Use the new tripleo_auditd ansible role instead of puppet
Since puppet-auditd is deprecated and archived, we have to switch to a new way of configuring that service. This patch also cleans deprecated rules/parameters. Beware of the release note: existing custom configuration must now be passed as a standard parameter_defaults entry via the AuditdConfig dict. Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/848758 Change-Id: I0222d32be13d640280d42e3c0956eed352f97e1c Closes-Bug: #1964733
parent
01f4583111
commit
8a5e9e68dd
|
@ -31,14 +31,21 @@ parameters:
|
|||
description: Mapping of auditd rules
|
||||
type: json
|
||||
default: {}
|
||||
AuditdConfig:
|
||||
description: Mapping of auditd configurations
|
||||
type: json
|
||||
default: {}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the auditd service
|
||||
value:
|
||||
service_name: auditd
|
||||
config_settings:
|
||||
auditd::rules: {get_param: AuditdRules}
|
||||
step_config: |
|
||||
include tripleo::profile::base::auditd
|
||||
upgrade_tasks: []
|
||||
config_settings: {}
|
||||
host_prep_tasks:
|
||||
- name: Install and configure auditd using ansible
|
||||
vars:
|
||||
tripleo_auditd_rules: {get_param: AuditdRules}
|
||||
tripleo_auditd_config: {get_param: AuditdConfig}
|
||||
include_role:
|
||||
name: tripleo_auditd
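Review bot: The new `AuditdConfig` parameter is declared as `type: json` with `default: {}` and only the description "Mapping of auditd configurations", so an operator cannot tell which keys it accepts or that it replaces the earlier hiera-based settings. With `config_settings: {}` and the puppet `step_config` gone, any auditd settings still supplied through hiera are presumably no longer applied, and nothing in this template reports that. I would expand the description to something like `description: Mapping of auditd configuration options, passed to the tripleo_auditd role as tripleo_auditd_config. Replaces the former hiera-based settings, which this template no longer consumes.` The accepted keys are defined by the role and are not visible here, so the wording should be checked against it. The `parameters:` block starts above this hunk.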
|
|
@ -1,5 +1,5 @@
|
|||
resource_registry:
|
||||
OS::TripleO::Services::AuditD: ../deployment/auditd/auditd-baremetal-puppet.yaml
|
||||
OS::TripleO::Services::AuditD: ../deployment/auditd/auditd-baremetal-ansible.yaml
|
||||
|
||||
parameter_defaults:
|
||||
AuditdRules:
|
||||
|
@ -9,111 +9,108 @@ parameter_defaults:
|
|||
'Record attempts to alter time through settimeofday':
|
||||
content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules'
|
||||
order : 2
|
||||
'Record Attempts to Alter Time Through stime':
|
||||
content: '-a always,exit -F arch=b64 -S stime -k audit_time_rules'
|
||||
order : 3
|
||||
'Record Attempts to Alter Time Through clock_settime':
|
||||
content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules'
|
||||
order : 4
|
||||
order : 3
|
||||
'Record Attempts to Alter the localtime File':
|
||||
content: '-w /etc/localtime -p wa -k audit_time_rules'
|
||||
order : 5
|
||||
order : 4
|
||||
'Record Events that Modify the Systems Discretionary Access Controls - chmod':
|
||||
content: '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||
order : 5
|
||||
order : 4
|
||||
'Record Events that Modify the Systems Discretionary Access Controls - chown':
|
||||
content: '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||
order : 6
|
||||
order : 5
|
||||
'Record Events that Modify the Systems Discretionary Access Controls - fchmod':
|
||||
content: '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||
order : 7
|
||||
order : 6
|
||||
'Record Events that Modify the Systems Discretionary Access Controls - fchmodat':
|
||||
content: '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||
order : 8
|
||||
order : 7
|
||||
'Record Events that Modify the Systems Discretionary Access Controls - fchown':
|
||||
content: '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||
order : 9
|
||||
order : 8
|
||||
'Record Events that Modify the Systems Discretionary Access Controls - fchownat':
|
||||
content: '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||
order : 10
|
||||
order : 9
|
||||
'Record Events that Modify the Systems Discretionary Access Controls - fremovexattr':
|
||||
content: '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||
order : 11
|
||||
order : 10
|
||||
'Record Events that Modify the Systems Discretionary Access Controls - fsetxattr':
|
||||
content: '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||
order : 12
|
||||
order : 11
|
||||
'Record Events that Modify the Systems Discretionary Access Controls - lchown':
|
||||
content: '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||
order : 13
|
||||
order : 12
|
||||
'Record Events that Modify the Systems Discretionary Access Controls - lremovexattr':
|
||||
content: '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||
order : 14
|
||||
order : 13
|
||||
'Record Events that Modify the Systems Discretionary Access Controls - lsetxattr':
|
||||
content: '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||
order : 15
|
||||
order : 14
|
||||
'Record Events that Modify the Systems Discretionary Access Controls - removexattr':
|
||||
content: '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||
order : 16
|
||||
order : 15
|
||||
'Record Events that Modify the Systems Discretionary Access Controls - setxattr':
|
||||
content: '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||
order : 17
|
||||
order : 16
|
||||
'Record Events that Modify User/Group Information - /etc/group':
|
||||
content: '-w /etc/group -p wa -k audit_rules_usergroup_modification'
|
||||
order : 18
|
||||
order : 17
|
||||
'Record Events that Modify User/Group Information - /etc/passwd':
|
||||
content: '-w /etc/passwd -p wa -k audit_rules_usergroup_modification'
|
||||
order : 19
|
||||
order : 18
|
||||
'Record Events that Modify User/Group Information - /etc/gshadow':
|
||||
content: '-w /etc/gshadow -p wa -k audit_rules_usergroup_modification'
|
||||
order : 20
|
||||
order : 19
|
||||
'Record Events that Modify User/Group Information - /etc/shadow':
|
||||
content: '-w /etc/shadow -p wa -k audit_rules_usergroup_modification'
|
||||
order : 21
|
||||
order : 20
|
||||
'Record Events that Modify User/Group Information - /etc/opasswd':
|
||||
content: '-w /etc/opasswd -p wa -k audit_rules_usergroup_modification'
|
||||
order : 22
|
||||
order : 21
|
||||
'Record Events that Modify the Systems Network Environment - sethostname / setdomainname':
|
||||
content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification'
|
||||
order : 23
|
||||
order : 22
|
||||
'Record Events that Modify the Systems Network Environment - /etc/issue':
|
||||
content: '-w /etc/issue -p wa -k audit_rules_networkconfig_modification'
|
||||
order : 24
|
||||
order : 23
|
||||
'Record Events that Modify the Systems Network Environment - /etc/issue.net':
|
||||
content: '-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification'
|
||||
order : 25
|
||||
order : 24
|
||||
'Record Events that Modify the Systems Network Environment - /etc/hosts':
|
||||
content: '-w /etc/hosts -p wa -k audit_rules_networkconfig_modification'
|
||||
order : 26
|
||||
order : 25
|
||||
'Record Events that Modify the Systems Network Environment - /etc/sysconfig/network':
|
||||
content: '-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification'
|
||||
order : 27
|
||||
order : 26
|
||||
'Record Events that Modify the Systems Mandatory Access Controls':
|
||||
content: '-w /etc/selinux/ -p wa -k MAC-policy'
|
||||
order : 28
|
||||
order : 27
|
||||
'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EACCES)':
|
||||
content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
|
||||
order : 29
|
||||
order : 28
|
||||
'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EPERM)':
|
||||
content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
|
||||
order : 30
|
||||
order : 29
|
||||
'Ensure auditd Collects Information on the Use of Privileged Commands':
|
||||
content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged'
|
||||
order : 31
|
||||
content: '-a always,exit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged'
|
||||
order : 30
|
||||
'Ensure auditd Collects Information on Exporting to Media (successful)':
|
||||
content: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export'
|
||||
order : 32
|
||||
order : 31
|
||||
'Ensure auditd Collects File Deletion Events by User':
|
||||
content: '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
|
||||
order : 33
|
||||
order : 32
|
||||
'Ensure auditd Collects System Administrator Actions':
|
||||
content: '-w /etc/sudoers -p wa -k actions'
|
||||
order : 34
|
||||
order : 33
|
||||
'Ensure auditd Collects Information on Kernel Module Loading and Unloading (insmod)':
|
||||
content: '-w /usr/sbin/insmod -p x -k modules'
|
||||
order : 35
|
||||
order : 34
|
||||
'Ensure auditd Collects Information on Kernel Module Loading and Unloading (rmmod)':
|
||||
content: '-w /usr/sbin/rmmod -p x -k modules'
|
||||
order : 36
|
||||
order : 35
|
||||
'Ensure auditd Collects Information on Kernel Module Loading and Unloading (modprobe)':
|
||||
content: '-w /usr/sbin/modprobe -p x -k modules'
|
||||
order : 37
|
||||
order : 36
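Review bot: The rewritten 'Ensure auditd Collects Information on the Use of Privileged Commands' rule (the one renumbered to order 30, so presumably the new side) drops `-F path=SETUID_PROG_PATH` but keeps `-F perm=x` with no `-F path=`, `-F dir=`, `-S` or `-F arch=`, so it is no longer scoped to setuid/setgid programs. Depending on how auditctl treats a `perm` filter without a watch, the rule is either refused at load time or matches execute access by every login user under the `privileged` key, which hides the events the rule is named for and inflates the audit log. Removing the unsubstituted placeholder is reasonable, but the default should then be one rule per privileged binary, for example `content: '-a always,exit -F path=<setuid binary path> -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged'`. Otherwise the rule should be left out of the shipped defaults, with a comment telling operators to generate these entries per host. Separately, every syscall rule in this file is `arch=b64` only, so 32-bit syscall entry is not covered; that predates this change.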
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
upgrade:
|
||||
- |
|
||||
Operators using the audit service must change the way they provide custom
|
||||
configuration, and use a new "AuditdConfig" dict in the parameter_defaults
|
||||
deprecations:
|
||||
- |
|
||||
All of the hiera value for the service configuration are deprecated, and
|
||||
replaced by a new "AuditdConfig" dict to be passed in the
|
||||
parameter_defaults
|
||||
fixes:
|
||||
- |
|
||||
This fixes LP#1964733 and the deprecation/abandon of puppet-auditd module.
|