diff --git a/deployment/auditd/auditd-baremetal-puppet.yaml b/deployment/auditd/auditd-baremetal-ansible.yaml
similarity index 72%
rename from deployment/auditd/auditd-baremetal-puppet.yaml
rename to deployment/auditd/auditd-baremetal-ansible.yaml
index 18d218651a..88a0c93fdb 100644
--- a/deployment/auditd/auditd-baremetal-puppet.yaml
+++ b/deployment/auditd/auditd-baremetal-ansible.yaml
@@ -31,14 +31,21 @@ parameters:
 description: Mapping of auditd rules
 type: json
 default: {}
+ AuditdConfig:
+ description: Mapping of auditd configurations
+ type: json
+ default: {}
 outputs:
 role_data:
 description: Role data for the auditd service
 value:
 service_name: auditd
- config_settings:
- auditd::rules: {get_param: AuditdRules}
- step_config: |
- include tripleo::profile::base::auditd
- upgrade_tasks: []
+ config_settings: {}
+ host_prep_tasks:
+ - name: Install and configure auditd using ansible
+ vars:
+ tripleo_auditd_rules: {get_param: AuditdRules}
+ tripleo_auditd_config: {get_param: AuditdConfig}
+ include_role:
+ name: tripleo_auditd
diff --git a/environments/auditd.yaml b/environments/auditd.yaml
index 820b2d92e1..1b301323a2 100644
--- a/environments/auditd.yaml
+++ b/environments/auditd.yaml
@@ -1,5 +1,5 @@
 resource_registry:
- OS::TripleO::Services::AuditD: ../deployment/auditd/auditd-baremetal-puppet.yaml
+ OS::TripleO::Services::AuditD: ../deployment/auditd/auditd-baremetal-ansible.yaml
 parameter_defaults:
 AuditdRules:
@@ -9,111 +9,108 @@ parameter_defaults:
 'Record attempts to alter time through settimeofday':
 content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules'
 order : 2
- 'Record Attempts to Alter Time Through stime':
 content: '-a always,exit -F arch=b64 -S stime -k audit_time_rules'
- order : 3
 'Record Attempts to Alter Time Through clock_settime':
 content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules'
- order : 4
+ order : 3
 'Record Attempts to Alter the localtime File':
 content: '-w /etc/localtime -p wa -k audit_time_rules'
- order : 5
+ order : 4
 'Record Events that Modify the Systems Discretionary Access Controls - chmod':
 content: '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- order : 5
+ order : 4
 'Record Events that Modify the Systems Discretionary Access Controls - chown':
 content: '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- order : 6
+ order : 5
 'Record Events that Modify the Systems Discretionary Access Controls - fchmod':
 content: '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- order : 7
+ order : 6
 'Record Events that Modify the Systems Discretionary Access Controls - fchmodat':
 content: '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- order : 8
+ order : 7
 'Record Events that Modify the Systems Discretionary Access Controls - fchown':
 content: '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- order : 9
+ order : 8
 'Record Events that Modify the Systems Discretionary Access Controls - fchownat':
 content: '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- order : 10
+ order : 9
 'Record Events that Modify the Systems Discretionary Access Controls - fremovexattr':
 content: '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- order : 11
+ order : 10
 'Record Events that Modify the Systems Discretionary Access Controls - fsetxattr':
 content: '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- order : 12
+ order : 11
 'Record Events that Modify the Systems Discretionary Access Controls - lchown':
 content: '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- order : 13
+ order : 12
 'Record Events that Modify the Systems Discretionary Access Controls - lremovexattr':
 content: '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- order : 14
+ order : 13
 'Record Events that Modify the Systems Discretionary Access Controls - lsetxattr':
 content: '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- order : 15
+ order : 14
 'Record Events that Modify the Systems Discretionary Access Controls - removexattr':
 content: '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- order : 16
+ order : 15
 'Record Events that Modify the Systems Discretionary Access Controls - setxattr':
 content: '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- order : 17
+ order : 16
 'Record Events that Modify User/Group Information - /etc/group':
 content: '-w /etc/group -p wa -k audit_rules_usergroup_modification'
- order : 18
+ order : 17
 'Record Events that Modify User/Group Information - /etc/passwd':
 content: '-w /etc/passwd -p wa -k audit_rules_usergroup_modification'
- order : 19
+ order : 18
 'Record Events that Modify User/Group Information - /etc/gshadow':
 content: '-w /etc/gshadow -p wa -k audit_rules_usergroup_modification'
- order : 20
+ order : 19
 'Record Events that Modify User/Group Information - /etc/shadow':
 content: '-w /etc/shadow -p wa -k audit_rules_usergroup_modification'
- order : 21
+ order : 20
 'Record Events that Modify User/Group Information - /etc/opasswd':
 content: '-w /etc/opasswd -p wa -k audit_rules_usergroup_modification'
- order : 22
+ order : 21
 'Record Events that Modify the Systems Network Environment - sethostname / setdomainname':
 content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification'
- order : 23
+ order : 22
 'Record Events that Modify the Systems Network Environment - /etc/issue':
 content: '-w /etc/issue -p wa -k audit_rules_networkconfig_modification'
- order : 24
+ order : 23
 'Record Events that Modify the Systems Network Environment - /etc/issue.net':
 content: '-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification'
- order : 25
+ order : 24
 'Record Events that Modify the Systems Network Environment - /etc/hosts':
 content: '-w /etc/hosts -p wa -k audit_rules_networkconfig_modification'
- order : 26
+ order : 25
 'Record Events that Modify the Systems Network Environment - /etc/sysconfig/network':
 content: '-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification'
- order : 27
+ order : 26
 'Record Events that Modify the Systems Mandatory Access Controls':
 content: '-w /etc/selinux/ -p wa -k MAC-policy'
- order : 28
+ order : 27
 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EACCES)':
 content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
- order : 29
+ order : 28
 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EPERM)':
 content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- order : 30
+ order : 29
 'Ensure auditd Collects Information on the Use of Privileged Commands':
- content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged'
- order : 31
+ content: '-a always,exit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged'
+ order : 30
 'Ensure auditd Collects Information on Exporting to Media (successful)':
 content: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export'
- order : 32
+ order : 31
 'Ensure auditd Collects File Deletion Events by User':
 content: '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
- order : 33
+ order : 32
 'Ensure auditd Collects System Administrator Actions':
 content: '-w /etc/sudoers -p wa -k actions'
- order : 34
+ order : 33
 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (insmod)':
 content: '-w /usr/sbin/insmod -p x -k modules'
- order : 35
+ order : 34
 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (rmmod)':
 content: '-w /usr/sbin/rmmod -p x -k modules'
- order : 36
+ order : 35
 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (modprobe)':
 content: '-w /usr/sbin/modprobe -p x -k modules'
- order : 37
+ order : 36
diff --git a/releasenotes/notes/auditd-to-ansible-f39bd119bf25320e.yaml b/releasenotes/notes/auditd-to-ansible-f39bd119bf25320e.yaml
new file mode 100644
index 0000000000..6fa75bec15
--- /dev/null
+++ b/releasenotes/notes/auditd-to-ansible-f39bd119bf25320e.yaml
@@ -0,0 +1,13 @@
+---
+upgrade:
+ - |
+ Operators using the audit service must change the way they provide custom
+ configuration, and use a new "AuditdConfig" dict in the parameter_defaults
+deprecations:
+ - |
+ All of the hiera value for the service configuration are deprecated, and
+ replaced by a new "AuditdConfig" dict to be passed in the
+ parameter_defaults
+fixes:
+ - |
+ This fixes LP#1964733 and the deprecation/abandon of puppet-auditd module.
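Review bot: The new `AuditdConfig` parameter carries only a one-line description, so an operator reading the template cannot tell which keys it accepts or that its value is handed unchanged to the `tripleo_auditd` role as `tripleo_auditd_config`; replace the description with something like `description: >-` / `  Mapping of auditd.conf settings, passed verbatim to the tripleo_auditd role as tripleo_auditd_config; see that role for the accepted keys.` In the same hunk, `config_settings` becomes `{}`, which means any `auditd::*` hiera values operators still set via ExtraConfig are silently dropped rather than migrated — the release note deprecates them, but nothing in the template says so, so a comment above `config_settings: {}` such as `# Legacy auditd::* hiera keys are no longer consumed; use AuditdRules / AuditdConfig.` would make the break visible where it happens. Whether the role validates the shape of either mapping is not visible from this hunk and is worth confirming, since `type: json` accepts any JSON value, not only a dict.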
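Review bot: The rewritten 'Ensure auditd Collects Information on the Use of Privileged Commands' rule drops the `-F path=` filter, so `-a always,exit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged` is no longer scoped to setuid/setgid binaries and, assuming auditctl accepts a `perm=` filter without a path, would record every execution by every interactive user; the rule titles in this file appear to follow the SCAP Security Guide, which expects one `-F path=<program>` rule per privileged binary rather than a single unfiltered rule. Either leave this entry out of the default environment and document that operators supply per-binary rules through AuditdRules, or have the role expand it from a list of privileged programs, and in either case add a comment above the rule stating the intent, e.g. `# Placeholder: scope with -F path=<setuid binary>, one rule per program.` Separately, the renumbering leaves 'Record Attempts to Alter the localtime File' and the chmod rule both at `order : 4` (they were both 5 before this change), so their relative position in the generated rules file depends on the role's sort stability; giving them distinct values removes that ambiguity. The `order :` spacing before the colon is pre-existing and consistent across the file, though yamllint would flag it.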