From 53f9b60e5861f2ae215a0182a9633291782575f0 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 13 Oct 2015 09:44:02 -0500
Subject: [PATCH] V-51391: Initialize AIDE
Closes-bug: 1505793
Implements: blueprint security-hardening
Change-Id: Ia15368c0af184054c5be60c893c751e449b8770a
---
 defaults/main.yml | 10 ++++++++++
 doc/source/developer-notes/V-51391.rst | 10 ++++++++++
 handlers/main.yml | 5 +++++
 tasks/misc.yml | 12 +++++++++++-
 templates/ZZ_aide_exclusions.j2 | 7 +++++++
 5 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 doc/source/developer-notes/V-51391.rst
 create mode 100644 templates/ZZ_aide_exclusions.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index d4f133bf..8d9462ca 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -228,3 +228,13 @@ install_fail2ban: no # V-38501
 # The STIG requires bans to last 15 minutes. Adjust the following variable
 # to set the time an IP is banned by fail2ban (in seconds).
 fail2ban_bantime: 900 # V-38501
+
+## AIDE
+# The default Ubuntu configuration for AIDE will cause it to wander into some
+# terrible places on the system, such as /var/lib/lxc and images in /opt.
+# The following three default exclusions are highly recommended for AIDE to
+# work properly, but additional exclusions can be added to this list if needed.
+aide_exclude_dirs:
+ - /var/lib/lxc
+ - /openstack
+ - /opt
diff --git a/doc/source/developer-notes/V-51391.rst b/doc/source/developer-notes/V-51391.rst
new file mode 100644
index 00000000..b032c8e2
--- /dev/null
+++ b/doc/source/developer-notes/V-51391.rst
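Review bot: The new `aide_exclude_dirs` default takes all of `/opt` and `/openstack` out of integrity monitoring, but the comment above it only explains the performance motive, so a reader does not see the coverage trade-off. Anything an operator later installs under those trees (binaries, service code, configuration) is invisible to AIDE, which is the control the rest of this role is setting up. I would add one line to the comment, e.g. `# Note: files under these paths are not monitored at all; narrow /opt to the image directories if it holds other software.` Whether `/opt` can be narrowed in a given deployment is not something the diff shows.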
@@ -0,0 +1,10 @@
+When AIDE is first installed for V-38429, a new database will be created.
+The creation process takes some time because AIDE needs to review each file
+in its list of monitored files to get timestamps and hashes. The
+initialization will be forked into the background so that it doesn't slow
+down the playbook run.
+
+Some directories are excluded from AIDE runs to prevent AIDE from wandering
+into directories where it shouldn't be hashing/monitoring files. The
+``defaults/main.yml`` file has some recommended directories as part of the
+``aide_exclude_dirs`` variable.
diff --git a/handlers/main.yml b/handlers/main.yml
index e6e0f0b8..636d2385 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -53,5 +53,10 @@
 - name: generate auditd rules
 command: augenrules --load
+# This will take a while to complete the first run, so we will fork it into
+# the background so it doesn't hold up the whole playbook.
+- name: initialize AIDE
+ shell: "aideinit -b"
+
 - name: rehash aliases
 command: newaliases
diff --git a/tasks/misc.yml b/tasks/misc.yml
index 62eb04f4..a4593ffb 100644
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-- name: V-38429 - Install AIDE
+- name: V-38489 - Install AIDE
 apt:
 name: aide
 state: present
@@ -21,6 +21,16 @@
 - cat2
 - V-38489
+- name: V-38489 - Exclude certain directories from AIDE and initialize DB
+ template:
+ src: ZZ_aide_exclusions.j2
+ dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
+ notify:
+ - initialize AIDE
+ tags:
+ - cat2
+ - V-38489
+
 - name: Check for AIDE cron job (for V-38670)
 stat:
 path: /etc/cron.daily/aide
diff --git a/templates/ZZ_aide_exclusions.j2 b/templates/ZZ_aide_exclusions.j2
new file mode 100644
index 00000000..d41f8432
--- /dev/null
+++ b/templates/ZZ_aide_exclusions.j2
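Review bot: The `initialize AIDE` handler runs `aideinit -b` on every notification, which rebuilds the baseline database from whatever is on disk at that moment each time the exclusion template changes, so any modification that happened before that run is accepted into the new baseline and never reported. Consider guarding the re-initialisation (for example only notifying when a `stat` shows no database exists yet, or keeping the previous database so a comparison is still possible); whether `aideinit` itself preserves the old copy is not visible in the hunk. As a smaller point, the command uses no shell features, so `command: aideinit -b` would match the neighbouring `command:` handlers and avoid spawning a shell. Since `-b` backgrounds the work, the handler reports success before the database exists, which the comment above it should state explicitly.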
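Review bot: The new template task carries only the `cat2` and `V-38489` tags, while this change is tracked as V-51391 (commit subject and the new `doc/source/developer-notes/V-51391.rst`), so a run restricted with `--tags V-51391` skips the only task that initialises the database; I would add `- V-51391` to its `tags` and consider naming it `V-51391 - ...`. The `template:` call also sets no `owner`, `group` or `mode` for `/etc/aide/aide.conf.d/ZZ_aide_exclusions`, leaving the permissions of an AIDE configuration fragment to the default umask; being explicit with `owner: root`, `group: root` and `mode: "0644"` keeps it root-owned and not world-writable on every run. The first hunk renames the install task to V-38489 to match its tags, but the new developer note still says AIDE is installed "for V-38429", which should be updated in the same change.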
@@ -0,0 +1,7 @@
+# This file was deployed by openstack-ansible-security.
+# These excluded paths prevent AIDE from wandering into directories where it
+# shouldn't be hashing/monitoring files.
+
+{% for dir in aide_exclude_dirs %}
+!{{ dir }}
+{% endfor %}
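Review bot: The generated `!{{ dir }}` lines are AIDE selection regexes that are anchored only at the start, so if I read the aide.conf(5) rules correctly `!/opt` also excludes any sibling path that merely begins with `/opt` (for example `/optional`), and the same applies to `/openstack`. Emitting an anchored pair per entry, `!{{ dir }}$` and `!{{ dir }}/`, limits the exclusion to the directory itself and its contents; whether AIDE still skips descending into the directory with that form is worth confirming against the version in use. A value containing regex metacharacters is likewise interpreted as a pattern rather than a literal path, which the header comment could mention so operators adding entries to `aide_exclude_dirs` know to escape them.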