Use the new tripleo_auditd ansible role instead of puppet

Since puppet-auditd is deprecated and archived, we have to switch to a
new way of configuring that service.

This patch also cleans deprecated rules/parameters.

Beware of the release note: existing custom configuration must now be
passed as a standard parameter_defaults entry via the AuditdConfig dict.

Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/848758
Change-Id: I0222d32be13d640280d42e3c0956eed352f97e1c
Closes-Bug: #1964733

deployment/auditd/auditd-baremetal-ansible.yaml

@@ -31,14 +31,21 @@ parameters:
     description: Mapping of auditd rules
     type: json
     default: {}
+  AuditdConfig:
+    description: Mapping of auditd configurations
+    type: json
+    default: {}
 
 outputs:
   role_data:
     description: Role data for the auditd service
     value:
       service_name: auditd
-      config_settings:
-        auditd::rules: {get_param: AuditdRules}
-      step_config: |
-        include tripleo::profile::base::auditd
-      upgrade_tasks: []
+      config_settings: {}
+      host_prep_tasks:
+        - name: Install and configure auditd using ansible
+          vars:
+            tripleo_auditd_rules: {get_param: AuditdRules}
+            tripleo_auditd_config: {get_param: AuditdConfig}
+          include_role:
+            name: tripleo_auditd

environments/auditd.yaml

@@ -1,5 +1,5 @@
 resource_registry:
-  OS::TripleO::Services::AuditD: ../deployment/auditd/auditd-baremetal-puppet.yaml
+  OS::TripleO::Services::AuditD: ../deployment/auditd/auditd-baremetal-ansible.yaml
 
