diff --git a/capabilities-map.yaml b/capabilities-map.yaml
index f0380d5321..a00c7c0db8 100644
--- a/capabilities-map.yaml
+++ b/capabilities-map.yaml
@@ -464,7 +464,6 @@ topics:
  requires:
  - overcloud-resource-registry-puppet.yaml
-
  - title: Security
  description: Security Hardening Options
  environment_groups:
@@ -543,6 +542,11 @@ topics:
  environments:
  - file: environments/login-defs.yaml
  title: login.defs Values
+ - title: Advanced Intrusion Detection Environment
+ description: Enable AIDE - Advanced Intrusion Detection Environment
+ environments:
+ - file: environments/aide.yaml
+ title: AIDE Values
  - title: Additional Services
  description:
diff --git a/environments/hyperconverged-ceph.yaml b/environments/hyperconverged-ceph.yaml
index b7d52cc2b4..5986542c25 100644
--- a/environments/hyperconverged-ceph.yaml
+++ b/environments/hyperconverged-ceph.yaml
@@ -14,6 +14,7 @@ resource_registry:
  parameter_defaults:
  ComputeServices:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CertmongerUser
  - OS::TripleO::Services::CephClient
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 9cef418b3f..1067013781 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -112,6 +112,7 @@ resource_registry:
  # services
  OS::TripleO::Services: common/services.yaml
+ OS::TripleO::Services::Aide: OS::Heat::None
  OS::TripleO::Services::Apache: puppet/services/apache.yaml
  OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml
  OS::TripleO::Services::CephMds: OS::Heat::None
diff --git a/puppet/services/aide.yaml b/puppet/services/aide.yaml
new file mode 100644
index 0000000000..e95526129a
--- /dev/null
+++ b/puppet/services/aide.yaml
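Review bot: The new Security group entry in capabilities-map.yaml points at `environments/aide.yaml`, but no such file is added anywhere in this diff, so selecting "AIDE Values" would reference a missing environment unless that file already exists in the tree or lands in a separate change. The registry hunk in overcloud-resource-registry-puppet.j2.yaml maps `OS::TripleO::Services::Aide` to `OS::Heat::None`, so every `ServicesDefault` list that gains the service in the roles/ and roles_data hunks stays a no-op until an environment overrides that mapping; the expected override would be `resource_registry:` / `OS::TripleO::Services::Aide: puppet/services/aide.yaml` (constructed from the paths in this diff). Worth confirming that file exists before merging, or adding it here so the map entry and the service template ship together.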
@@ -0,0 +1,96 @@
+heat_template_version: queens
+description: >
+ Aide service configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ AideConfPath:
+ description: Aide configuration file
+ type: string
+ default: '/etc/aide.conf'
+ AideDBPath:
+ description: Aide integrity database location
+ type: string
+ default: '/var/lib/aide/aide.db'
+ AideDBTempPath:
+ description: Aide integrity database temp location
+ type: string
+ default: '/var/lib/aide/aide.db.new'
+ AideHour:
+ description: Hour value for Cron Job
+ type: number
+ default: 11
+ AideCronUser:
+ description: User which creates and runs the cron job for aide
+ type: string
+ default: 'root'
+ AideMinute:
+ description: Minute value for Cron Job
+ type: number
+ default: 30
+ AideEmail:
+ description: Email address to send reports on Cron Job
+ type: string
+ default: ''
+ AideMuaPath:
+ description: Full POSIX path to mail binary
+ type: string
+ default: '/bin/mail'
+ AideRules:
+ description: A hash of Aide rules
+ type: json
+ default: {}
+
+outputs:
+ role_data:
+ description: Role data for the aide service
+ value:
+ service_name: aide
+ config_settings:
+ tripleo::profile::base::aide::aide_rules: {get_param: AideRules}
+ tripleo::profile::base::aide::aide_conf_path: {get_param: AideConfPath}
+ tripleo::profile::base::aide::aide_db_path: {get_param: AideDBPath}
+ tripleo::profile::base::aide::aide_db_temp_path: {get_param: AideDBTempPath}
+ tripleo::profile::base::aide::cron::aide_cron_user: {get_param: AideCronUser}
+ tripleo::profile::base::aide::cron::aide_hour: {get_param: AideHour}
+ tripleo::profile::base::aide::cron::aide_minute: {get_param: AideMinute}
+ tripleo::profile::base::aide::cron::aide_email: {get_param: AideEmail}
+ tripleo::profile::base::aide::cron::aide_mua_path: {get_param: AideMuaPath}
+ step_config: |
+ include ::tripleo::profile::base::aide
+ upgrade_tasks:
+ - name: Ensure Aide is installed
+ tags: step4
+ yum: name=aide state=latest
+ - name: re-init database
+ tags: step5
+ shell: aide --init --config $(hiera tripleo::profile::base::aide::aide_conf_path)
+ - name: cp-new-aide-db
+ tags: step5
+ shell: /bin/cp -f $(hiera tripleo::profile::base::aide::aide_db_temp_path) $(hiera tripleo::profile::base::aide::aide_db_path)
+
diff --git a/releasenotes/notes/aide-50fc91178430f1a5.yaml b/releasenotes/notes/aide-50fc91178430f1a5.yaml
new file mode 100644
index 0000000000..84fd1fde5a
--- /dev/null
+++ b/releasenotes/notes/aide-50fc91178430f1a5.yaml
@@ -0,0 +1,12 @@
+---
+features:
+ - |
+ Introduces a puppet service to configure AIDE Intrusion
+ Detection. This service init's the database and copies the
+ new database to the active naming. It also sets a cron job,
+ when parameter `AideEmail` is populated, otherwise reports
+ are sent to /var/log/aide/.
+
+ AIDE rules can be supplied as a hash, and should the rules ever
+ be changed, the service will populate the new rules and re-init
+ a fresh integrity database.
diff --git a/roles/BlockStorage.yaml b/roles/BlockStorage.yaml
index 90fa438eb6..abc09a9eaa 100644
--- a/roles/BlockStorage.yaml
+++ b/roles/BlockStorage.yaml
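Review bot: The two step5 tasks at the end of the puppet/services/aide.yaml hunk re-initialise the AIDE database and `cp -f` the fresh one over the active database unconditionally, so whatever the filesystem looks like after the package update becomes the new trusted baseline and the previous baseline is discarded without any check or backup. Keeping the old database preserves its value for later investigation, e.g. a task listed before "re-init database": `- name: archive previous aide db` / `tags: step5` / `shell: test -f $(hiera tripleo::profile::base::aide::aide_db_path) && /bin/cp -p $(hiera tripleo::profile::base::aide::aide_db_path) $(hiera tripleo::profile::base::aide::aide_db_path).pre-upgrade || true`. That tasks sharing a step tag run in list order is inferred from their layout here and should be confirmed against how upgrade_tasks are collected. The `yum: name=aide state=latest` line uses key=value module args where the Ansible convention is native YAML (`name: aide`, `state: latest`), and the `AideDBPath` description could note that the database lives on the monitored host itself, so operators should protect it or keep a copy elsewhere, since a root-level compromise of the node can otherwise rewrite the baseline it is checked against.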
@@ -9,6 +9,7 @@
  - Storage
  - StorageMgmt
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::BlockStorageCinderVolume
  - OS::TripleO::Services::CACerts
diff --git a/roles/CephAll.yaml b/roles/CephAll.yaml
index df4c589937..c1956194b7 100644
--- a/roles/CephAll.yaml
+++ b/roles/CephAll.yaml
@@ -9,6 +9,7 @@
  - StorageMgmt
  HostnameFormatDefault: '%stackname%-ceph-all-%index%'
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CephClient
diff --git a/roles/CephFile.yaml b/roles/CephFile.yaml
index 8ee56d7343..6e117cba82 100644
--- a/roles/CephFile.yaml
+++ b/roles/CephFile.yaml
@@ -9,6 +9,7 @@
  - StorageMgmt
  HostnameFormatDefault: '%stackname%-ceph-file-%index%'
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CephClient
diff --git a/roles/CephObject.yaml b/roles/CephObject.yaml
index 3eea041b04..0102d6c8b1 100644
--- a/roles/CephObject.yaml
+++ b/roles/CephObject.yaml
@@ -9,6 +9,7 @@
  - StorageMgmt
  HostnameFormatDefault: '%stackname%-ceph-object-%index%'
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CephClient
diff --git a/roles/CephStorage.yaml b/roles/CephStorage.yaml
index a079feb06e..cddd0c1b43 100644
--- a/roles/CephStorage.yaml
+++ b/roles/CephStorage.yaml
@@ -8,6 +8,7 @@
  - Storage
  - StorageMgmt
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CephOSD
diff --git a/roles/Compute.yaml b/roles/Compute.yaml
index 4c6c8e350f..ebe5a8df8c 100644
--- a/roles/Compute.yaml
+++ b/roles/Compute.yaml
@@ -21,6 +21,7 @@
  deprecated_server_resource_name: 'NovaCompute'
  disable_upgrade_deployment: True
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CephClient
diff --git a/roles/ComputeHCI.yaml b/roles/ComputeHCI.yaml
index dda912863f..f3c0475682 100644
--- a/roles/ComputeHCI.yaml
+++ b/roles/ComputeHCI.yaml
@@ -11,6 +11,7 @@
  - StorageMgmt
  disable_upgrade_deployment: True
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CephClient
diff --git a/roles/ComputeOvsDpdk.yaml b/roles/ComputeOvsDpdk.yaml
index 685c149c1f..1fd5fe1401 100644
--- a/roles/ComputeOvsDpdk.yaml
+++ b/roles/ComputeOvsDpdk.yaml
@@ -12,6 +12,7 @@
  HostnameFormatDefault: '%stackname%-computeovsdpdk-%index%'
  disable_upgrade_deployment: True
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CephClient
diff --git a/roles/ComputeSriov.yaml b/roles/ComputeSriov.yaml
index fe7a111f4e..096c340b31 100644
--- a/roles/ComputeSriov.yaml
+++ b/roles/ComputeSriov.yaml
@@ -12,6 +12,7 @@
  HostnameFormatDefault: '%stackname%-computesriov-%index%'
  disable_upgrade_deployment: True
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CephClient
diff --git a/roles/Controller.yaml b/roles/Controller.yaml
index f2b0616198..f7a01834f9 100644
--- a/roles/Controller.yaml
+++ b/roles/Controller.yaml
@@ -23,6 +23,7 @@
  deprecated_param_flavor: 'OvercloudControlFlavor'
  deprecated_param_image: 'controllerImage'
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AodhApi
  - OS::TripleO::Services::AodhEvaluator
  - OS::TripleO::Services::AodhListener
diff --git a/roles/ControllerNoCeph.yaml b/roles/ControllerNoCeph.yaml
index f03dcc12da..7aa5394ff1 100644
--- a/roles/ControllerNoCeph.yaml
+++ b/roles/ControllerNoCeph.yaml
@@ -23,6 +23,7 @@
  deprecated_param_flavor: 'OvercloudControlFlavor'
  deprecated_param_image: 'controllerImage'
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AodhApi
  - OS::TripleO::Services::AodhEvaluator
  - OS::TripleO::Services::AodhListener
diff --git a/roles/ControllerOpenstack.yaml b/roles/ControllerOpenstack.yaml
index 5b4a46949e..0324773fc2 100644
--- a/roles/ControllerOpenstack.yaml
+++ b/roles/ControllerOpenstack.yaml
@@ -17,6 +17,7 @@
  - Tenant
  HostnameFormatDefault: '%stackname%-controller-%index%'
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AodhApi
  - OS::TripleO::Services::AodhEvaluator
  - OS::TripleO::Services::AodhListener
diff --git a/roles/Database.yaml b/roles/Database.yaml
index fdd0a4d9d3..f72a4caa78 100644
--- a/roles/Database.yaml
+++ b/roles/Database.yaml
@@ -8,6 +8,7 @@
  - InternalApi
  HostnameFormatDefault: '%stackname%-database-%index%'
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CertmongerUser
diff --git a/roles/HciCephAll.yaml b/roles/HciCephAll.yaml
index 2e5689194a..8ad7bd45df 100644
--- a/roles/HciCephAll.yaml
+++ b/roles/HciCephAll.yaml
@@ -12,6 +12,7 @@
  disable_upgrade_deployment: True
  HostnameFormatDefault: '%stackname%-hci-ceph-all-%index%'
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CephClient
diff --git a/roles/HciCephFile.yaml b/roles/HciCephFile.yaml
index 95c2300e30..ac1ef2c90c 100644
--- a/roles/HciCephFile.yaml
+++ b/roles/HciCephFile.yaml
@@ -12,6 +12,7 @@
  disable_upgrade_deployment: True
  HostnameFormatDefault: '%stackname%-hci-ceph-file-%index%'
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CephClient
diff --git a/roles/HciCephMon.yaml b/roles/HciCephMon.yaml
index 99589e3b99..d22b86ac27 100644
--- a/roles/HciCephMon.yaml
+++ b/roles/HciCephMon.yaml
@@ -12,6 +12,7 @@
  disable_upgrade_deployment: True
  HostnameFormatDefault: '%stackname%-hci-ceph-mon-%index%'
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CephClient
diff --git a/roles/HciCephObject.yaml b/roles/HciCephObject.yaml
index c410bf6fb6..7aef73384d 100644
--- a/roles/HciCephObject.yaml
+++ b/roles/HciCephObject.yaml
@@ -12,6 +12,7 @@
  disable_upgrade_deployment: True
  HostnameFormatDefault: '%stackname%-hci-ceph-object-%index%'
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CephClient
diff --git a/roles/IronicConductor.yaml b/roles/IronicConductor.yaml
index dfc1f41f13..b01d872de5 100644
--- a/roles/IronicConductor.yaml
+++ b/roles/IronicConductor.yaml
@@ -6,6 +6,7 @@
  Ironic Conductor node role
  HostnameFormatDefault: '%stackname%-ironic-%index%'
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CertmongerUser
diff --git a/roles/Messaging.yaml b/roles/Messaging.yaml
index 6949a59624..df50618a56 100644
--- a/roles/Messaging.yaml
+++ b/roles/Messaging.yaml
@@ -8,6 +8,7 @@
  - InternalApi
  HostnameFormatDefault: '%stackname%-messaging-%index%'
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CertmongerUser
diff --git a/roles/Networker.yaml b/roles/Networker.yaml
index 1ee192b12b..2c152fd889 100644
--- a/roles/Networker.yaml
+++ b/roles/Networker.yaml
@@ -9,6 +9,7 @@
  - Tenant
  HostnameFormatDefault: '%stackname%-networker-%index%'
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CertmongerUser
diff --git a/roles/ObjectStorage.yaml b/roles/ObjectStorage.yaml
index 41d9e602ef..9d5cf3ec25 100644
--- a/roles/ObjectStorage.yaml
+++ b/roles/ObjectStorage.yaml
@@ -17,6 +17,7 @@
  deprecated_param_flavor: 'OvercloudSwiftStorageFlavor'
  disable_upgrade_deployment: True
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CertmongerUser
diff --git a/roles/Telemetry.yaml b/roles/Telemetry.yaml
index 973be1e751..e7a23d9672 100644
--- a/roles/Telemetry.yaml
+++ b/roles/Telemetry.yaml
@@ -8,6 +8,7 @@
  - InternalApi
  HostnameFormatDefault: '%stackname%-telemetry-%index%'
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AodhApi
  - OS::TripleO::Services::AodhEvaluator
  - OS::TripleO::Services::AodhListener
diff --git a/roles/Undercloud.yaml b/roles/Undercloud.yaml
index 2fd4b5de78..8b2fc3fbd0 100644
--- a/roles/Undercloud.yaml
+++ b/roles/Undercloud.yaml
@@ -11,6 +11,7 @@
  - primary
  - controller
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::Apache
  - OS::TripleO::Services::Docker
  - OS::TripleO::Services::DockerRegistry
diff --git a/roles_data.yaml b/roles_data.yaml
index 8590c07ace..d799e77deb 100644
--- a/roles_data.yaml
+++ b/roles_data.yaml
@@ -26,6 +26,7 @@
  deprecated_param_flavor: 'OvercloudControlFlavor'
  deprecated_param_image: 'controllerImage'
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AodhApi
  - OS::TripleO::Services::AodhEvaluator
  - OS::TripleO::Services::AodhListener
@@ -178,6 +179,7 @@
  deprecated_server_resource_name: 'NovaCompute'
  disable_upgrade_deployment: True
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CephClient
@@ -230,6 +232,7 @@
  - Storage
  - StorageMgmt
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::BlockStorageCinderVolume
  - OS::TripleO::Services::CACerts
@@ -274,6 +277,7 @@
  deprecated_param_flavor: 'OvercloudSwiftStorageFlavor'
  disable_upgrade_deployment: True
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CertmongerUser
@@ -308,6 +312,7 @@
  - Storage
  - StorageMgmt
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::AuditD
  - OS::TripleO::Services::CACerts
  - OS::TripleO::Services::CephOSD
diff --git a/roles_data_undercloud.yaml b/roles_data_undercloud.yaml
index d01519d681..bded1ee69f 100644
--- a/roles_data_undercloud.yaml
+++ b/roles_data_undercloud.yaml
@@ -14,6 +14,7 @@
  - primary
  - controller
  ServicesDefault:
+ - OS::TripleO::Services::Aide
  - OS::TripleO::Services::Apache
  - OS::TripleO::Services::Docker
  - OS::TripleO::Services::DockerRegistry