From 2827c752ac821b01eab3836caeed00be839c85ac Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 16:45:49 +0000 Subject: [PATCH] aide variablizing Signed-off-by: Mark Bolwell --- defaults/main.yml | 13 ++++++++++-- tasks/section_6/cis_6.1.x.yml | 37 ++++++++++++++++++++++++++++++----- vars/main.yml | 12 ++++++++++++ 3 files changed, 55 insertions(+), 7 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e210596..32bb5af 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1034,8 +1034,7 @@ min_int_uid: 1000 max_int_uid: 65533 ## Section6 vars - -## Control 6.1.1 - allow aide to be configured +## Control 6.1.x - allow aide to be configured # AIDE is a file integrity checking tool, similar in nature to Tripwire. # While it cannot prevent intrusions, it can detect unauthorized changes # to configuration files by alerting when the files are changed. Review @@ -1043,6 +1042,16 @@ max_int_uid: 65533 # By setting this variable to `true`, all of the settings related to AIDE will be applied! rhel9cis_config_aide: true +# If DB file older than below will automatically rebuild DB +# e.g. options:1w = 1 week, 1d = 1day 1h = 1 hour +rhel9cis_aide_db_file_age: 1w + +# If aide already setup this forces a new DB to be created +rhel9cis_aide_db_recreate: false + +# allows to change db file, not config need to be adjusted too +rhel9cis_aide_db_file: /var/lib/aide/aide.db + ## Control 6.1.2 AIDE cron settings ## How the aide schedule is run either cron or timer diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 898444f..950ca5e 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml 
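Review bot: The comments on the three new variables in the second defaults/main.yml hunk are hard to read and omit the facts a user needs to set them safely: the find module's `age` treats a positive value as "at least this old" and accepts s/m/h/d/w suffixes, and the DB path has to agree with the `database_in`/`database_out` directives in aide.conf, otherwise the stat check in cis_6.1.x.yml never finds the file and the database is re-initialised on every run. I would rewrite them as `# Re-initialise the AIDE DB when the existing file is at least this old (find-module age syntax: s, m, h, d, w; e.g. 1w)`, `# Force a fresh DB even when the current one exists and is recent` and `# Path of the AIDE DB that is checked; must match database_in/database_out in aide.conf`. The first hunk in this file only renames the section heading and needs nothing.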
@@ -12,17 +12,44 @@ - rule_6.1.1 - NIST800-53R5_AU-2 block: + block: - name: "6.1.1 | PATCH | Ensure AIDE is installed" + when: + - "'aide' not in ansible_facts.packages or + 'aide-common' not in ansible_facts.packages" ansible.builtin.package: - name: aide + name: ['aide', 'aide-common'] state: present - register: discovered_aide_installed + update_cache: true + register: discovered_aide_pkg_added - - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB" - when: discovered_aide_installed.changed # noqa: no-handler + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Recapture packages" + when: discovered_aide_pkg_added.skipped is not defined + ansible.builtin.package_facts: + manager: auto + + - name: "6.1.1 | AUDIT | Ensure AIDE is installed | Check file exists" + ansible.builtin.stat: + path: "{{ rhel9cis_aide_db_file }}" + register: discovered_aide_db_file + + - name: "6.1.1 | AUDIT | Ensure AIDE is installed | Check current db file age" + when: discovered_aide_db_file.stat.exists + ansible.builtin.find: + path: "{{ rhel9cis_aide_db_file | dirname }}" + pattern: "{{ rhel9cis_aide_db_file | basename }}" + age: "{{ rhel9cis_aide_db_file_age }}" + register: discovered_aide_db_age + + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Configure AIDE" + when: + - not ansible_check_mode + - not discovered_aide_db_file.stat.exists or + (discovered_aide_db_age.files | length > 0) or + rhel9cis_aide_db_recreate block: - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB" - ansible.builtin.shell: /usr/sbin/aide --init + ansible.builtin.shell: "{{ aide_initiate_command }}" - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB | Wait for file before continuing" ansible.builtin.wait_for: diff --git a/vars/main.yml b/vars/main.yml index ec72d0b..679c5b9 100644 --- a/vars/main.yml +++ b/vars/main.yml 
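Review bot: The new "Configure AIDE" block re-initialises the database whenever the existing file is older than `rhel9cis_aide_db_file_age` (one week by default), but nothing compares the filesystem against the old database first, so every change made since the last init — authorised or not — is silently accepted into the new baseline; I would add a task ahead of the block that runs `ansible.builtin.command: /usr/sbin/aide --check` with `failed_when: false` and `changed_when: false` and registers its output (a non-zero exit means differences were found), so the report is at least kept in the run log, and I would consider making age-based rebuild opt-in rather than the default. The init task uses `ansible.builtin.shell` for a variable holding a plain command line with no shell features; `ansible.builtin.command: "{{ aide_initiate_command }}"` keeps the behaviour with a smaller surface should the variable ever be overridden. The block's `when` relies on Jinja short-circuiting to avoid reading `discovered_aide_db_age.files` when the find task was skipped; `(discovered_aide_db_age.files | default([]) | length > 0)` makes that explicit. The package list now includes `aide-common` and the init command in vars/main.yml becomes `aideinit -y -f`, both names I associate with Debian-derived packaging rather than RHEL 9, so confirm they resolve on the target platform before the `/usr/sbin/aide --init` path is dropped. The enclosing block starts before this hunk and its `wait_for` task continues past it.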
@@ -44,3 +44,15 @@ container_vars_file: is_container.yml # rhel9cis is left off the front of this var for consistency in testing pipeline # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks system_is_ec2: false + +# Aide initiate command for new DB creation +aide_initiate_command: aideinit -y -f + +# Audit vars +audit_bins: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules
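Review bot: `aide_initiate_command` is placed in vars/main.yml, which has role-vars precedence and cannot be overridden from inventory or extra-vars the way the new `rhel9cis_aide_*` settings in defaults/main.yml can; if the command is meant to be adjustable it belongs in defaults, and if it is deliberately fixed a comment such as `# Fixed on purpose: override only by editing this file` removes the ambiguity. `audit_bins` is added without any comment on what reads it and is unrelated to the commit subject; a one-line comment naming the consuming task (I cannot see one in this patch) would help the next reader.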