Adding V-38438 (auditd during boot)

This patch adds a task and handlers for enabling the audit daemon during the boot sequence to comply with V-38438. Deployers have the option to opt-out of the entire change, or they can apply the change without updating the active grub.cfg file. Change-Id: Ia8702b8439a5993516397363b21356f1216be403
2016-08-23 10:21:46 -05:00 · 2016-08-23 10:21:46 -05:00 · 2aca8287dc
commit 2aca8287dc
parent e58ae245ad
7 changed files with 85 additions and 8 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -49,6 +49,16 @@ security_aide_exclude_dirs:
 security_initialize_aide: false

 ## Audit daemon
+# V-38438 requires that auditd is enabled at boot time with a parameter in the
+# GRUB configuration.
+#
+# If 'security_enable_audit_during_boot' is set to 'yes', then the 'audit=1'
+# parameter will be added in /etc/default/grub.d/.
+# If 'security_enable_grub_update is set to 'yes', the grub.cfg will be
+# updated automatically.
+security_enable_audit_during_boot: yes            # V-38438
+security_enable_grub_update: yes                  # V-38438
+
 # The following booleans control the rule sets added to auditd's default
 # set of auditing rules.  To see which rules will be added for each boolean,
 # refer to the templates/osas-auditd.j2 file.
--- a/doc/source/stig-notes/V-38438_developer.rst
+++ b/doc/source/stig-notes/V-38438_developer.rst
@ -1,8 +1,18 @@
-**Exception**
+The role will add ``audit=1`` to the ``GRUB_CMDLINE_LINUX_DEFAULT`` variable
+in the GRUB configuration within ``/etc/default/grub.d/`` and it will also
+update the active ``grub.cfg`` so that the change takes effect on the next
+boot.

-Adjusting the bootloader configuration can cause issues with reboots and this
-work is left up to the deployer.  Enabling auditing at boot time is helpful,
-but the risk may not be worth the change in most environments.
+To opt-out of the change, set the following variable:

-The ``auditd`` process starts very early during the boot process to catch
-events already, and this should be sufficient for most environments.
+.. code-block:: yaml
+
+   security_enable_audit_during_boot: no
+
+Deployers may opt-in for the change without automatically updating the active
+``grub.cfg`` file by setting the following Ansible variables:
+
+.. code-block:: yaml
+
+   security_enable_audit_during_boot: yes
+   security_enable_grub_update: no
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -61,3 +61,17 @@

 - name: rehash aliases
  command: newaliases
+
+- name: update grub config
+  command: "{{ grub_update_cmd }}"
+  when:
+    - security_enable_grub_update | bool
+  notify:
+    - set bootloader file permissions after updating grub config
+
+# NOTE(mhayden): Running `update-grub` causes the bootloader permissions to
+# change, which breaks V-38583.
+- name: set bootloader file permissions after updating grub config
+  file:
+    path: "{{ grub_conf_file }}"
+    mode: 0644
--- a/releasenotes/notes/add-v38438-3f7e905892be4b4f.yaml
+++ b/releasenotes/notes/add-v38438-3f7e905892be4b4f.yaml
@ -0,0 +1,21 @@
+---
+features:
+  - |
+    The role now enables auditing during early boot to comply with the
+    requirements in V-38438. By default, the GRUB configuration variables in
+    ``/etc/default/grub.d/`` will be updated and the active ``grub.cfg`` will
+    be updated.
+
+    Deployers can opt-out of the change entirely by setting a variable:
+
+    .. code-block:: yaml
+
+       security_enable_audit_during_boot: no
+
+    Deployers may opt-in for the change without automatically updating the
+    active ``grub.cfg`` file by setting the following Ansible variables:
+
+    .. code-block:: yaml
+
+       security_enable_audit_during_boot: yes
+       security_enable_grub_update: no
--- a/tasks/boot.yml
+++ b/tasks/boot.yml
@ -19,6 +19,20 @@
  register: grub_cfg
  always_run: True

+- name: V-38438 - Auditing must be enabled at boot by setting a kernel parameter
+  lineinfile:
+    dest: /etc/default/grub.d/99-enable-auditd.cfg
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT audit=1"'
+    create: yes
+  notify:
+    - update grub config
+  tags:
+    - boot
+    - cat1
+    - V-38438
+  when:
+    - security_enable_audit_during_boot | bool
+
 - name: V-38579 - Bootloader configuration files must be owned by root
  file:
    path: "{{ grub_conf_file }}"
@ -27,7 +41,8 @@
    - boot
    - cat2
    - V-38579
-  when: grub_cfg.stat.exists
+  when:
+    - grub_cfg.stat.exists

 - name: V-38581 - Bootloader configuration files must be group-owned by root
  file:
@ -37,7 +52,8 @@
    - boot
    - cat2
    - V-38581
-  when: grub_cfg.stat.exists
+  when:
+    - grub_cfg.stat.exists

 - name: V-38583 - Bootloader configuration files must have mode 0644 or less
  file:
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@ -33,3 +33,6 @@ ypserv_pkg: ypserv
 cron_service: crond
 ssh_service: sshd
 chrony_service: chronyd
+
+# Commands
+grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@ -36,3 +36,6 @@ ypserv_pkg: nis
 cron_service: cron
 ssh_service: ssh
 chrony_service: chrony
+
+# Commands
+grub_update_cmd: "update-grub"