Add AuditD composable service

This patch allows the management of the AuditD service and its associated files (such as `audit.rules`) This is achieved by means of the `puppet-auditd` puppet module. Also places ssh banner capabilities map on top of patch Change-Id: Ib8bb52dde88304cb58b051bced9779c97a314d0d Depends-On: Ie31c063b674075e35e1bfa28d1fc07f3f897407b
openstack-archive · Jan 27, 2017 · afdc138 · afdc138
1 parent c349789
commit afdc138
Show file tree

Hide file tree

Showing 6 changed files with 184 additions and 0 deletions.
diff --git a/capabilities-map.yaml b/capabilities-map.yaml
@@ -541,6 +541,14 @@ topics:
   - title: Security Options
     description: Security Hardening Options
     environment_groups:
+      - title: SSH Banner Text
+        description: Enables population of SSH Banner Text
+        environments:
+          - file: environments/sshd-banner.yaml
+            title: SSH Banner Text
+            description:
+            requires:
+              - overcloud-resource-registry-puppet.yaml
       - title: Horizon Password Validation
         description: Enable Horizon Password validation
         environments:
@@ -549,3 +557,11 @@ topics:
             description:
             requires:
               - overcloud-resource-registry-puppet.yaml
+      - title: AuditD Rules
+        description:  Management of AuditD rules
+        environments:
+          - file: environments/auditd.yaml
+            title: AuditD Rule Management
+            description:
+            requires:
+              - overcloud-resource-registry-puppet.yaml
diff --git a/environments/auditd.yaml b/environments/auditd.yaml
@@ -0,0 +1,119 @@
+resource_registry:
+  OS::TripleO::Services::AuditD: ../puppet/services/auditd.yaml
+
+parameter_defaults:
+  AuditdRules:
+    'Record attempts to alter time through adjtimex':
+      content: '-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules'
+      order  : 1
+    'Record attempts to alter time through settimeofday':
+      content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules'
+      order  : 2
+    'Record Attempts to Alter Time Through stime':
+      content: '-a always,exit -F arch=b64 -S stime -k audit_time_rules'
+      order  : 3
+    'Record Attempts to Alter Time Through clock_settime':
+      content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules'
+      order  : 4
+    'Record Attempts to Alter the localtime File':
+      content: '-w /etc/localtime -p wa -k audit_time_rules'
+      order  : 5
+    'Record Events that Modify the Systems Discretionary Access Controls - chmod':
+      content: '-a always,exit -F arch=b64 -S chmod  -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order  : 5
+    'Record Events that Modify the Systems Discretionary Access Controls - chown':
+      content: '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order  : 6
+    'Record Events that Modify the Systems Discretionary Access Controls - fchmod':
+      content: '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order  : 7
+    'Record Events that Modify the Systems Discretionary Access Controls - fchmodat':
+      content: '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order  : 8
+    'Record Events that Modify the Systems Discretionary Access Controls - fchown':
+      content: '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order  : 9
+    'Record Events that Modify the Systems Discretionary Access Controls - fchownat':
+      content: '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order  : 10
+    'Record Events that Modify the Systems Discretionary Access Controls - fremovexattr':
+      content: '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order  : 11
+    'Record Events that Modify the Systems Discretionary Access Controls - fsetxattr':
+      content: '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order  : 12
+    'Record Events that Modify the Systems Discretionary Access Controls - lchown':
+      content: '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order  : 13
+    'Record Events that Modify the Systems Discretionary Access Controls - lremovexattr':
+      content: '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order  : 14
+    'Record Events that Modify the Systems Discretionary Access Controls - lsetxattr':
+      content: '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order  : 15
+    'Record Events that Modify the Systems Discretionary Access Controls - removexattr':
+      content: '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order  : 16
+    'Record Events that Modify the Systems Discretionary Access Controls - setxattr':
+      content: '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+      order  : 17
+    'Record Events that Modify User/Group Information - /etc/group':
+      content: '-w /etc/group -p wa -k audit_rules_usergroup_modification'
+      order  : 18
+    'Record Events that Modify User/Group Information - /etc/passwd':
+      content: '-w /etc/passwd -p wa -k audit_rules_usergroup_modification'
+      order  : 19
+    'Record Events that Modify User/Group Information - /etc/gshadow':
+      content: '-w /etc/gshadow -p wa -k audit_rules_usergroup_modification'
+      order  : 20
+    'Record Events that Modify User/Group Information - /etc/shadow':
+      content: '-w /etc/shadow -p wa -k audit_rules_usergroup_modification'
+      order  : 21
+    'Record Events that Modify User/Group Information - /etc/opasswd':
+      content: '-w /etc/opasswd -p wa -k audit_rules_usergroup_modification'
+      order  : 22
+    'Record Events that Modify the Systems Network Environment - sethostname / setdomainname':
+      content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification'
+      order  : 23
+    'Record Events that Modify the Systems Network Environment - /etc/issue':
+      content: '-w /etc/issue -p wa -k audit_rules_networkconfig_modification'
+      order  : 24
+    'Record Events that Modify the Systems Network Environment - /etc/issue.net':
+      content: '-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification'
+      order  : 25
+    'Record Events that Modify the Systems Network Environment - /etc/hosts':
+      content: '-w /etc/hosts -p wa -k audit_rules_networkconfig_modification'
+      order  : 26
+    'Record Events that Modify the Systems Network Environment - /etc/sysconfig/network':
+      content: '-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification'
+      order  : 27
+    'Record Events that Modify the Systems Mandatory Access Controls':
+      content: '-w /etc/selinux/ -p wa -k MAC-policy'
+      order  : 28
+    'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EACCES)':
+      content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
+      order  : 29
+    'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EPERM)':
+      content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
+      order  : 30
+    'Ensure auditd Collects Information on the Use of Privileged Commands':
+      content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged'
+      order  : 31
+    'Ensure auditd Collects Information on Exporting to Media (successful)':
+      content: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export'
+      order  : 32
+    'Ensure auditd Collects File Deletion Events by User':
+      content: '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
+      order  : 33
+    'Ensure auditd Collects System Administrator Actions':
+      content: '-w /etc/sudoers -p wa -k actions'
+      order  : 34
+    'Ensure auditd Collects Information on Kernel Module Loading and Unloading (insmod)':
+      content: '-w /usr/sbin/insmod -p x -k modules'
+      order  : 35
+    'Ensure auditd Collects Information on Kernel Module Loading and Unloading (rmmod)':
+      content: '-w /usr/sbin/rmmod -p x -k modules'
+      order  : 36
+    'Ensure auditd Collects Information on Kernel Module Loading and Unloading (modprobe)':
+      content: '-w /usr/sbin/modprobe -p x -k modules'
+      order  : 37
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
@@ -240,6 +240,7 @@ resource_registry:
   OS::TripleO::Services::CinderHPELeftHandISCSI: OS::Heat::None
   OS::TripleO::Services::Etcd: OS::Heat::None
   OS::TripleO::Services::Ec2Api: OS::Heat::None
+  OS::TripleO::Services::AuditD: OS::Heat::None
 
