Use the firewall role, the selinux role, and the certificate role from the logging role #293
Changes from 2 commits
6e9ad94
2d72616
b215d63
2345f7a
@@ -422,6 +422,34 @@ These variables are set in the same level of the `logging_inputs`, `logging_outp | |||||
will be uninstalled and reinstalled in order to revert back to the original | ||||||
system default configuration. | ||||||
- `logging_system_log_dir`: Directory where the local log output files are placed. Default to `/var/log`. | ||||||
- `logging_manage_firewall`: If set to `true` and ports are found in the logging role | ||||||
parameters, configure the firewall for the ports using the firewall role. | ||||||
If set to `false`, the `logging role` does not manage the firewall. | ||||||
Default to `false`. | ||||||
NOTE: `logging_manage_firewall` is limited to *adding* ports. | ||||||
It cannot be used for *removing* ports. | ||||||
If you want to remove ports, you will need to use the firewall system | ||||||
roles directly. | ||||||
- `logging_manage_selinux`: If set to `true` and ports are found in the logging role | ||||||
parameters, configure the selinux for the ports using the selinux role. | ||||||
If set to `false`, the `logging role` does not manage the selinux. | ||||||
Default to `false`. | ||||||
NOTE: `logging_manage_selinux` is limited to *adding* policy. | ||||||
It cannot be used for *removing* policy. | ||||||
If you want to remove policy, you will need to use the selinux system | ||||||
roles directly. | ||||||
|
||||||
- `logging_certificates`: This is a `list` of `dict` in the same format as used | ||||||
by the `fedora.linux_system_roles.certificate` role. Specify this variable if | ||||||
you want the certificate role to generate the certificates for the logging system | ||||||
configured by the logging role. With this example, `self-signed` certificate | ||||||
`logging_cert.crt` is generated in `/etc/pki/tls/certs`. | ||||||
Default to `[]`. | ||||||
```yaml | ||||||
logging_certificates: | ||||||
- name: logging_cert | ||||||
dns: ['localhost', 'www.example.com'] | ||||||
ca: self-sign | ||||||
``` | ||||||
|
||||||
### Update and Delete | ||||||
|
||||||
|
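Review bot: the three new variable entries each end with "Default to `false`" / "Default to `[]`"; this should read "Defaults to" to match the surrounding README style, and "the `logging role`" puts prose in backticks where plain "the logging role" is meant. The `logging_certificates` entry says the self-signed `logging_cert.crt` is written to `/etc/pki/tls/certs` but does not say where the matching private key goes or which logging input/output parameters a user should point at the generated files; without that a reader cannot actually consume the certificate the role just requested. The two NOTE paragraphs (adding only, never removing ports/policy) are a good caveat; consider also stating that the firewall and selinux roles are only invoked when at least one port is found in the inputs/outputs, since that is the behaviour of the new tasks.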
@@ -820,16 +848,34 @@ Deploying `relp input` reading logs from remote rsyslog and `remote_files output | |||||
outputs: [remote_files_output] | ||||||
``` | ||||||
|
||||||
### Port and SELinux | ||||||
### Port Managed by Firewall and SELinux Role | ||||||
|
||||||
When a port is specified in the logging role configuration, | ||||||
the firewall role is automatically included and the port | ||||||
is managed by the firewalld. | ||||||
|
||||||
The port is then configured by the selinux role and given | ||||||
an appropriate syslog selinux port type depending upon the | ||||||
associated tls value. | ||||||
tls value?

Some inputs/outputs (e.g., relp) have a

I'm going to put ` around tls as follows. Do you think it's clearer?

ah, I see - then use TLS in all caps.
||||||
|
||||||
SELinux is only configured to allow sending and receiving on the following ports by default: | ||||||
You can verify the changes by the following command-line. | ||||||
|
||||||
For firewall, | ||||||
``` | ||||||
syslogd_port_t tcp 514, 20514 | ||||||
syslogd_port_t udp 514, 20514 | ||||||
firewall-cmd --list-port | ||||||
``` | ||||||
|
||||||
If other ports need to be configured, you can use [linux-system-roles/selinux](https://github.com/linux-system-roles/selinux) to manage SELinux contexts. | ||||||
For selinux, | ||||||
``` | ||||||
semanage port --list | grep "syslog" | ||||||
``` | ||||||
The newly specified port will be added to this default set. | ||||||
``` | ||||||
syslog_tls_port_t tcp 6514, 10514 | ||||||
syslog_tls_port_t udp 6514, 10514 | ||||||
syslogd_port_t tcp 601, 20514 | ||||||
syslogd_port_t udp 514, 601, 20514 | ||||||
``` | ||||||
|
||||||
## Providers | ||||||
|
||||||
|
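Review bot: the new "Port Managed by Firewall and SELinux Role" text says the firewall role is "automatically included" whenever a port is specified, but the variable documentation in the same README says this only happens when `logging_manage_firewall` is `true`, and it defaults to `false`; say so here, and likewise that the selinux step depends on `logging_manage_selinux`. Three wording points: "managed by the firewalld" should be "managed by firewalld"; per the earlier thread, "associated tls value" should be "associated TLS value" or refer to the `tls` parameter in code font; and the verification command should be `firewall-cmd --list-ports`, which is the documented long option. It would also help to say that the port the role adds shows up in the `semanage port --list | grep "syslog"` output under `syslog_tls_port_t` or `syslogd_port_t` depending on that TLS value, so readers know what to look for.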
@@ -0,0 +1,3 @@ | ||
# SPDX-License-Identifier: MIT | ||
collections: | ||
- fedora.linux_system_roles |
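Review bot: declaring the `fedora.linux_system_roles` collection here matches the FQCN `include_role` calls in the new task files, but the README hunk in this PR never tells the user that the collection has to be installed for the firewall, selinux and certificate features to work; add a sentence to the variable documentation for `logging_manage_firewall`, `logging_manage_selinux` and `logging_certificates`.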
@@ -0,0 +1,7 @@ | ||
--- | ||
- name: Generate certificates | ||
include_role: | ||
name: fedora.linux_system_roles.certificate | ||
vars: | ||
certificate_requests: "{{ logging_certificates }}" | ||
when: logging_certificates | length > 0 |
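Review bot: `when: logging_certificates | length > 0` raises a template error if a user sets `logging_certificates: null` or the variable is otherwise undefined, because `length` cannot be applied to `None`; the firewall tasks in this PR guard with `| d([])`, so for consistency use `when: logging_certificates | d([]) | length > 0`.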
@@ -0,0 +1,29 @@ | ||
--- | ||
- block: | ||
- name: Add tcp ports to logging_firewall_ports | ||
set_fact: | ||
Since you are using
logging_firewall_ports: "{{ logging_firewall_ports | d([]) | | ||
union([{'port': item, 'state': 'enabled'}]) }}" | ||
loop: "{{ (logging_tcp_ports + logging_tls_tcp_ports) | | ||
map('regex_replace', '$', '/tcp') | list }}" | ||
when: (logging_tcp_ports + logging_tls_tcp_ports) | length > 0 | ||
|
||
- name: Add udp ports to logging_firewall_ports | ||
set_fact: | ||
logging_firewall_ports: "{{ logging_firewall_ports | d([]) | | ||
union([{'port': item, 'state': 'enabled'}]) }}" | ||
loop: "{{ (logging_udp_ports + logging_tls_udp_ports) | | ||
map('regex_replace', '$', '/udp') | list }}" | ||
when: (logging_udp_ports + logging_tls_udp_ports) | length > 0 | ||
|
||
- name: Manage firewall for specified ports | ||
include_role: | ||
name: fedora.linux_system_roles.firewall | ||
vars: | ||
firewall: "{{ logging_firewall_ports }}" | ||
when: | ||
- logging_firewall_ports | d([]) | ||
when: | ||
- logging_manage_firewall | bool | ||
- logging_tcp_ports or logging_udp_ports or | ||
logging_tls_tcp_ports or logging_tls_udp_ports |
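Review bot: `logging_firewall_ports` is never reset before the two `set_fact` loops, and each iteration does `union` against the previous value, so a host on which the role is applied twice in one play (for example with a changed port list) keeps the ports from the first run; initialize `logging_firewall_ports: []` at the top of this file, the same way the four port lists are initialized in the port-gathering task file. The inner `when: - logging_firewall_ports | d([])` on the `include_role` task is also nearly identical to the block-level `when` that requires at least one of the port lists to be non-empty; keep one of the two and add a comment explaining that `union` on the port dicts deduplicates a port that appears in both the TLS and non-TLS lists.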
@@ -0,0 +1,183 @@ | ||
--- | ||
# Initialize variables | ||
- name: Initialize logging_tls_tcp_ports | ||
set_fact: | ||
logging_tls_tcp_ports: [] | ||
|
||
- name: Initialize logging_tcp_ports | ||
set_fact: | ||
logging_tcp_ports: [] | ||
|
||
- name: Initialize logging_tls_udp_ports | ||
set_fact: | ||
logging_tls_udp_ports: [] | ||
|
||
- name: Initialize logging_udp_ports | ||
set_fact: | ||
logging_udp_ports: [] | ||
|
||
# Gather ports configured as logging role parameters | ||
- block: | ||
- name: Parameter 'port' values | ||
set_fact: | ||
logging_tls_tcp_ports: "{{ (logging_inputs + logging_outputs) | d([]) | | ||
selectattr('port', 'defined') | | ||
map(attribute='port') | list }}" | ||
|
||
- block: | ||
- name: Parameter 'tcp_port' values (without tls) | ||
set_fact: | ||
logging_tcp_ports: "{{ logging_tcp_ports | | ||
union(__tcp_ports[0] | list) }}" | ||
|
||
- name: Parameter 'tcp_port' values (with tls) | ||
set_fact: | ||
logging_tls_tcp_ports: "{{ logging_tls_tcp_ports | | ||
union(__tcp_ports[1] | list) }}" | ||
|
||
- name: Parameter 'udp_port' values (without tls) | ||
set_fact: | ||
logging_udp_ports: "{{ logging_udp_ports | | ||
union(__udp_ports[0] | list) }}" | ||
|
||
- name: Parameter 'udp_port' values (with tls) | ||
set_fact: | ||
logging_tls_udp_ports: "{{ logging_tls_udp_ports | | ||
union(__udp_ports[1] | list) }}" | ||
|
||
- name: Parameter 'server_port' values (without tls) | ||
set_fact: | ||
logging_tcp_ports: "{{ logging_tcp_ports | | ||
union(__server_ports[0] | list) }}" | ||
|
||
- name: Parameter 'server_port' values (with tls) | ||
set_fact: | ||
logging_tls_tcp_ports: "{{ logging_tls_tcp_ports | | ||
union(__server_ports[1] | list) }}" | ||
vars: | ||
__tcp_outputs: "{{ logging_outputs | d([]) | | ||
selectattr('tcp_port', 'defined') }}" | ||
__tcp_ports: | | ||
{% set tcp_ports = [] %} | ||
{% set tls_tcp_ports = [] %} | ||
{% for output in __tcp_outputs %} | ||
{% if output.tcp_port is defined %} | ||
{% if output.tls is defined %} | ||
{% if output.tls -%} | ||
{% set _ = tls_tcp_ports.append(output.tcp_port) %} | ||
{% else -%} | ||
{% set _ = tcp_ports.append(output.tcp_port) %} | ||
{%- endif %} | ||
{% else -%} | ||
{% set _ = tcp_ports.append(output.tcp_port) %} | ||
{%- endif %} | ||
{%- endif %} | ||
{% endfor %} | ||
{% set both = [tcp_ports, tls_tcp_ports] %} | ||
{{ both }} | ||
__udp_outputs: "{{ logging_outputs | d([]) | | ||
selectattr('udp_port', 'defined') }}" | ||
__udp_ports: | | ||
{% set udp_ports = [] %} | ||
{% set tls_udp_ports = [] %} | ||
{% for output in __udp_outputs %} | ||
{% if output.udp_port is defined %} | ||
{% if output.tls is defined %} | ||
{% if output.tls -%} | ||
{% set _ = tls_udp_ports.append(output.udp_port) %} | ||
{% else -%} | ||
{% set _ = udp_ports.append(output.udp_port) %} | ||
{%- endif %} | ||
{% else -%} | ||
{% set _ = udp_ports.append(output.udp_port) %} | ||
{%- endif %} | ||
{%- endif %} | ||
{% endfor %} | ||
{% set both = [udp_ports, tls_udp_ports] %} | ||
{{ both }} | ||
__server_outputs: "{{ logging_outputs | d([]) | | ||
selectattr('server_port', 'defined') }}" | ||
__server_ports: | | ||
{% set server_ports = [] %} | ||
{% set server_tls_ports = [] %} | ||
{% for output in __server_outputs %} | ||
{% if output.server_port is defined %} | ||
{% if output.tls is defined %} | ||
{% if output.tls -%} | ||
{% set _ = server_tls_ports.append(output.server_port) %} | ||
{% else -%} | ||
{% set _ = server_ports.append(output.server_port) %} | ||
{%- endif %} | ||
{% else -%} | ||
{% set _ = server_tls_ports.append(output.server_port) %} | ||
{%- endif %} | ||
{%- endif %} | ||
{% endfor %} | ||
{% set both = [server_ports, server_tls_ports] %} | ||
{{ both }} | ||
|
||
- block: | ||
- name: Parameter 'tcp_ports' values (without tls) | ||
set_fact: | ||
logging_tcp_ports: "{{ logging_tcp_ports | | ||
union(__tcp_ports[0]) | list | flatten }}" | ||
|
||
- name: Parameter 'tcp_ports' values (with tls) | ||
set_fact: | ||
logging_tls_tcp_ports: "{{ logging_tls_tcp_ports | | ||
union(__tcp_ports[1]) | | ||
list | flatten }}" | ||
|
||
- name: Parameter 'udp_ports' values (without tls) | ||
set_fact: | ||
logging_udp_ports: "{{ logging_udp_ports | | ||
union(__udp_ports[0])| list | flatten }}" | ||
|
||
- name: Parameter 'udp_ports' values (with tls) | ||
set_fact: | ||
logging_tls_udp_ports: "{{ logging_tls_udp_ports | | ||
union(__udp_ports[1]) | | ||
list | flatten }}" | ||
vars: | ||
__tcp_inputs: "{{ logging_inputs | d([]) | | ||
selectattr('tcp_ports', 'defined') }}" | ||
__tcp_ports: | | ||
{% set tcp_ports = [] %} | ||
{% set tls_tcp_ports = [] %} | ||
{% for input in __tcp_inputs %} | ||
{% if input.tcp_ports is defined %} | ||
{% if input.tls is defined %} | ||
{% if input.tls -%} | ||
{% set _ = tls_tcp_ports.append(input.tcp_ports) %} | ||
{% else -%} | ||
{% set _ = tcp_ports.append(input.tcp_ports) %} | ||
{%- endif %} | ||
{% else -%} | ||
{% set _ = tcp_ports.append(input.tcp_ports) %} | ||
{%- endif %} | ||
{%- endif %} | ||
{% endfor %} | ||
{% set both = [tcp_ports, tls_tcp_ports] %} | ||
{{ both }} | ||
__udp_inputs: "{{ logging_inputs | d([]) | | ||
selectattr('udp_port', 'defined') }}" | ||
__udp_ports: | | ||
{% set udp_ports = [] %} | ||
{% set tls_udp_ports = [] %} | ||
{% for input in __udp_inputs %} | ||
{% if input.udp_ports is defined %} | ||
{% if input.tls is defined %} | ||
{% if input.tls -%} | ||
{% set _ = tls_udp_ports.append(input.udp_ports) %} | ||
{% else -%} | ||
{% set _ = udp_ports.append(input.udp_ports) %} | ||
{%- endif %} | ||
{% else -%} | ||
{% set _ = udp_ports.append(input.udp_ports) %} | ||
{%- endif %} | ||
{%- endif %} | ||
{% endfor %} | ||
{% set both = [udp_ports, tls_udp_ports] %} | ||
{{ both }} | ||
when: | ||
- (logging_manage_firewall | bool) or (logging_manage_selinux | bool) |
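Review bot: `__udp_inputs` filters with `selectattr('udp_port', 'defined')`, but the loop below tests `input.udp_ports` and every other input parameter in this block is plural (`tcp_ports`, `udp_ports`), so no input will ever pass the filter and UDP input ports are never collected for the firewall or SELinux; change it to `selectattr('udp_ports', 'defined')`. Two smaller points: in `__server_ports` the branch for an output with no `tls` key appends to `server_tls_ports`, whereas the `tcp_port` and `udp_port` templates append to the non-TLS list in that case, so if `server_port` outputs default to TLS that deserves a comment and otherwise it is a copy-paste slip; and the task named "Parameter 'port' values" puts every `port` value into `logging_tls_tcp_ports` without looking at `tls` at all, so say which outputs use `port` and why they are always treated as TLS.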