Bug 2266031 - Parameters in the THT template aide.yaml failing to set cronjob for intended user
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: tripleo-ansible
Version: 17.1 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: async
Target Release: ---
Assignee: Dave Wilde
QA Contact: Joe H. Rahme
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2024-02-26 11:33 UTC by Saumik Paul
Modified: 2025-04-03 04:25 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-12-03 19:07:51 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-31502 0 None None None 2024-02-26 11:34:03 UTC

Description Saumik Paul 2024-02-26 11:33:10 UTC
// Description of problem:
Aide integrity checking not set up as cronjob despite setting the Aide{Hour,Minute,CronUser} parameters in the THT template aide.yaml file as part of the overcloud deployment. Documentation reference [0].

Content of aide.yaml is in [1].

Overcloud deployment script is in [2].

When I looked through the `/home/stack/ansible.log`, I found that the tasks [3] from aide_config.yml never ran. Upon further investigation of the aide Ansible role, I noticed that the aide_upgrade.yml [4] file is not calling the aide_config.yml which has the task defined for setting up the cronjob [3].

This seems to be a problem in the `aide` Ansible role.

To further test my theory, I modified the aide_upgrade.yml [5] file to include aide_config.yml (which was not there originally), and then I could see that the cronjob was set for the tripleo-admin user in the overcloud nodes.

// Version-Release number of selected component (if applicable):
tripleo-ansible-3.3.1-17.1.20231101230824.el9ost.noarch

// How reproducible:
Always.

// Steps to Reproduce:
Deploy RHOSP 17.1 overcloud with AIDE setup in the overcloud nodes. Reference [0].

// Actual results:
Aide integrity checking not set up as cronjob despite setting the Aide{Hour,Minute,CronUser} parameters in the THT template aide.yaml file as part of the overcloud deployment. Documentation reference [0].

// Expected results:
Aide integrity checking should be set up as cronjob using the Aide{Hour,Minute,CronUser} parameters in the THT template aide.yaml file as part of the overcloud deployment. Documentation reference [0].

[0] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/17.1/html-single/hardening_red_hat_openstack_platform/index#intrusion-detection-with-aide_hardening-infrastructure-and-virtualization

[1]

```
(undercloud) [stack@undercloud ~]$ cat templates/04-aide.yaml 
resource_registry:
  OS::TripleO::Services::Aide:
    /usr/share/openstack-tripleo-heat-templates/deployment/aide/aide-baremetal-ansible.yaml
 
parameter_defaults:
  AideRules:
    'TripleORules':
      content: 'TripleORules = p+sha256'
      order: 1
    'etc':
      content: '/etc/ TripleORules'
      order: 2
    'boot':
      content: '/boot/ TripleORules'
      order: 3
    'sbin':
      content: '/sbin/ TripleORules'
      order: 4
    'var':
      content: '/var/ TripleORules'
      order: 5
    'not var/log':
      content: '!/var/log.*'
      order: 6
    'not var/spool':
      content: '!/var/spool.*'
      order: 7
    'not nova instances':
      content: '!/var/lib/nova/instances.*'
      order: 8
  AideHour: 2
  AideMinute: 5
  AideCronUser: 'tripleo-admin' 
```

[2]

```
(undercloud) [stack@undercloud ~]$ cat scripts/overcloud-deploy.sh 
#!/usr/bin/bash
time openstack overcloud deploy --templates \
-n /home/stack/templates/network_data.yaml \
-r /home/stack/templates/roles_data.yaml \
--stack overcloud \
--libvirt-type kvm \
--ntp-server 192.168.102.250 \
-e /home/stack/templates/overcloud-baremetal-deployed.yaml \
-e /home/stack/templates/overcloud-networks-deployed.yaml \
-e /home/stack/templates/overcloud-vip-deployed.yaml \
-e /home/stack/containers-prepare-parameter.yaml \
-e /home/stack/templates/01-disable-tsx.yaml \
-e /home/stack/templates/02-storage-config.yaml \
-e /home/stack/templates/03-ceph-pools-tgt-size.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/cephadm/cephadm.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/cephadm/ceph-mds.yaml \
-e /home/stack/templates/deployed_ceph.yaml \
-e /home/stack/templates/04-aide.yaml \
-e /home/stack/templates/05-dns-domain.yaml
```

[3]

```
// File: /usr/share/ansible/roles/aide/tasks/aide_config.yml

- name: Check for aide db
- name: Ensure aide DB config is set
- name: Initialize aide database
- name: Check for tmp aide db
- name: Copy aide db
- name: Set aide command fact with email
- name: Email aide block
    - name: Ensure audit directory exists
    - name: Set aide command fact
- name: Create aide cron entry <<<
```

[4] /usr/share/ansible/roles/aide/tasks/aide_upgrade.yml

[5]

```
(undercloud) [stack@undercloud ~]$ cat /usr/share/ansible/roles/aide/tasks/aide_upgrade.yml 
---
...
- name: Copy new aide db
  copy:
    src: "{{ aide_db_temp_path }}"
    dest: "{{ aide_db_path }}"
    remote_src: true
  when:
    - aide_db_temp_path_check.stat.exists | bool

- include_tasks: aide_config.yml  <<<<
```
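A quick way to confirm on a deployed node whether the cron entry described above actually landed, as an added check that is not part of the bug report or of the tripleo-ansible aide role. It takes a crontab listing (on a node, `sudo crontab -l -u tripleo-admin`) and looks for a non-comment line scheduled at the AideMinute/AideHour values from the THT template whose command mentions `aide`. Assumptions: the role's cron command text contains the string `aide`, and the `#Ansible: aide` marker line in the sample follows the convention of Ansible's cron module; the two crontab listings below are constructed for offline use and were not captured from a real overcloud node.

```shell
#!/usr/bin/env bash
# Added verification helper; not taken from the bug report or from tripleo-ansible.
# Assumption (not confirmed by the page): the AIDE cron command text contains "aide".

# aide_cron_present CRONTAB_TEXT HOUR MINUTE
# Prints the matching crontab line(s) and returns 0 when an entry whose command
# mentions "aide" is scheduled at HOUR:MINUTE, returns 1 otherwise.
# Crontab field order: minute hour day-of-month month day-of-week command.
aide_cron_present() {
    local crontab_text="$1" hour="$2" minute="$3"
    printf '%s\n' "$crontab_text" | awk -v h="$hour" -v m="$minute" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ &&          # only literal minute/hour fields
        $1 + 0 == m + 0 && $2 + 0 == h + 0 &&
        tolower($0) ~ /aide/ { print; found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# check_node_aide_cron USER HOUR MINUTE
# Reads the user's crontab on the node; a missing crontab ("no crontab for user")
# is treated as "entry missing" rather than aborting the script.
check_node_aide_cron() {
    local user="$1" hour="$2" minute="$3" listing
    listing="$(sudo crontab -l -u "$user" 2>/dev/null || true)"
    if aide_cron_present "$listing" "$hour" "$minute" >/dev/null; then
        echo "OK: AIDE cron entry for $user at $hour:$minute"
    else
        echo "MISSING: no AIDE cron entry for $user at $hour:$minute" >&2
        return 1
    fi
}

# Constructed sample listings (not captured from a real node).
# First: what the reporter saw, the cron user has entries but none for AIDE.
CRONTAB_WITHOUT_AIDE='#Ansible: logrotate
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf'
# Second: a listing where an AIDE entry exists at AideHour=2, AideMinute=5.
CRONTAB_WITH_AIDE='#Ansible: logrotate
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
#Ansible: aide
5 2 * * * /usr/sbin/aide --check'

# Offline demonstration using the two samples; on a node you would call
#   check_node_aide_cron tripleo-admin 2 5
aide_cron_present "$CRONTAB_WITHOUT_AIDE" 2 5 >/dev/null || echo "sample 1: AIDE entry missing"
aide_cron_present "$CRONTAB_WITH_AIDE" 2 5 >/dev/null && echo "sample 2: AIDE entry present"
```

The check deliberately ignores `*` or range values in the minute/hour fields, so an entry that merely happens to cover 02:05 every hour is not mistaken for the one the Aide{Hour,Minute} parameters are supposed to create.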

Comment 9 Red Hat Bugzilla 2025-04-03 04:25:13 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

