New validation for checking presence of running rsyslog service.
The necessity of proper logging is described in depth by NIST SP 800-171 as well as by the Red Hat OpenStack Security and Hardening Guide. The new validation group `security` consists only of the check-rsyslog and check-selinux-mode validations at this time. Further security-related validations should be included in this group, in addition to other groups as needed. Signed-off-by: Jiri Podivin <jpodivin@redhat.com> Change-Id: I53f31f6fd30a15698328cada54c96d7d902e0155
This commit is contained in:
parent
88d2345051
commit
9b2bddbab8
12
.zuul.yaml
12
.zuul.yaml
@ -118,6 +118,7 @@
|
||||
- validations-common-centos-8-molecule-check_selinux_mode
|
||||
- validations-common-centos-8-molecule-validate_selinux
|
||||
- validations-common-centos-8-molecule-xfs_check_ftype
|
||||
- validations-common-centos-8-molecule-check_rsyslog
|
||||
gate:
|
||||
jobs:
|
||||
- validations-common-centos-8-molecule-check_latest_packages_version
|
||||
@ -253,3 +254,14 @@
|
||||
parent: validations-common-centos-8-base
|
||||
vars:
|
||||
validations_common_role_name: validate_selinux
|
||||
- job:
|
||||
files:
|
||||
- ^validations_common/roles/check_rsyslog/.*
|
||||
- ^tests/prepare-test-host.yml
|
||||
- ^playbooks/molecule/pre.yml
|
||||
- ^playbooks/molecule/run.yml
|
||||
- ^molecule-requirements.txt
|
||||
name: validations-common-centos-8-molecule-check_rsyslog
|
||||
parent: validations-common-centos-8-base
|
||||
vars:
|
||||
validations_common_role_name: check_rsyslog
|
||||
|
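Review bot: The new `validations-common-centos-8-molecule-check_rsyslog` job is only added to the check pipeline (the line following `xfs_check_ftype` in the first hunk); the `gate:` job list that begins at the end of that hunk continues outside it and is not touched by this commit, so unless it is populated elsewhere a change to the role can merge without the molecule scenario passing in gate. If the other molecule jobs are listed under both pipelines, the same line should be appended to the gate list as well. The job's `files:` matchers cover the role directory, the shared molecule playbooks and `molecule-requirements.txt` but not `validations_common/playbooks/check-rsyslog.yaml`; that mirrors the preceding `validate_selinux` job, so it is presumably intentional.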
28
validations_common/playbooks/check-rsyslog.yaml
Normal file
28
validations_common/playbooks/check-rsyslog.yaml
Normal file
@ -0,0 +1,28 @@
|
||||
---
|
||||
- hosts: all
|
||||
gather_facts: false
|
||||
vars:
|
||||
metadata:
|
||||
name: Ensure presence of rsyslog package and running daemon.
|
||||
description: >
|
||||
Detects package presence and running service on the target host
|
||||
and fails if it doesn't find it. Presence of running logging service
|
||||
is one of the recommended requirements in NIST SP 800-171
|
||||
https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
|
||||
as well as other standards.
|
||||
groups:
|
||||
- prep
|
||||
- pre-deployment
|
||||
- pre-upgrade
|
||||
- post-deployment
|
||||
- post-upgrade
|
||||
categories:
|
||||
- system
|
||||
- core
|
||||
- os
|
||||
- audit
|
||||
- security
|
||||
products:
|
||||
- common
|
||||
roles:
|
||||
- check_rsyslog
|
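Review bot: The commit message introduces `security` as a new validation *group*, but in this playbook's metadata `security` appears under `categories:` while `groups:` holds only the lifecycle groups (prep, pre-deployment, pre-upgrade, post-deployment, post-upgrade); if the validation CLI selects by group, either the metadata or the commit message should change so that they agree. The `description:` uses `>`, which keeps a trailing newline on the folded paragraph; `>-` matches the intent of a single block of prose. The `name:` value ends with a period, unlike a title; minor.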
@ -0,0 +1 @@
|
||||
---
|
@ -0,0 +1,54 @@
|
||||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Converge
|
||||
hosts: all
|
||||
gather_facts: false
|
||||
|
||||
tasks:
|
||||
- block:
|
||||
- include_role:
|
||||
name: check_rsyslog
|
||||
tasks_from: yum.yaml
|
||||
rescue:
|
||||
- debug:
|
||||
msg: "Lack of rsyslog package detected!"
|
||||
- name: Install rsyslog package
|
||||
yum:
|
||||
name: rsyslog
|
||||
- block:
|
||||
- include_role:
|
||||
name: check_rsyslog
|
||||
tasks_from: yum.yaml
|
||||
- block:
|
||||
- include_role:
|
||||
name: check_rsyslog
|
||||
tasks_from: systemctl.yaml
|
||||
rescue:
|
||||
- debug:
|
||||
msg: "Inactivity of the rsyslog service detected!"
|
||||
- name: Enable rsyslog service
|
||||
systemd:
|
||||
name: rsyslog.service
|
||||
state: started
|
||||
- block:
|
||||
- include_role:
|
||||
name: check_rsyslog
|
||||
tasks_from: systemctl.yaml
|
||||
- block:
|
||||
- include_role:
|
||||
name: check_rsyslog
|
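Review bot: The role's failure path is never asserted: the first `block`/`rescue` pair only reaches `Install rsyslog package` if `yum.yaml` happens to fail, and likewise for the `systemctl.yaml` rescue, so on an image that already ships a running rsyslog the scenario proves only the happy path and would not catch a check that can never fail. Consider preceding each block with a task that removes the package or stops the unit and then asserting that the `include_role` does fail (a registered result with `failed_when`/`ignore_errors`) before the remediation steps. The task `Enable rsyslog service` passes only `state: started` to `systemd`; if enabling at boot is intended add `enabled: true`, otherwise rename it to `Start rsyslog service`.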
@ -0,0 +1,53 @@
|
||||
---
|
||||
# inherits tripleo-validations/.config/molecule/config.yml
|
||||
# To override default values, please take a look at the config.yml.
|
||||
driver:
|
||||
name: podman
|
||||
|
||||
log: true
|
||||
|
||||
platforms:
|
||||
- name: centos
|
||||
hostname: centos
|
||||
image: centos/centos:stream8
|
||||
registry:
|
||||
url: quay.io
|
||||
dockerfile: ../../../../../.config/molecule/Dockerfile
|
||||
pkg_extras: python*-setuptools python*-pyyaml
|
||||
volumes:
|
||||
- /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
|
||||
privileged: true
|
||||
environment: &env
|
||||
http_proxy: "{{ lookup('env', 'http_proxy') }}"
|
||||
https_proxy: "{{ lookup('env', 'https_proxy') }}"
|
||||
ulimits: &ulimit
|
||||
- host
|
||||
command: /sbin/init
|
||||
|
||||
provisioner:
|
||||
name: ansible
|
||||
inventory:
|
||||
hosts:
|
||||
all:
|
||||
hosts:
|
||||
centos:
|
||||
ansible_python_interpreter: /usr/bin/python3
|
||||
log: true
|
||||
options:
|
||||
vvv: true
|
||||
env:
|
||||
ANSIBLE_STDOUT_CALLBACK: yaml
|
||||
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
|
||||
ANSIBLE_LIBRARY: "${ANSIBLE_LIBRARY:-/usr/share/ansible/plugins/modules}"
|
||||
|
||||
scenario:
|
||||
test_sequence:
|
||||
- destroy
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- verify
|
||||
- destroy
|
||||
|
||||
verifier:
|
||||
name: ansible
|
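Review bot: The header comment `# inherits tripleo-validations/.config/molecule/config.yml` names a different project; this repository's jobs are `validations-common-*` and `dockerfile:` points at this repo's own `.config/molecule/Dockerfile`, so the comment presumably should read `# inherits validations-common/.config/molecule/config.yml`. The anchors `&env` and `&ulimit` are defined but never referenced by an alias in this file, so they can be dropped unless the shared config relies on them. `log: true` appears twice (once after `driver.name` and once under `provisioner`); harmless, but worth confirming which one molecule honours.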
11
validations_common/roles/check_rsyslog/tasks/main.yaml
Normal file
11
validations_common/roles/check_rsyslog/tasks/main.yaml
Normal file
@ -0,0 +1,11 @@
|
||||
---
|
||||
- name: Gather facts
|
||||
setup:
|
||||
filter:
|
||||
- ansible_os_family
|
||||
- include_tasks: yum.yaml
|
||||
when: (ansible_os_family == 'RedHat') or
|
||||
(ansible_os_family == 'CentOS')
|
||||
- include_tasks: systemctl.yaml
|
||||
when: (ansible_os_family == 'RedHat') or
|
||||
(ansible_os_family == 'CentOS')
|
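Review bot: The `when:` conditions on the two `include_tasks` are the only gate in this role, so on a host whose `ansible_os_family` is anything else no task runs and the validation reports success without having checked anything — for a logging control a silent pass is worse than an explicit failure. Add a final task such as `- fail:` with `msg: "check_rsyslog supports only RedHat-family hosts"` guarded by `when: ansible_os_family != 'RedHat'`, or at minimum a `debug` stating that the check was skipped. Note also that Ansible reports CentOS with `ansible_os_family == 'RedHat'`, so the `(ansible_os_family == 'CentOS')` clause never matches; if distribution-level matching was intended, `ansible_distribution` is the variable to compare.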
13
validations_common/roles/check_rsyslog/tasks/systemctl.yaml
Normal file
13
validations_common/roles/check_rsyslog/tasks/systemctl.yaml
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
- name: Get active rsyslog service
|
||||
shell: >
|
||||
systemctl list-units "rsyslog.service" --state=active --no-legend --plain --no-pager
|
||||
register: rsyslog_state
|
||||
changed_when: false
|
||||
|
||||
- name: Fails if we don't find active rsyslog
|
||||
assert:
|
||||
that:
|
||||
- rsyslog_state.stdout_lines|length != 0
|
||||
fail_msg: "The the rsyslog service isn't in an active state."
|
||||
success_msg: "rsyslog is active"
|
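Review bot: `fail_msg` reads `"The the rsyslog service isn't in an active state."` — doubled "The"; change it to `"The rsyslog service isn't in an active state."`. The `shell:` task runs a single command with no pipes or redirection, so `command:` is the appropriate module (ansible-lint's command-instead-of-shell) and avoids the extra shell layer; alternatively `service_facts` exposes `ansible_facts.services['rsyslog.service'].state` without spawning a process, which would match the `package_facts` approach used in yum.yaml. With `>` the folded scalar ends in a newline, harmless for the command but `>-` is cleaner.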
11
validations_common/roles/check_rsyslog/tasks/yum.yaml
Normal file
11
validations_common/roles/check_rsyslog/tasks/yum.yaml
Normal file
@ -0,0 +1,11 @@
|
||||
---
|
||||
- name: Get installed package from yum
|
||||
package_facts:
|
||||
manager: "auto"
|
||||
|
||||
- name: Fails if we don't find the rsyslog installed
|
||||
assert:
|
||||
that:
|
||||
- "'rsyslog' in ansible_facts.packages"
|
||||
fail_msg: "rsyslog package is not installed"
|
||||
success_msg: "rsyslog package is installed"
|
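Review bot: The task name `Get installed package from yum` does not describe what runs: `package_facts` reads the installed-package database (rpm on these hosts) rather than yum, and `manager: "auto"` is the module's default, so the parameter can be dropped; `- name: Gather installed package facts` with a bare `package_facts:` is sufficient. The assertion `'rsyslog' in ansible_facts.packages` is correct for the package-name key; the grammar of `Fails if we don't find the rsyslog installed` could be tightened to `Fail if rsyslog is not installed` to match the imperative style of the other task names.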