1 change: 1 addition & 0 deletions playbooks/all.yml
Expand Up @@ -118,6 +118,7 @@
- import_playbook: 'repo_remi.yml'
- import_playbook: 'repo_rpmfusion.yml'
- import_playbook: 'repo_sury.yml'
- import_playbook: 'rl9_cis.yml
- import_playbook: 'rsyslog.yml'
- import_playbook: 'selinux.yml'
- import_playbook: 'setup_basic.yml'
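Review bot: The added import line `- import_playbook: 'rl9_cis.yml` is missing its closing single quote, at least as rendered here; if the committed file really reads that way the whole all.yml playbook fails to parse, because the quoted scalar runs on to the end of the stream. It should read `- import_playbook: 'rl9_cis.yml'`, matching the neighbouring entries. The import list continues outside the hunk on both sides.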
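--- a/playbooks/rl9_cis.yml
+++ b/playbooks/rl9_cis.yml
@@ -0,0 +1,22 @@
+- name: 'Playbook linuxfabrik.lfops.rl9_cis'
+hosts:
+- 'lfops_rl9_cis'
+
+pre_tasks:
+- ansible.builtin.import_role:
+name: 'shared'
+tasks_from: 'log-start.yml'
+tags:
+- 'always'
+
+
+roles:
+- role: 'linuxfabrik.lfops.aide'
+
+
+post_tasks:
+- ansible.builtin.import_role:
+name: 'shared'
+tasks_from: 'log-end.yml'
+tags:
+- 'always'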
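Review bot: The playbook is named rl9_cis and targets the `lfops_rl9_cis` host group, but its only role is `linuxfabrik.lfops.aide`, so the name promises more of the benchmark than the file delivers. A header comment above the `- name:` line such as `# Applies the AIDE-related CIS Rocky Linux 9 controls (6.1.x); extend the roles list as further benchmark sections are covered.` sets the reader's expectation. If further roles are planned, this roles list is where they belong, and the comment should say so.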
2 changes: 2 additions & 0 deletions roles/acme_sh/tasks/main.yml
Expand Up @@ -29,6 +29,7 @@

- name: 'Deploy /etc/systemd/system/acme-sh.service'
ansible.builtin.template:
backup: true
src: 'etc/systemd/system/acme-sh.service.j2'
dest: '/etc/systemd/system/acme-sh.service'
owner: 'root'
Expand All @@ -37,6 +38,7 @@

- name: 'Deploy /etc/systemd/system/acme-sh.timer'
ansible.builtin.template:
backup: true
src: 'etc/systemd/system/acme-sh.timer.j2'
dest: '/etc/systemd/system/acme-sh.timer'
owner: 'root'
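Review bot: `backup: true` on the two unit-file template tasks leaves a timestamped copy ending in `~` next to the unit in /etc/systemd/system every time the rendered file changes, and nothing on this page prunes them. systemd ignores files without a unit suffix, so the loader is unaffected, but the copies accumulate in a directory that is otherwise kept minimal and can mislead anyone auditing the unit files. If the backups are intentional, say why above each task, e.g. `# backup: keep the previous unit so a bad render can be diffed and rolled back`; otherwise drop the option. The remaining parameters of both template tasks are outside the hunks.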
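--- a/roles/aide/README.md
+++ b/roles/aide/README.md
@@ -0,0 +1,46 @@
+# Ansible Role linuxfabrik.lfops.aide
+
+This role ensures that AIDE is installed, configured, and scheduled for regular filesystem integrity checks.
+
+* The initial AIDE database is created only if `/var/lib/aide/aide.db.gz` does not already exist.
+
+
+## Tags
+
+| Tag | What it does | Reload / Restart |
+| --- | ------------ | ---------------- |
+| `aide` | Runs all tasks of the role | - |
+| `aide:configure` | Deploys the `/etc/aide.conf` configuration file | - |
+| `aide:install` | Installs the AIDE package and initializes the AIDE database if it does not exist yet | - |
+| `aide:update_db` | Rebuilds the AIDE database; Only runs if called explicitly | - |
+| `aide:state` | Deploys and enables the `aide-check.service` and `aide-check.timer` systemd units | Reloads systemd daemon if unit files changed |
+
+
+## Optional Role Variables
+
+| Variable | Description | Default Value |
+| -------- | ----------- | ------------- |
+| `aide__check_time_on_calendar` | Specifies at what time of the day the aide check runs. Have a look at [systemd.time(7)](https://www.freedesktop.org/software/systemd/man/systemd.time.html) for the format. | `'05:00:00'` |
+| `aide__include_rules` | List of paths to monitor with their AIDE rule group. | `['/srv CONTENT_EX', '/opt/venv CONTENT']` |
+| `aide__exclude_rules` | List of paths to exclude from monitoring. | `['/srv/app/tmp', '/srv/app/cache']` |
+
+Example:
+```yaml
+# optional
+aide__check_time_on_calendar: '03:00:00'
+aide__include_rules:
+- '/etc CONTENT_EX' # Extended content + file type + access
+- '/srv/app/node_modules CONTENT' # Content + file type
+aide__exclude_rules:
+- '/var/log'
+```
+
+
+## License
+
+[The Unlicense](https://unlicense.org/)
+
+
+## Author Information
+
+[Linuxfabrik GmbH, Zurich](https://www.linuxfabrik.ch)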
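--- a/roles/aide/defaults/main.yml
+++ b/roles/aide/defaults/main.yml
@@ -0,0 +1,10 @@
+aide__check_time_on_calendar: '05:00:00' #5 AM
+
+#vars for aide.conf
+aide__include_rules:
+- '/srv CONTENT_EX' # Extended content + file type + access.
+- '/opt/venv CONTENT' # Content + file type.
+
+aide__exclude_rules:
+- '/srv/app/tmp'
+- '/srv/app/cache'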
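Review bot: The comments on the first and third lines (`#5 AM`, `#vars for aide.conf`) are terse and omit the space after `#` that the other comments in this change use. `'05:00:00'` is consumed as a systemd OnCalendar expression (the README points at systemd.time(7)), so `# systemd OnCalendar expression; daily at 05:00` says what the value actually is, and `# Rules rendered into /etc/aide.conf by the aide:configure tasks` documents the two lists. The rule-group names (`CONTENT_EX`, `CONTENT`) must match what etc/aide.conf.j2 defines; the template is not on this page, so a comment noting that dependency would save the next editor a search.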
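--- a/roles/aide/handlers/main.yml
+++ b/roles/aide/handlers/main.yml
@@ -0,0 +1,7 @@
+- name: 'aide: init db'
+ansible.builtin.service:
+name:
+
+- name: 'aide: enable aidecheck.service'
+ansible.builtin.service:
+name: 'aidecheck.service'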
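Review bot: Both handlers are broken, and no task in roles/aide/tasks/main.yml notifies either of them; the tasks reload systemd and enable the units inline instead. `aide: init db` calls `ansible.builtin.service` with an empty `name:` (parsed as null, which the module rejects as a missing required argument), and `aide: enable aidecheck.service` refers to `aidecheck.service` while the tasks create `aide-check.service`, and sets neither `state` nor `enabled`. Either delete the file, or make the handlers correct and wire them in with `notify:` from the package and template tasks; a corrected version is sketched below.
```yaml
- name: 'aide: init db'
  ansible.builtin.command: "aide --init --before 'database_out=file:/var/lib/aide/aide.db.gz'"
  args:
    creates: '/var/lib/aide/aide.db.gz'

- name: 'aide: enable aide-check.service'
  ansible.builtin.systemd:
    name: 'aide-check.service'
    enabled: true
```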
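--- a/roles/aide/tasks/main.yml
+++ b/roles/aide/tasks/main.yml
@@ -0,0 +1,91 @@
+# CIS_Rocky_Linux_9_Benchmark_v2.0.0
+- block:
+
+- name: '6.1.1 Ensure AIDE is installed'
+ansible.builtin.package:
+name:
+- 'aide'
+state: 'present'
+
+- name: 'Initialize AIDE database'
+ansible.builtin.command: 'aide --init --before "database_out=file:/var/lib/aide/aide.db.gz"'
+args:
+creates: '/var/lib/aide/aide.db.gz'
+
+tags:
+- 'aide'
+- 'aide:install'
+
+
+# CIS_Rocky_Linux_9_Benchmark_v2.0.0
+- block:
+
+- name: '6.1.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools'
+ansible.builtin.template:
+backup: true
+src: 'etc/aide.conf.j2'
+dest: '/etc/aide.conf'
+owner: 'root'
+group: 'root'
+mode: 0o644
+
+tags:
+- 'aide'
+- 'aide:configure'
+
+
+# CIS_Rocky_Linux_9_Benchmark_v2.0.0
+- block:
+
+- name: 'Update AIDE database'
+ansible.builtin.command: "aide --init --before 'database_out=file:/var/lib/aide/aide.db.gz'"
+changed_when: "'AIDE initialized database at' in aide__dbupdate_result.stdout"
+register: 'aide__dbupdate_result'
+
+tags:
+- 'never'
+- 'aide:update_db'
+
+
+# 6.1.2 Ensure filesystem integrity is regularly checked
+# CIS_Rocky_Linux_9_Benchmark_v2.0.0
+- block:
+
+- name: 'Create /etc/systemd/system/aide-check.service'
+ansible.builtin.template:
+src: 'etc/systemd/system/aide-check.service.j2'
+dest: '/etc/systemd/system/aide-check.service'
+owner: 'root'
+group: 'root'
+mode: 0o644
+register: '__aide__service_unit_result'
+
+- name: 'Create /etc/systemd/system/aide-check.timer'
+ansible.builtin.template:
+src: 'etc/systemd/system/aide-check.timer.j2'
+dest: '/etc/systemd/system/aide-check.timer'
+owner: 'root'
+group: 'root'
+mode: 0o644
+register: '__aide__timer_unit_result'
+
+- name: 'Reload systemd'
+ansible.builtin.systemd:
+daemon_reload: true
+when:
+- '__aide__service_unit_result is changed or __aide__timer_unit_result is changed'
+
+- name: 'Enable aide-check.service'
+ansible.builtin.systemd:
+name: 'aide-check.service'
+enabled: true
+
+- name: 'Enable aide-check.timer'
+ansible.builtin.systemd:
+name: 'aide-check.timer'
+state: 'started'
+enabled: true
+
+tags:
+- 'aide'
+- 'aide:state'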
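Review bot: The 'Initialize AIDE database' task runs in the first block, before the second block deploys /etc/aide.conf, so on a fresh host the database is built from the package's stock configuration, and `creates:` then prevents it from ever being rebuilt against the role's include/exclude rules unless someone runs the `never`-tagged `aide:update_db` by hand. Move the init task below the template task (for example into its own block after the configure block, keeping the `aide`/`aide:install` tags), and consider registering the template result so a changed aide.conf triggers a re-init instead of silently leaving the database stale against the new rule set. The 6.1.3 task is only as good as etc/aide.conf.j2, which is not on this page; a comment above that task naming the audit-tool rules the template is expected to carry would let a reviewer check the control without opening the template.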