 parameter_defaults:
   EnablePackageInstall: false

diff --git a/puppet/services/auditd.yaml b/puppet/services/auditd.yaml
@@ -0,0 +1,34 @@
+heat_template_version: ocata
+
+description: >
+  AuditD configured with Puppet
+
+parameters:
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  AuditdRules:
+    description: Mapping of auditd rules
+    type: json
+    default: {}
+
+outputs:
+  role_data:
+    description: Role data for the auditd service
+    value:
+      service_name: auditd
+      config_settings:
+        auditd::rules: {get_param: AuditdRules}
+      step_config: |
+        include ::tripleo::profile::base::auditd
diff --git a/releasenotes/notes/puppet-auditd-6504295e8c6c7a3b.yaml b/releasenotes/notes/puppet-auditd-6504295e8c6c7a3b.yaml
@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    Adds the ability to manage auditd.service and enter audit.rules via tripleo
+    heat templates. This in turn enforces an audit log of system events, such
+    as system time changes, modifications to Discretionary Access Controls,
+    Failed login attempts.
+
+
diff --git a/roles_data.yaml b/roles_data.yaml
@@ -112,6 +112,7 @@
     - OS::TripleO::Services::NeutronML2FujitsuFossw
     - OS::TripleO::Services::CinderHPELeftHandISCSI
     - OS::TripleO::Services::Etcd
+    - OS::TripleO::Services::AuditD
 
 - name: Compute
   CountDefault: 1
@@ -139,6 +140,7 @@
     - OS::TripleO::Services::OpenDaylightOvs
     - OS::TripleO::Services::SensuClient
     - OS::TripleO::Services::FluentdClient
+    - OS::TripleO::Services::AuditD
 
 - name: BlockStorage
   ServicesDefault:
@@ -153,6 +155,7 @@
     - OS::TripleO::Services::TripleoFirewall
     - OS::TripleO::Services::SensuClient
     - OS::TripleO::Services::FluentdClient
+    - OS::TripleO::Services::AuditD
 
 - name: ObjectStorage
   disable_upgrade_deployment: True
@@ -169,6 +172,7 @@
     - OS::TripleO::Services::TripleoFirewall
     - OS::TripleO::Services::SensuClient
     - OS::TripleO::Services::FluentdClient
+    - OS::TripleO::Services::AuditD
 
 - name: CephStorage
   disable_upgrade_deployment: True
@@ -184,3 +188,4 @@
     - OS::TripleO::Services::TripleoFirewall
     - OS::TripleO::Services::SensuClient
     - OS::TripleO::Services::FluentdClient
+    - OS::TripleO::Services::AuditD