aide variablizing

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

defaults/main.yml

@@ -1034,8 +1034,7 @@ min_int_uid: 1000
 max_int_uid: 65533
 
 ## Section6 vars
-
-## Control 6.1.1 - allow aide to be configured
+## Control 6.1.x - allow aide to be configured
 # AIDE is a file integrity checking tool, similar in nature to Tripwire.
 # While it cannot prevent intrusions, it can detect unauthorized changes
 # to configuration files by alerting when the files are changed. Review
@@ -1043,6 +1042,16 @@ max_int_uid: 65533
 # By setting this variable to `true`, all of the settings related to AIDE will be applied!
 rhel9cis_config_aide: true
 
+# If DB file older than below will automatically rebuild DB
+# e.g. options:1w = 1 week, 1d = 1day 1h = 1 hour
+rhel9cis_aide_db_file_age: 1w
+
+# If aide already setup this forces a new DB to be created
+rhel9cis_aide_db_recreate: false
+
+# allows to change db file, not config need to be adjusted too
+rhel9cis_aide_db_file: /var/lib/aide/aide.db
+
 ## Control 6.1.2 AIDE cron settings
 
 ## How the aide schedule is run either cron or timer

tasks/section_6/cis_6.1.x.yml

@@ -11,18 +11,45 @@
     - patch
     - rule_6.1.1
     - NIST800-53R5_AU-2
+  block:
     block:
     - name: "6.1.1 | PATCH | Ensure AIDE is installed"
+      when:
+        - "'aide' not in ansible_facts.packages or
+          'aide-common' not in ansible_facts.packages"
       ansible.builtin.package:
-        name: aide
+        name: ['aide', 'aide-common']
         state: present
-      register: discovered_aide_installed
+        update_cache: true
+      register: discovered_aide_pkg_added
 
-    - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB"
-      when: discovered_aide_installed.changed  # noqa: no-handler
+    - name: "6.1.1 | PATCH | Ensure AIDE is installed | Recapture packages"
+      when: discovered_aide_pkg_added.skipped is not defined
+      ansible.builtin.package_facts:
+        manager: auto
+
+    - name: "6.1.1 | AUDIT | Ensure AIDE is installed | Check file exists"
+      ansible.builtin.stat:
+        path: "{{ rhel9cis_aide_db_file }}"
+      register: discovered_aide_db_file
+
+    - name: "6.1.1 | AUDIT | Ensure AIDE is installed | Check current db file age"
+      when: discovered_aide_db_file.stat.exists
+      ansible.builtin.find:
+        path: "{{ rhel9cis_aide_db_file | dirname }}"
+        pattern: "{{ rhel9cis_aide_db_file | basename }}"
+        age: "{{ rhel9cis_aide_db_file_age }}"
+      register: discovered_aide_db_age
+
+    - name: "6.1.1 | PATCH | Ensure AIDE is installed | Configure AIDE"
+      when:
+        - not ansible_check_mode
+        - not discovered_aide_db_file.stat.exists or
+          (discovered_aide_db_age.files | length > 0) or
+          rhel9cis_aide_db_recreate
       block:
         - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB"
-          ansible.builtin.shell: /usr/sbin/aide --init
+          ansible.builtin.shell: "{{ aide_initiate_command }}"
 
         - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB | Wait for file before continuing"
           ansible.builtin.wait_for:

vars/main.yml

@@ -44,3 +44,15 @@ container_vars_file: is_container.yml
 # rhel9cis is left off the front of this var for consistency in testing pipeline
 # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks
 system_is_ec2: false
+
+# Aide initiate command for new DB creation
+aide_initiate_command: aideinit -y -f
+
+# Audit vars
+audit_bins:
+  - /sbin/auditctl
+  - /sbin/aureport
+  - /sbin/ausearch
+  - /sbin/autrace
+  - /sbin/auditd
+  - /sbin/augenrules