_deps
       - tripleo-ansible-centos-stream-molecule-test_package_action
       - tripleo-ansible-centos-stream-molecule-tripleo-modules
+      - tripleo-ansible-centos-stream-molecule-tripleo_auditd
       - tripleo-ansible-centos-stream-molecule-tripleo_bootstrap
       - tripleo-ansible-centos-stream-molecule-tripleo_cellv2
       - tripleo-ansible-centos-stream-molecule-tripleo_ceph_client
@@ -82,6 +83,7 @@
       - tripleo-ansible-centos-stream-molecule-test_deps
       - tripleo-ansible-centos-stream-molecule-test_package_action
       - tripleo-ansible-centos-stream-molecule-tripleo-modules
+      - tripleo-ansible-centos-stream-molecule-tripleo_auditd
       - tripleo-ansible-centos-stream-molecule-tripleo_bootstrap
       - tripleo-ansible-centos-stream-molecule-tripleo_cellv2
       - tripleo-ansible-centos-stream-molecule-tripleo_ceph_client
@@ -151,6 +153,7 @@
       - tripleo-ansible-centos-stream-molecule-snapshot_and_revert
       - tripleo-ansible-centos-stream-molecule-test_deps
       - tripleo-ansible-centos-stream-molecule-test_package_action
+      - tripleo-ansible-centos-stream-molecule-tripleo_auditd
       - tripleo-ansible-centos-stream-molecule-tripleo_bootstrap
       - tripleo-ansible-centos-stream-molecule-tripleo_cellv2
       - tripleo-ansible-centos-stream-molecule-tripleo_ceph_client
@@ -277,6 +280,13 @@
     name: tripleo-ansible-centos-stream-molecule-tripleo-modules
     parent: tripleo-ansible-centos-stream-base
     voting: false
+- job:
+    files:
+    - ^tripleo_ansible/roles/tripleo_auditd/(?!meta).*
+    name: tripleo-ansible-centos-stream-molecule-tripleo_auditd
+    parent: tripleo-ansible-centos-stream-base
+    vars:
+      tripleo_role_name: tripleo_auditd
 - job:
     files:
     - ^tripleo_ansible/roles/tripleo_bootstrap/(?!meta).*