V-51391: Initialize AIDE

Closes-bug: 1505793 Implements: blueprint security-hardening Change-Id: Ia15368c0af184054c5be60c893c751e449b8770a
2015-10-13 09:44:02 -05:00 · 2015-10-13 09:44:02 -05:00 · 53f9b60e58
parent 4506933796
commit 53f9b60e58
5 changed files with 43 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -228,3 +228,13 @@ install_fail2ban: no                               # V-38501
 # The STIG requires bans to last 15 minutes. Adjust the following variable
 # to set the time an IP is banned by fail2ban (in seconds).
 fail2ban_bantime: 900                              # V-38501
+
+## AIDE
+# The default Ubuntu configuration for AIDE will cause it to wander into some
+# terrible places on the system, such as /var/lib/lxc and images in /opt.
+# The following three default exclusions are highly recommended for AIDE to
+# work properly, but additional exclusions can be added to this list if needed.
+aide_exclude_dirs:
+  - /var/lib/lxc
+  - /openstack
+  - /opt
--- a/doc/source/developer-notes/V-51391.rst
+++ b/doc/source/developer-notes/V-51391.rst
@ -0,0 +1,10 @@
+When AIDE is first installed for V-38429, a new database will be created.
+The creation process takes some time because AIDE needs to review each file
+in its list of monitored files to get timestamps and hashes. The
+initialization will be forked into the background so that it doesn't slow
+down the playbook run.
+
+Some directories are excluded from AIDE runs to prevent AIDE from wandering
+into directories where it shouldn't be hashing/monitoring files. The
+``defaults/main.yml`` file has some recommended directories as part of the
+``aide_exclude_dirs`` variable.
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -53,5 +53,10 @@
 - name: generate auditd rules
  command: augenrules --load

+# This will take a while to complete the first run, so we will fork it into
+# the background so it doesn't hold up the whole playbook.
+- name: initialize AIDE
+  shell: "aideinit -b"
+
 - name: rehash aliases
  command: newaliases
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- name: V-38429 - Install AIDE
+- name: V-38489 - Install AIDE
  apt:
    name: aide
    state: present
@ -21,6 +21,16 @@
    - cat2
    - V-38489

+- name: V-38489 - Exclude certain directories from AIDE and initialize DB
+  template:
+    src: ZZ_aide_exclusions.j2
+    dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
+  notify:
+    - initialize AIDE
+  tags:
+    - cat2
+    - V-38489
+
 - name: Check for AIDE cron job (for V-38670)
  stat:
    path: /etc/cron.daily/aide
--- a/templates/ZZ_aide_exclusions.j2
+++ b/templates/ZZ_aide_exclusions.j2
@ -0,0 +1,7 @@
+# This file was deployed by openstack-ansible-security.
+# These excluded paths prevent AIDE from wandering into directories where it
+# shouldn't be hashing/monitoring files.
+
+{% for dir in aide_exclude_dirs %}
+!{{ dir }}
+{% endfor %}