Bug 2266031
| Summary: | Parameters in the THT template aide.yaml failing to set cronjob for intended user | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Saumik Paul <sapaul> |
| Component: | tripleo-ansible | Assignee: | Dave Wilde <dwilde> |
| Status: | CLOSED WONTFIX | QA Contact: | Joe H. Rahme <jhakimra> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 17.1 (Wallaby) | CC: | dwilde, nkawamot, pweeks, ramishra |
| Target Milestone: | async | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2024-12-03 19:07:51 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
Description of problem:

AIDE integrity checking is not set up as a cron job despite setting the Aide{Hour,Minute,CronUser} parameters in the THT template aide.yaml file as part of the overcloud deployment. Documentation reference [0]. The content of aide.yaml is in [1]. The overcloud deployment script is in [2].

When I looked through `/home/stack/ansible.log`, I found that the tasks [3] from aide_config.yml never ran. Upon further investigation of the aide Ansible role, I noticed that the aide_upgrade.yml file [4] does not call aide_config.yml, which has the task defined for setting up the cron job [3]. This seems to be a problem in the `aide` Ansible role. To further test my theory, I modified the aide_upgrade.yml file [5] to include aide_config.yml (which was not there originally), and then I could see that the cron job was set for the tripleo-admin user on the overcloud nodes.

Version-Release number of selected component (if applicable):

tripleo-ansible-3.3.1-17.1.20231101230824.el9ost.noarch

How reproducible:

Always.

Steps to Reproduce:

Deploy the RHOSP 17.1 overcloud with AIDE set up on the overcloud nodes. Reference [0].

Actual results:

AIDE integrity checking is not set up as a cron job despite setting the Aide{Hour,Minute,CronUser} parameters in the THT template aide.yaml file as part of the overcloud deployment. Documentation reference [0].

Expected results:

AIDE integrity checking should be set up as a cron job using the Aide{Hour,Minute,CronUser} parameters in the THT template aide.yaml file as part of the overcloud deployment. Documentation reference [0].
[0] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/17.1/html-single/hardening_red_hat_openstack_platform/index#intrusion-detection-with-aide_hardening-infrastructure-and-virtualization

[1]
```
(undercloud) [stack@undercloud ~]$ cat templates/04-aide.yaml
resource_registry:
  OS::TripleO::Services::Aide: /usr/share/openstack-tripleo-heat-templates/deployment/aide/aide-baremetal-ansible.yaml

parameter_defaults:
  AideRules:
    'TripleORules':
      content: 'TripleORules = p+sha256'
      order: 1
    'etc':
      content: '/etc/ TripleORules'
      order: 2
    'boot':
      content: '/boot/ TripleORules'
      order: 3
    'sbin':
      content: '/sbin/ TripleORules'
      order: 4
    'var':
      content: '/var/ TripleORules'
      order: 5
    'not var/log':
      content: '!/var/log.*'
      order: 6
    'not var/spool':
      content: '!/var/spool.*'
      order: 7
    'not nova instances':
      content: '!/var/lib/nova/instances.*'
      order: 8
  AideHour: 2
  AideMinute: 5
  AideCronUser: 'tripleo-admin'
```

[2]
```
(undercloud) [stack@undercloud ~]$ cat scripts/overcloud-deploy.sh
#!/usr/bin/bash
time openstack overcloud deploy --templates \
  -n /home/stack/templates/network_data.yaml \
  -r /home/stack/templates/roles_data.yaml \
  --stack overcloud \
  --libvirt-type kvm \
  --ntp-server 192.168.102.250 \
  -e /home/stack/templates/overcloud-baremetal-deployed.yaml \
  -e /home/stack/templates/overcloud-networks-deployed.yaml \
  -e /home/stack/templates/overcloud-vip-deployed.yaml \
  -e /home/stack/containers-prepare-parameter.yaml \
  -e /home/stack/templates/01-disable-tsx.yaml \
  -e /home/stack/templates/02-storage-config.yaml \
  -e /home/stack/templates/03-ceph-pools-tgt-size.yaml \
  -e /usr/share/openstack-tripleo-heat-templates/environments/cephadm/cephadm.yaml \
  -e /usr/share/openstack-tripleo-heat-templates/environments/cephadm/ceph-mds.yaml \
  -e /home/stack/templates/deployed_ceph.yaml \
  -e /home/stack/templates/04-aide.yaml \
  -e /home/stack/templates/05-dns-domain.yaml
```

[3]
```
# File: /usr/share/ansible/roles/aide/tasks/aide_config.yml (task names only)
- name: Check for aide db
- name: Ensure aide DB config is set
- name: Initialize aide database
- name: Check for tmp aide db
- name: Copy aide db
- name: Set aide command fact with email
- name: Email aide block
- name: Ensure audit directory exists
- name: Set aide command fact
- name: Create aide cron entry          <<<
```

[4] /usr/share/ansible/roles/aide/tasks/aide_upgrade.yml

[5]
```
(undercloud) [stack@undercloud ~]$ cat /usr/share/ansible/roles/aide/tasks/aide_upgrade.yml
---
...
- name: Copy new aide db
  copy:
    src: "{{ aide_db_temp_path }}"
    dest: "{{ aide_db_path }}"
    remote_src: true
  when:
    - aide_db_temp_path_check.stat.exists | bool

- include_tasks: aide_config.yml        <<<<
```
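The symptom in this report is silent: the deployment succeeds and the AideHour/AideMinute/AideCronUser parameters are accepted, but no integrity check is ever scheduled. A practitioner wants a post-deploy check that reads the intended user's crontab on each overcloud node and confirms an AIDE run exists at the configured minute and hour. The helper below is an added example, not code from the bug report or from the tripleo-ansible `aide` role. It assumes the cron command line contains the string `aide` (the role's actual command string is not quoted in the report); the sample crontab contents are constructed for the demonstration.

```shell
#!/usr/bin/bash
# Added example (not from the bug report or tripleo-ansible): verify that an
# AIDE check is actually scheduled for the intended user at the intended time.

# aide_cron_ok <crontab text> <minute> <hour>
# Returns 0 if a non-comment line has the given minute/hour fields and runs
# something containing "aide" (assumption about the role's command string),
# otherwise 1. Feed it the crontab of the user set in AideCronUser.
aide_cron_ok() {
  printf '%s\n' "$1" | awk -v m="$2" -v h="$3" '
    /^[[:space:]]*#/ { next }                 # skip comment lines (e.g. "#Ansible: ...")
    $1 == m && $2 == h && /aide/ { found = 1 } # minute, hour, and an aide command
    END { exit found ? 0 : 1 }'
}

# Constructed sample crontabs (not captured from a real overcloud node).
# First one matches AideMinute: 5 / AideHour: 2 from the template in [1].
SAMPLE_WITH_AIDE='#Ansible: aide
5 2 * * * /usr/sbin/aide --check > /var/log/audit/aide.log 2>&1'
SAMPLE_WITHOUT_AIDE='0 3 * * * /usr/bin/logrotate /etc/logrotate.conf'

# Usage on a deployed node (requires privileges to read another user's crontab):
#   aide_cron_ok "$(sudo crontab -l -u tripleo-admin 2>/dev/null)" 5 2 \
#     && echo "AIDE cron present" || echo "AIDE cron MISSING"
```

Run it against `crontab -l -u <AideCronUser>` on every overcloud node after `openstack overcloud deploy` finishes; a non-zero exit on a node that was supposed to get the AIDE schedule is exactly the condition this bug describes, and is far cheaper to catch at deploy time than to discover later that no integrity check ever ran.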