This change imports the aide content from the tripleo-heat-templates project and creates a role which can be used throughout the tripleo project ecosystem. The role is tested in docker containers running both fedora28 and centos7. Change-Id: I3a34152dd0cd7363a6f138d6e1c6fd0f062a3ac6 Signed-off-by: Kevin Carter <kevin@cloudnull.com> Signed-off-by: Kevin Carter <kecarter@redhat.com>changes/72/664772/8
20 changed files with 545 additions and 0 deletions
@ -0,0 +1,23 @@
|
||||
=========================== |
||||
TripleO-Ansible Role - aide |
||||
=========================== |
||||
|
||||
This role provides for the following services: |
||||
|
||||
* aide |
||||
|
||||
|
||||
Default variables |
||||
~~~~~~~~~~~~~~~~~ |
||||
|
||||
.. literalinclude:: ../../../tripleo_ansible/roles/aide/defaults/main.yml |
||||
:language: yaml |
||||
:start-after: under the License. |
||||
|
||||
|
||||
Example playbook |
||||
~~~~~~~~~~~~~~~~ |
||||
|
||||
.. literalinclude:: ../../../tripleo_ansible/roles/aide/molecule/default/playbook.yml |
||||
:language: yaml |
||||
:start-after: under the License. |
@ -0,0 +1,4 @@
|
||||
Aide |
||||
==== |
||||
|
||||
Ansible role to install and configure aide |
@ -0,0 +1,52 @@
|
||||
--- |
||||
# Copyright 2019 Red Hat, Inc. |
||||
# All Rights Reserved. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
||||
# not use this file except in compliance with the License. You may obtain |
||||
# a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
||||
# License for the specific language governing permissions and limitations |
||||
# under the License. |
||||
|
||||
|
||||
# All variables intended for modification should place placed in this file. |
||||
|
||||
# All variables within this role should have a prefix of "aide" |
||||
aide_debug: false |
||||
|
||||
# Packages installed on the local system. Allows user to define this list |
||||
# otherwise it will inherit from the OS specific variable file(s). |
||||
aide_system_packages: "{{ _aide_system_packages | default([]) }}" |
||||
|
||||
# A hash of Aide rules |
||||
aide_rules: {} |
||||
|
||||
# Aide configuration file |
||||
aide_conf_path: /etc/aide.conf |
||||
|
||||
# Aide integrity database location |
||||
aide_db_path: /var/lib/aide/aide.db |
||||
|
||||
# Aide integrity database temp location |
||||
aide_db_temp_path: /var/lib/aide/aide.db.new |
||||
|
||||
# User which creates and runs the cron job for aide |
||||
aide_cron_user: root |
||||
|
||||
# Hour value for Cron Job |
||||
aide_hour: 11 |
||||
|
||||
# Minute value for Cron Job |
||||
aide_minute: 30 |
||||
|
||||
# Email address to send reports on Cron Job |
||||
aide_email: '' |
||||
|
||||
# Full POSIX path to mail binary |
||||
aide_mua_path: /bin/mail |
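Review bot: `aide_rules: {}` is documented as "A hash of Aide rules" but nothing in the role reads it — the only writes to `aide_conf_path` are the three `database*` lines in the config task — so any rules a user supplies are silently ignored and the host relies entirely on whatever `/etc/aide.conf` the package ships. Either drop the variable until a task renders it into the config, or mark it in the comment as not yet consumed, e.g. `# A hash of Aide rules (currently unused; rules come from the packaged aide.conf)`. The comment on `aide_email` should also say what an empty value means for the generated cron job, since the config task branches on it.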
@ -0,0 +1,15 @@
|
||||
--- |
||||
# Copyright 2019 Red Hat, Inc. |
||||
# All Rights Reserved. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
||||
# not use this file except in compliance with the License. You may obtain |
||||
# a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
||||
# License for the specific language governing permissions and limitations |
||||
# under the License. |
@ -0,0 +1,44 @@
|
||||
--- |
||||
# Copyright 2019 Red Hat, Inc. |
||||
# All Rights Reserved. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
||||
# not use this file except in compliance with the License. You may obtain |
||||
# a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
||||
# License for the specific language governing permissions and limitations |
||||
# under the License. |
||||
|
||||
|
||||
galaxy_info: |
||||
author: OpenStack |
||||
description: TripleO OpenStack Role -- aide |
||||
company: Red Hat |
||||
license: Apache-2.0 |
||||
min_ansible_version: 2.7 |
||||
# |
||||
# Provide a list of supported platforms, and for each platform a list of versions. |
||||
# If you don't wish to enumerate all versions for a particular platform, use 'all'. |
||||
# To view available platforms and versions (or releases), visit: |
||||
# https://galaxy.ansible.com/api/v1/platforms/ |
||||
# |
||||
platforms: |
||||
- name: Fedora |
||||
versions: |
||||
- 28 |
||||
- name: CentOS |
||||
versions: |
||||
- 7 |
||||
|
||||
galaxy_tags: |
||||
- tripleo |
||||
|
||||
|
||||
# List your role dependencies here, one per line. Be sure to remove the '[]' above, |
||||
# if you add dependencies to this list. |
||||
dependencies: [] |
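Review bot: `min_ansible_version: 2.7` is an unquoted float, so generic YAML loaders read it as the number 2.7 rather than a version string, and a later bump to `2.10` would silently become `2.1`; quote it as `min_ansible_version: "2.7"`. The same applies to the platform `versions` entries should a release with a trailing zero ever be listed.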
@ -0,0 +1,37 @@
|
||||
# Molecule managed |
||||
# Copyright 2019 Red Hat, Inc. |
||||
# All Rights Reserved. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
||||
# not use this file except in compliance with the License. You may obtain |
||||
# a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
||||
# License for the specific language governing permissions and limitations |
||||
# under the License. |
||||
|
||||
|
||||
{% if item.registry is defined %} |
||||
FROM {{ item.registry.url }}/{{ item.image }} |
||||
{% else %} |
||||
FROM {{ item.image }} |
||||
{% endif %} |
||||
|
||||
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ |
||||
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \ |
||||
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ |
||||
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \ |
||||
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \ |
||||
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi |
||||
|
||||
{% for pkg in item.easy_install | default([]) %} |
||||
# install pip for centos where there is no python-pip rpm in default repos |
||||
RUN easy_install {{ pkg }} |
||||
{% endfor %} |
||||
|
||||
|
||||
CMD ["sh", "-c", "while true; do sleep 10000; done"] |
@ -0,0 +1,48 @@
|
||||
--- |
||||
driver: |
||||
name: docker |
||||
|
||||
log: true |
||||
|
||||
platforms: |
||||
- name: centos7 |
||||
hostname: centos7 |
||||
image: centos:7 |
||||
dockerfile: Dockerfile |
||||
pkg_extras: python-setuptools |
||||
easy_install: |
||||
- pip |
||||
environment: &env |
||||
http_proxy: "{{ lookup('env', 'http_proxy') }}" |
||||
https_proxy: "{{ lookup('env', 'https_proxy') }}" |
||||
|
||||
- name: fedora28 |
||||
hostname: fedora28 |
||||
image: fedora:28 |
||||
dockerfile: Dockerfile |
||||
pkg_extras: python*-setuptools |
||||
environment: |
||||
<<: *env |
||||
|
||||
provisioner: |
||||
name: ansible |
||||
log: true |
||||
env: |
||||
ANSIBLE_STDOUT_CALLBACK: yaml |
||||
|
||||
scenario: |
||||
test_sequence: |
||||
- destroy |
||||
- create |
||||
- prepare |
||||
- converge |
||||
- verify |
||||
- destroy |
||||
|
||||
lint: |
||||
enabled: false |
||||
|
||||
verifier: |
||||
name: testinfra |
||||
lint: |
||||
name: flake8 |
@ -0,0 +1,24 @@
|
||||
--- |
||||
# Copyright 2019 Red Hat, Inc. |
||||
# All Rights Reserved. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
||||
# not use this file except in compliance with the License. You may obtain |
||||
# a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
||||
# License for the specific language governing permissions and limitations |
||||
# under the License. |
||||
|
||||
|
||||
- name: Converge |
||||
hosts: all |
||||
roles: |
||||
- role: "aide" |
||||
post_tasks: |
||||
- include_role: |
||||
name: aide # Role is include as a post task to test upgrade logic |
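Review bot: The inline comment on the `include_role` task reads `# Role is include as a post task to test upgrade logic`, which is ungrammatical and does not say which branch it exercises; suggest `# Role is included a second time as a post task so the run hits the aide_upgrade.yml path`. The comment is the only documentation of why the role is applied twice, so it is worth getting right.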
@ -0,0 +1,26 @@
|
||||
--- |
||||
# Copyright 2019 Red Hat, Inc. |
||||
# All Rights Reserved. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
||||
# not use this file except in compliance with the License. You may obtain |
||||
# a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
||||
# License for the specific language governing permissions and limitations |
||||
# under the License. |
||||
|
||||
|
||||
- name: Prepare |
||||
hosts: all |
||||
roles: |
||||
- role: test_deps |
||||
post_tasks: |
||||
- name: Ensure cronie is installed |
||||
package: |
||||
name: cronie |
||||
state: present |
@ -0,0 +1,15 @@
|
||||
--- |
||||
# Copyright 2019 Red Hat, Inc. |
||||
# All Rights Reserved. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
||||
# not use this file except in compliance with the License. You may obtain |
||||
# a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
||||
# License for the specific language governing permissions and limitations |
||||
# under the License. |
@ -0,0 +1,94 @@
|
||||
--- |
||||
# Copyright 2019 Red Hat, Inc. |
||||
# All Rights Reserved. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
||||
# not use this file except in compliance with the License. You may obtain |
||||
# a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
||||
# License for the specific language governing permissions and limitations |
||||
# under the License. |
||||
|
||||
|
||||
- name: Check for aide db |
||||
stat: |
||||
path: "{{ aide_db_path }}" |
||||
register: aide_db_path_check |
||||
|
||||
- name: Ensure aide DB config is set |
||||
lineinfile: |
||||
path: "{{ aide_conf_path }}" |
||||
line: "{{ item.line }}" |
||||
create: true |
||||
when: |
||||
- item.condition | bool |
||||
with_items: |
||||
- line: "database=file:{{ aide_db_path }}" |
||||
condition: true |
||||
- line: "database_out=file:{{ aide_db_temp_path }}" |
||||
condition: "{{ not (aide_db_path_check.stat.exists | bool) }}" |
||||
- line: "database_new=file:{{ aide_db_temp_path }}" |
||||
condition: "{{ not (aide_db_path_check.stat.exists | bool) }}" |
||||
|
||||
- name: Initialize aide database |
||||
command: >- |
||||
/usr/sbin/aide --init --config {{ aide_conf_path }} |
||||
changed_when: false |
||||
no_log: true |
||||
args: |
||||
creates: "{{ aide_db_path }}" |
||||
|
||||
- name: Check for tmp aide db |
||||
stat: |
||||
path: "{{ aide_db_temp_path }}" |
||||
register: aide_db_temp_path_check |
||||
|
||||
- name: Copy aide db |
||||
copy: |
||||
src: "{{ aide_db_temp_path }}" |
||||
dest: "{{ aide_db_path }}" |
||||
remote_src: true |
||||
when: |
||||
- aide_db_temp_path_check.stat.exists | bool |
||||
- not (aide_db_path_check.stat.exists | bool) |
||||
|
||||
- name: Set aide command fact with email |
||||
set_fact: |
||||
aide_command: >- |
||||
/usr/sbin/aide |
||||
--check |
||||
--config {{ aide_conf_path }} |
||||
| {{ aide_mua_path }} |
||||
-s '{{ ansible_fqdn }} - AIDE integrity check' {{ aide_email }} |
||||
when: |
||||
- aide_email.find("v=" ~ "@") == -1 |
||||
|
||||
- name: Email aide block |
||||
when: |
||||
- aide_email.find("v=" ~ "@") != -1 |
||||
block: |
||||
- name: Ensure audit directory exists |
||||
file: |
||||
path: "/var/log/audit" |
||||
state: directory |
||||
|
||||
- name: Set aide command fact |
||||
set_fact: |
||||
aide_command: >- |
||||
/usr/sbin/aide |
||||
--check |
||||
--config {{ aide_conf_path }} |
||||
> /var/log/audit/aide_$(date +%Y-%m-%d).log |
||||
|
||||
- name: Create aide cron entry |
||||
cron: |
||||
name: "aide" |
||||
job: "{{ aide_command }}" |
||||
user: "{{ aide_cron_user }}" |
||||
hour: "{{ aide_hour | string }}" |
||||
minute: "{{ aide_minute | string }}" |
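Review bot: The two email conditions `aide_email.find("v=" ~ "@") == -1` and `!= -1` test for the literal substring `v=@` (the `~` concatenates `"v="` and `"@"`), which no address contains, so the mail variant is always selected — including with the default `aide_email: ''`, which yields a cron job piping into `/bin/mail -s '...'` with no recipient — and the log-file block never runs. The intended check is presumably `aide_email.find("@") != -1` for the mail variant and `== -1` for the block. Two further problems in the same file: the `%` characters in `date +%Y-%m-%d` are treated by cron as line separators unless escaped (`date +\%Y-\%m-\%d`), and the `lineinfile` entries have no `regexp`, so a packaged `/etc/aide.conf` that already sets `database=`/`database_out=` may end up with duplicate directives — add a `regexp` per entry matching the directive name (e.g. `regexp: '^database='`). `no_log: true` on the `aide --init` command hides diagnostic output although nothing secret is involved.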
@ -0,0 +1,23 @@
|
||||
--- |
||||
# Copyright 2019 Red Hat, Inc. |
||||
# All Rights Reserved. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
||||
# not use this file except in compliance with the License. You may obtain |
||||
# a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
||||
# License for the specific language governing permissions and limitations |
||||
# under the License. |
||||
|
||||
|
||||
- name: Ensure Aide is installed |
||||
package: |
||||
name: "{{ aide_system_packages }}" |
||||
state: present |
||||
|
||||
- include_tasks: aide_config.yml |
@ -0,0 +1,40 @@
|
||||
--- |
||||
# Copyright 2019 Red Hat, Inc. |
||||
# All Rights Reserved. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
||||
# not use this file except in compliance with the License. You may obtain |
||||
# a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
||||
# License for the specific language governing permissions and limitations |
||||
# under the License. |
||||
|
||||
|
||||
- name: Ensure Aide is installed and updated |
||||
package: |
||||
name: "{{ aide_system_packages }}" |
||||
state: latest |
||||
|
||||
- name: Initialize aide database |
||||
command: >- |
||||
/usr/sbin/aide --init --config {{ aide_conf_path }} |
||||
changed_when: false |
||||
no_log: true |
||||
|
||||
- name: Check for tmp aide db |
||||
stat: |
||||
path: "{{ aide_db_temp_path }}" |
||||
register: aide_db_temp_path_check |
||||
|
||||
- name: Copy new aide db |
||||
copy: |
||||
src: "{{ aide_db_temp_path }}" |
||||
dest: "{{ aide_db_path }}" |
||||
remote_src: true |
||||
when: |
||||
- aide_db_temp_path_check.stat.exists | bool |
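Review bot: `Initialize aide database` runs `aide --init` on every upgrade pass and `Copy new aide db` then overwrites `aide_db_path` whenever the temp DB exists, so each role run re-baselines the integrity database to whatever is currently on disk — including any change AIDE was supposed to flag. Regenerate the baseline only when the `package` task actually changed something (register it and condition both tasks on its `changed` result) or behind an explicit opt-in variable, and keep the previous DB alongside for comparison. `changed_when: false` on a command that rewrites the database misreports the run, and `no_log: true` hides its output although no secrets are handled, so both should go.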
@ -0,0 +1,45 @@
|
||||
--- |
||||
# Copyright 2019 Red Hat, Inc. |
||||
# All Rights Reserved. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
||||
# not use this file except in compliance with the License. You may obtain |
||||
# a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
||||
# License for the specific language governing permissions and limitations |
||||
# under the License. |
||||
|
||||
|
||||
# "aide" will search for and load any operating system variable file |
||||
# found within the "vars/" path. If no OS files are found the task will skip. |
||||
- name: Gather variables for each operating system |
||||
include_vars: "{{ item }}" |
||||
with_first_found: |
||||
- skip: true |
||||
files: |
||||
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml" |
||||
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml" |
||||
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml" |
||||
- "{{ ansible_distribution | lower }}.yml" |
||||
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml" |
||||
- "{{ ansible_os_family | lower }}.yml" |
||||
tags: |
||||
- always |
||||
|
||||
- name: Check for aide |
||||
stat: |
||||
path: "/usr/sbin/aide" |
||||
register: aide_path_check |
||||
|
||||
- include_tasks: "aide_install.yml" |
||||
when: |
||||
- not (aide_path_check.stat.exists | bool) |
||||
|
||||
- include_tasks: "aide_upgrade.yml" |
||||
when: |
||||
- aide_path_check.stat.exists | bool |
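Review bot: `/usr/sbin/aide` is hard-coded in the `stat` task here and again in the command and set_fact tasks of the config and upgrade files, so a distribution that installs the binary elsewhere would be treated as "not installed" on every run and re-enter the install path. A single role default such as `aide_bin_path: /usr/sbin/aide` (constructed name) referenced from all three files would keep them in step.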
@ -0,0 +1,22 @@
|
||||
--- |
||||
# Copyright 2019 Red Hat, Inc. |
||||
# All Rights Reserved. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
||||
# not use this file except in compliance with the License. You may obtain |
||||
# a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
||||
# License for the specific language governing permissions and limitations |
||||
# under the License. |
||||
|
||||
|
||||
# While options found within the vars/ path can be overridden using extra |
||||
# vars, items within this path are considered part of the role and not |
||||
# intended to be modified. |
||||
|
||||
# All variables within this role should have a prefix of "{{ role_name }}" |
@ -0,0 +1,18 @@
|
||||
--- |
||||
# Copyright 2019 Red Hat, Inc. |
||||
# All Rights Reserved. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
||||
# not use this file except in compliance with the License. You may obtain |
||||
# a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
||||
# License for the specific language governing permissions and limitations |
||||
# under the License. |
||||
|
||||
_aide_system_packages: |
||||
- aide |