V-38637, V-3866{3,4,5}: Verify auditd pkg contents

Implements: blueprint security-hardening

Change-Id: I1e2cbebae26967c758db0e4f6c815e986fa43438

doc/source/developer-notes/V-38637.rst

@@ -0,0 +1,6 @@
+The auditd package is verified with ``debsums`` and the playbook will fail
+immediately if any of the files from the auditd package have been altered.
+This could be the sign of a system compromise.
+
+If the ``debsums`` package isn't installed, the Ansible task will install it
+during the playbook run.

doc/source/developer-notes/V-38663.rst

@@ -0,0 +1 @@
+V-38453.rst

doc/source/developer-notes/V-38664.rst

@@ -0,0 +1 @@
+V-38453.rst

doc/source/developer-notes/V-38665.rst

@@ -0,0 +1 @@
+V-38453.rst

tasks/auditd.yml

@@ -72,6 +72,37 @@
     - cat2
     - V-38636
 
+- name: Ensure debsums package is installed (for V-38637)
+  apt:
+    name: debsums
+    state: present
+  tags:
+    - auditd
+    - cat2
+    - V-38637
+
+# The debsums command returns 0 if the files haven't been altered but it
+# returns 2 otherwise. We also will check to see if auditd has been installed
+# and fail if it's not installed.
+- name: Checking auditd package contents for alterations with debsums (for V-38637)
+  shell: debsums auditd -c
+  register: v38637_result
+  changed_when: False
+  failed_when: "'not installed' in v38637_result.stdout"
+  tags:
+    - auditd
+    - cat2
+    - V-38637
+
+- name: V-38637 - Contents of auditd package must be verified
+  fail:
+    msg: "FAILED: Could not verify that files from auditd package are unaltered"
+  when: v38637_result.rc == 2
+  tags:
+    - auditd
+    - cat2
+    - V-38637
+
 - name: V-38445 - Audit log files must be group-owned by root
   file:
     dest: /var/log/audit/