 parameter_defaults:
   AuditdRules:
@@ -9,111 +9,108 @@ parameter_defaults:
     'Record attempts to alter time through settimeofday':
       content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules'
       order  : 2
-    'Record Attempts to Alter Time Through stime':
-      content: '-a always,exit -F arch=b64 -S stime -k audit_time_rules'
-      order  : 3
     'Record Attempts to Alter Time Through clock_settime':
       content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules'
-      order  : 4
+      order  : 3
     'Record Attempts to Alter the localtime File':
       content: '-w /etc/localtime -p wa -k audit_time_rules'
-      order  : 5
+      order  : 4
     'Record Events that Modify the Systems Discretionary Access Controls - chmod':
       content: '-a always,exit -F arch=b64 -S chmod  -F auid>=1000 -F auid!=4294967295 -k perm_mod'
-      order  : 5
+      order  : 4
     'Record Events that Modify the Systems Discretionary Access Controls - chown':
       content: '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
-      order  : 6
+      order  : 5
     'Record Events that Modify the Systems Discretionary Access Controls - fchmod':
       content: '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
-      order  : 7
+      order  : 6
     'Record Events that Modify the Systems Discretionary Access Controls - fchmodat':
       content: '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
-      order  : 8
+      order  : 7
     'Record Events that Modify the Systems Discretionary Access Controls - fchown':
       content: '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
-      order  : 9
+      order  : 8
     'Record Events that Modify the Systems Discretionary Access Controls - fchownat':
       content: '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
-      order  : 10
+      order  : 9
     'Record Events that Modify the Systems Discretionary Access Controls - fremovexattr':
       content: '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
-      order  : 11
+      order  : 10
     'Record Events that Modify the Systems Discretionary Access Controls - fsetxattr':
       content: '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
-      order  : 12
+      order  : 11
     'Record Events that Modify the Systems Discretionary Access Controls - lchown':
       content: '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
-      order  : 13
+      order  : 12
     'Record Events that Modify the Systems Discretionary Access Controls - lremovexattr':
       content: '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
-      order  : 14
+      order  : 13
     'Record Events that Modify the Systems Discretionary Access Controls - lsetxattr':
       content: '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
-      order  : 15
+      order  : 14
     'Record Events that Modify the Systems Discretionary Access Controls - removexattr':
       content: '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
-      order  : 16
+      order  : 15
     'Record Events that Modify the Systems Discretionary Access Controls - setxattr':
       content: '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
-      order  : 17
+      order  : 16
     'Record Events that Modify User/Group Information - /etc/group':
       content: '-w /etc/group -p wa -k audit_rules_usergroup_modification'
-      order  : 18
+      order  : 17
     'Record Events that Modify User/Group Information - /etc/passwd':
       content: '-w /etc/passwd -p wa -k audit_rules_usergroup_modification'
-      order  : 19
+      order  : 18
     'Record Events that Modify User/Group Information - /etc/gshadow':
       content: '-w /etc/gshadow -p wa -k audit_rules_usergroup_modification'
-      order  : 20
+      order  : 19
     'Record Events that Modify User/Group Information - /etc/shadow':
       content: '-w /etc/shadow -p wa -k audit_rules_usergroup_modification'
-      order  : 21
+      order  : 20
     'Record Events that Modify User/Group Information - /etc/opasswd':
       content: '-w /etc/opasswd -p wa -k audit_rules_usergroup_modification'
-      order  : 22
+      order  : 21
     'Record Events that Modify the Systems Network Environment - sethostname / setdomainname':
       content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification'
-      order  : 23
+      order  : 22
     'Record Events that Modify the Systems Network Environment - /etc/issue':
       content: '-w /etc/issue -p wa -k audit_rules_networkconfig_modification'
-      order  : 24
+      order  : 23
     'Record Events that Modify the Systems Network Environment - /etc/issue.net':
       content: '-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification'
-      order  : 25
+      order  : 24
     'Record Events that Modify the Systems Network Environment - /etc/hosts':
       content: '-w /etc/hosts -p wa -k audit_rules_networkconfig_modification'
-      order  : 26
+      order  : 25
     'Record Events that Modify the Systems Network Environment - /etc/sysconfig/network':
       content: '-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification'
-      order  : 27
+      order  : 26
     'Record Events that Modify the Systems Mandatory Access Controls':
       content: '-w /etc/selinux/ -p wa -k MAC-policy'
-      order  : 28
+      order  : 27
     'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EACCES)':
       content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
-      order  : 29
+      order  : 28
     'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EPERM)':
       content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
-      order  : 30
+      order  : 29
     'Ensure auditd Collects Information on the Use of Privileged Commands':
-      content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged'
-      order  : 31
+      content: '-a always,exit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged'
+      order  : 30
     'Ensure auditd Collects Information on Exporting to Media (successful)':
       content: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export'
-      order  : 32
+      order  : 31
     'Ensure auditd Collects File Deletion Events by User':
       content: '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
-      order  : 33
+      order  : 32
     'Ensure auditd Collects System Administrator Actions':
       content: '-w /etc/sudoers -p wa -k actions'
-      order  : 34
+      order  : 33
     'Ensure auditd Collects Information on Kernel Module Loading and Unloading (insmod)':
       content: '-w /usr/sbin/insmod -p x -k modules'
-      order  : 35
+      order  : 34
     'Ensure auditd Collects Information on Kernel Module Loading and Unloading (rmmod)':
       content: '-w /usr/sbin/rmmod -p x -k modules'
-      order  : 36
+      order  : 35
     'Ensure auditd Collects Information on Kernel Module Loading and Unloading (modprobe)':
       content: '-w /usr/sbin/modprobe -p x -k modules'
-      order  : 37
+      order  : 36

releasenotes/notes/auditd-to-ansible-f39bd119bf25320e.yaml

@@ -0,0 +1,13 @@
+---
+upgrade:
+  - |
+    Operators using the audit service must change the way they provide custom
+    configuration, and use a new "AuditdConfig" dict in the parameter_defaults
+deprecations:
+  - |
+    All of the hiera value for the service configuration are deprecated, and
+    replaced by a new "AuditdConfig" dict to be passed in the
+    parameter_defaults
+fixes:
+  - |
+    This fixes LP#1964733 and the deprecation/abandon of puppet-auditd module.