Create an aide role

This change imports the aide content from the tripleo-heat-templates
project and creates a role which can be used throughout the tripleo
project ecosystem.

The role will test in docker containers running both fedora28 and
centos7.

Change-Id: I3a34152dd0cd7363a6f138d6e1c6fd0f062a3ac6
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Signed-off-by: Kevin Carter <kecarter@redhat.com>

doc/source/roles/role-aide.rst

@@ -0,0 +1,23 @@
+===========================
+TripleO-Ansible Role - aide
+===========================
+
+This role provides for the following services:
+
+    * aide
+
+
+Default variables
+~~~~~~~~~~~~~~~~~
+
+.. literalinclude:: ../../../tripleo_ansible/roles/aide/defaults/main.yml
+  :language: yaml
+  :start-after: under the License.
+
+
+Example playbook
+~~~~~~~~~~~~~~~~
+
+.. literalinclude:: ../../../tripleo_ansible/roles/aide/molecule/default/playbook.yml
+  :language: yaml
+  :start-after: under the License.

tox.ini

@@ -119,6 +119,12 @@ deps =
     molecule>=2.22rc1
     selinux
 
+[testenv:mol-aide]
+basepython = {[testenv:mol]basepython}
+deps = {[testenv:mol]deps}
+changedir = {toxinidir}/tripleo_ansible/roles/aide
+commands = python -m pytest --color=yes --html={envlogdir}/reports.html --self-contained-html {tty:-s} {toxinidir}/tests/test_molecule.py
+
 [testenv:mol-test_deps]
 basepython={[testenv:mol]basepython}
 deps={[testenv:mol]deps}

tripleo_ansible/roles/aide/README.md

@@ -0,0 +1,4 @@
+Aide
+====
+
+Ansible role to install and configure aide

tripleo_ansible/roles/aide/defaults/main.yml

@@ -0,0 +1,52 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# All variables intended for modification should place placed in this file.
+
+# All variables within this role should have a prefix of "aide"
+aide_debug: false
+
+# Packages installed on the local system. Allows user to define this list
+# otherwise it will inherit from the OS specific variable file(s).
+aide_system_packages: "{{ _aide_system_packages | default([]) }}"
+
+# A hash of Aide rules
+aide_rules: {}
+
+# Aide configuration file
+aide_conf_path: /etc/aide.conf
+
+# Aide integrity database location
+aide_db_path: /var/lib/aide/aide.db
+
+# Aide integrity database temp location
+aide_db_temp_path: /var/lib/aide/aide.db.new
+
+# User which creates and runs the cron job for aide
+aide_cron_user: root
+
+# Hour value for Cron Job
+aide_hour: 11
+
+# Minute value for Cron Job
+aide_minute: 30
+
+# Email address to send reports on Cron Job
+aide_email: ''
+
+# Full POSIX path to mail binary
+aide_mua_path: /bin/mail

tripleo_ansible/roles/aide/handlers/main.yml

@@ -0,0 +1,15 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.

tripleo_ansible/roles/aide/meta/main.yml

@@ -0,0 +1,44 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+galaxy_info:
+  author: OpenStack
+  description: TripleO OpenStack Role -- aide
+  company: Red Hat
+  license: Apache-2.0
+  min_ansible_version: 2.7
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  platforms:
+    - name: Fedora
+      versions:
+        - 28
+    - name: CentOS
+      versions:
+        - 7
+
+  galaxy_tags:
+    - tripleo
+
+
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+dependencies: []

tripleo_ansible/roles/aide/molecule/default/Dockerfile

@@ -0,0 +1,37 @@
+# Molecule managed
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
+    elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+    elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
+    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
+    elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
+
+{% for pkg in item.easy_install | default([]) %}
+# install pip for centos where there is no python-pip rpm in default repos
+RUN easy_install {{ pkg }}
+{% endfor %}
+
+
+CMD ["sh", "-c", "while true; do sleep 10000; done"]

tripleo_ansible/roles/aide/molecule/default/molecule.yml

@@ -0,0 +1,48 @@
+---
+driver:
+  name: docker
+
+log: true
+
+platforms:
+  - name: centos7
+    hostname: centos7
+    image: centos:7
+    dockerfile: Dockerfile
+    pkg_extras: python-setuptools
+    easy_install:
+      - pip
+    environment: &env
+      http_proxy: "{{ lookup('env', 'http_proxy') }}"
+      https_proxy: "{{ lookup('env', 'https_proxy') }}"
+
+  - name: fedora28
+    hostname: fedora28
+    image: fedora:28
+    dockerfile: Dockerfile
+    pkg_extras: python*-setuptools
+    environment:
+      <<: *env
+
+provisioner:
+  name: ansible
+  log: true
+  env:
+    ANSIBLE_STDOUT_CALLBACK: yaml
+
+scenario:
+  test_sequence:
+    - destroy
+    - create
+    - prepare
+    - converge
+    - verify
+    - destroy
+
+lint:
+  enabled: false
+
+verifier:
+  name: testinfra
+  lint:
+    name: flake8

tripleo_ansible/roles/aide/molecule/default/playbook.yml

@@ -0,0 +1,24 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Converge
+  hosts: all
+  roles:
+    - role: "aide"
+  post_tasks:
+    - include_role:
+        name: aide  # Role is include as a post task to test upgrade logic

tripleo_ansible/roles/aide/molecule/default/prepare.yml

@@ -0,0 +1,26 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Prepare
+  hosts: all
+  roles:
+    - role: test_deps
+  post_tasks:
+    - name: Ensure cronie is installed
+      package:
+        name: cronie
+        state: present

tripleo_ansible/roles/aide/molecule/default/verify.yml

@@ -0,0 +1,15 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.

