Can't initialize AIDE during subsequent playbook runs

Bug #1616281 reported by Major Hayden on 2016-08-24
This bug affects 1 person
Affects: openstack-ansible
Importance: Medium
Assigned to: Major Hayden

Bug Description

AIDE isn't initialized by default because it can cause a lot of system load when it does its first check of a new system. If a deployer applies the security hardening role with ``initialize_aide`` set to False (the default), it won't be initialized. However, if they set it to True and re-run the playbook, AIDE is already configured and the handler to initialize AIDE won't execute.

Fix proposed to branch: master
Review: https://review.openstack.org/359554

Changed in openstack-ansible:
status: New → In Progress

Reviewed: https://review.openstack.org/359554
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=578ce32998d889cf3ea63260fc3ca2f99e8ea91d
Submitter: Jenkins
Branch: master

commit 578ce32998d889cf3ea63260fc3ca2f99e8ea91d
Author: Major Hayden <email address hidden>
Date: Tue Aug 23 22:12:31 2016 -0500

    Ensure AIDE initializes on subsequent runs

    If a deployer installs AIDE the first time they apply the role
    without initializing AIDE and they want to initialize it later,
    the handler that does the initialization never fires.

    This patch does a few things:

      - Ensures AIDE initialization if the initialize_aide bool is True
      - Doesn't initialize the AIDE db if it already exists
      - Moves the new db into place on Red Hat systems
      - Moves the AIDE tasks into its own file with tags
      - Prevents AIDE from trawling through /var

    Closes-bug: 1616281

    Change-Id: I85d65738fde064b06b1147c529b22c3f44a33e94
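
The failure mode and the fix described in the commit message above, sketched as an Ansible playbook. This is an added example, not the tasks from the openstack-ansible-security role; `initialize_aide` is the variable named in the bug description, while the Red Hat database paths and the names `aide_db`, `aide_db_new`, `aide_db_stat` and `aide_init` are assumptions.

```yaml
# Added illustration, not the role's own code. Paths are assumed Red Hat
# defaults; aide_db, aide_db_new, aide_db_stat and aide_init are hypothetical.
- hosts: all
  become: true
  vars:
    initialize_aide: false                      # default, per the bug report
    aide_db: /var/lib/aide/aide.db.gz           # assumed path
    aide_db_new: /var/lib/aide/aide.db.new.gz   # assumed path
  tasks:
    # Pattern that caused the bug: initialization hangs off a handler.
    # A handler runs only when the notifying task reports "changed", so
    # once AIDE is installed and configured, a later run with
    # initialize_aide=True never reaches it.
    #
    # - name: Install AIDE
    #   package:
    #     name: aide
    #     state: present
    #   notify: initialize aide

    # Pattern matching the fix: explicit tasks gated on the boolean and on
    # whether a database is already present.
    - name: Check whether the AIDE database already exists
      stat:
        path: "{{ aide_db }}"
      register: aide_db_stat
      tags: [aide]

    - name: Initialize AIDE (expensive first scan, only when requested)
      command: aide --init
      when:
        - initialize_aide | bool
        - not aide_db_stat.stat.exists
      register: aide_init
      tags: [aide]

    - name: Move the new AIDE database into place on Red Hat systems
      command: mv {{ aide_db_new }} {{ aide_db }}
      args:
        creates: "{{ aide_db }}"
        removes: "{{ aide_db_new }}"
      when:
        - ansible_os_family == 'RedHat'
        - aide_init is changed
      tags: [aide]
```

Because the existing database is never overwritten, re-running the play does not re-baseline a host whose files may already have changed since the first scan.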

Changed in openstack-ansible:
status: In Progress → Fix Released

Change abandoned by Major Hayden (<email address hidden>) on branch: liberty
Review: https://review.openstack.org/361242
Reason: Need to adjust this backport in Mitaka a bit.

Reviewed: https://review.openstack.org/361239
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=c16d11786a2a95fc5079ae35e0222bf5d49bb3a3
Submitter: Jenkins
Branch: stable/mitaka

commit c16d11786a2a95fc5079ae35e0222bf5d49bb3a3
Author: Major Hayden <email address hidden>
Date: Mon Aug 29 11:11:09 2016 -0500

    Ensure AIDE initializes on subsequent runs

    If a deployer installs AIDE the first time they apply the role
    without initializing AIDE and they want to initialize it later,
    the handler that does the initialization never fires.

    This patch does a few things:

      - Ensures AIDE initialization if the initialize_aide bool is True
      - Doesn't initialize the AIDE db if it already exists
      - Moves the new db into place on Red Hat systems
      - Moves the AIDE tasks into its own file with tags
      - Prevents AIDE from trawling through /var

    Manual backport of two reviews:
      * https://review.openstack.org/#/c/359554/
      * https://review.openstack.org/#/c/361460/

    Closes-bug: 1616281
    Depends-on: I60aa62ff688d32c14031773d35af29b3cf6b6fd6
    Change-Id: I170eb3898b4336333b1fbe663ec4f069823898e0

tags: added: in-stable-mitaka

This issue was fixed in the openstack/openstack-ansible-security 14.0.0.0b3 development milestone.

Reviewed: https://review.openstack.org/362828
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=6c9eb50fd64cb791a73ef778315f9a52b8c434c8
Submitter: Jenkins
Branch: liberty

commit 6c9eb50fd64cb791a73ef778315f9a52b8c434c8
Author: Major Hayden <email address hidden>
Date: Mon Aug 29 11:11:09 2016 -0500

    Ensure AIDE initializes on subsequent runs

    If a deployer installs AIDE the first time they apply the role
    without initializing AIDE and they want to initialize it later,
    the handler that does the initialization never fires.

    This patch does a few things:

      - Ensures AIDE initialization if the initialize_aide bool is True
      - Doesn't initialize the AIDE db if it already exists
      - Moves the new db into place on Red Hat systems
      - Moves the AIDE tasks into its own file with tags
      - Prevents AIDE from trawling through /var

    Manual backport of two reviews:
      * https://review.openstack.org/#/c/359554/
      * https://review.openstack.org/#/c/361460/

    Closes-Bug: 1616281
    Backport-of: I170eb3898b4336333b1fbe663ec4f069823898e0
    Change-Id: Iaedcce1d6416f2224f44376336c23702e6152a00

tags: added: in-liberty

This issue was fixed in the openstack/openstack-ansible-security 13.3.4 release.

This issue was fixed in the openstack/openstack-ansible-security 12.2.4 release.
