Add auditd to Node image for photon OS

  - Add auditd service
  - Enable on boot
  - Read log dir once sysprep cleans log dirs
  - Add containerd audit rules
  - Make sure all auditd customizations happen for photon OS only
  SYSPREP ROLE
  - Include Photon OS tasks at end.
  - Move machine mode fact out of OS specific sysprep role to set
  at begining of role execution.

images/capi/ansible/roles/node/defaults/main.yml

@@ -46,6 +46,7 @@ common_debs:
 - socat
 
 common_photon_rpms:
+- audit
 - conntrack-tools
 - distrib-compat
 - ebtables

images/capi/ansible/roles/node/tasks/main.yml

@@ -12,6 +12,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
+- import_tasks: photon.yml
+  when: ansible_os_family == "VMware Photon OS"
+
 - name: Ensure overlay module is present
   modprobe:
     name: overlay

images/capi/ansible/roles/node/tasks/photon.yml

@@ -0,0 +1,28 @@
+# Copyright 2019 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+# Enable causes auditd to correctly
+# create auto-start symlink.
+# Auditd is diabled by default in Photon OS: https://github.com/vmware/photon/blob/366cf888f3b3c7e54f883c2e3223f5a752fe0e60/SPECS/audit/audit.spec#L104
+- name: Ensure auditd is running and comes on at reboot
+  service:
+    name: auditd
+    state: started
+    enabled: yes
+
+- name: configure auditd rules for containerd
+  template:
+    src: photon-os/etc/audit/rules.d/containerd.rules
+    dest: /etc/audit/rules.d/containerd.rules

images/capi/ansible/roles/node/templates/photon-os/etc/audit/rules.d/containerd.rules

@@ -0,0 +1,10 @@
+-w /var/lib/containerd/ -p rwxa -k containerd
+-w /etc/containerd/ -p rwxa -k containerd
+-w /etc/systemd/system/containerd.service -p rwxa -k containerd
+-w /etc/systemd/system/containerd.service.d/ -p rwxa -k containerd
+-w /run/containerd/ -p rwxa -k containerd
+-w /usr/local/bin/containerd-shim -p rwxa -k containerd
+-w /usr/local/bin/containerd-shim-runc-v1 -p rwxa -k containerd
+-w /usr/local/bin/containerd-shim-runc-v2 -p rwxa -k containerd
+-w /usr/local/sbin/runc -p rwxa -k containerd
+-w /usr/local/bin/containerd -p rwxa -k containerd

images/capi/ansible/roles/setup/tasks/photon.yml

@@ -44,4 +44,4 @@
 
 - name: install extra RPMs
   command: tdnf install {{ extra_rpms }} -y
-  when: extra_rpms != ""
+  when: extra_rpms != ""

images/capi/ansible/roles/sysprep/tasks/debian.yml

@@ -12,11 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
-- name: Define file modes
-  set_fact:
-    last_log_mode:   "0664"
-    machine_id_mode: "0644"
-
 - name: Remove extra repos
   file:
     path: "/etc/apt/sources.list.d/{{ item | basename }}"

images/capi/ansible/roles/sysprep/tasks/main.yml

@@ -12,15 +12,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
+# Used across all OS
+- name: Define file modes
+  set_fact:
+    last_log_mode:   "0644"
+    machine_id_mode: "0444"
+
 - import_tasks: debian.yml
   when: ansible_os_family == "Debian"
 
 - import_tasks: redhat.yml
   when: ansible_os_family == "RedHat"
 
-- import_tasks: photon.yml
-  when: ansible_os_family == "VMware Photon OS"
-
 - name: Truncate machine id
   file:
     state: "{{ item.state }}"
@@ -132,7 +135,7 @@
   - { path: /var/log, state: directory }
   - { path: /var/log/sa, state: directory }
 
-- name: Create a log directory for kube-apiserver audit logs
+- name: Create a log directory for kube-apiserver, k8s audit logs
   file:
     path: "{{ item.path }}"
     state: "{{ item.state }}"
@@ -151,3 +154,9 @@
   loop:
   - { path: /root/.bash_history }
   - { path: "/home/{{ ansible_env.SUDO_USER }}/.bash_history" }
+
+# Include vs import to execute in the end.
+# We want to execute in the end to make sure log dir
+# created for auditd does not get deleted by the task above
+- include_tasks: photon.yml
+  when: ansible_os_family == "VMware Photon OS"

images/capi/ansible/roles/sysprep/tasks/photon.yml

@@ -12,11 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
-- name: Define file modes
-  set_fact:
-    last_log_mode:   "0644"
-    machine_id_mode: "0444"
-
 - name: set hostname
   command: hostnamectl set-hostname localhost.local
 
@@ -46,3 +41,12 @@
   user:
     name: root
     password_lock: yes
+
+- name: Create a log directory for auditd
+  file:
+    path: "/var/log/audit"
+    state: directory
+    mode: "0640"
+    owner: root
+    group: root
+  when: kubernetes_semver != '' # Ensure audit log is not created for HA Proxy images, since this task is shared amongst build targets

images/capi/ansible/roles/sysprep/tasks/redhat.yml

@@ -12,11 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
-- name: Define file modes
-  set_fact:
-    last_log_mode:   "0644"
-    machine_id_mode: "0444"
-
 - import_tasks: rpm_repos.yml
 
 - name: Remove yum package caches