Browse Source

Create an aide role

This change imports the aide content from the tripleo-heat-templates
project and creates a role which can be used throughout the tripleo
project ecosystem.

The role will test in docker containers running both fedora28 and
centos7.

Change-Id: I3a34152dd0cd7363a6f138d6e1c6fd0f062a3ac6
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Signed-off-by: Kevin Carter <kecarter@redhat.com>
changes/72/664772/8
Kevin Carter 3 years ago committed by Kevin Carter (cloudnull)
parent
commit
be85c6e135
  1. 23
      doc/source/roles/role-aide.rst
  2. 6
      tox.ini
  3. 4
      tripleo_ansible/roles/aide/README.md
  4. 52
      tripleo_ansible/roles/aide/defaults/main.yml
  5. 0
      tripleo_ansible/roles/aide/files/.gitkeep
  6. 15
      tripleo_ansible/roles/aide/handlers/main.yml
  7. 44
      tripleo_ansible/roles/aide/meta/main.yml
  8. 37
      tripleo_ansible/roles/aide/molecule/default/Dockerfile
  9. 48
      tripleo_ansible/roles/aide/molecule/default/molecule.yml
  10. 24
      tripleo_ansible/roles/aide/molecule/default/playbook.yml
  11. 26
      tripleo_ansible/roles/aide/molecule/default/prepare.yml
  12. 15
      tripleo_ansible/roles/aide/molecule/default/verify.yml
  13. 94
      tripleo_ansible/roles/aide/tasks/aide_config.yml
  14. 23
      tripleo_ansible/roles/aide/tasks/aide_install.yml
  15. 40
      tripleo_ansible/roles/aide/tasks/aide_upgrade.yml
  16. 45
      tripleo_ansible/roles/aide/tasks/main.yml
  17. 22
      tripleo_ansible/roles/aide/vars/main.yml
  18. 18
      tripleo_ansible/roles/aide/vars/redhat.yml
  19. 8
      zuul.d/jobs.yaml
  20. 1
      zuul.d/layout.yaml

23
doc/source/roles/role-aide.rst

@ -0,0 +1,23 @@
===========================
TripleO-Ansible Role - aide
===========================
This role provides for the following services:
* aide
Default variables
~~~~~~~~~~~~~~~~~
.. literalinclude:: ../../../tripleo_ansible/roles/aide/defaults/main.yml
:language: yaml
:start-after: under the License.
Example playbook
~~~~~~~~~~~~~~~~
.. literalinclude:: ../../../tripleo_ansible/roles/aide/molecule/default/playbook.yml
:language: yaml
:start-after: under the License.

6
tox.ini

@ -119,6 +119,12 @@ deps =
molecule>=2.22rc1
selinux
[testenv:mol-aide]
basepython = {[testenv:mol]basepython}
deps = {[testenv:mol]deps}
changedir = {toxinidir}/tripleo_ansible/roles/aide
commands = python -m pytest --color=yes --html={envlogdir}/reports.html --self-contained-html {tty:-s} {toxinidir}/tests/test_molecule.py
[testenv:mol-test_deps]
basepython={[testenv:mol]basepython}
deps={[testenv:mol]deps}

4
tripleo_ansible/roles/aide/README.md

@ -0,0 +1,4 @@
Aide
====
Ansible role to install and configure aide

52
tripleo_ansible/roles/aide/defaults/main.yml

@ -0,0 +1,52 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# All variables intended for modification should place placed in this file.
# All variables within this role should have a prefix of "aide"
aide_debug: false
# Packages installed on the local system. Allows user to define this list
# otherwise it will inherit from the OS specific variable file(s).
aide_system_packages: "{{ _aide_system_packages | default([]) }}"
# A hash of Aide rules
aide_rules: {}
# Aide configuration file
aide_conf_path: /etc/aide.conf
# Aide integrity database location
aide_db_path: /var/lib/aide/aide.db
# Aide integrity database temp location
aide_db_temp_path: /var/lib/aide/aide.db.new
# User which creates and runs the cron job for aide
aide_cron_user: root
# Hour value for Cron Job
aide_hour: 11
# Minute value for Cron Job
aide_minute: 30
# Email address to send reports on Cron Job
aide_email: ''
# Full POSIX path to mail binary
aide_mua_path: /bin/mail

0
tripleo_ansible/roles/aide/files/.gitkeep

15
tripleo_ansible/roles/aide/handlers/main.yml

@ -0,0 +1,15 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

44
tripleo_ansible/roles/aide/meta/main.yml

@ -0,0 +1,44 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
galaxy_info:
author: OpenStack
description: TripleO OpenStack Role -- aide
company: Red Hat
license: Apache-2.0
min_ansible_version: 2.7
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
platforms:
- name: Fedora
versions:
- 28
- name: CentOS
versions:
- 7
galaxy_tags:
- tripleo
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
dependencies: []

37
tripleo_ansible/roles/aide/molecule/default/Dockerfile

@ -0,0 +1,37 @@
# Molecule managed
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]

48
tripleo_ansible/roles/aide/molecule/default/molecule.yml

@ -0,0 +1,48 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
dockerfile: Dockerfile
pkg_extras: python-setuptools
easy_install:
- pip
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: fedora28
hostname: fedora28
image: fedora:28
dockerfile: Dockerfile
pkg_extras: python*-setuptools
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
lint:
enabled: false
verifier:
name: testinfra
lint:
name: flake8

24
tripleo_ansible/roles/aide/molecule/default/playbook.yml

@ -0,0 +1,24 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
roles:
- role: "aide"
post_tasks:
- include_role:
name: aide # Role is include as a post task to test upgrade logic

