Implements AIDE Intrusion Detection System

Introduces a service to configure AIDE Intrusion Detection.

This service init's the database and copies the new database
to the active naming. It also sets a cron job, using email if
`AideEmail` is populated, otherwise the reports are sent to
`/var/log/aide/`.

AIDE rules can be supplied as a hash, and should the rules ever
be changed, the service will populate the new rules and re-init
a fresh integrity database.

Related-Blueprint: tripleo-aide-database
Depends-On: Iac2ceb7fc6b610f8920ae6f75faa2885f3edf6eb
Change-Id: I23d8ba2c43e907372fe079026df1fca5fa1c9881

capabilities-map.yaml

@@ -464,7 +464,6 @@ topics:
             requires:
               - overcloud-resource-registry-puppet.yaml
 
-
   - title: Security
     description: Security Hardening Options
     environment_groups:
@@ -543,6 +542,11 @@ topics:
         environments:
           - file: environments/login-defs.yaml
             title: login.defs Values
+      - title: Advanced Intrusion Detection Environment
+        description: Enable AIDE - Advanced Intrusion Detection Environment
+        environments:
+          - file: environments/aide.yaml
+            title: AIDE Values
 
   - title: Additional Services
     description:

environments/hyperconverged-ceph.yaml

@@ -14,6 +14,7 @@ resource_registry:
 
 parameter_defaults:
   ComputeServices:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephClient

overcloud-resource-registry-puppet.j2.yaml

@@ -113,6 +113,7 @@ resource_registry:
 
   # services
   OS::TripleO::Services: common/services.yaml
+  OS::TripleO::Services::Aide: OS::Heat::None
   OS::TripleO::Services::Apache: puppet/services/apache.yaml
   OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml
   OS::TripleO::Services::CephMds: OS::Heat::None

puppet/services/aide.yaml

@@ -0,0 +1,96 @@
+heat_template_version: queens
+description: >
+  Aide service configured with Puppet
+
+parameters:
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  AideConfPath:
+    description: Aide configuration file
+    type: string
+    default: '/etc/aide.conf'
+  AideDBPath:
+    description: Aide integrity database location
+    type: string
+    default: '/var/lib/aide/aide.db'
+  AideDBTempPath:
+    description: Aide integrity database temp location
+    type: string
+    default: '/var/lib/aide/aide.db.new'
+  AideHour:
+    description: Hour value for Cron Job
+    type: number
+    default: 11
+  AideCronUser:
+    description: User which creates and runs the cron job for aide
+    type: string
+    default: 'root'
+  AideMinute:
+    description: Minute value for Cron Job
+    type: number
+    default: 30
+  AideEmail:
+    description: Email address to send reports on Cron Job
+    type: string
+    default: ''
+  AideMuaPath:
+    description: Full POSIX path to mail binary
+    type: string
+    default: '/bin/mail'
+  AideRules:
+    description: A hash of Aide rules
+    type: json
+    default: {}
+
+outputs:
+  role_data:
+    description: Role data for the aide service
+    value:
+      service_name: aide
+      config_settings:
+        tripleo::profile::base::aide::aide_rules: {get_param: AideRules}
+        tripleo::profile::base::aide::aide_conf_path: {get_param: AideConfPath}
+        tripleo::profile::base::aide::aide_db_path: {get_param: AideDBPath}
+        tripleo::profile::base::aide::aide_db_temp_path: {get_param: AideDBTempPath}
+        tripleo::profile::base::aide::cron::aide_cron_user: {get_param: AideCronUser}
+        tripleo::profile::base::aide::cron::aide_hour: {get_param: AideHour}
+        tripleo::profile::base::aide::cron::aide_minute: {get_param: AideMinute}
+        tripleo::profile::base::aide::cron::aide_email: {get_param: AideEmail}
+        tripleo::profile::base::aide::cron::aide_mua_path: {get_param: AideMuaPath}
+      step_config: |
+        include ::tripleo::profile::base::aide
+      upgrade_tasks:
+       - name: Ensure Aide is installed
+         tags: step4
+         yum: name=aide state=latest
+       - name: re-init database
+         tags: step5
+         shell: aide --init --config $(hiera tripleo::profile::base::aide::aide_conf_path)
+       - name: cp-new-aide-db
+         tags: step5
+         shell: /bin/cp -f $(hiera tripleo::profile::base::aide::aide_db_temp_path) $(hiera tripleo::profile::base::aide::aide_db_path)
+

releasenotes/notes/aide-50fc91178430f1a5.yaml

@@ -0,0 +1,12 @@
+---
+features:
+  - |
+    Introduces a puppet service to configure AIDE Intrusion
+    Detection. This service init's the database and copies the
+    new database to the active naming. It also sets a cron job,
+    when parameter `AideEmail` is populated, otherwise reports
+    are sent to /var/log/aide/.
+
+    AIDE rules can be supplied as a hash, and should the rules ever
+    be changed, the service will populate the new rules and re-init
+    a fresh integrity database.

