Service parameter config for auditd grub parameter

This commit implements enable/disable the kernel grub parameter for auditd, using the service parameter mechanism. The new "audit" parameter, with full name "platform::compute::grub::params::d_audit", gets stored as a system-wide service parameter and is instrumented for certain personalities. Only System Controllers and Worker hosts would be allowed to have the "audit" kernel parameter enabled. Story: 2008849 Task: 43364 Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/810018 Change-Id: I574616b32e70862261c3dc5acfee73d57c06c7df Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
2021-09-20 10:03:41 -04:00 · 2021-09-20 10:03:41 -04:00 · f2ec1e3370
parent 23406f3a07
commit f2ec1e3370
3 changed files with 60 additions and 0 deletions
--- a/sysinv/sysinv/sysinv/sysinv/common/constants.py
+++ b/sysinv/sysinv/sysinv/sysinv/common/constants.py
@ -1195,6 +1195,13 @@ SERVICE_PARAM_NAME_ENDPOINT_DOMAIN = "endpoint_domain"
 SERVICE_PARAM_SECTION_COLLECTD = 'collectd'
 SERVICE_PARAM_COLLECTD_NETWORK_SERVERS = 'network_servers'

+# platform kernel parameter auditd
+# enables and disables auditd
+SERVICE_PARAM_SECTION_PLATFORM_KERNEL = 'kernel'
+SERVICE_PARAM_NAME_PLATFORM_AUDITD = 'audit'
+SERVICE_PARAM_PLATFORM_AUDITD_DISABLED = '0'
+SERVICE_PARAM_PLATFORM_AUDITD_ENABLED = '1'
+
 # TIS part number, CPE = combined load, STD = standard load
 TIS_STD_BUILD = 'Standard'
 TIS_AIO_BUILD = 'All-in-one'
--- a/sysinv/sysinv/sysinv/sysinv/common/service_parameter.py
+++ b/sysinv/sysinv/sysinv/sysinv/common/service_parameter.py
@ -396,6 +396,21 @@ def _validate_pod_max_pids(name, value):
                    constants.SERVICE_PARAM_KUBERNETES_POD_MAX_PIDS_MAX)


+def _validate_kernel_audit(name, value):
+    """Check if specified value is supported"""
+    try:
+        if str(value) in [constants.SERVICE_PARAM_PLATFORM_AUDITD_DISABLED,
+                          constants.SERVICE_PARAM_PLATFORM_AUDITD_ENABLED]:
+            return
+    except ValueError:
+        pass
+
+    raise wsme.exc.ClientSideError(_(
+        "Parameter '%s' value must be either '%s' or '%s'" %
+        (name, constants.SERVICE_PARAM_PLATFORM_AUDITD_DISABLED,
+         constants.SERVICE_PARAM_PLATFORM_AUDITD_ENABLED)))
+
+
 PLATFORM_CONFIG_PARAMETER_OPTIONAL = [
    constants.SERVICE_PARAM_NAME_PLAT_CONFIG_VIRTUAL,
 ]
@ -524,6 +539,19 @@ PLATFORM_MTCE_PARAMETER_RESOURCE = {
    constants.SERVICE_PARAM_PLAT_MTCE_MNFA_TIMEOUT: 'platform::mtce::params::mnfa_timeout',
 }

+PLATFORM_KERNEL_PARAMETER_OPTIONAL = [
+    constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD,
+]
+
+PLATFORM_KERNEL_PARAMETER_VALIDATOR = {
+    constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD: _validate_kernel_audit,
+}
+
+PLATFORM_KERNEL_PARAMETER_RESOURCE = {
+    constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD:
+        'platform::compute::grub::params::g_audit',
+}
+
 RADOSGW_CONFIG_PARAMETER_MANDATORY = [
    constants.SERVICE_PARAM_NAME_RADOSGW_SERVICE_ENABLED,
 ]
@ -797,6 +825,11 @@ SERVICE_PARAMETER_SCHEMA = {
            SERVICE_PARAM_RESOURCE: COLLECTD_PARAMETER_RESOURCE,
            SERVICE_PARAM_DATA_FORMAT: COLLECTD_NETWORK_SERVERS_PARAMETER_DATA_FORMAT,
        },
+        constants.SERVICE_PARAM_SECTION_PLATFORM_KERNEL: {
+            SERVICE_PARAM_OPTIONAL: PLATFORM_KERNEL_PARAMETER_OPTIONAL,
+            SERVICE_PARAM_VALIDATOR: PLATFORM_KERNEL_PARAMETER_VALIDATOR,
+            SERVICE_PARAM_RESOURCE: PLATFORM_KERNEL_PARAMETER_RESOURCE,
+        },
    },
    constants.SERVICE_TYPE_HORIZON: {
        constants.SERVICE_PARAM_SECTION_HORIZON_AUTH: {
--- a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
+++ b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
@ -673,6 +673,11 @@ class ConductorManager(service.PeriodicService):
         'name': constants.SERVICE_PARAM_PLAT_MTCE_MNFA_TIMEOUT,
         'value': constants.SERVICE_PARAM_PLAT_MTCE_MNFA_TIMEOUT_DEFAULT,
         },
+        {'service': constants.SERVICE_TYPE_PLATFORM,
+         'section': constants.SERVICE_PARAM_SECTION_PLATFORM_KERNEL,
+         'name': constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD,
+         'value': constants.SERVICE_PARAM_PLATFORM_AUDITD_DISABLED,
+         },
        {'service': constants.SERVICE_TYPE_RADOSGW,
         'section': constants.SERVICE_PARAM_SECTION_RADOSGW_CONFIG,
         'name': constants.SERVICE_PARAM_NAME_RADOSGW_SERVICE_ENABLED,
@ -8955,6 +8960,21 @@ class ConductorManager(service.PeriodicService):
                personalities = [constants.CONTROLLER,
                                 constants.WORKER,
                                 constants.STORAGE]
+            elif section == constants.SERVICE_PARAM_SECTION_PLATFORM_KERNEL:
+                reboot = True
+                personalities = [constants.CONTROLLER,
+                                 constants.WORKER]
+                config_uuid = self._config_update_hosts(context, personalities, reboot=True)
+
+                config_dict = {
+                    'personalities': personalities,
+                    "classes": ['platform::compute::grub::runtime']
+                }
+
+                # Apply runtime config but keep reboot required flag set in
+                # _config_update_hosts() above. Node needs a reboot to clear it.
+                config_uuid = self._config_clear_reboot_required(config_uuid)
+                self._config_apply_runtime_manifest(context, config_uuid, config_dict, force=True)

        # we should not set the reboot flag on operations that are not
        # reboot required. An apply of a service parameter is not reboot