Unblock security role gate

This patch addresses two issues that are blocking the security role
CI jobs from completing:

The OpenStack CI image is missing the default audit.rules file and this
causes augenrules to fail when it loads new rules. The first line in
the default rules file deletes existing rules and this must be in
place before loading new rulesets. The contents of the default file
are now in the template file, which is safer anyway. The default
file provided by the OS is removed.

The task that updates the apt cache in test.yml was running more than
once during the CI job run when the gate ran slowly. That's fine, but
it breaks the idempotence checks. A `changed_when` is added to the task
to ensure that the idempotence tests aren't affected by an apt cache
update.

Change-Id: I9c2b50389cc2e4fa81717dcceccf6da1d973d34c
Major Hayden 2017-01-03 12:19:46 -06:00
parent de5f161baf
commit 3942b20fb1
5 changed files with 37 additions and 4 deletions


@ -243,6 +243,15 @@
- cat2
- V-38498
- name: Remove system default audit.rules file
file:
path: /etc/audit/rules.d/audit.rules
state: absent
notify:
- generate auditd rules
tags:
- always
- name: Auditd rules (includes several STIGs)
template:
src: osas-auditd.j2
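Review bot: the reason this task exists (the distro file's leading `-D` is now carried by the template, so the package-provided copy is redundant) lives only in the commit message; add a one-line comment above `- name: Remove system default audit.rules file` so the next reader does not put the file back. The `notify: - generate auditd rules` is correct, since augenrules merges every file under /etc/audit/rules.d and deleting one changes the loaded set. Note also that this RHEL 6 task has no `when` guard while the RHEL 7 counterpart in this change does; `state: absent` is a no-op on a missing file, so either form is idempotent, but the two should match.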


@ -29,7 +29,6 @@
tags:
- always
- name: RHEL-07-030330 - The operating system must off-load audit records onto a different system or media from the system being audited
lineinfile:
dest: /etc/audisp/audisp-remote.conf
@ -67,6 +66,17 @@
tags:
- always
- name: Remove system default audit.rules file
file:
path: /etc/audit/rules.d/audit.rules
state: absent
when:
- auditd_conf.stat.exists
notify:
- generate auditd rules
tags:
- always
- name: Remove old RHEL 6 audit rules file
file:
path: /etc/audit/rules.d/osas-auditd.rules
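Review bot: the `when: - auditd_conf.stat.exists` guard on the removal task tests a stat registered as `auditd_conf`, i.e. whether auditd's own configuration exists, not whether /etc/audit/rules.d/audit.rules does. `file: state: absent` is already a no-op when its target is missing, so the guard adds nothing for idempotence; if its purpose is to skip hosts where auditd is not installed, say so in a comment, and use the same guard (or none) in the RHEL 6 task.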


@ -5,6 +5,16 @@
#
# http://docs.openstack.org/developer/openstack-ansible-security/
#
# Delete all existing auditd rules prior to loading this ruleset.
-D
# Increase the buffers to survive stress events.
-b 320
# Set the auditd failure flag.
-f {{ security_rhel7_audit_failure_flag }}
{# #}
{# The following loop takes a variable called audited_commands (a list of #}
{# dictionaries) and creates audit rules for each audited command or #}
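Review bot: with `-D` now the first directive, every rule augenrules has already concatenated from files that sort before this one in /etc/audit/rules.d is discarded, so the comment block should state that this template must be the first (ideally the only) rules file in that directory. Moving `-f {{ security_rhel7_audit_failure_flag }}` up next to `-b 320` is fine, but the buffer size stays a bare literal while the flag beside it is a variable; consider a variable for it as well.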
@ -85,6 +95,3 @@
-w /etc/shadow -p wa -k RHEL-07-030710
-w /etc/security/opasswd -p wa -k RHEL-07-030710
{% endif %}
# Set the auditd failure flag
-f {{ security_rhel7_audit_failure_flag }}


@ -1,5 +1,11 @@
# {{ ansible_managed }}
# Delete all existing auditd rules prior to loading this ruleset.
-D
# Increase the buffers to survive stress events.
-b 320
{% if security_audit_clock_settimeofday | bool %}
# RHEL 6 STIG V-38522
# Audits changes to system time via settimeofday
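Review bot: the `-D` / `-b 320` preamble is now duplicated verbatim between this RHEL 6 template and the RHEL 7 one; keep it in one place (a shared include or a single variable) so the delete-first behaviour and the buffer size cannot drift between the two.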


@ -21,6 +21,7 @@
update_cache: yes
cache_valid_time: "{{ cache_timeout }}"
when: ansible_pkg_mgr == 'apt'
changed_when: False
- name: Ensure OpenStack CI image has a logrotate cron job
file:
path: /etc/cron.daily/logrotate
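Review bot: `changed_when: False` fixes the idempotence check but hides every change this task reports, so a later change to `cache_timeout` that causes a cache refresh on every run would go unnoticed; add a comment on the task explaining that the change status is suppressed only so the CI idempotence test does not count apt cache refreshes.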