Security Hardening in tripleo-docs: Incorrect indentation in YAML example

Bug #1815208 reported by Laura Marsh
This bug affects 1 person
Affects    Status    Importance    Assigned to    Milestone
tripleo    Triaged   Low           Unassigned

Bug Description

This bug tracker is for errors with the documentation; use the following as a template and remove or add fields as you see fit. Convert [ ] into [x] to check boxes:

- [x] This doc is inaccurate in this way: The formatting of the YAML in the upstream documentation is wrong. I've attached a copy of the YAML with proper formatting to this BZ.

Additionally, we need to clearly identify and call out directories that should and should not be included, because with the provided example the run to create the initial AIDE DB causes a timeout in the deployment process (I will be opening a second BZ for that).

In my attached example file, I've also excluded /var/lib/docker. We have NO clear documentation on utilizing AIDE on a system running Docker. Because of how AIDE works, if files change a lot they should not be in scope for AIDE, as it will provide no benefit. With Docker, there are a lot of these on the filesystem, so we need to provide the customer with better recommended scoping of what to and what not to monitor.

Refer to the correct YAML format (attachment) here: https://bugzilla.redhat.com/show_bug.cgi?id=1673171

- [ ] This is a doc addition request.

- [x] I have a fix to the document that I can paste below including example: input and output.

# Heat environment file that enables the AIDE service and supplies its rules.
resource_registry:
  OS::TripleO::Services::Aide: /usr/share/openstack-tripleo-heat-templates/puppet/services/aide.yaml

parameter_defaults:
  # Cron hour and minute for the scheduled AIDE check (12:30).
  AideHour: 12
  AideMinute: 30
  # Each key is a rule name; 'content' is one aide.conf line and 'order'
  # is the position of that line in the generated configuration.
  AideRules:
    # Group definition: record permissions (p) and a SHA-256 hash of each file.
    'TripleORules':
      content: 'TripleORules = p+sha256'
      order: 1
    # Directories to monitor with the TripleORules group.
    'etc':
      content: '/etc/ TripleORules'
      order: 2
    'boot':
      content: '/boot/ TripleORules'
      order: 3
    'sbin':
      content: '/sbin/ TripleORules'
      order: 4
    'var':
      content: '/var/ TripleORules'
      order: 5
    # Negated rules ('!') exclude paths whose contents change constantly;
    # monitoring them would only produce noise in every report.
    'not var/log':
      content: '!/var/log.*'
      order: 6
    'not var/spool':
      content: '!/var/spool.*'
      order: 7
    'not /var/adm/utmp':
      content: '!/var/adm/utmp$'
      order: 8
    'not nova instances':
      content: '!/var/lib/nova/instances.*'
      order: 9
    'not docker':
      content: '!/var/lib/docker.*'
      order: 10

-----------------------------------
Release: 0.0.1.dev1094 on 2018-06-04 16:04:36
SHA: 311a01795c4d9dc2b59f3f2647305d59b88efcb4
Source: https://git.openstack.org/cgit/openstack/tripleo-docs/tree/doc/source/install/advanced_deployment/security_hardening.rst
URL: https://docs.openstack.org/tripleo-docs/latest/install/advanced_deployment/security_hardening.html
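The two problems the report raises, a mis-indented AideRules mapping that Heat accepts but that produces garbage rules, and high-churn directories left in scope, are both cheap to catch before running the deploy. The following is an added example written for this page; it is not code from the bug report, tripleo-docs or tripleo-heat-templates. It operates on the dict that yaml.safe_load() returns for parameter_defaults.AideRules, and it assumes, as the report implies, that the service writes each rule's 'content' line in ascending 'order'. REPORTER_RULES mirrors the corrected YAML above; MISINDENTED_RULES and HIGH_CHURN_PATHS are constructed samples (the exact indentation error in the upstream doc is not reproduced on this page).

```python
"""Sanity-check an AideRules mapping before handing it to a TripleO deploy.

Added example for this bug report, not project code. Assumes the AIDE
service emits each rule's 'content' line in ascending 'order'.
"""
import re
from typing import Dict, List

# The corrected AideRules mapping from the bug report, as PyYAML parses it.
REPORTER_RULES: Dict[str, dict] = {
    "TripleORules": {"content": "TripleORules = p+sha256", "order": 1},
    "etc": {"content": "/etc/ TripleORules", "order": 2},
    "boot": {"content": "/boot/ TripleORules", "order": 3},
    "sbin": {"content": "/sbin/ TripleORules", "order": 4},
    "var": {"content": "/var/ TripleORules", "order": 5},
    "not var/log": {"content": "!/var/log.*", "order": 6},
    "not var/spool": {"content": "!/var/spool.*", "order": 7},
    "not /var/adm/utmp": {"content": "!/var/adm/utmp$", "order": 8},
    "not nova instances": {"content": "!/var/lib/nova/instances.*", "order": 9},
    "not docker": {"content": "!/var/lib/docker.*", "order": 10},
}

# Constructed sample (not the upstream page's actual text): what safe_load()
# yields when a rule's 'content'/'order' sit at the same depth as the rule
# name. The name becomes an empty key and its fields float up one level.
MISINDENTED_RULES: Dict[str, object] = {
    "TripleORules": {"content": "TripleORules = p+sha256", "order": 1},
    "etc": None,
    "content": "/etc/ TripleORules",
    "order": 2,
}

# Constructed sample paths inside the high-churn locations the report says
# AIDE should not monitor on a containerized node.
HIGH_CHURN_PATHS = (
    "/var/log/messages",
    "/var/spool/cron/root",
    "/var/adm/utmp",
    "/var/lib/nova/instances/7f3c/disk",
    "/var/lib/docker/overlay2/abc123/diff/etc/hosts",
)


def validate_aide_rules(rules: object) -> List[str]:
    """Return human-readable problems; an empty list means the mapping is sane."""
    if not isinstance(rules, dict):
        return ["AideRules must be a mapping of rule name -> {content, order}"]
    problems: List[str] = []
    orders: Dict[int, str] = {}
    for name, body in rules.items():
        if not isinstance(body, dict):
            problems.append(
                f"{name!r}: expected a mapping with 'content' and 'order', "
                f"got {type(body).__name__} (check indentation)"
            )
            continue
        content, order = body.get("content"), body.get("order")
        if not isinstance(content, str) or not content.strip():
            problems.append(f"{name!r}: missing or empty 'content'")
        if isinstance(order, bool) or not isinstance(order, int):
            problems.append(f"{name!r}: 'order' must be an integer")
        elif order in orders:
            problems.append(f"{name!r}: order {order} already used by {orders[order]!r}")
        else:
            orders[order] = name
        extra = sorted(set(body) - {"content", "order"})
        if extra:
            problems.append(f"{name!r}: unexpected keys {extra}")
    return problems


def render_aide_conf(rules: Dict[str, dict]) -> str:
    """Emit the aide.conf lines in 'order' sequence (assumed service behaviour)."""
    ordered = sorted(rules.items(), key=lambda kv: kv[1]["order"])
    return "".join(body["content"] + "\n" for _, body in ordered)


def _split_rules(rules: Dict[str, dict]):
    """Separate include regexes from '!' exclude regexes; skip group definitions."""
    includes, excludes = [], []
    for body in rules.values():
        token = body["content"].split()[0]
        if token.startswith("!"):
            excludes.append(re.compile(token[1:]))
        elif token.startswith("=/"):       # AIDE 'equals' line, treated as an include here
            includes.append(re.compile(token[1:]))
        elif token.startswith("/"):
            includes.append(re.compile(token))
        # anything else is a group definition such as 'TripleORules = p+sha256'
    return includes, excludes


def unscoped_high_churn(rules: Dict[str, dict], paths=HIGH_CHURN_PATHS) -> List[str]:
    """Sample paths that an include rule selects and no '!' rule excludes."""
    includes, excludes = _split_rules(rules)
    return [
        p for p in paths
        if any(rx.match(p) for rx in includes) and not any(rx.match(p) for rx in excludes)
    ]


if __name__ == "__main__":
    for label, rules in (("reporter", REPORTER_RULES), ("mis-indented", MISINDENTED_RULES)):
        print(f"{label}: {validate_aide_rules(rules) or 'OK'}")
    print(render_aide_conf(REPORTER_RULES), end="")
    print("unscoped high-churn paths:", unscoped_high_churn(REPORTER_RULES))
```

To run it against a real environment file, replace REPORTER_RULES with yaml.safe_load(open(path))["parameter_defaults"]["AideRules"]. The validator catches the indentation failure mode (rule bodies that are None or scalars, duplicate or non-integer orders), and unscoped_high_churn() reports any constructed high-churn path that the include lines cover without a matching exclusion; dropping the 'not docker' rule makes the Docker overlay path show up, which is exactly the scoping gap the report describes. AIDE's own matching semantics are richer than a plain re.match (the '=' prefix limits a rule to the directory itself), so treat this as a pre-deploy lint, not a substitute for aide --config-check on the node.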

Revision history for this message
Juan Antonio Osorio Robles (juan-osorio-robles) wrote :

If you have a fix, could you submit that?

Changed in tripleo:
status: New → Triaged
importance: Undecided → Low
milestone: none → stein-rc1
Changed in tripleo:
milestone: stein-rc1 → train-1
Changed in tripleo:
milestone: train-1 → train-2
Changed in tripleo:
milestone: train-2 → train-3
Changed in tripleo:
milestone: train-3 → ussuri-1
Changed in tripleo:
milestone: ussuri-1 → ussuri-2
wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-2 → ussuri-3
wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-3 → ussuri-rc3
wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-rc3 → victoria-1
Changed in tripleo:
milestone: victoria-1 → victoria-3