From 1de3e672b46a931c9907a927e7b3b71ed8c66b84 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Thu, 8 Oct 2015 16:32:54 -0500
Subject: [PATCH] V-38637, V-3866{3,4,5}: Verify auditd pkg contents
Implements: blueprint security-hardening
Change-Id: I1e2cbebae26967c758db0e4f6c815e986fa43438
---
 doc/source/developer-notes/V-38637.rst | 6 +++++
 doc/source/developer-notes/V-38663.rst | 1 +
 doc/source/developer-notes/V-38664.rst | 1 +
 doc/source/developer-notes/V-38665.rst | 1 +
 tasks/auditd.yml | 31 ++++++++++++++++++++++++++
 5 files changed, 40 insertions(+)
 create mode 100644 doc/source/developer-notes/V-38637.rst
 create mode 120000 doc/source/developer-notes/V-38663.rst
 create mode 120000 doc/source/developer-notes/V-38664.rst
 create mode 120000 doc/source/developer-notes/V-38665.rst
diff --git a/doc/source/developer-notes/V-38637.rst b/doc/source/developer-notes/V-38637.rst
new file mode 100644
index 00000000..0de32fb0
--- /dev/null
+++ b/doc/source/developer-notes/V-38637.rst
@@ -0,0 +1,6 @@
+The auditd package is verified with ``debsums`` and the playbook will fail
+immediately if any of the files from the auditd package have been altered.
+This could be the sign of a system compromise.
+
+If the ``debsums`` package isn't installed, the Ansible task will install it
+during the playbook run.
diff --git a/doc/source/developer-notes/V-38663.rst b/doc/source/developer-notes/V-38663.rst
new file mode 120000
index 00000000..9829a15b
--- /dev/null
+++ b/doc/source/developer-notes/V-38663.rst
@@ -0,0 +1 @@
+V-38453.rst
\ No newline at end of file
diff --git a/doc/source/developer-notes/V-38664.rst b/doc/source/developer-notes/V-38664.rst
new file mode 120000
index 00000000..9829a15b
--- /dev/null
+++ b/doc/source/developer-notes/V-38664.rst
@@ -0,0 +1 @@
+V-38453.rst
\ No newline at end of file
diff --git a/doc/source/developer-notes/V-38665.rst b/doc/source/developer-notes/V-38665.rst
new file mode 120000
index 00000000..9829a15b
--- /dev/null
+++ b/doc/source/developer-notes/V-38665.rst
@@ -0,0 +1 @@
+V-38453.rst
\ No newline at end of file
diff --git a/tasks/auditd.yml b/tasks/auditd.yml
index c1fe2859..2ef1cc42 100644
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@@ -72,6 +72,37 @@
 - cat2
 - V-38636
+- name: Ensure debsums package is installed (for V-38637)
+ apt:
+ name: debsums
+ state: present
+ tags:
+ - auditd
+ - cat2
+ - V-38637
+
+# The debsums command returns 0 if the files haven't been altered but it
+# returns 2 otherwise. We also will check to see if auditd has been installed
+# and fail if it's not installed.
+- name: Checking auditd package contents for alterations with debsums (for V-38637)
+ shell: debsums auditd -c
+ register: v38637_result
+ changed_when: False
+ failed_when: "'not installed' in v38637_result.stdout"
+ tags:
+ - auditd
+ - cat2
+ - V-38637
+
+- name: V-38637 - Contents of auditd package must be verified
+ fail:
+ msg: "FAILED: Could not verify that files from auditd package are unaltered"
+ when: v38637_result.rc == 2
+ tags:
+ - auditd
+ - cat2
+ - V-38637
+
 - name: V-38445 - Audit log files must be group-owned by root
 file:
 dest: /var/log/audit/
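Review bot: The exit-status handling in the "Checking auditd package contents" task lets any debsums result other than rc 2 pass as verified: `failed_when` replaces Ansible's default non-zero-rc failure, and the follow-up `fail` task fires only on `v38637_result.rc == 2`, so an rc of 1 or any other error code (a missing or unreadable md5sums list, for instance) falls through both checks and the playbook continues as if the package were clean. Changing the last task to `when: v38637_result.rc != 0` closes that gap while keeping the rc-2 case covered. The not-installed check only inspects stdout; if debsums writes its "not installed" diagnostic to stderr, as I believe it does, the condition never matches, so `failed_when: "'not installed' in v38637_result.stdout or 'not installed' in v38637_result.stderr"` would be more robust. Since the invocation uses no shell features, `command: debsums auditd -c` would avoid the shell entirely. The developer note for V-38637 could also state that the comparison is against the md5sums list dpkg stores locally, so it detects file alteration but is not itself tamper-proof on an already-compromised host.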