26
tripleo_ansible/roles/aide/molecule/default/prepare.yml

@ -0,0 +1,26 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
roles:
- role: test_deps
post_tasks:
- name: Ensure cronie is installed
package:
name: cronie
state: present

15
tripleo_ansible/roles/aide/molecule/default/verify.yml

@ -0,0 +1,15 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

94
tripleo_ansible/roles/aide/tasks/aide_config.yml

@ -0,0 +1,94 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Check for aide db
stat:
path: "{{ aide_db_path }}"
register: aide_db_path_check
- name: Ensure aide DB config is set
lineinfile:
path: "{{ aide_conf_path }}"
line: "{{ item.line }}"
create: true
when:
- item.condition | bool
with_items:
- line: "database=file:{{ aide_db_path }}"
condition: true
- line: "database_out=file:{{ aide_db_temp_path }}"
condition: "{{ not (aide_db_path_check.stat.exists | bool) }}"
- line: "database_new=file:{{ aide_db_temp_path }}"
condition: "{{ not (aide_db_path_check.stat.exists | bool) }}"
- name: Initialize aide database
command: >-
/usr/sbin/aide --init --config {{ aide_conf_path }}
changed_when: false
no_log: true
args:
creates: "{{ aide_db_path }}"
- name: Check for tmp aide db
stat:
path: "{{ aide_db_temp_path }}"
register: aide_db_temp_path_check
- name: Copy aide db
copy:
src: "{{ aide_db_temp_path }}"
dest: "{{ aide_db_path }}"
remote_src: true
when:
- aide_db_temp_path_check.stat.exists | bool
- not (aide_db_path_check.stat.exists | bool)
- name: Set aide command fact with email
set_fact:
aide_command: >-
/usr/sbin/aide
--check
--config {{ aide_conf_path }}
| {{ aide_mua_path }}
-s '{{ ansible_fqdn }} - AIDE integrity check' {{ aide_email }}
when:
- aide_email.find("v=" ~ "@") == -1
- name: Email aide block
when:
- aide_email.find("v=" ~ "@") != -1
block:
- name: Ensure audit directory exists
file:
path: "/var/log/audit"
state: directory
- name: Set aide command fact
set_fact:
aide_command: >-
/usr/sbin/aide
--check
--config {{ aide_conf_path }}
> /var/log/audit/aide_$(date +%Y-%m-%d).log
- name: Create aide cron entry
cron:
name: "aide"
job: "{{ aide_command }}"
user: "{{ aide_cron_user }}"
hour: "{{ aide_hour | string }}"
minute: "{{ aide_minute | string }}"

23
tripleo_ansible/roles/aide/tasks/aide_install.yml

@ -0,0 +1,23 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Ensure Aide is installed
package:
name: "{{ aide_system_packages }}"
state: present
- include_tasks: aide_config.yml

40
tripleo_ansible/roles/aide/tasks/aide_upgrade.yml

@ -0,0 +1,40 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Ensure Aide is installed and updated
package:
name: "{{ aide_system_packages }}"
state: latest
- name: Initialize aide database
command: >-
/usr/sbin/aide --init --config {{ aide_conf_path }}
changed_when: false
no_log: true
- name: Check for tmp aide db
stat:
path: "{{ aide_db_temp_path }}"
register: aide_db_temp_path_check
- name: Copy new aide db
copy:
src: "{{ aide_db_temp_path }}"
dest: "{{ aide_db_path }}"
remote_src: true
when:
- aide_db_temp_path_check.stat.exists | bool

45
tripleo_ansible/roles/aide/tasks/main.yml

@ -0,0 +1,45 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# "aide" will search for and load any operating system variable file
# found within the "vars/" path. If no OS files are found the task will skip.
- name: Gather variables for each operating system
include_vars: "{{ item }}"
with_first_found:
- skip: true
files:
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_distribution | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
- "{{ ansible_os_family | lower }}.yml"
tags:
- always
- name: Check for aide
stat:
path: "/usr/sbin/aide"
register: aide_path_check
- include_tasks: "aide_install.yml"
when:
- not (aide_path_check.stat.exists | bool)
- include_tasks: "aide_upgrade.yml"
when:
- aide_path_check.stat.exists | bool

22
tripleo_ansible/roles/aide/vars/main.yml

@ -0,0 +1,22 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# While options found within the vars/ path can be overridden using extra
# vars, items within this path are considered part of the role and not
# intended to be modified.
# All variables within this role should have a prefix of "{{ role_name }}"

18
tripleo_ansible/roles/aide/vars/redhat.yml

@ -0,0 +1,18 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
_aide_system_packages:
- aide

8
zuul.d/jobs.yaml

@ -14,6 +14,14 @@
- ^tripleo_ansible/doc/.*
- ^tripleo_ansible/README.rst
- job:
name: tripleo-ansible-centos-7-molecule-aide
parent: tripleo-ansible-centos
files:
- ^tripleo_ansible/roles/aide/.*
vars:
tox_envlist: mol-aide
- job:
name: tripleo-ansible-centos-7-molecule-test_deps
parent: tripleo-ansible-centos

1
zuul.d/layout.yaml

@ -3,6 +3,7 @@
check:
jobs:
- openstack-tox-linters
- tripleo-ansible-centos-7-molecule-aide
- tripleo-ansible-centos-7-molecule-test_deps
- tripleo-ansible-centos-7-molecule-test_json_error_callback
- tripleo-ansible-centos-7-molecule-test_package_action

Loading…
Cancel
Save