feat(aide): add role and playbook

Author: jihan-lf

playbooks/aide.yml

@@ -0,0 +1,23 @@
+- name: 'Playbook linuxfabrik.lfops.aide'
+  hosts:
+    - 'aide'
+
+  pre_tasks:
+    - ansible.builtin.import_role:
+        name: 'shared'
+        tasks_from: 'log-start.yml'
+      tags:
+        - 'always'
+
+
+  roles:
+
+    - role: 'linuxfabrik.lfops.aide'
+
+
+  post_tasks:
+    - ansible.builtin.import_role:
+        name: 'shared'
+        tasks_from: 'log-end.yml'
+      tags:
+        - 'always'

playbooks/all.yml

@@ -1,4 +1,5 @@
 - import_playbook: 'acme_sh.yml'
+- import_playbook: 'aide.yml'
 - import_playbook: 'alternatives.yml'
 - import_playbook: 'ansible_init.yml'
 - import_playbook: 'apache_httpd.yml'

roles/aide/README.md

@@ -0,0 +1,39 @@
+# Ansible Role linuxfabrik.lfops.aide
+
+This role ensures that AIDE is installed, configured, and scheduled for regular filesystem integrity checks.
+
+* The initial AIDE database is created only if `/var/lib/aide/aide.db.gz` does not already exist.
+
+
+## Tags
+
+| Tag | What it does | Reload / Restart |
+| --- | ------------ | ---------------- |
+| `aide` | Runs all tasks of the role | - |
+| `aide:configure` | Deploys the `/etc/aide.conf` configuration file | - |
+| `aide:install` | Installs the AIDE package and initializes the AIDE database if it does not exist yet | - |
+| `aide:update_db` | Rebuilds the AIDE database; Only runs if called explicitly | - |
+| `aide:state` | Deploys and enables the `aide-check.service` and `aide-check.timer` systemd units | Reloads systemd daemon if unit files changed |
+
+
+## Optional Role Variables
+
+| Variable | Description | Default Value |
+| -------- | ----------- | ------------- |
+| `aide__check_time_on_calendar` | Specifies at what time of the day the aide check runs. Have a look at [systemd.time(7)](https://www.freedesktop.org/software/systemd/man/systemd.time.html) for the format. | `'05:00:00'` |
+
+Example:
+```yaml
+# optional
+aide__check_time_on_calendar: '03:00:00' #3 AM
+```
+
+
+## License
+
+[The Unlicense](https://unlicense.org/)
+
+
+## Author Information
+
+[Linuxfabrik GmbH, Zurich](https://www.linuxfabrik.ch)

roles/aide/defaults/main.yml

@@ -0,0 +1,11 @@
+aide__check_time_on_calendar: '05:00:00'
+
+#vars for aide.conf
+aide__include_rules:
+  - '/srv CONTENT_EX' # Extended content + file type + access.
+  - '/opt/venv CONTENT' # Content + file type.
+
+#for excluding paths prefixing path with ! is necessary
+aide__exclude_rules:
+  - '!/srv/app/tmp'
+  - '!/srv/app/cache'

roles/aide/handlers/main.yml

@@ -0,0 +1,7 @@
+- name: 'aide: init db'
+  ansible.builtin.service:
+    name: 
+
+- name: 'aide: enable aidecheck.service'
+  ansible.builtin.service:
+    name: 'aidecheck.service'

roles/aide/tasks/main.yml

@@ -0,0 +1,89 @@
+    # CIS_Rocky_Linux_9_Benchmark_v2.0.0 
+- block:
+
+  - name: '6.1.1 Ensure AIDE is installed'
+    ansible.builtin.package:
+      name: 
+        - 'aide'
+      state: 'present'
+
+  - name: 'Initialize AIDE database'
+    ansible.builtin.command: 'aide --init --before "database_out=file:/var/lib/aide/aide.db.gz"'
+    args:
+      creates: '/var/lib/aide/aide.db.gz'
+
+  tags: 
+    - 'aide'
+    - 'aide:install'
+
+
+  # CIS_Rocky_Linux_9_Benchmark_v2.0.0 
+- block:
+
+  - name: '6.1.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools'
+    ansible.builtin.template:
+      backup: true
+      src: 'etc/aide.conf.j2'
+      dest: '/etc/aide.conf'
+      owner: 'root'
+      group: 'root'
+      mode: 0o644
+
+  tags:
+    - 'aide'
+    - 'aide:configure'
+
+
+  # CIS_Rocky_Linux_9_Benchmark_v2.0.0 
+- block:
+
+  - name: 'Update AIDE database'
+    ansible.builtin.command: "aide --init --before 'database_out=file:/var/lib/aide/aide.db.gz'"
+    
+  tags:
+    - 'never'
+    - 'aide:update_db'
+
+
+  # 6.1.2 Ensure filesystem integrity is regularly checked
+    # CIS_Rocky_Linux_9_Benchmark_v2.0.0 
+- block:
+
+  - name: 'Create /etc/systemd/system/aide-check.service'
+    ansible.builtin.template:
+      src: 'etc/systemd/system/aide-check.service.j2'
+      dest: '/etc/systemd/system/aide-check.service'
+      owner: 'root'
+      group: 'root'
+      mode: 0o644
+    register: '__aide__service_unit_result'
+
+  - name: 'Create /etc/systemd/system/aide-check.timer'
+    ansible.builtin.template:
+      src: 'etc/systemd/system/aide-check.timer.j2'
+      dest: '/etc/systemd/system/aide-check.timer'
+      owner: 'root'
+      group: 'root'
+      mode: 0o644
+    register: '__aide__timer_unit_result'
+
+  - name: 'Reload systemd'
+    ansible.builtin.systemd:
+      daemon_reload: true 
+    when:   
+      - '__aide__service_unit_result is changed or __aide__timer_unit_result is changed'
+
+  - name: 'Enable aide-check.service'
+    ansible.builtin.systemd:
+      name: 'aide-check.service'
+      enabled: true
+      
+  - name: 'Enable aide-check.timer'
+    ansible.builtin.systemd:
+      name: 'aide-check.timer'
+      state: 'started'
+      enabled: true
+
+  tags: 
+    - 'aide'
+    - 'aide:state'