Add AIDE check to CIS playbook

Added a new play to the CIS playbook to ensure existing AIDE
installations are cleaned before applying CIS hardening for the first
time on Ubuntu Noble. Existing installations can become corrupted during
Jammy-Noble Upgrades

Author: stackhpc-ci

etc/kayobe/ansible/maintenance/cis.yml

@@ -1,5 +1,59 @@
 ---
-- name: Security hardening
+- name: CIS - Ensure existing AIDE installation is cleaned
+  hosts: cis-hardening
+  become: true
+  tags:
+    - cis
+  gather_facts: true
+  tasks:
+    - name: Gather package facts
+      ansible.builtin.package_facts:
+        manager: auto
+
+    - name: Check if AIDE cleanup has already run
+      ansible.builtin.stat:
+        path: /opt/kayobe/aide/aide_cleanup_complete.flag
+      register: aide_cleanup_flag
+
+    - name: Cleanup existing AIDE config
+      when:
+        - "'aide' in ansible_facts.packages"
+        - not aide_cleanup_flag.stat.exists
+        - ansible_facts.distribution == 'Ubuntu'
+      block:
+        - name: Stop AIDE service
+          ansible.builtin.service:
+            name: aide
+            state: stopped
+          failed_when: false # Service may not exist
+
+        - name: Remove old AIDE files
+          ansible.builtin.file:
+            path: "{{ item }}"
+            state: absent
+          loop:
+            - /var/lib/aide/aide.db
+            - /var/lib/aide/aide.db.new
+            - /etc/aide/aide.conf.d
+            - /etc/aide/aide.conf
+
+        - name: Ensure flag directory exists
+          ansible.builtin.file:
+            path: /opt/kayobe/aide
+            state: directory
+            mode: '0755'
+            owner: stack
+            group: stack
+
+        - name: Create flag file to prevent re-running cleanup
+          ansible.builtin.file:
+            path: /opt/kayobe/aide/aide_cleanup_complete.flag
+            state: touch
+            mode: '0644'
+            owner: stack
+            group: stack
+
+- name: CIS - General Prerequisites
   hosts: cis-hardening
   become: true
   tags:
@@ -31,6 +85,12 @@
         - "{{ kayobe_ansible_user }}"
         - "{{ kolla_ansible_user }}"
 
+- name: Security hardening
+  hosts: cis-hardening
+  become: true
+  tags:
+    - cis
+  tasks:
     - name: Run CIS hardening role (RHEL 9)
       ansible.builtin.include_role:
         name: ansible-lockdown.rhel9_cis

etc/kayobe/inventory/group_vars/cis-hardening/cis

@@ -152,8 +152,6 @@ ubtu24cis_ownership_adjust: false
 ubtu24cis_no_world_write_adjust: false
 ubtu24cis_suid_sgid_adjust: false
 
-# Prevent hardening from recursivley changing permissions on log files
-
 # Configure log rotation to prevent audit logs from filling the disk
 ubtu24cis_auditd:
   action_mail_acct: root