New role, replacing puppet-auditd
It allows reusing the same rules as the former puppet-auditd, ensuring their order is respected. Note: this isn't a 1:1 port of puppet-auditd. While the actual rules parameter is 100% compatible, the auditd configuration isn't, and uses a simple dict to apply configuration (tripleo_auditd_config). Closes-Bug: #1964733 Change-Id: I725de465cfe62550288f8780057f54443722e6c1
parent
e5826bb5a4
commit
3ed814e21f
@ -0,0 +1,6 @@
|
|||
=====================
|
||||
Role - tripleo_auditd
|
||||
=====================
|
||||
|
||||
.. ansibleautoplugin::
|
||||
:role: tripleo_ansible/roles/tripleo_auditd
|
|
@ -0,0 +1,59 @@
|
|||
---
|
||||
# Copyright 2022 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
tripleo_auditd_pkg: 'audit'
|
||||
tripleo_auditd_service: 'auditd'
|
||||
tripleo_auditd_rules:
|
||||
"Default - Delete all rules":
|
||||
content: '-D'
|
||||
order: 0
|
||||
"Default - Set Buffer size":
|
||||
content: '-b 8192'
|
||||
order: 1
|
||||
"Default - Set failure mode":
|
||||
content: "-f 1"
|
||||
order: 2
|
||||
"Default - Set backlog time":
|
||||
content: "--backlog_wait_time 60000"
|
||||
order: 3
|
||||
|
||||
tripleo_auditd_config: {}
|
||||
tripleo_auditd_config_default:
|
||||
log_file: '/var/log/audit/audit.log'
|
||||
log_format: 'RAW'
|
||||
log_group: 'root'
|
||||
write_logs: 'yes'
|
||||
priority_boost: '4'
|
||||
flush: 'incremental_async'
|
||||
freq: '20'
|
||||
num_logs: '5'
|
||||
disp_qos: 'lossy'
|
||||
dispatcher: '/sbin/audispd'
|
||||
name_format: 'none'
|
||||
max_log_file: '6'
|
||||
max_log_file_action: 'rotate'
|
||||
space_left: '75'
|
||||
space_left_action: 'syslog'
|
||||
action_mail_acct: 'root'
|
||||
admin_space_left: '50'
|
||||
admin_space_left_action: 'suspend'
|
||||
disk_full_action: 'suspend'
|
||||
disk_error_action: 'suspend'
|
||||
tcp_listen_queue: '5'
|
||||
tcp_max_per_addr: '1'
|
||||
tcp_client_max_idle: '0'
|
||||
enable_krb5: 'no'
|
||||
krb5_principal: 'auditd'
|
|
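Review bot: `action_mail_acct: 'root'` in tripleo_auditd_config_default is inert as shipped, because none of the actions (`space_left_action: 'syslog'`, and `suspend` for admin_space_left/disk_full/disk_error) is `email`; either document that it only takes effect once an operator switches an action to `email`, or make `space_left_action: 'email'` so a filling audit partition actually reaches someone. `suspend` also leaves the host running unaudited once auditd stops writing, which stricter baselines replace with `halt`, so a comment should say this is a deliberate availability-over-assurance choice. Because tripleo_auditd_config is merged into this dict and rendered verbatim into auditd.conf, add a comment that override values must be quoted strings: an unquoted `write_logs: yes` becomes a YAML boolean and renders as `write_logs = True`, which auditd's yes/no parser will not accept. Finally `dispatcher: '/sbin/audispd'` and `disp_qos` are audit 2.x options; on the audit 3.x shipped with the CentOS 8/9 targets declared in meta, confirm the rendered file is still accepted rather than warned on or rejected.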
@ -0,0 +1,43 @@
|
|||
---
|
||||
# Copyright 2022 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
galaxy_info:
|
||||
author: OpenStack
|
||||
description: TripleO OpenStack Role -- tripleo_auditd
|
||||
company: Red Hat
|
||||
license: Apache-2.0
|
||||
min_ansible_version: 2.7
|
||||
namespace: openstack
|
||||
#
|
||||
# Provide a list of supported platforms, and for each platform a list of versions.
|
||||
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
|
||||
# To view available platforms and versions (or releases), visit:
|
||||
# https://galaxy.ansible.com/api/v1/platforms/
|
||||
#
|
||||
platforms:
|
||||
- name: CentOS
|
||||
versions:
|
||||
- 8
|
||||
- 9
|
||||
|
||||
galaxy_tags:
|
||||
- tripleo
|
||||
|
||||
|
||||
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
|
||||
# if you add dependencies to this list.
|
||||
dependencies: []
|
|
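Review bot: `min_ansible_version: 2.7` is parsed as a float, so it works by accident and a future bump to `2.10` would silently become `2.1`; quote it as `min_ansible_version: '2.7'`. The "Be sure to remove the '[]' above" comment over `dependencies: []` is galaxy skeleton text that no longer matches the file and can be dropped.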
@ -0,0 +1,49 @@
|
|||
---
|
||||
# Copyright 2022 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Converge
|
||||
hosts: all
|
||||
vars:
|
||||
ordered_rules:
|
||||
- '-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules'
|
||||
- '-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules'
|
||||
- '-a always,exit -F arch=b64 -S clock_settime -F key=audit_time_rules'
|
||||
tasks:
|
||||
- name: Push some rules
|
||||
vars:
|
||||
tripleo_auditd_rules:
|
||||
'Record attempts to alter time through settimeofday':
|
||||
content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules'
|
||||
order : 2
|
||||
'Record attempts to alter time through adjtimex':
|
||||
content: '-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules'
|
||||
order : 1
|
||||
'Record Attempts to Alter Time Through clock_settime':
|
||||
content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules'
|
||||
order : 3
|
||||
include_role:
|
||||
name: "tripleo_auditd"
|
||||
|
||||
- name: Get auditd rules
|
||||
become: true
|
||||
register: auditctl_listing
|
||||
command: /sbin/auditctl -l
|
||||
|
||||
- name: Ensure rules are present in the correct order
|
||||
assert:
|
||||
that:
|
||||
- auditctl_listing.stdout_lines == ordered_rules
|
|
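Review bot: The task-level `vars: tripleo_auditd_rules` replaces the entire dict from defaults, so this scenario never exercises the `-D` / `-b 8192` / `-f 1` / `--backlog_wait_time` prelude alongside custom rules, and it demonstrates to operators a pattern that silently drops that prelude in production. Either re-include those four entries in the scenario's dict, or split the prelude into its own default variable that the template always emits first so it cannot be lost by overriding tripleo_auditd_rules. The assertion `auditctl_listing.stdout_lines == ordered_rules` also assumes no other file under /etc/audit/rules.d contributes syscall rules on the test host; a one-line comment stating that assumption will save the next person a confusing failure.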
@ -0,0 +1,24 @@
|
|||
---
|
||||
provisioner:
|
||||
name: ansible
|
||||
inventory:
|
||||
hosts:
|
||||
all:
|
||||
hosts:
|
||||
instance:
|
||||
ansible_host: localhost
|
||||
log: true
|
||||
env:
|
||||
ANSIBLE_STDOUT_CALLBACK: yaml
|
||||
|
||||
scenario:
|
||||
name: custom_rules
|
||||
test_sequence:
|
||||
- destroy
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- destroy
|
||||
|
||||
verifier:
|
||||
name: testinfra
|
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
# Copyright 2022 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
become: true
|
||||
roles:
|
||||
- role: test_deps
|
||||
test_deps_extra_packages:
|
||||
- audit
|
||||
- role: env_data
|
|
@ -0,0 +1,23 @@
|
|||
---
|
||||
# Copyright 2022 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Converge
|
||||
hosts: all
|
||||
tasks:
|
||||
- name: Default install without custom rules
|
||||
include_role:
|
||||
name: "tripleo_auditd"
|
|
@ -0,0 +1,23 @@
|
|||
---
|
||||
provisioner:
|
||||
name: ansible
|
||||
inventory:
|
||||
hosts:
|
||||
all:
|
||||
hosts:
|
||||
instance:
|
||||
ansible_host: localhost
|
||||
log: true
|
||||
env:
|
||||
ANSIBLE_STDOUT_CALLBACK: yaml
|
||||
|
||||
scenario:
|
||||
test_sequence:
|
||||
- destroy
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- destroy
|
||||
|
||||
verifier:
|
||||
name: testinfra
|
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
# Copyright 2022 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
become: true
|
||||
roles:
|
||||
- role: test_deps
|
||||
test_deps_extra_packages:
|
||||
- audit
|
||||
- role: env_data
|
|
@ -0,0 +1,26 @@
|
|||
---
|
||||
# Copyright 2022 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
- name: Push auditd configuration file
|
||||
register: auditd_config
|
||||
template:
|
||||
dest: /etc/audit/auditd.conf
|
||||
src: auditd.conf.j2
|
||||
|
||||
- name: Generate auditd rules
|
||||
template:
|
||||
dest: /etc/audit/rules.d/tripleo.rules
|
||||
src: audit.rules.j2
|
|
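Review bot: Neither template sets `owner`/`group`/`mode`, so `/etc/audit/rules.d/tripleo.rules` is created with the umask default (typically 0644) and `/etc/audit/auditd.conf` keeps whatever mode it already had; the rule set tells a local attacker exactly which syscalls and paths are watched, and common hardening baselines expect 0640 root:root on both files. Add `owner: root`, `group: root` and `mode: '0640'` to both tasks. Separately, augenrules merges `/etc/audit/rules.d/*.rules` in lexical order, so the role's leading `-D` lands after any drop-in that sorts before `tripleo.rules` and deletes the rules that file loaded; a comment on the "Generate auditd rules" task should state that this role expects to own the full rule set (as far as I recall the package's own audit.rules only carries the same prelude, so that one is harmless).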
@ -0,0 +1,20 @@
|
|||
---
|
||||
# Copyright 2022 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
- name: Ensure package is installed
|
||||
package:
|
||||
name: "{{ tripleo_auditd_pkg }}"
|
||||
state: present
|
|
@ -0,0 +1,22 @@
|
|||
---
|
||||
# Copyright 2022 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
- name: All is to be launched as root
|
||||
become: true
|
||||
block:
|
||||
- include_tasks: install.yaml
|
||||
- include_tasks: configure.yaml
|
||||
- include_tasks: run.yaml
|
|
@ -0,0 +1,33 @@
|
|||
---
|
||||
# Copyright 2022 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
- name: Ensure auditd service is enabled and running
|
||||
register: service_startup
|
||||
systemd:
|
||||
name: "{{ tripleo_auditd_service }}"
|
||||
state: started
|
||||
enabled: true
|
||||
|
||||
# We cannot restart auditd using systemctl. The only way to make it reload
|
||||
# its configuration is with a SIGHUP.
|
||||
- name: Reload service configuration
|
||||
when:
|
||||
- service_startup is not changed
|
||||
- auditd_config is changed
|
||||
command: "killall -HUP {{ tripleo_auditd_service }}"
|
||||
|
||||
- name: Reload ruleset if needed
|
||||
command: /sbin/augenrules --load
|
|
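Review bot: `killall -HUP {{ tripleo_auditd_service }}` depends on the psmisc package, which the role never installs, and it signals by process name, so a variable meant to hold a systemd unit name is silently reused as a process name. Use the unit-scoped signal instead: `command: "systemctl kill --signal=HUP {{ tripleo_auditd_service }}"`. The reload also gives no feedback: if the rendered auditd.conf is rejected, auditd logs the error and, depending on version, keeps the old configuration or exits, so consider following the HUP with a `systemctl is-active` check or a `failed_when` on the journal. `augenrules --load` runs unconditionally and without `changed_when`, so every run reports changed; augenrules prints "No change" when the merged file is identical, so registering the result and setting `changed_when: "'No change' not in augenrules_load.stdout"` would make the role idempotent in reporting (it will also fail outright if an operator has locked the rules with `-e 2`, which is worth a comment).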
@ -0,0 +1,6 @@
|
|||
# File managed by tripleo_ansible
|
||||
{% set rules = tripleo_auditd_rules|dict2items|sort(attribute='value.order') %}
|
||||
{% for rule in rules %}
|
||||
# {{ rule['value']['order'] }} {{ rule['key'] }}
|
||||
{{ rule['value']['content'] }}
|
||||
{% endfor %}
|
|
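Review bot: The sort key is only `value.order`, so two entries sharing an order value are emitted in whatever order `dict2items` yields, and since the kernel evaluates syscall rules in list order (as far as I know, first match wins) a tie is not guaranteed to resolve the same way on every host. Sort by name first so ties are deterministic: `{% set rules = tripleo_auditd_rules|dict2items|sort(attribute='key')|sort(attribute='value.order') %}` (Jinja's sort is stable, so the order sort keeps the name ordering within ties). An entry missing `order` or `content` currently fails with an opaque undefined-attribute error at template time; `{{ rule['value']['content'] | mandatory }}` or a role-level assert would name the offending rule. Rule `content` is deliberately written verbatim and unescaped since it is raw auditctl syntax; a template comment saying so would stop someone "fixing" it later.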
@ -0,0 +1,7 @@
|
|||
# File managed by tripleo_ansible
|
||||
{% set merged_config = tripleo_auditd_config_default | combine(tripleo_auditd_config) %}
|
||||
{% for key, value in merged_config.items() %}
|
||||
{% if value != '' %}
|
||||
{{ key }} = {{ value }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
|
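Review bot: The `{% if value != '' %}` guard only skips empty strings, so an override written as `key:` (YAML null) renders `key = None`, and an unquoted `yes`/`no` renders `True`/`False`; auditd will reject both and the role has no validate step to catch it before the SIGHUP in run.yaml. Tighten the guard to `{% if value is not none and value|string != '' %}` and add a template comment that setting a key to `''` in tripleo_auditd_config is the supported way to drop one of the defaults from the rendered file. `combine` is a shallow merge, which is fine for this flat dict but deserves one line in the role docs so nobody expects nested overrides.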
@ -13,6 +13,7 @@
|
|||
- tripleo-ansible-centos-stream-molecule-test_deps
|
||||
- tripleo-ansible-centos-stream-molecule-test_package_action
|
||||
- tripleo-ansible-centos-stream-molecule-tripleo-modules
|
||||
- tripleo-ansible-centos-stream-molecule-tripleo_auditd
|
||||
- tripleo-ansible-centos-stream-molecule-tripleo_bootstrap
|
||||
- tripleo-ansible-centos-stream-molecule-tripleo_cellv2
|
||||
- tripleo-ansible-centos-stream-molecule-tripleo_ceph_client
|
||||
|
@ -82,6 +83,7 @@
|
|||
- tripleo-ansible-centos-stream-molecule-test_deps
|
||||
- tripleo-ansible-centos-stream-molecule-test_package_action
|
||||
- tripleo-ansible-centos-stream-molecule-tripleo-modules
|
||||
- tripleo-ansible-centos-stream-molecule-tripleo_auditd
|
||||
- tripleo-ansible-centos-stream-molecule-tripleo_bootstrap
|
||||
- tripleo-ansible-centos-stream-molecule-tripleo_cellv2
|
||||
- tripleo-ansible-centos-stream-molecule-tripleo_ceph_client
|
||||
|
@ -151,6 +153,7 @@
|
|||
- tripleo-ansible-centos-stream-molecule-snapshot_and_revert
|
||||
- tripleo-ansible-centos-stream-molecule-test_deps
|
||||
- tripleo-ansible-centos-stream-molecule-test_package_action
|
||||
- tripleo-ansible-centos-stream-molecule-tripleo_auditd
|
||||
- tripleo-ansible-centos-stream-molecule-tripleo_bootstrap
|
||||
- tripleo-ansible-centos-stream-molecule-tripleo_cellv2
|
||||
- tripleo-ansible-centos-stream-molecule-tripleo_ceph_client
|
||||
|
@ -277,6 +280,13 @@
|
|||
name: tripleo-ansible-centos-stream-molecule-tripleo-modules
|
||||
parent: tripleo-ansible-centos-stream-base
|
||||
voting: false
|
||||
- job:
|
||||
files:
|
||||
- ^tripleo_ansible/roles/tripleo_auditd/(?!meta).*
|
||||
name: tripleo-ansible-centos-stream-molecule-tripleo_auditd
|
||||
parent: tripleo-ansible-centos-stream-base
|
||||
vars:
|
||||
tripleo_role_name: tripleo_auditd
|
||||
- job:
|
||||
files:
|
||||
- ^tripleo_ansible/roles/tripleo_bootstrap/(?!meta).*
|
||||
|
|