/home/zuul/src/opendev.org/openstack/ansible-hardening/tasks/rhel7stig/aide.yml
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Verify that AIDE configuration directory exists
  stat:
    path: "{{ item }}"
  register: aide_conf
  check_mode: no
  with_items:
    - /etc/aide/aide.conf.d
    - /etc/aide.conf
  tags:
    - always

- name: Exclude certain directories from AIDE
  template:
    src: ZZ_aide_exclusions.j2
    dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
  when: aide_conf.results[0].stat.exists | bool
  tags:
    - medium
    - aide
    - V-71973

# NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration
# that meets the requirements of V-72069 and V-72071. That config
# is borrowed for Ubuntu 16.04 here.
- name: Configure AIDE to verify additional properties (Ubuntu)
  blockinfile:
    dest: "/etc/aide/aide.conf"
    insertbefore: EOF
    marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
    block: |
      # Rules borrowed from CentOS/RHEL AIDE configuration
      # (SELinux was removed for Ubuntu compatibility.)
      FIPSR = p+i+n+u+g+s+m+c+acl+xattrs+sha256
      NORMAL = FIPSR+sha512

      # The following two lines apply the NORMAL rule (above this line) to the
      # /bin and /sbin directories to meet the requirements of two STIG controls:
      #
      #   V-72069 - Verify ACLs
      #   V-72071 - Verify extended attributes
      #
      /bin    NORMAL
      /sbin   NORMAL
  when:
    - aide_conf.results[0].stat.exists | bool
    - ansible_os_family | lower == 'debian'
  tags:
    - low
    - aide
    - V-72069
    - V-72071
    - V-72073

# NOTE(hwoarang): Add acl and xattrs on SUSE to meet V-72069 and V-72071.
- name: Configure AIDE to verify additional properties (SUSE)
  lineinfile:
    dest: "/etc/aide.conf"
    regexp: '(^Binlib.*= )'
    line: '\1p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs'
    state: present
    backrefs: yes
  when:
    - aide_conf.results[1].stat.exists | bool
    - ansible_pkg_mgr == 'zypper'
  tags:
    - low
    - aide
    - V-72069
    - V-72071
    - V-72073

- name: Check to see if AIDE database is already in place
  stat:
    path: "{{ aide_database_file }}"
  register: aide_database
  check_mode: no
  tags:
    - always

- name: Initialize AIDE (this will take a few minutes)
  # NOTE(hwoarang): aideinit is an Ubuntu wrapper. An alternative
  # would be to use aideinit || aide -i but that will possibly mask
  # genuine aideinit failures.
  shell: "if test -x /usr/sbin/aideinit; then aideinit; else aide -i; fi"
  changed_when: false
  register: aide_init
  when:
    - aide_conf.results[0].stat.exists | bool or aide_conf.results[1].stat.exists | bool
    - not aide_database.stat.exists | bool
    - security_rhel7_initialize_aide | bool
  tags:
    - medium
    - aide
    - V-71973

# NOTE(mhayden): This is only needed for CentOS 7, RHEL 7 and SUSE since Ubuntu
# copies the new AIDE database into place automatically with its AIDE wrapper
# script.
- name: Move AIDE database into place
  command: "mv {{ aide_database_out_file }} {{ aide_database_file }}"
  changed_when: false
  when:
    - aide_init is not skipped
    - ansible_pkg_mgr in ['yum', 'zypper']
  tags:
    - medium
    - aide
    - V-71973

# NOTE(mhayden): This is only needed for CentOS 7, RHEL 7 and SUSE since the AIDE
# package doesn't come with a cron job file. Ubuntu packages a cron job for
# AIDE checks already.
- name: Create AIDE cron job
  cron:
    name: aide
    cron_file: aide
    user: root
    special_time: daily
    job: "/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root"
  when:
    - ansible_pkg_mgr in ['yum', 'zypper']
  tags:
    - medium
    - aide
    - V-71975