docs and bugfixes

2024-11-25 06:31:27 +00:00 · 2020-12-10 16:11:41 -07:00 · 2020-12-10 16:11:41 -07:00 · e2626acf9f
commit e2626acf9f
parent 348b543cb3
9 changed files with 155 additions and 6 deletions
--- a/ansible/README.md
+++ b/ansible/README.md
@ -25,7 +25,7 @@ Loosely copied from the CentOS ansible infrastructure. This structure is represe
 │   ├── vars
 │   └── requirements.yml
 ├── roles
-│   ├── <role-name>
+│   └── <role-name>
 ├── tasks -> playbooks/tasks
 ├── templates -> playbooks/templates
 └── vars -> playbooks/vars
@ -58,3 +58,44 @@ role-* -> These playbooks call roles specifically for infrastructure tasks.
 adhoc  -> These playbooks are one-off playbooks that can be used on the CLI or
          in AWX
 ```
+
+## Designing Playbooks
+
+### Pre flight and post flight
+
+At a minimum, there should be `pre_tasks` and `post_tasks` that can judge whether ansible has been can or has been run on a system. Some playbooks will not necessarily need this (eg if you're running an adhoc playbook to create a user). But operations done on a host should at least have these in the playbook.
+
+```
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        msg: "/etc/no-ansible exists - skipping run on this node"
+
+  # Import roles/tasks here
+
+  post_tasks:
+    - name: Touching run file that ansible has ran here
+      file:
+        path: /var/log/ansible.run
+        state: touch
+```
+
+If you need to use handlers, you will need to include them in the playbook.
+
+### Roles
+
+If you are using roles that are not part of this repository in the `roles` directory, you will need to list them in the `requirements.yml`. For example, we use the IPA role.
+
+```
+---
+- src: freeipa.ansible_freeipa
+```
+
+Otherwise, custom roles for the infrastructure will sit in `ansible/roles`.
--- a/ansible/playbooks/templates/etc/rockybanner
+++ b/ansible/playbooks/templates/etc/rockybanner
--- a/ansible/playbooks/files/none
+++ b/ansible/playbooks/files/none
@ -1 +0,0 @@
-# no files here yet
--- a/ansible/playbooks/init-rocky-system-config.yml
+++ b/ansible/playbooks/init-rocky-system-config.yml
@ -4,6 +4,10 @@
  hosts: all
  become: true

+  # This is to try to avoid the handler issue in pre/post tasks
+  handlers:
+    - include: handlers/main.yml
+
  pre_tasks:
    - name: Check if ansible cannot be run here
      stat:
--- a/ansible/playbooks/role-rocky-ipa-replica.yml
+++ b/ansible/playbooks/role-rocky-ipa-replica.yml
@ -7,6 +7,10 @@
  vars_files:
  - vars/encpass.yml

+  # This is to try to avoid the handler issue in pre/post tasks
+  handlers:
+    - include: handlers/main.yml
+
  pre_tasks:
    - name: Check if ansible cannot be run here
      stat:
--- a/ansible/playbooks/role-rocky-ipa.yml
+++ b/ansible/playbooks/role-rocky-ipa.yml
@ -7,6 +7,10 @@
  vars_files:
  - vars/encpass.yml

+  # This is to try to avoid the handler issue in pre/post tasks
+  handlers:
+    - include: handlers/main.yml
+
  pre_tasks:
    - name: Check if ansible cannot be run here
      stat:
--- a/ansible/playbooks/tasks/ssh-config.yml
+++ b/ansible/playbooks/tasks/ssh-config.yml
@ -19,8 +19,8 @@

  - name: ssh banner
    copy:
-      src: "etc/banner"
-      dest: "{{ ssh_banner }}"
+      src: "etc/rockybanner"
+      dest: "/etc/rockybanner"
      owner: root
      group: root
    notify: restart_ssh
--- a/ansible/playbooks/templates/etc/audit/rules.d/collection.rules.j2
+++ b/ansible/playbooks/templates/etc/audit/rules.d/collection.rules.j2
@ -0,0 +1,97 @@
+# Ignore CWD logs
+-a exclude,always -F msgtype=CWD
+
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
+-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
+-w /etc/localtime -p wa -k time-change
+
