-rw-r--r--capabilities-map.yaml16
-rw-r--r--environments/auditd.yaml119
-rw-r--r--overcloud-resource-registry-puppet.j2.yaml1
-rw-r--r--puppet/services/auditd.yaml34
-rw-r--r--puppet/services/neutron-api.yaml33
-rw-r--r--releasenotes/notes/puppet-auditd-6504295e8c6c7a3b.yaml9
-rw-r--r--roles_data.yaml5
7 files changed, 216 insertions, 1 deletions
diff --git a/capabilities-map.yaml b/capabilities-map.yaml
index aae89307..08c455f9 100644
--- a/capabilities-map.yaml
+++ b/capabilities-map.yaml
@@ -541,6 +541,14 @@ topics:
- title: Security Options
description: Security Hardening Options
environment_groups:
+ - title: SSH Banner Text
+ description: Enables population of SSH Banner Text
+ environments:
+ - file: environments/sshd-banner.yaml
+ title: SSH Banner Text
+ description:
+ requires:
+ - overcloud-resource-registry-puppet.yaml
- title: Horizon Password Validation
description: Enable Horizon Password validation
environments:
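Review bot: `description:` on the new SSH Banner Text entry is a bare key, which a YAML loader reads as null rather than an empty string; the AuditD Rules entry in the next hunk has the same bare `description:`. If the consumer expects a string, write `description: ''`, otherwise drop the key. The entry also points at `environments/sshd-banner.yaml`, which is not among the seven files this commit touches; if it is not already in the tree the capabilities entry dangles, so worth confirming.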
@@ -549,3 +557,11 @@ topics:
description:
requires:
- overcloud-resource-registry-puppet.yaml
+ - title: AuditD Rules
+ description: Management of AuditD rules
+ environments:
+ - file: environments/auditd.yaml
+ title: AuditD Rule Management
+ description:
+ requires:
+ - overcloud-resource-registry-puppet.yaml
diff --git a/environments/auditd.yaml b/environments/auditd.yaml
new file mode 100644
index 00000000..b358c98a
--- /dev/null
+++ b/environments/auditd.yaml
@@ -0,0 +1,119 @@
+resource_registry:
+ OS::TripleO::Services::AuditD: ../puppet/services/auditd.yaml
+
+parameter_defaults:
+ AuditdRules:
+ 'Record attempts to alter time through adjtimex':
+ content: '-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules'
+ order : 1
+ 'Record attempts to alter time through settimeofday':
+ content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules'
+ order : 2
+ 'Record Attempts to Alter Time Through stime':
+ content: '-a always,exit -F arch=b64 -S stime -k audit_time_rules'
+ order : 3
+ 'Record Attempts to Alter Time Through clock_settime':
+ content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules'
+ order : 4
+ 'Record Attempts to Alter the localtime File':
+ content: '-w /etc/localtime -p wa -k audit_time_rules'
+ order : 5
+ 'Record Events that Modify the Systems Discretionary Access Controls - chmod':
+ content: '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+ order : 5
+ 'Record Events that Modify the Systems Discretionary Access Controls - chown':
+ content: '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+ order : 6
+ 'Record Events that Modify the Systems Discretionary Access Controls - fchmod':
+ content: '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+ order : 7
+ 'Record Events that Modify the Systems Discretionary Access Controls - fchmodat':
+ content: '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+ order : 8
+ 'Record Events that Modify the Systems Discretionary Access Controls - fchown':
+ content: '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+ order : 9
+ 'Record Events that Modify the Systems Discretionary Access Controls - fchownat':
+ content: '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+ order : 10
+ 'Record Events that Modify the Systems Discretionary Access Controls - fremovexattr':
+ content: '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+ order : 11
+ 'Record Events that Modify the Systems Discretionary Access Controls - fsetxattr':
+ content: '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+ order : 12
+ 'Record Events that Modify the Systems Discretionary Access Controls - lchown':
+ content: '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+ order : 13
+ 'Record Events that Modify the Systems Discretionary Access Controls - lremovexattr':
+ content: '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+ order : 14
+ 'Record Events that Modify the Systems Discretionary Access Controls - lsetxattr':
+ content: '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+ order : 15
+ 'Record Events that Modify the Systems Discretionary Access Controls - removexattr':
+ content: '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+ order : 16
+ 'Record Events that Modify the Systems Discretionary Access Controls - setxattr':
+ content: '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+ order : 17
+ 'Record Events that Modify User/Group Information - /etc/group':
+ content: '-w /etc/group -p wa -k audit_rules_usergroup_modification'
+ order : 18
+ 'Record Events that Modify User/Group Information - /etc/passwd':
+ content: '-w /etc/passwd -p wa -k audit_rules_usergroup_modification'
+ order : 19
+ 'Record Events that Modify User/Group Information - /etc/gshadow':
+ content: '-w /etc/gshadow -p wa -k audit_rules_usergroup_modification'
+ order : 20
+ 'Record Events that Modify User/Group Information - /etc/shadow':
+ content: '-w /etc/shadow -p wa -k audit_rules_usergroup_modification'
+ order : 21
+ 'Record Events that Modify User/Group Information - /etc/opasswd':
+ content: '-w /etc/opasswd -p wa -k audit_rules_usergroup_modification'
+ order : 22
+ 'Record Events that Modify the Systems Network Environment - sethostname / setdomainname':
+ content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification'
+ order : 23
+ 'Record Events that Modify the Systems Network Environment - /etc/issue':
+ content: '-w /etc/issue -p wa -k audit_rules_networkconfig_modification'
+ order : 24
+ 'Record Events that Modify the Systems Network Environment - /etc/issue.net':
+ content: '-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification'
+ order : 25
+ 'Record Events that Modify the Systems Network Environment - /etc/hosts':
+ content: '-w /etc/hosts -p wa -k audit_rules_networkconfig_modification'
+ order : 26
+ 'Record Events that Modify the Systems Network Environment - /etc/sysconfig/network':
+ content: '-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification'
+ order : 27
+ 'Record Events that Modify the Systems Mandatory Access Controls':
+ content: '-w /etc/selinux/ -p wa -k MAC-policy'
+ order : 28
+ 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EACCES)':
+ content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
+ order : 29
+ 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EPERM)':
+ content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
+ order : 30
+ 'Ensure auditd Collects Information on the Use of Privileged Commands':
+ content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged'
+ order : 31
+ 'Ensure auditd Collects Information on Exporting to Media (successful)':
+ content: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export'
+ order : 32
+ 'Ensure auditd Collects File Deletion Events by User':
+ content: '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
+ order : 33
+ 'Ensure auditd Collects System Administrator Actions':
+ content: '-w /etc/sudoers -p wa -k actions'
+ order : 34
+ 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (insmod)':
+ content: '-w /usr/sbin/insmod -p x -k modules'
+ order : 35
+ 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (rmmod)':
+ content: '-w /usr/sbin/rmmod -p x -k modules'
+ order : 36
+ 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (modprobe)':
+ content: '-w /usr/sbin/modprobe -p x -k modules'
+ order : 37
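Review bot: The privileged-commands rule `-F path=SETUID_PROG_PATH -F perm=x` carries a placeholder instead of a real path, so as shipped it either fails to load or audits nothing; it needs one entry per setuid/setgid binary on the host, or at least a comment stating that the operator must replace it. Two rules share `order : 5` (the /etc/localtime watch and the chmod syscall rule), so their relative order in the generated audit.rules is undefined. Every syscall rule is `arch=b64` only, so 32-bit syscalls on the same host go unrecorded, and `-S stime` is, as far as I recall, not a valid syscall name for arch=b64 and may be rejected by auditctl — verify on a target before relying on it. The release note in this commit mentions failed login attempts, but no rule here watches the login/faillock files. Stylistically `order :` has a space before the colon; `order: 1` is the conventional form.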
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 28384203..1b9646fe 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -240,6 +240,7 @@ resource_registry:
OS::TripleO::Services::CinderHPELeftHandISCSI: OS::Heat::None
OS::TripleO::Services::Etcd: OS::Heat::None
OS::TripleO::Services::Ec2Api: OS::Heat::None
+ OS::TripleO::Services::AuditD: OS::Heat::None
parameter_defaults:
EnablePackageInstall: false
diff --git a/puppet/services/auditd.yaml b/puppet/services/auditd.yaml
new file mode 100644
index 00000000..639631e1
--- /dev/null
+++ b/puppet/services/auditd.yaml
@@ -0,0 +1,34 @@
+heat_template_version: ocata
+
+description: >
+ AuditD configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ AuditdRules:
+ description: Mapping of auditd rules
+ type: json
+ default: {}
+
+outputs:
+ role_data:
+ description: Role data for the auditd service
+ value:
+ service_name: auditd
+ config_settings:
+ auditd::rules: {get_param: AuditdRules}
+ step_config: |
+ include ::tripleo::profile::base::auditd
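Review bot: The `AuditdRules` description `Mapping of auditd rules` does not say what shape the mapping takes, and this template is the only documentation an operator setting it in parameter_defaults will read. Suggest `description: Mapping of rule name -> {content: <audit.rules line>, order: <int>}, passed through unchanged to auditd::rules`, with the caveat that the content/order keys are inferred from environments/auditd.yaml in this commit rather than from the puppet module itself.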
diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml
index 37368c8b..65fa0d8f 100644
--- a/puppet/services/neutron-api.yaml
+++ b/puppet/services/neutron-api.yaml
@@ -71,6 +71,9 @@ parameters:
removed in Ocata. Future releases will enable L3 HA by default if it is
appropriate for the deployment type. Alternate mechanisms will be
available to override.
+ EnableInternalTLS:
+ type: boolean
+ default: false
parameter_groups:
- label: deprecated
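Review bot: `EnableInternalTLS` is added without a `description:` while the neighbouring parameters carry one, and this flag changes where neutron-server binds. Suggest `description: Whether to enable TLS on the internal network; when true a TLS proxy is placed in front of neutron-server and the API binds to localhost`. The parameters section continues outside the hunk.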
@@ -82,8 +85,19 @@ parameter_groups:
parameters:
- NeutronL3HA
+conditions:
+ use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
+
resources:
+ TLSProxyBase:
+ type: OS::TripleO::Services::TLSProxyBase
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
+
NeutronBase:
type: ./neutron-base.yaml
properties:
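Review bot: `use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}` has a space before the colon inside the flow mapping, unlike the `{get_param: ...}` entries a few lines below; `use_tls_proxy: {equals: [{get_param: EnableInternalTLS}, true]}` matches the file's style. The resources section continues outside the hunk.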
@@ -103,6 +117,7 @@ outputs:
config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
+ - get_attr: [TLSProxyBase, role_data, config_settings]
- neutron::server::database_connection:
list_join:
- ''
@@ -140,7 +155,23 @@ outputs:
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
- neutron::bind_host: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+ tripleo::profile::base::neutron::server::tls_proxy_bind_ip:
+ get_param: [ServiceNetMap, NeutronApiNetwork]
+ tripleo::profile::base::neutron::server::tls_proxy_fqdn:
+ str_replace:
+ template:
+ "%{hiera('fqdn_$NETWORK')}"
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+ tripleo::profile::base::neutron::server::tls_proxy_port:
+ get_param: [EndpointMap, NeutronInternal, port]
+ # Bind to localhost if internal TLS is enabled, since we put a TLS
+ # proxy in front.
+ neutron::bind_host:
+ if:
+ - use_tls_proxy
+ - 'localhost'
+ - {get_param: [ServiceNetMap, NeutronApiNetwork]}
tripleo::profile::base::neutron::server::l3_ha_override: {get_param: NeutronL3HA}
step_config: |
include tripleo::profile::base::neutron::server
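Review bot: When `use_tls_proxy` is true `neutron::bind_host` becomes the literal `'localhost'`, which resolves through /etc/hosts and may be 127.0.0.1 or ::1 depending on the image; the TLS proxy must connect to whichever one neutron-server actually binds, so an explicit `127.0.0.1` would be less ambiguous — hedged, since the proxy's upstream address is not visible in this hunk. The outputs section continues outside the hunk.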
diff --git a/releasenotes/notes/puppet-auditd-6504295e8c6c7a3b.yaml b/releasenotes/notes/puppet-auditd-6504295e8c6c7a3b.yaml
new file mode 100644
index 00000000..1949e4fe
--- /dev/null
+++ b/releasenotes/notes/puppet-auditd-6504295e8c6c7a3b.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ Adds the ability to manage auditd.service and enter audit.rules via tripleo
+ heat templates. This in turn enforces an audit log of system events, such
+ as system time changes, modifications to Discretionary Access Controls,
+ Failed login attempts.
+
+
diff --git a/roles_data.yaml b/roles_data.yaml
index 58c5290f..b4291463 100644
--- a/roles_data.yaml
+++ b/roles_data.yaml
@@ -112,6 +112,7 @@
- OS::TripleO::Services::NeutronML2FujitsuFossw
- OS::TripleO::Services::CinderHPELeftHandISCSI
- OS::TripleO::Services::Etcd
+ - OS::TripleO::Services::AuditD
- name: Compute
CountDefault: 1
@@ -139,6 +140,7 @@
- OS::TripleO::Services::OpenDaylightOvs
- OS::TripleO::Services::SensuClient
- OS::TripleO::Services::FluentdClient
+ - OS::TripleO::Services::AuditD
- name: BlockStorage
ServicesDefault:
@@ -153,6 +155,7 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::SensuClient
- OS::TripleO::Services::FluentdClient
+ - OS::TripleO::Services::AuditD
- name: ObjectStorage
disable_upgrade_deployment: True
@@ -169,6 +172,7 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::SensuClient
- OS::TripleO::Services::FluentdClient
+ - OS::TripleO::Services::AuditD
- name: CephStorage
disable_upgrade_deployment: True
@@ -184,3 +188,4 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::SensuClient
- OS::TripleO::Services::FluentdClient
+ - OS::TripleO::Services::AuditD