aide

Based on ahuffman.aide

Description

An Ansible role to install, configure, and schedule AIDE.

Please Note
The default settings will deploy the configuration options that come with a default aide.conf after installing the tool.
This has only been thoroughly tested on Fedora and RHEL7 Operating Systems. Please open issues if you have a problem on your platform.

Role Variables

| Variable Name | Description | Required | Default Value | Type |
|---|---|---|---|---|
| aide_pkg | Name of the aide package to install. Override with a specific version if required. | Yes | "aide" | string |
| aide_conf_path | Path to the aide configuration file | Yes | "/etc/aide.conf" | string |
| aide_update_db | Whether or not to force an update of the aide database on this Role invocation | Yes | False | boolean |
| aide_dbdir | Directory to create the aide database | Yes | "/var/lib/aide" | string |
| aide_logdir | Directory to create aide logs | Yes | "/var/log/aide" | string |
| aide_database_filename | Filename to create the aide database as. | Yes | "aide.db.gz" | string |
| aide_database_out_filename | Filename to create the updated aide database as | Yes | "aide.db.new.gz" | string |
| aide_gzip_dbout | Whether or not to compress the database output file | Yes | True | boolean |
| aide_verbose | Aide's verbosity level. Valid values are 0-255. | Yes | 5 | integer |
| aide_report_url | List of report URLs | No | ["file:@@{LOGDIR}/aide.log", "stdout"] | list |
| aide_acl_no_symlink_follow | Whether to check ACLs for symlinks or not. | Yes | True | boolean |
| aide_warn_dead_symlinks | Whether to warn about dead symlinks or not. | Yes | False | boolean |
| aide_summarize_changes | Whether to summarize changes in the added, removed and changed files sections of the report or not | Yes | False | boolean |
| aide_report_attributes | List of default rules to report | No | Undefined | list |
| aide_grouped | Whether to group the files in the report by added, removed and changed files or not. | Yes | False | boolean |
| aide_ignore_list | (DEPRECATED, will be removed in a future release). Special group definition that lists attributes whose change is to be ignored in the final report. | No | [] | list |
| aide_config_version | The value of config_version is printed in the report and also printed to the database. This is for informational purposes only. It has no other functionality. | No | "1" | string |
| aide_cron_schedule_check | Whether or not to set up a cron job for running an aide check | Yes | True | boolean |
| aide_cron_email_notify_recipients | List of email recipients to get an email notification after a cronjob. Leave list empty if you do not want this functionality. | Yes | [] | list |
| aide_cronjob_name | Comment to insert prior to the cronjob in the crontab | Yes | "aide scheduled database checkup" | string |
| aide_cron_sched_min | Minute to schedule the start of the cronjob at | No | "0" | string |
| aide_cron_sched_hr | Hour to schedule the start of the cronjob at | No | "1" | string |
| aide_cron_sched_day | Day to schedule the start of the cronjob at | No | "*" | string |
| aide_cron_sched_mon | Month to schedule the start of the cronjob at | No | "*" | string |
| aide_cron_sched_wkd | Weekday to schedule the start of the cronjob at | No | "*" | string |

Defining and Undefining aide.conf Variables

aide_macros:   
  define:   
     - name: "Give it a name"
       variable: "Name_of_Variable"
       value: "Value of the variable"
     - name: "DBDIR var"
       variable: "DBDIR"
       value: "/var/lib/aide"
  undefine:   
     - name: "Some var to undefine"
       variable: "Name_of_Variable"  #This would effectively undefine the variable we defined above
     - name: "Undefining DBDIR var"
       variable: "DBDIR"

Defining Rules/Groups, Selection paths, and Ignore/Negative Selection Paths

A YAML spec was built to handle all of these items in a relatively organized way.

Attributes available to a rule

aide_rules:   
  - name: "My first rule"                                                #Required   
    rule: "FIPSR"                                                        #Required   
    comment: "Comment to put above this rule declaration"                #Optional   
    attributes: []  #List made up of default rules or defined rules      #Required except on special negative rule   
    paths:                                                               #Optional   
       - "/my/include/path/1"  #Cannot start with '!' see Ignore/Negative Selection Paths   
       - "/my/include/path/2"

A Special Rule to handle Ignore/Negative Selection Paths is available

Add a rule to your aide_rules definition with rule: "negative".
Here's an example; you can also find one in this Role's defaults/main.yml:

aide_rules:   
  - name: "My negative/ignore selections"                                #Required   
    rule: "negative"                                                     #Required   
    paths:                                                               #Required   
       - "/my/ignore/path/1"
       - "/my/ignore/path/2"

Do not include a '!' in front of the paths; the template logic adds it for you automatically.

Scheduled Cron Aide Checks

The default is to set up an 'aide --check' job in crontab. To change this after the role has already created the cron job, set the variable aide_cron_schedule_check to False. This removes the cron job from your system's crontab on the next playbook run. One caveat: the aide_cronjob_name variable must match what is currently in the crontab for the job to be removed properly.

Example Playbook

- name: "Install and configure aide"
  hosts: "servers"
  roles:
     - "sergeykudelin.aide"
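
A fuller playbook that overrides the variables documented above, as an added example that does not come from the role's repository: the host group, paths, rule name WEBCONTENT, schedule and e-mail address are constructed, and p, u, g and sha256 are standard AIDE attributes. Setting aide_rules in a play replaces the list in defaults/main.yml rather than merging with it, so restate any default rules you still need.

```yaml
# Added example, not from the role's repository. Host group, paths, rule name,
# schedule and recipient address are constructed for illustration.
- name: "Install and configure aide"
  hosts: "servers"
  roles:
    - role: "sergeykudelin.aide"
      vars:
        # Schedule 'aide --check' from cron daily at 03:30 and notify by e-mail.
        aide_cron_schedule_check: true
        aide_cron_sched_hr: "3"
        aide_cron_sched_min: "30"
        aide_cron_email_notify_recipients:
          - "secops@example.com"
        # Keep this name stable: it must match the existing crontab entry for
        # the job to be removed if aide_cron_schedule_check is later set to false.
        aide_cronjob_name: "aide scheduled database checkup"

        # Group report entries by added, removed and changed files.
        aide_grouped: true

        aide_rules:
          # Custom group built from standard AIDE attributes.
          - name: "Web content integrity"
            rule: "WEBCONTENT"
            comment: "Permissions, ownership and SHA-256 of served files"
            attributes: ["p", "u", "g", "sha256"]
            paths:
              - "/var/www/html"
              - "/etc/httpd/conf"
          # Negative selection: no leading '!' here, the template adds it.
          - name: "Ignore volatile cache"
            rule: "negative"
            paths:
              - "/var/www/html/cache"
```

Every path under a negative rule is excluded from integrity checks, so keep that list as narrow as the noise requires.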

License

MIT

Author Information

Main contributor: Andrew J. Huffman

Current owner: [Sergey Kudelin](https://github.com/sergeykudelin)

Install
ansible-galaxy install sergeykudelin/ansible-aide