+## Records when events occur that modify user and group passwords and ID's
+{% for y in audit_identity_list %}
+-w {{ y }} -p wa -k identity
+{% endfor %}
+
+## Records changes to network environment files or system calls
+-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
+-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
+-w /etc/issue -p wa -k system-locale
+-w /etc/issue.net -p wa -k system-locale
+-w /etc/hosts -p wa -k system-locale
+-w /etc/hostname -p wa -k system-locale
+-w /etc/sysconfig/network -p wa -k system-locale
+-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
+
+## Monitors SELinux Mandatory Access Controls
+-w /etc/selinux/ -p wa -k MAC-policy
+-w /usr/share/selinux/ -p wa -k MAC-policy
+
+## Monitors login/logout/failed login events
+# To be fair, these are normally logged in /var/log/secure
+{% for y in audit_logins %}
+-w {{ y }} -p wa -k logins
+{% endfor %}
+
+## Monitor session initiation events
+## This will track file changes within sessions
+{% for y in audit_session %}
+-w {{ y }} -p wa -k session
+{% endfor %}
+
+## Monitor changes for files for UID's above {{ audit_auid }}
+# You can take this out if you are on a non-PCI system
+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
+
+## Monitors mounting events for users
+# You can probably take these out
+-a always,exit -F arch=b64 -S mount -F auid>={{ audit_auid }} -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>={{ audit_auid }} -F auid!=4294967295 -k mounts
+## Collect file deletion events by a user
+-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>={{ audit_auid }} -F auid!=4294967295 -k delete
+-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>={{ audit_auid }} -F auid!=4294967295 -k delete
+## Collect changes to System Administration Scope
+# Note: This only records /etc/sudoers and doesn't watch /etc/sudoers.d
+-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d -p wa -k scope
+## Collect System Administrator Actions (sudolog)
+-w /var/log/sudo.log -p wa -k actions
+## Collect Kernel Module Loading and Unloading
+-w /sbin/kmod -p x -k modules
+-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+-a always,exit -F arch=b64 -S init_module,finit_module -S delete_module -k modules
+-a always,exit -F arch=b32 -S init_module,finit_module -S delete_module -k modules
+
+{% for y in audit_suid_list %}
+-a always,exit -F path={{ y }} -F perm=x -F auid>={{ audit_auid }} -F auid!=4294967295 -k privileged
+{% endfor %}
+
+# Is someone messing with our audit logs?
+-w /var/log/audit/ -k audit-logs
+
+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=4294967295 -F key=audit-logs
+-a always,exit -F path=/usr/sbin/ausearch -F perm=x -F key=audit-logs
+-a always,exit -F path=/usr/sbin/aureport -F perm=x -F key=audit-logs
+-a always,exit -F path=/usr/sbin/aulast -F perm=x -F key=audit-logs
+-a always,exit -F path=/usr/sbin/aulastlogin -F perm=x -F key=audit-logs
+-a always,exit -F path=/usr/sbin/auvirt -F perm=x -F key=audit-logs
+
+# Privilege elevation
+-a always,exit -F arch=b64 -S setuid -Fa0=0 -F exe={{ bin_su }} -F key=privileged
+-a always,exit -F arch=b32 -S setuid -Fa0=0 -F exe={{ bin_su }} -F key=privileged
+-a always,exit -F arch=b64 -S setresuid -F a0=0 -F exe={{ bin_sudo }} -F key=privileged
+-a always,exit -F arch=b32 -S setresuid -F a0=0 -F exe={{ bin_sudo }} -F key=privileged
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=privileged
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=privileged
+
+-e 2
--- a/ansible/playbooks/vars/RedHat.yml
+++ b/ansible/playbooks/vars/RedHat.yml
@ -150,5 +150,5 @@ syslog_packages:
 ntp_packages:
  - chrony

-legacy_ntp_packages:
-  - ntp
+bin_su: /usr/bin/su
+bin_sudo: /usr/bin/sudo