openstack/tripleo-heat-templates
Code Issues Proposed changes

Merge "Add AuditD composable service"

Browse Source
This commit is contained in:
Jenkins 2017-01-27 22:04:18 +00:00 committed by Gerrit Code Review
commit 8a646686ed
6 changed files with 184 additions and 0 deletions

16
capabilities-map.yaml

@ -541,6 +541,14 @@ topics:
- title: Security Options
description: Security Hardening Options
environment_groups:
- title: SSH Banner Text
description: Enables population of SSH Banner Text
environments:
- file: environments/sshd-banner.yaml
title: SSH Banner Text
description:
requires:
- overcloud-resource-registry-puppet.yaml
- title: Horizon Password Validation
description: Enable Horizon Password validation
environments:
@ -549,3 +557,11 @@ topics:
description:
requires:
- overcloud-resource-registry-puppet.yaml
- title: AuditD Rules
description: Management of AuditD rules
environments:
- file: environments/auditd.yaml
title: AuditD Rule Management
description:
requires:
- overcloud-resource-registry-puppet.yaml

119
environments/auditd.yaml Normal file

@ -0,0 +1,119 @@
resource_registry:
OS::TripleO::Services::AuditD: ../puppet/services/auditd.yaml
parameter_defaults:
AuditdRules:
'Record attempts to alter time through adjtimex':
content: '-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules'
order : 1
'Record attempts to alter time through settimeofday':
content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules'
order : 2
'Record Attempts to Alter Time Through stime':
content: '-a always,exit -F arch=b64 -S stime -k audit_time_rules'
order : 3
'Record Attempts to Alter Time Through clock_settime':
content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules'
order : 4
'Record Attempts to Alter the localtime File':
content: '-w /etc/localtime -p wa -k audit_time_rules'
order : 5
'Record Events that Modify the Systems Discretionary Access Controls - chmod':
content: '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 5
'Record Events that Modify the Systems Discretionary Access Controls - chown':
content: '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 6
'Record Events that Modify the Systems Discretionary Access Controls - fchmod':
content: '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 7
'Record Events that Modify the Systems Discretionary Access Controls - fchmodat':
content: '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 8
'Record Events that Modify the Systems Discretionary Access Controls - fchown':
content: '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 9
'Record Events that Modify the Systems Discretionary Access Controls - fchownat':
content: '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 10
'Record Events that Modify the Systems Discretionary Access Controls - fremovexattr':
content: '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 11
'Record Events that Modify the Systems Discretionary Access Controls - fsetxattr':
content: '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 12
'Record Events that Modify the Systems Discretionary Access Controls - lchown':
content: '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 13
'Record Events that Modify the Systems Discretionary Access Controls - lremovexattr':
content: '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 14
'Record Events that Modify the Systems Discretionary Access Controls - lsetxattr':
content: '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 15
'Record Events that Modify the Systems Discretionary Access Controls - removexattr':
content: '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 16
'Record Events that Modify the Systems Discretionary Access Controls - setxattr':
content: '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
order : 17
'Record Events that Modify User/Group Information - /etc/group':
content: '-w /etc/group -p wa -k audit_rules_usergroup_modification'
order : 18
'Record Events that Modify User/Group Information - /etc/passwd':
content: '-w /etc/passwd -p wa -k audit_rules_usergroup_modification'
order : 19
'Record Events that Modify User/Group Information - /etc/gshadow':
content: '-w /etc/gshadow -p wa -k audit_rules_usergroup_modification'
order : 20
'Record Events that Modify User/Group Information - /etc/shadow':
content: '-w /etc/shadow -p wa -k audit_rules_usergroup_modification'
order : 21
'Record Events that Modify User/Group Information - /etc/opasswd':
content: '-w /etc/opasswd -p wa -k audit_rules_usergroup_modification'
order : 22
'Record Events that Modify the Systems Network Environment - sethostname / setdomainname':
content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification'
order : 23
'Record Events that Modify the Systems Network Environment - /etc/issue':
content: '-w /etc/issue -p wa -k audit_rules_networkconfig_modification'
order : 24
'Record Events that Modify the Systems Network Environment - /etc/issue.net':
content: '-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification'
order : 25
'Record Events that Modify the Systems Network Environment - /etc/hosts':
content: '-w /etc/hosts -p wa -k audit_rules_networkconfig_modification'
order : 26
'Record Events that Modify the Systems Network Environment - /etc/sysconfig/network':
content: '-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification'
order : 27
'Record Events that Modify the Systems Mandatory Access Controls':
content: '-w /etc/selinux/ -p wa -k MAC-policy'
order : 28
'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EACCES)':
content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
order : 29
'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EPERM)':
content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
order : 30
'Ensure auditd Collects Information on the Use of Privileged Commands':
content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged'
order : 31
'Ensure auditd Collects Information on Exporting to Media (successful)':
content: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export'
order : 32
'Ensure auditd Collects File Deletion Events by User':
content: '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
order : 33
'Ensure auditd Collects System Administrator Actions':
content: '-w /etc/sudoers -p wa -k actions'
order : 34
'Ensure auditd Collects Information on Kernel Module Loading and Unloading (insmod)':
content: '-w /usr/sbin/insmod -p x -k modules'
order : 35
'Ensure auditd Collects Information on Kernel Module Loading and Unloading (rmmod)':
content: '-w /usr/sbin/rmmod -p x -k modules'
order : 36
'Ensure auditd Collects Information on Kernel Module Loading and Unloading (modprobe)':
content: '-w /usr/sbin/modprobe -p x -k modules'
order : 37

