New validation for checking presence of running rsyslog service.

Necessity of proper logging is described in depth by NIST SP 800-171
as well as by the Red Hat Openstack Security and Hardening Guide.

New validation group `security` consists only of check-rsyslog and
check-selinux-mode validations at this time.

Further security related validations should be included
in this group, in addition to other groups as needed.

Signed-off-by: Jiri Podivin <jpodivin@redhat.com>
Change-Id: I53f31f6fd30a15698328cada54c96d7d902e0155
This commit is contained in:
Jiri Podivin 2021-02-16 11:57:23 +01:00
parent 88d2345051
commit 9b2bddbab8
8 changed files with 183 additions and 0 deletions

View File

@ -118,6 +118,7 @@
- validations-common-centos-8-molecule-check_selinux_mode - validations-common-centos-8-molecule-check_selinux_mode
- validations-common-centos-8-molecule-validate_selinux - validations-common-centos-8-molecule-validate_selinux
- validations-common-centos-8-molecule-xfs_check_ftype - validations-common-centos-8-molecule-xfs_check_ftype
- validations-common-centos-8-molecule-check_rsyslog
gate: gate:
jobs: jobs:
- validations-common-centos-8-molecule-check_latest_packages_version - validations-common-centos-8-molecule-check_latest_packages_version
@ -253,3 +254,14 @@
parent: validations-common-centos-8-base parent: validations-common-centos-8-base
vars: vars:
validations_common_role_name: validate_selinux validations_common_role_name: validate_selinux
- job:
files:
- ^validations_common/roles/check_rsyslog/.*
- ^tests/prepare-test-host.yml
- ^playbooks/molecule/pre.yml
- ^playbooks/molecule/run.yml
- ^molecule-requirements.txt
name: validations-common-centos-8-molecule-check_rsyslog
parent: validations-common-centos-8-base
vars:
validations_common_role_name: check_rsyslog

View File

@ -0,0 +1,28 @@
---
- hosts: all
gather_facts: false
vars:
metadata:
name: Ensure presence of rsyslog package and running daemon.
description: >
Detects package presence and running service on the target host
and fails if it doesn't find it. Presence of running logging service
is one of the recommended requirements in NIST SP 800-171
https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
as well as other standards.
groups:
- prep
- pre-deployment
- pre-upgrade
- post-deployment
- post-upgrade
categories:
- system
- core
- os
- audit
- security
products:
- common
roles:
- check_rsyslog

View File

@ -0,0 +1 @@
---

View File

@ -0,0 +1,54 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
gather_facts: false
tasks:
- block:
- include_role:
name: check_rsyslog
tasks_from: yum.yaml
rescue:
- debug:
msg: "Lack of rsyslog package detected!"
- name: Install rsyslog package
yum:
name: rsyslog
- block:
- include_role:
name: check_rsyslog
tasks_from: yum.yaml
- block:
- include_role:
name: check_rsyslog
tasks_from: systemctl.yaml
rescue:
- debug:
msg: "Inactivity of the rsyslog service detected!"
- name: Enable rsyslog service
systemd:
name: rsyslog.service
state: started
- block:
- include_role:
name: check_rsyslog
tasks_from: systemctl.yaml
- block:
- include_role:
name: check_rsyslog

View File

@ -0,0 +1,53 @@
---
# inherits tripleo-validations/.config/molecule/config.yml
# To override default values, please take a look at the config.yml.
driver:
name: podman
log: true
platforms:
- name: centos
hostname: centos
image: centos/centos:stream8
registry:
url: quay.io
dockerfile: ../../../../../.config/molecule/Dockerfile
pkg_extras: python*-setuptools python*-pyyaml
volumes:
- /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
privileged: true
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
ulimits: &ulimit
- host
command: /sbin/init
provisioner:
name: ansible
inventory:
hosts:
all:
hosts:
centos:
ansible_python_interpreter: /usr/bin/python3
log: true
options:
vvv: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
ANSIBLE_LIBRARY: "${ANSIBLE_LIBRARY:-/usr/share/ansible/plugins/modules}"
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
verifier:
name: ansible

View File

@ -0,0 +1,11 @@
---
- name: Gather facts
setup:
filter:
- ansible_os_family
- include_tasks: yum.yaml
when: (ansible_os_family == 'RedHat') or
(ansible_os_family == 'CentOS')
- include_tasks: systemctl.yaml
when: (ansible_os_family == 'RedHat') or
(ansible_os_family == 'CentOS')

View File

@ -0,0 +1,13 @@
---
- name: Get active rsyslog service
shell: >
systemctl list-units "rsyslog.service" --state=active --no-legend --plain --no-pager
register: rsyslog_state
changed_when: false
- name: Fails if we don't find active rsyslog
assert:
that:
- rsyslog_state.stdout_lines|length != 0
fail_msg: "The the rsyslog service isn't in an active state."
success_msg: "rsyslog is active"

View File

@ -0,0 +1,11 @@
---
- name: Get installed package from yum
package_facts:
manager: "auto"
- name: Fails if we don't find the rsyslog installed
assert:
that:
- "'rsyslog' in ansible_facts.packages"
fail_msg: "rsyslog package is not installed"
success_msg: "rsyslog package is installed"