Implements AIDE Intrusion Detection System

Introduces a service to configure AIDE Intrusion Detection.

This service initializes the database and copies the new database
to the active name. It also sets a cron job, which emails the report if
`AideEmail` is populated; otherwise the reports are written to
`/var/log/aide/`.

AIDE rules can be supplied as a hash, and should the rules ever
be changed, the service will populate the new rules and re-init
a fresh integrity database.

Related-Blueprint: tripleo-aide-database
Depends-On: Iac2ceb7fc6b610f8920ae6f75faa2885f3edf6eb
Change-Id: I23d8ba2c43e907372fe079026df1fca5fa1c9881
lhinds 2017-07-12 17:27:47 +01:00
parent 39c6233306
commit 7e68dbdf8c
30 changed files with 144 additions and 1 deletions


@ -464,7 +464,6 @@ topics:
requires:
- overcloud-resource-registry-puppet.yaml
- title: Security
description: Security Hardening Options
environment_groups:
@ -543,6 +542,11 @@ topics:
environments:
- file: environments/login-defs.yaml
title: login.defs Values
- title: Advanced Intrusion Detection Environment
description: Enable AIDE - Advanced Intrusion Detection Environment
environments:
- file: environments/aide.yaml
title: AIDE Values
- title: Additional Services
description:
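Review bot: The new "Advanced Intrusion Detection Environment" entry points at `environments/aide.yaml`, but that file does not appear among the 30 files listed on this page, and the resource registry hunk maps `OS::TripleO::Services::Aide` to `OS::Heat::None`, so the map would advertise an environment that cannot be loaded and the service could never be switched on from this commit alone. If the environment file is delivered by another change, the commit message should name it; otherwise a file mapping `OS::TripleO::Services::Aide: ../puppet/services/aide.yaml` belongs here. The enclosing `topics` list continues outside both hunks, and the one removed line of the first hunk is not distinguishable on this rendering.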


@ -14,6 +14,7 @@ resource_registry:
parameter_defaults:
ComputeServices:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CertmongerUser
- OS::TripleO::Services::CephClient


@ -113,6 +113,7 @@ resource_registry:
# services
OS::TripleO::Services: common/services.yaml
OS::TripleO::Services::Aide: OS::Heat::None
OS::TripleO::Services::Apache: puppet/services/apache.yaml
OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml
OS::TripleO::Services::CephMds: OS::Heat::None

puppet/services/aide.yaml Normal file

@ -0,0 +1,96 @@
heat_template_version: queens
description: >
Aide service configured with Puppet
parameters:
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
AideConfPath:
description: Aide configuration file
type: string
default: '/etc/aide.conf'
AideDBPath:
description: Aide integrity database location
type: string
default: '/var/lib/aide/aide.db'
AideDBTempPath:
description: Aide integrity database temp location
type: string
default: '/var/lib/aide/aide.db.new'
AideHour:
description: Hour value for Cron Job
type: number
default: 11
AideCronUser:
description: User which creates and runs the cron job for aide
type: string
default: 'root'
AideMinute:
description: Minute value for Cron Job
type: number
default: 30
AideEmail:
description: Email address to send reports on Cron Job
type: string
default: ''
AideMuaPath:
description: Full POSIX path to mail binary
type: string
default: '/bin/mail'
AideRules:
description: A hash of Aide rules
type: json
default: {}
outputs:
role_data:
description: Role data for the aide service
value:
service_name: aide
config_settings:
tripleo::profile::base::aide::aide_rules: {get_param: AideRules}
tripleo::profile::base::aide::aide_conf_path: {get_param: AideConfPath}
tripleo::profile::base::aide::aide_db_path: {get_param: AideDBPath}
tripleo::profile::base::aide::aide_db_temp_path: {get_param: AideDBTempPath}
tripleo::profile::base::aide::cron::aide_cron_user: {get_param: AideCronUser}
tripleo::profile::base::aide::cron::aide_hour: {get_param: AideHour}
tripleo::profile::base::aide::cron::aide_minute: {get_param: AideMinute}
tripleo::profile::base::aide::cron::aide_email: {get_param: AideEmail}
tripleo::profile::base::aide::cron::aide_mua_path: {get_param: AideMuaPath}
step_config: |
include ::tripleo::profile::base::aide
upgrade_tasks:
- name: Ensure Aide is installed
tags: step4
yum: name=aide state=latest
- name: re-init database
tags: step5
shell: aide --init --config $(hiera tripleo::profile::base::aide::aide_conf_path)
- name: cp-new-aide-db
tags: step5
shell: /bin/cp -f $(hiera tripleo::profile::base::aide::aide_db_temp_path) $(hiera tripleo::profile::base::aide::aide_db_path)
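Review bot: The step5 upgrade tasks `re-init database` and `cp-new-aide-db` rebuild the integrity baseline and overwrite the active database with `cp -f` without first checking the host against the existing one, so any filesystem change made before the upgrade is adopted into the new baseline and the previous baseline is discarded. If re-initialising on every upgrade is intended (the commit message only describes re-init when the rules change), a preceding task running `aide --check --config "$(hiera tripleo::profile::base::aide::aide_conf_path)"` whose output is kept, plus a copy of the old database taken before the overwrite, would let operators see what changed between baselines. Independently of that, the `$(hiera …)` substitutions in both `shell` lines are unquoted; wrap each as `"$(hiera tripleo::profile::base::aide::aide_db_path)"` so a path containing whitespace is not word-split. `yum: name=aide state=latest` will also upgrade the package on every run, which may be deliberate for an upgrade task but deserves a one-line comment saying so.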


@ -0,0 +1,12 @@
---
features:
- |
Introduces a puppet service to configure AIDE Intrusion
Detection. This service init's the database and copies the
new database to the active naming. It also sets a cron job,
when parameter `AideEmail` is populated, otherwise reports
are sent to /var/log/aide/.
AIDE rules can be supplied as a hash, and should the rules ever
be changed, the service will populate the new rules and re-init
a fresh integrity database.


@ -9,6 +9,7 @@
- Storage
- StorageMgmt
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::BlockStorageCinderVolume
- OS::TripleO::Services::CACerts


@ -9,6 +9,7 @@
- StorageMgmt
HostnameFormatDefault: '%stackname%-ceph-all-%index%'
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CephClient


@ -9,6 +9,7 @@
- StorageMgmt
HostnameFormatDefault: '%stackname%-ceph-file-%index%'
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CephClient


@ -9,6 +9,7 @@
- StorageMgmt
HostnameFormatDefault: '%stackname%-ceph-object-%index%'
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CephClient


@ -8,6 +8,7 @@
- Storage
- StorageMgmt
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CephOSD


@ -21,6 +21,7 @@
deprecated_server_resource_name: 'NovaCompute'
disable_upgrade_deployment: True
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CephClient


@ -11,6 +11,7 @@
- StorageMgmt
disable_upgrade_deployment: True
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CephClient


@ -12,6 +12,7 @@
HostnameFormatDefault: '%stackname%-computeovsdpdk-%index%'
disable_upgrade_deployment: True
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CephClient


@ -12,6 +12,7 @@
HostnameFormatDefault: '%stackname%-computesriov-%index%'
disable_upgrade_deployment: True
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CephClient


@ -23,6 +23,7 @@
deprecated_param_flavor: 'OvercloudControlFlavor'
deprecated_param_image: 'controllerImage'
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AodhApi
- OS::TripleO::Services::AodhEvaluator
- OS::TripleO::Services::AodhListener


@ -23,6 +23,7 @@
deprecated_param_flavor: 'OvercloudControlFlavor'
deprecated_param_image: 'controllerImage'
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AodhApi
- OS::TripleO::Services::AodhEvaluator
- OS::TripleO::Services::AodhListener


@ -17,6 +17,7 @@
- Tenant
HostnameFormatDefault: '%stackname%-controller-%index%'
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AodhApi
- OS::TripleO::Services::AodhEvaluator
- OS::TripleO::Services::AodhListener


@ -8,6 +8,7 @@
- InternalApi
HostnameFormatDefault: '%stackname%-database-%index%'
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CertmongerUser


@ -12,6 +12,7 @@
disable_upgrade_deployment: True
HostnameFormatDefault: '%stackname%-hci-ceph-all-%index%'
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CephClient


@ -12,6 +12,7 @@
disable_upgrade_deployment: True
HostnameFormatDefault: '%stackname%-hci-ceph-file-%index%'
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CephClient


@ -12,6 +12,7 @@
disable_upgrade_deployment: True
HostnameFormatDefault: '%stackname%-hci-ceph-mon-%index%'
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CephClient


@ -12,6 +12,7 @@
disable_upgrade_deployment: True
HostnameFormatDefault: '%stackname%-hci-ceph-object-%index%'
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CephClient


@ -6,6 +6,7 @@
Ironic Conductor node role
HostnameFormatDefault: '%stackname%-ironic-%index%'
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CertmongerUser


@ -8,6 +8,7 @@
- InternalApi
HostnameFormatDefault: '%stackname%-messaging-%index%'
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CertmongerUser


@ -9,6 +9,7 @@
- Tenant
HostnameFormatDefault: '%stackname%-networker-%index%'
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CertmongerUser


@ -17,6 +17,7 @@
deprecated_param_flavor: 'OvercloudSwiftStorageFlavor'
disable_upgrade_deployment: True
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CertmongerUser


@ -8,6 +8,7 @@
- InternalApi
HostnameFormatDefault: '%stackname%-telemetry-%index%'
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AodhApi
- OS::TripleO::Services::AodhEvaluator
- OS::TripleO::Services::AodhListener


@ -11,6 +11,7 @@
- primary
- controller
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::Apache
- OS::TripleO::Services::Docker
- OS::TripleO::Services::DockerRegistry


@ -26,6 +26,7 @@
deprecated_param_flavor: 'OvercloudControlFlavor'
deprecated_param_image: 'controllerImage'
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AodhApi
- OS::TripleO::Services::AodhEvaluator
- OS::TripleO::Services::AodhListener
@ -178,6 +179,7 @@
deprecated_server_resource_name: 'NovaCompute'
disable_upgrade_deployment: True
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CephClient
@ -230,6 +232,7 @@
- Storage
- StorageMgmt
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::BlockStorageCinderVolume
- OS::TripleO::Services::CACerts
@ -274,6 +277,7 @@
deprecated_param_flavor: 'OvercloudSwiftStorageFlavor'
disable_upgrade_deployment: True
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CertmongerUser
@ -308,6 +312,7 @@
- Storage
- StorageMgmt
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CephOSD


@ -14,6 +14,7 @@
- primary
- controller
ServicesDefault:
- OS::TripleO::Services::Aide
- OS::TripleO::Services::Apache
- OS::TripleO::Services::Docker
- OS::TripleO::Services::DockerRegistry