1
overcloud-resource-registry-puppet.j2.yaml

@ -240,6 +240,7 @@ resource_registry:
OS::TripleO::Services::CinderHPELeftHandISCSI: OS::Heat::None
OS::TripleO::Services::Etcd: OS::Heat::None
OS::TripleO::Services::Ec2Api: OS::Heat::None
OS::TripleO::Services::AuditD: OS::Heat::None
parameter_defaults:
EnablePackageInstall: false

34
puppet/services/auditd.yaml Normal file

@ -0,0 +1,34 @@
heat_template_version: ocata
description: >
AuditD configured with Puppet
parameters:
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
AuditdRules:
description: Mapping of auditd rules
type: json
default: {}
outputs:
role_data:
description: Role data for the auditd service
value:
service_name: auditd
config_settings:
auditd::rules: {get_param: AuditdRules}
step_config: |
include ::tripleo::profile::base::auditd

9
releasenotes/notes/puppet-auditd-6504295e8c6c7a3b.yaml Normal file

@ -0,0 +1,9 @@
---
features:
- |
Adds the ability to manage auditd.service and enter audit.rules via tripleo
heat templates. This in turn enforces an audit log of system events, such
as system time changes, modifications to Discretionary Access Controls,
Failed login attempts.

5
roles_data.yaml

@ -112,6 +112,7 @@
- OS::TripleO::Services::NeutronML2FujitsuFossw
- OS::TripleO::Services::CinderHPELeftHandISCSI
- OS::TripleO::Services::Etcd
- OS::TripleO::Services::AuditD
- name: Compute
CountDefault: 1
@ -139,6 +140,7 @@
- OS::TripleO::Services::OpenDaylightOvs
- OS::TripleO::Services::SensuClient
- OS::TripleO::Services::FluentdClient
- OS::TripleO::Services::AuditD
- name: BlockStorage
ServicesDefault:
@ -153,6 +155,7 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::SensuClient
- OS::TripleO::Services::FluentdClient
- OS::TripleO::Services::AuditD
- name: ObjectStorage
disable_upgrade_deployment: True
@ -169,6 +172,7 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::SensuClient
- OS::TripleO::Services::FluentdClient
- OS::TripleO::Services::AuditD
- name: CephStorage
disable_upgrade_deployment: True
@ -184,3 +188,4 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::SensuClient
- OS::TripleO::Services::FluentdClient
- OS::TripleO::Services::AuditD