tripleo_ansible/roles/aide/tasks/aide_config.yml

@@ -0,0 +1,94 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Check for aide db
+  stat:
+    path: "{{ aide_db_path }}"
+  register: aide_db_path_check
+
+- name: Ensure aide DB config is set
+  lineinfile:
+    path: "{{ aide_conf_path }}"
+    line: "{{ item.line }}"
+    create: true
+  when:
+    - item.condition | bool
+  with_items:
+    - line: "database=file:{{ aide_db_path }}"
+      condition: true
+    - line: "database_out=file:{{ aide_db_temp_path }}"
+      condition: "{{ not (aide_db_path_check.stat.exists | bool) }}"
+    - line: "database_new=file:{{ aide_db_temp_path }}"
+      condition: "{{ not (aide_db_path_check.stat.exists | bool) }}"
+
+- name: Initialize aide database
+  command: >-
+    /usr/sbin/aide --init --config {{ aide_conf_path }}
+  changed_when: false
+  no_log: true
+  args:
+    creates: "{{ aide_db_path }}"
+
+- name: Check for tmp aide db
+  stat:
+    path: "{{ aide_db_temp_path }}"
+  register: aide_db_temp_path_check
+
+- name: Copy aide db
+  copy:
+    src: "{{ aide_db_temp_path }}"
+    dest: "{{ aide_db_path }}"
+    remote_src: true
+  when:
+    - aide_db_temp_path_check.stat.exists | bool
+    - not (aide_db_path_check.stat.exists | bool)
+
+- name: Set aide command fact with email
+  set_fact:
+    aide_command: >-
+      /usr/sbin/aide
+      --check
+      --config {{ aide_conf_path }}
+      | {{ aide_mua_path }}
+      -s '{{ ansible_fqdn }} - AIDE integrity check' {{ aide_email }}
+  when:
+    - aide_email.find("v=" ~ "@") == -1
+
+- name: Email aide block
+  when:
+    - aide_email.find("v=" ~ "@") != -1
+  block:
+    - name: Ensure audit directory exists
+      file:
+        path: "/var/log/audit"
+        state: directory
+
+    - name: Set aide command fact
+      set_fact:
+        aide_command: >-
+          /usr/sbin/aide
+          --check
+          --config {{ aide_conf_path }}
+          > /var/log/audit/aide_$(date +%Y-%m-%d).log
+
+- name: Create aide cron entry
+  cron:
+    name: "aide"
+    job: "{{ aide_command }}"
+    user: "{{ aide_cron_user }}"
+    hour: "{{ aide_hour | string }}"
+    minute: "{{ aide_minute | string }}"

tripleo_ansible/roles/aide/tasks/aide_install.yml

@@ -0,0 +1,23 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Ensure Aide is installed
+  package:
+    name: "{{ aide_system_packages }}"
+    state: present
+
+- include_tasks: aide_config.yml

tripleo_ansible/roles/aide/tasks/aide_upgrade.yml

@@ -0,0 +1,40 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Ensure Aide is installed and updated
+  package:
+    name: "{{ aide_system_packages }}"
+    state: latest
+
+- name: Initialize aide database
+  command: >-
+    /usr/sbin/aide --init --config {{ aide_conf_path }}
+  changed_when: false
+  no_log: true
+
+- name: Check for tmp aide db
+  stat:
+    path: "{{ aide_db_temp_path }}"
+  register: aide_db_temp_path_check
+
+- name: Copy new aide db
+  copy:
+    src: "{{ aide_db_temp_path }}"
+    dest: "{{ aide_db_path }}"
+    remote_src: true
+  when:
+    - aide_db_temp_path_check.stat.exists | bool

tripleo_ansible/roles/aide/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# "aide" will search for and load any operating system variable file
+# found within the "vars/" path. If no OS files are found the task will skip.
+- name: Gather variables for each operating system
+  include_vars: "{{ item }}"
+  with_first_found:
+    - skip: true
+      files:
+        - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
+        - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+        - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+        - "{{ ansible_distribution | lower }}.yml"
+        - "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
+        - "{{ ansible_os_family | lower }}.yml"
+  tags:
+    - always
+
+- name: Check for aide
+  stat:
+    path: "/usr/sbin/aide"
+  register: aide_path_check
+
+- include_tasks: "aide_install.yml"
+  when:
+    - not (aide_path_check.stat.exists | bool)
+
+- include_tasks: "aide_upgrade.yml"
+  when:
+    - aide_path_check.stat.exists | bool

tripleo_ansible/roles/aide/vars/main.yml

@@ -0,0 +1,22 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# While options found within the vars/ path can be overridden using extra
+# vars, items within this path are considered part of the role and not
+# intended to be modified.
+
+# All variables within this role should have a prefix of "{{ role_name }}"

tripleo_ansible/roles/aide/vars/redhat.yml

@@ -0,0 +1,18 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+_aide_system_packages:
+  - aide

zuul.d/jobs.yaml

@@ -14,6 +14,14 @@
       - ^tripleo_ansible/doc/.*
       - ^tripleo_ansible/README.rst
 
+- job:
+    name: tripleo-ansible-centos-7-molecule-aide
+    parent: tripleo-ansible-centos
+    files:
+      - ^tripleo_ansible/roles/aide/.*
+    vars:
+      tox_envlist: mol-aide
+
 - job:
     name: tripleo-ansible-centos-7-molecule-test_deps
     parent: tripleo-ansible-centos

zuul.d/layout.yaml

@@ -3,6 +3,7 @@
     check:
       jobs:
       - openstack-tox-linters
+      - tripleo-ansible-centos-7-molecule-aide
       - tripleo-ansible-centos-7-molecule-test_deps
       - tripleo-ansible-centos-7-molecule-test_json_error_callback
       - tripleo-ansible-centos-7-molecule-test_package_action