New validation for checking presence of running rsyslog service.
The necessity of proper logging is described in depth by NIST SP 800-171 as well as by the Red Hat OpenStack Security and Hardening Guide. The new validation group `security` consists only of the check-rsyslog and check-selinux-mode validations at this time. Further security-related validations should be included in this group, in addition to other groups as needed. Signed-off-by: Jiri Podivin <jpodivin@redhat.com> Change-Id: I53f31f6fd30a15698328cada54c96d7d902e0155
This commit is contained in:
parent
88d2345051
commit
9b2bddbab8
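--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -118,6 +118,7 @@
 - validations-common-centos-8-molecule-check_selinux_mode
 - validations-common-centos-8-molecule-validate_selinux
 - validations-common-centos-8-molecule-xfs_check_ftype
+- validations-common-centos-8-molecule-check_rsyslog
 gate:
 jobs:
 - validations-common-centos-8-molecule-check_latest_packages_version
@@ -253,3 +254,14 @@
 parent: validations-common-centos-8-base
 vars:
 validations_common_role_name: validate_selinux
+- job:
+files:
+- ^validations_common/roles/check_rsyslog/.*
+- ^tests/prepare-test-host.yml
+- ^playbooks/molecule/pre.yml
+- ^playbooks/molecule/run.yml
+- ^molecule-requirements.txt
+name: validations-common-centos-8-molecule-check_rsyslog
+parent: validations-common-centos-8-base
+vars:
+validations_common_role_name: check_rsyslog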
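Review bot: The new job's `files:` filter in the second hunk lists the role directory and the molecule plumbing but not the playbook `validations_common/playbooks/check-rsyslog.yaml` added by this commit, so an edit to the playbook's metadata alone would not trigger `validations-common-centos-8-molecule-check_rsyslog`; if the sibling jobs deliberately leave their playbooks out this is consistent with them, otherwise add `- ^validations_common/playbooks/check-rsyslog.yaml`. The first hunk adds the job to the list that precedes `gate:`, which reads as the check pipeline; the gate list continues outside the hunk, so whether the job also gates cannot be confirmed from this page.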
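--- /dev/null
+++ b/validations_common/playbooks/check-rsyslog.yaml
@@ -0,0 +1,28 @@
+---
+- hosts: all
+gather_facts: false
+vars:
+metadata:
+name: Ensure presence of rsyslog package and running daemon.
+description: >
+Detects package presence and running service on the target host
+and fails if it doesn't find it. Presence of running logging service
+is one of the recommended requirements in NIST SP 800-171
+https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
+as well as other standards.
+groups:
+- prep
+- pre-deployment
+- pre-upgrade
+- post-deployment
+- post-upgrade
+categories:
+- system
+- core
+- os
+- audit
+- security
+products:
+- common
+roles:
+- check_rsyslog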
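Review bot: The commit message introduces a `security` validation group, but in this playbook `security` appears under `categories`, while `groups` holds only lifecycle stages (`prep` through `post-upgrade`); if the framework selects validations by `groups`, the new group would not actually contain this validation, so confirm which key the message refers to. In the description, `fails if it doesn't find it` leaves "it" ambiguous between the package and the service; suggest `and fails if either the package is missing or the service is not active.` The play sets `gather_facts: false` and relies on the role's own `setup` call for `ansible_os_family`, which is fine but deserves a one-line comment so nobody "fixes" it by re-enabling fact gathering.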
@ -0,0 +1 @@
|
|||||||
|
---
|
@ -0,0 +1,54 @@
|
|||||||
|
---
|
||||||
|
# Copyright 2019 Red Hat, Inc.
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
|
||||||
|
- name: Converge
|
||||||
|
hosts: all
|
||||||
|
gather_facts: false
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
- block:
|
||||||
|
- include_role:
|
||||||
|
name: check_rsyslog
|
||||||
|
tasks_from: yum.yaml
|
||||||
|
rescue:
|
||||||
|
- debug:
|
||||||
|
msg: "Lack of rsyslog package detected!"
|
||||||
|
- name: Install rsyslog package
|
||||||
|
yum:
|
||||||
|
name: rsyslog
|
||||||
|
- block:
|
||||||
|
- include_role:
|
||||||
|
name: check_rsyslog
|
||||||
|
tasks_from: yum.yaml
|
||||||
|
- block:
|
||||||
|
- include_role:
|
||||||
|
name: check_rsyslog
|
||||||
|
tasks_from: systemctl.yaml
|
||||||
|
rescue:
|
||||||
|
- debug:
|
||||||
|
msg: "Inactivity of the rsyslog service detected!"
|
||||||
|
- name: Enable rsyslog service
|
||||||
|
systemd:
|
||||||
|
name: rsyslog.service
|
||||||
|
state: started
|
||||||
|
- block:
|
||||||
|
- include_role:
|
||||||
|
name: check_rsyslog
|
||||||
|
tasks_from: systemctl.yaml
|
||||||
|
- block:
|
||||||
|
- include_role:
|
||||||
|
name: check_rsyslog
|
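Review bot: The converge play never asserts the role's failure behaviour: if the image already ships an installed and active rsyslog, neither `rescue:` block runs and the `assert` tasks are only ever seen passing, so a regression that makes the checks pass unconditionally would go unnoticed. Consider a negative step before the remediation that stops the service, includes `systemctl.yaml` with `ignore_errors: true` and asserts `failed` on the registered result, and likewise for the package check. The header still reads `# Copyright 2019 Red Hat, Inc.` in a file created by this commit. The file path is not shown on this page; it reads as the role's molecule converge playbook.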
@ -0,0 +1,53 @@
|
|||||||
|
---
|
||||||
|
# inherits tripleo-validations/.config/molecule/config.yml
|
||||||
|
# To override default values, please take a look at the config.yml.
|
||||||
|
driver:
|
||||||
|
name: podman
|
||||||
|
|
||||||
|
log: true
|
||||||
|
|
||||||
|
platforms:
|
||||||
|
- name: centos
|
||||||
|
hostname: centos
|
||||||
|
image: centos/centos:stream8
|
||||||
|
registry:
|
||||||
|
url: quay.io
|
||||||
|
dockerfile: ../../../../../.config/molecule/Dockerfile
|
||||||
|
pkg_extras: python*-setuptools python*-pyyaml
|
||||||
|
volumes:
|
||||||
|
- /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
|
||||||
|
privileged: true
|
||||||
|
environment: &env
|
||||||
|
http_proxy: "{{ lookup('env', 'http_proxy') }}"
|
||||||
|
https_proxy: "{{ lookup('env', 'https_proxy') }}"
|
||||||
|
ulimits: &ulimit
|
||||||
|
- host
|
||||||
|
command: /sbin/init
|
||||||
|
|
||||||
|
provisioner:
|
||||||
|
name: ansible
|
||||||
|
inventory:
|
||||||
|
hosts:
|
||||||
|
all:
|
||||||
|
hosts:
|
||||||
|
centos:
|
||||||
|
ansible_python_interpreter: /usr/bin/python3
|
||||||
|
log: true
|
||||||
|
options:
|
||||||
|
vvv: true
|
||||||
|
env:
|
||||||
|
ANSIBLE_STDOUT_CALLBACK: yaml
|
||||||
|
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
|
||||||
|
ANSIBLE_LIBRARY: "${ANSIBLE_LIBRARY:-/usr/share/ansible/plugins/modules}"
|
||||||
|
|
||||||
|
scenario:
|
||||||
|
test_sequence:
|
||||||
|
- destroy
|
||||||
|
- create
|
||||||
|
- prepare
|
||||||
|
- converge
|
||||||
|
- verify
|
||||||
|
- destroy
|
||||||
|
|
||||||
|
verifier:
|
||||||
|
name: ansible
|
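Review bot: The second comment line says the scenario `inherits tripleo-validations/.config/molecule/config.yml`, while `dockerfile:` points at this repository's own `.config/molecule/Dockerfile` five directories up; the reference looks copied from another repository and should name the local config, e.g. `# inherits validations-common/.config/molecule/config.yml`. The platform runs with `privileged: true` and `command: /sbin/init`, which is what lets `systemctl` work inside the container but is a broad grant for a test host, so a comment stating that reason next to `privileged: true` would keep it from being cargo-culted into scenarios that do not need it. The file path is not shown on this page; it reads as the role's molecule.yml.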
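--- /dev/null
+++ b/validations_common/roles/check_rsyslog/tasks/main.yaml
@@ -0,0 +1,11 @@
+---
+- name: Gather facts
+setup:
+filter:
+- ansible_os_family
+- include_tasks: yum.yaml
+when: (ansible_os_family == 'RedHat') or
+(ansible_os_family == 'CentOS')
+- include_tasks: systemctl.yaml
+when: (ansible_os_family == 'RedHat') or
+(ansible_os_family == 'CentOS')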
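Review bot: `(ansible_os_family == 'CentOS')` on both `when:` lines is dead: CentOS reports `ansible_os_family` as `RedHat` (the distribution name lives in `ansible_distribution`), so each condition reduces to `when: ansible_os_family == 'RedHat'`, which also removes the two-line plain scalar that YAML folds silently and that is easy to break on edit. On any other OS family both includes are skipped and the validation reports success without having checked anything; for a security control a loud result is preferable, e.g. a final task `- fail:` with `msg: "check_rsyslog supports only RedHat-family hosts"` guarded by `when: ansible_os_family != 'RedHat'`, or at least a comment at the top of the file stating the limitation.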
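--- /dev/null
+++ b/validations_common/roles/check_rsyslog/tasks/systemctl.yaml
@@ -0,0 +1,13 @@
+---
+- name: Get active rsyslog service
+shell: >
+systemctl list-units "rsyslog.service" --state=active --no-legend --plain --no-pager
+register: rsyslog_state
+changed_when: false
+
+- name: Fails if we don't find active rsyslog
+assert:
+that:
+- rsyslog_state.stdout_lines|length != 0
+fail_msg: "The the rsyslog service isn't in an active state."
+success_msg: "rsyslog is active"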
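Review bot: `shell: >` runs `systemctl list-units …` through a shell although the command line uses no shell features; `command:` is the right module here (ansible-lint reports this as command-instead-of-shell), i.e. `command: systemctl list-units rsyslog.service --state=active --no-legend --plain --no-pager`. `fail_msg` has a doubled word: `fail_msg: "The rsyslog service isn't in an active state."`. Note that `--state=active` only proves the daemon is running at the moment of the check; whether the unit is enabled to start at boot is not verified, so either a comment on the task should say that the boot-time state is out of scope or a second assertion on `systemctl is-enabled` output should be added, depending on what the validation is meant to cover.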
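--- /dev/null
+++ b/validations_common/roles/check_rsyslog/tasks/yum.yaml
@@ -0,0 +1,11 @@
+---
+- name: Get installed package from yum
+package_facts:
+manager: "auto"
+
+- name: Fails if we don't find the rsyslog installed
+assert:
+that:
+- "'rsyslog' in ansible_facts.packages"
+fail_msg: "rsyslog package is not installed"
+success_msg: "rsyslog package is installed"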
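Review bot: The task name `Get installed package from yum` does not match what the task does: `package_facts` with `manager: "auto"` queries whichever package manager is detected and returns all installed packages, not one from yum; suggest `- name: Gather installed package facts`. A short comment above the assert noting that `ansible_facts.packages` is keyed by exact package name would also help a reader who expects a virtual provide to satisfy the check.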