Add AIDE checks for ACL/xattrs [+Docs]

CentOS/RHEL have strict AIDE configs, but Ubuntu's configuration needs
extra configuration. This patch adds lines to the end of Ubuntu's AIDE
confgiuration to meet the requirements of RHEL-07-021600,
RHEL-07-021610, and RHEL-07-021620.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I107fa931f80d6871195027be0ed8db4105e2ddf4

doc/metadata/rhel7/RHEL-07-021600.rst

@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-021600
-status: not implemented
-tag: misc
+status: implemented
+tag: aide
 ---
 
-This STIG requirement is not yet implemented.
+CentOS 7 and Red Hat Enterprise Linux 7 already deploy a very secure AIDE
+configuration that checks access control lists (ACLs) and extended attributes
+by default. No configuration changes are applied on these systems.
+
+However, Ubuntu lacks the rules that include ACL and extended attribute checks.
+The tasks in the security role will add a small configuration block at the end
+of the AIDE configuration file to meet the requirements of this STIG, as well
+as RHEL-07-021610.

doc/metadata/rhel7/RHEL-07-021610.rst

@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-021610
-status: not implemented
-tag: misc
+status: implemented
+tag: aide
 ---
 
-This STIG requirement is not yet implemented.
+CentOS 7 and Red Hat Enterprise Linux 7 already deploy a very secure AIDE
+configuration that checks access control lists (ACLs) and extended attributes
+by default. No configuration changes are applied on these systems.
+
+However, Ubuntu lacks the rules that include ACL and extended attribute checks.
+The tasks in the security role will add a small configuration block at the end
+of the AIDE configuration file to meet the requirements of this STIG, as well
+as RHEL-07-021600.

doc/metadata/rhel7/RHEL-07-021620.rst

@@ -1,7 +1,12 @@
 ---
 id: RHEL-07-021620
-status: not implemented
-tag: misc
+status: implemented
+tag: aide
 ---
 
-This STIG requirement is not yet implemented.
+The default AIDE configuration in CentOS 7 and Red Hat Enterprise Linux 7
+already uses SHA512 to validate file contents and directories. No changes are
+required on these systems.
+
+The tasks in the security role add a rule to end of the AIDE configuration on
+Ubuntu systems that uses SHA512 for validation.

files/aide_extra.conf

@@ -0,0 +1,14 @@
+# Rules borrowed from CentOS/RHEL AIDE configuration
+# (SELinux was removed for Ubuntu compatibility.)
+FIPSR = p+i+n+u+g+s+m+c+acl+xattrs+sha256
+NORMAL = FIPSR+sha512
+
+# The following two lines apply the NORMAL rule (above this line) to the
+# /bin and /sbin directories to meet the requirements of two STIG controls:
+#
+#   RHEL-07-021600 - Verify ACLs
+#   RHEL-07-021610 - Verify extended attributes
+#
+/bin    NORMAL
+/sbin   NORMAL
+

tasks/rhel7stig/aide.yml

@@ -82,3 +82,21 @@
     - medium
     - aide
     - RHEL-07-020140
+
+# NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration
+# that meets the requirements of RHEL-07-021600 and RHEL-07-021610. That config
+# is borrowed for Ubuntu 16.04 here.
+- name: Configure AIDE to verify additional properties
+  blockinfile:
+    dest: "{{ aide_conf }}"
+    insertbefore: EOF
+    marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
+    block: "{{ lookup('file', 'aide_extra.conf') }}"
+  when:
+    - ansible_os_family | lower == 'ubuntu'
+  tags:
+    - low
+    - aide
+    - RHEL-07-021600
+    - RHEL-07-021610
+    - RHEL-07-021620