roles/BlockStorage.yaml

@@ -9,6 +9,7 @@
     - Storage
     - StorageMgmt
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::BlockStorageCinderVolume
     - OS::TripleO::Services::CACerts

roles/CephAll.yaml

@@ -9,6 +9,7 @@
     - StorageMgmt
   HostnameFormatDefault: '%stackname%-ceph-all-%index%'
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CephClient

roles/CephFile.yaml

@@ -9,6 +9,7 @@
     - StorageMgmt
   HostnameFormatDefault: '%stackname%-ceph-file-%index%'
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CephClient

roles/CephObject.yaml

@@ -9,6 +9,7 @@
     - StorageMgmt
   HostnameFormatDefault: '%stackname%-ceph-object-%index%'
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CephClient

roles/CephStorage.yaml

@@ -8,6 +8,7 @@
     - Storage
     - StorageMgmt
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CephOSD

roles/Compute.yaml

@@ -21,6 +21,7 @@
   deprecated_server_resource_name: 'NovaCompute'
   disable_upgrade_deployment: True
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CephClient

roles/ComputeHCI.yaml

@@ -11,6 +11,7 @@
     - StorageMgmt
   disable_upgrade_deployment: True
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CephClient

roles/ComputeOvsDpdk.yaml

@@ -12,6 +12,7 @@
   HostnameFormatDefault: '%stackname%-computeovsdpdk-%index%'
   disable_upgrade_deployment: True
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CephClient

roles/ComputeSriov.yaml

@@ -12,6 +12,7 @@
   HostnameFormatDefault: '%stackname%-computesriov-%index%'
   disable_upgrade_deployment: True
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CephClient

roles/Controller.yaml

@@ -23,6 +23,7 @@
   deprecated_param_flavor: 'OvercloudControlFlavor'
   deprecated_param_image: 'controllerImage'
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AodhApi
     - OS::TripleO::Services::AodhEvaluator
     - OS::TripleO::Services::AodhListener

roles/ControllerNoCeph.yaml

@@ -23,6 +23,7 @@
   deprecated_param_flavor: 'OvercloudControlFlavor'
   deprecated_param_image: 'controllerImage'
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AodhApi
     - OS::TripleO::Services::AodhEvaluator
     - OS::TripleO::Services::AodhListener

roles/ControllerOpenstack.yaml

@@ -17,6 +17,7 @@
     - Tenant
   HostnameFormatDefault: '%stackname%-controller-%index%'
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AodhApi
     - OS::TripleO::Services::AodhEvaluator
     - OS::TripleO::Services::AodhListener

roles/Database.yaml

@@ -8,6 +8,7 @@
     - InternalApi
   HostnameFormatDefault: '%stackname%-database-%index%'
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CertmongerUser

roles/HciCephAll.yaml

@@ -12,6 +12,7 @@
   disable_upgrade_deployment: True
   HostnameFormatDefault: '%stackname%-hci-ceph-all-%index%'
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CephClient

roles/HciCephFile.yaml

@@ -12,6 +12,7 @@
   disable_upgrade_deployment: True
   HostnameFormatDefault: '%stackname%-hci-ceph-file-%index%'
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CephClient

roles/HciCephMon.yaml

@@ -12,6 +12,7 @@
   disable_upgrade_deployment: True
   HostnameFormatDefault: '%stackname%-hci-ceph-mon-%index%'
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CephClient

roles/HciCephObject.yaml

@@ -12,6 +12,7 @@
   disable_upgrade_deployment: True
   HostnameFormatDefault: '%stackname%-hci-ceph-object-%index%'
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CephClient

roles/IronicConductor.yaml

@@ -6,6 +6,7 @@
     Ironic Conductor node role
   HostnameFormatDefault: '%stackname%-ironic-%index%'
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CertmongerUser

roles/Messaging.yaml

@@ -8,6 +8,7 @@
     - InternalApi
   HostnameFormatDefault: '%stackname%-messaging-%index%'
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CertmongerUser

roles/Networker.yaml

@@ -9,6 +9,7 @@
     - Tenant
   HostnameFormatDefault: '%stackname%-networker-%index%'
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CertmongerUser

roles/ObjectStorage.yaml

@@ -17,6 +17,7 @@
   deprecated_param_flavor: 'OvercloudSwiftStorageFlavor'
   disable_upgrade_deployment: True
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CertmongerUser

roles/Telemetry.yaml

@@ -8,6 +8,7 @@
     - InternalApi
   HostnameFormatDefault: '%stackname%-telemetry-%index%'
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AodhApi
     - OS::TripleO::Services::AodhEvaluator
     - OS::TripleO::Services::AodhListener

roles/Undercloud.yaml

@@ -11,6 +11,7 @@
     - primary
     - controller
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::Apache
     - OS::TripleO::Services::Docker
     - OS::TripleO::Services::DockerRegistry

roles_data.yaml

@@ -26,6 +26,7 @@
   deprecated_param_flavor: 'OvercloudControlFlavor'
   deprecated_param_image: 'controllerImage'
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AodhApi
     - OS::TripleO::Services::AodhEvaluator
     - OS::TripleO::Services::AodhListener
@@ -178,6 +179,7 @@
   deprecated_server_resource_name: 'NovaCompute'
   disable_upgrade_deployment: True
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CephClient
@@ -230,6 +232,7 @@
     - Storage
     - StorageMgmt
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::BlockStorageCinderVolume
     - OS::TripleO::Services::CACerts
@@ -274,6 +277,7 @@
   deprecated_param_flavor: 'OvercloudSwiftStorageFlavor'
   disable_upgrade_deployment: True
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CertmongerUser
@@ -308,6 +312,7 @@
     - Storage
     - StorageMgmt
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - OS::TripleO::Services::CephOSD

roles_data_undercloud.yaml

@@ -14,6 +14,7 @@
     - primary
     - controller
   ServicesDefault:
+    - OS::TripleO::Services::Aide
     - OS::TripleO::Services::Apache
     - OS::TripleO::Services::Docker
     - OS::TripleO::Services::DockerRegistry