openshift / file-integrity-operator

Operator providing OpenShift cluster node file integrity checking
Apache License 2.0

AIDE migration #537

Open Vincent056 opened 4 months ago

Vincent056 commented 4 months ago

This PR adds the ability to run aide 0.18 config checks and migration.

AIDE 0.18 will be compiled as an additional binary and used by FIO to check our migrated config. This new binary will reside in the container image, and we will launch a new pod to check the AIDE config migration every time we need to re-init.

Adds a config check to the existing upgrade case: check for the migration-checks-needed annotation; if present, we launch the pod, the pod checks for AIDE migration and issues a warning, returning the result as a config map; the config map controller picks up the change and removes the migration-checks-needed annotation.

We will try to perform the migration if a user-defined config is detected. We will issue warning messages in the log, and have a failed annotation key in the FIO instance if we cannot pre-migrate the config.

Annotation keys added:

    // AideConfigMigrationIgnoreAnnotationKey tells us to ignore the deprecated config options
    AideConfigMigrationIgnoreAnnotationKey = "file-integrity.openshift.io/migration-ignore-deprecation"
    // AideConfigAutoMigrationFailedAnnotationKey tells us that the automatic migration failed
    AideConfigAutoMigrationFailedAnnotationKey = "file-integrity.openshift.io/migration-failed"
    // AideConfigMigrationCheckDisabledAnnotationKey tells us that the migration check is disabled
    AideConfigMigrationCheckDisabledAnnotationKey = "file-integrity.openshift.io/migration-check-disabled"

Example of an event message:

7m17s       Warning   FileIntegrityAIDEConfigMigration   fileintegrity/example-fileintegrity            Migration check failed: Detected error config during the migration check: Invalid configureline error

AIDE Configuration Changes

- Removed Features in AIDE v0.17
- New Features in AIDE v0.17
- New Features in AIDE v0.16
- Deprecated Features in AIDE v0.18 (to be removed in AIDE v0.20)
- Removed Features in AIDE v0.19

openshift-ci[bot] commented 4 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Vincent056

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/openshift/file-integrity-operator/blob/master/OWNERS)~~ [Vincent056]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.

Vincent056 commented 4 months ago

/retest

Vincent056 commented 4 months ago

we will save migrated config in:

kind: ConfigMap
apiVersion: v1
metadata:
  name: example-fileintegrity
  namespace: openshift-file-integrity
  uid: 3e68694f-fed1-403f-805f-813eec85ff38
  resourceVersion: '68362036'
  creationTimestamp: '2024-06-28T06:22:38Z'
  labels:
    file-integrity.openshift.io/aide-conf: ''
    file-integrity.openshift.io/owner: example-fileintegrity
  annotations:
    kubernetes.io/description: hi
  managedFields:
    - manager: Mozilla
      operation: Update
      apiVersion: v1
      time: '2024-07-12T06:37:37Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            .: {}
            'f:kubernetes.io/description': {}
    - manager: file-integrity-operator
      operation: Update
      apiVersion: v1
      time: '2024-07-12T18:35:21Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:data':
          .: {}
          'f:aide-0.18.conf': {}
          'f:aide.conf': {}
        'f:metadata':
          'f:labels':
            .: {}
            'f:file-integrity.openshift.io/aide-conf': {}
            'f:file-integrity.openshift.io/owner': {}
data:
  aide-0.18.conf: |-
    @@define DBDIR /hostroot/etc/kubernetes
    @@define LOGDIR /hostroot/etc/kubernetes
    database_in=file:@@{DBDIR}/aide.db.gz
    database_out=file:@@{DBDIR}/aide.db.gz.new
    gzip_dbout=yes
    log_level=notice
    report_level=added_removed_attributes
    report_url=file:@@{LOGDIR}/aide.log.new
    report_url=stdoutx
    PERMS = p+u+g+acl+selinux+xattrs
    CONTENTEX=sha512+ftype+p+u+g+n+acl+selinux+xattrs

    /hostroot/boot/        CONTENTEX
    /hostroot/root/\..* PERMS
    /hostroot/root/   CONTENTEX
    !/hostroot/root/\.kube
    !/hostroot/usr/src/
    !/hostroot/usr/tmp/

    /hostroot/usr/    CONTENTEX

    # OpenShift specific excludes
    !/hostroot/opt/
    !/hostroot/var
    !/hostroot/etc/NetworkManager/system-connections/
    !/hostroot/etc/mtab$
    !/hostroot/etc/.*~
    !/hostroot/etc/kubernetes/static-pod-resources
    !/hostroot/etc/kubernetes/test
    !/hostroot/etc/kubernetes/aide.*
    !/hostroot/etc/kubernetes/manifests
    !/hostroot/etc/kubernetes/kubelet-ca.crt
    !/hostroot/etc/docker/certs.d
    !/hostroot/etc/selinux/targeted
    !/hostroot/etc/openvswitch/conf.db
    !/hostroot/etc/kubernetes/cni/net.d
    !/hostroot/etc/kubernetes/cni/net.d/*
    !/hostroot/etc/machine-config-daemon/currentconfig$
    !/hostroot/etc/machine-config-daemon/node-annotation.json*
    !/hostroot/etc/pki/ca-trust/extracted/java/cacerts$
    !/hostroot/etc/cvo/updatepayloads
    !/hostroot/etc/cni/multus/certs
    !/hostroot/etc/kubernetes/compliance-operator
    !/hostroot/etc/kubernetes/node-feature-discovery

    # Catch everything else in /etc
    /hostroot/etc/    CONTENTEX
  aide.conf: |-
    @@define DBDIR /hostroot/etc/kubernetes
    @@define LOGDIR /hostroot/etc/kubernetes
    database=file:@@{DBDIR}/aide.db.gz
    database_out=file:@@{DBDIR}/aide.db.gz.new
    gzip_dbout=yes
    verbose=6
    report_url=file:@@{LOGDIR}/aide.log.new
    report_url=stdoutx
    PERMS = p+u+g+acl+selinux+xattrs
    CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs

    /hostroot/boot/        CONTENT_EX
    /hostroot/root/\..* PERMS
    /hostroot/root/   CONTENT_EX
    !/hostroot/root/\.kube
    !/hostroot/usr/src/
    !/hostroot/usr/tmp/

    /hostroot/usr/    CONTENT_EX

    # OpenShift specific excludes
    !/hostroot/opt/
    !/hostroot/var
    !/hostroot/etc/NetworkManager/system-connections/
    !/hostroot/etc/mtab$
    !/hostroot/etc/.*~
    !/hostroot/etc/kubernetes/static-pod-resources
    !/hostroot/etc/kubernetes/test
    !/hostroot/etc/kubernetes/aide.*
    !/hostroot/etc/kubernetes/manifests
    !/hostroot/etc/kubernetes/kubelet-ca.crt
    !/hostroot/etc/docker/certs.d
    !/hostroot/etc/selinux/targeted
    !/hostroot/etc/openvswitch/conf.db
    !/hostroot/etc/kubernetes/cni/net.d
    !/hostroot/etc/kubernetes/cni/net.d/*
    !/hostroot/etc/machine-config-daemon/currentconfig$
    !/hostroot/etc/machine-config-daemon/node-annotation.json*
    !/hostroot/etc/pki/ca-trust/extracted/java/cacerts$
    !/hostroot/etc/cvo/updatepayloads
    !/hostroot/etc/cni/multus/certs
    !/hostroot/etc/kubernetes/compliance-operator
    !/hostroot/etc/kubernetes/node-feature-discovery

    # Catch everything else in /etc
    /hostroot/etc/    CONTENT_EX
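The two ConfigMap keys above differ in exactly three ways: `database=` becomes `database_in=`, `verbose=6` becomes the `log_level`/`report_level` pair, and the group `CONTENT_EX` loses its underscore (in both its definition and every rule that uses it). The following is an added example, not code from this PR or the operator, of a pre-migration rewrite that applies those three changes and, like the PR's check pod, reports anything it cannot translate as a warning instead of guessing. The upper-case-name heuristic for spotting group definitions and the handling of only `verbose=6` are assumptions taken from this page's configs.

```go
package main

import (
	"regexp"
	"strings"
)

// groupDef matches a user-defined group line such as "CONTENT_EX = sha512+...".
// Assumption for this example: AIDE option names are lower-case, so an
// upper-case name before "=" is treated as a group definition.
var groupDef = regexp.MustCompile(`^([A-Z][A-Z0-9_]*)\s*=`)

// migrateAideConf rewrites pre-0.17 aide.conf syntax into the 0.18 form using
// the three changes visible between the two ConfigMap keys above. Lines it
// cannot translate are kept unchanged and reported as warnings.
func migrateAideConf(old string) (string, []string) {
	var warnings []string
	lines := strings.Split(old, "\n")

	// Pass 1: group names containing "_" lose the underscore everywhere.
	renames := map[*regexp.Regexp]string{}
	for _, l := range lines {
		if m := groupDef.FindStringSubmatch(l); m != nil && strings.Contains(m[1], "_") {
			renames[regexp.MustCompile(`\b`+m[1]+`\b`)] = strings.ReplaceAll(m[1], "_", "")
		}
	}

	// Pass 2: rewrite renamed options and apply the group renames to every line.
	out := make([]string, 0, len(lines)+1)
	for _, l := range lines {
		switch {
		case strings.HasPrefix(l, "database="):
			out = append(out, "database_in="+strings.TrimPrefix(l, "database="))
		case l == "verbose=6":
			// The only verbose level on this page; its 0.18 equivalent is the
			// option pair that appears in aide-0.18.conf above.
			out = append(out, "log_level=notice", "report_level=added_removed_attributes")
		case strings.HasPrefix(l, "verbose="):
			warnings = append(warnings, "cannot translate: "+l)
			out = append(out, l)
		default:
			for re, to := range renames {
				l = re.ReplaceAllString(l, to)
			}
			out = append(out, l)
		}
	}
	return strings.Join(out, "\n"), warnings
}
```

Running it over the `aide.conf` key above yields the `aide-0.18.conf` key (modulo whitespace around `=`); a config with, say, `verbose=2` comes back unchanged on that line plus a warning, which is the situation where the PR sets the migration-failed annotation.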

Vincent056 commented 4 months ago

@rhmdnd this should be ready for some reviews

Vincent056 commented 3 months ago

Took an initial pass, but I still need to come back and look through the config map controller and file integrity controller logic.

Posting the feedback I have for now.

Thanks for the detailed reviews!

Vincent056 commented 3 months ago

/retest

Vincent056 commented 3 months ago

/retest

openshift-ci[bot] commented 3 months ago

@Vincent056: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).

openshift-bot commented 3 weeks ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-merge-robot commented 3 weeks ago

PR needs rebase.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.