feat(roles/aide): add aide remediation

playbooks/all.yml

@@ -118,6 +118,7 @@
 - import_playbook: 'repo_remi.yml'
 - import_playbook: 'repo_rpmfusion.yml'
 - import_playbook: 'repo_sury.yml'
+- import_playbook: 'rl9_cis.yml
 - import_playbook: 'rsyslog.yml'
 - import_playbook: 'selinux.yml'
 - import_playbook: 'setup_basic.yml'

playbooks/rl9_cis.yml

@@ -0,0 +1,22 @@
+- name: 'Playbook linuxfabrik.lfops.rl9_cis'
+  hosts: 
+    - 'lfops_rl9_cis'
+
+  pre_tasks:
+    - ansible.builtin.import_role:
+        name: 'shared'
+        tasks_from: 'log-start.yml'
+      tags:
+        - 'always'
+
+
+  roles:
+    - role: 'linuxfabrik.lfops.aide'
+
+
+  post_tasks:
+    - ansible.builtin.import_role:
+        name: 'shared'
+        tasks_from: 'log-end.yml'
+      tags:
+        - 'always'

roles/acme_sh/tasks/main.yml

@@ -29,6 +29,7 @@
 
   - name: 'Deploy /etc/systemd/system/acme-sh.service'
     ansible.builtin.template:
+      backup: true
       src: 'etc/systemd/system/acme-sh.service.j2'
       dest: '/etc/systemd/system/acme-sh.service'
       owner: 'root'
@@ -37,6 +38,7 @@
 
   - name: 'Deploy /etc/systemd/system/acme-sh.timer'
     ansible.builtin.template:
+      backup: true
       src: 'etc/systemd/system/acme-sh.timer.j2'
       dest: '/etc/systemd/system/acme-sh.timer'
       owner: 'root'

roles/aide/README.md

@@ -0,0 +1,46 @@
+# Ansible Role linuxfabrik.lfops.aide
+
+This role ensures that AIDE is installed, configured, and scheduled for regular filesystem integrity checks.
+
+* The initial AIDE database is created only if `/var/lib/aide/aide.db.gz` does not already exist.
+
+
+## Tags
+
+| Tag | What it does | Reload / Restart |
+| --- | ------------ | ---------------- |
+| `aide` | Runs all tasks of the role | - |
+| `aide:configure` | Deploys the `/etc/aide.conf` configuration file | - |
+| `aide:install` | Installs the AIDE package and initializes the AIDE database if it does not exist yet | - |
+| `aide:update_db` | Rebuilds the AIDE database; Only runs if called explicitly | - |
+| `aide:state` | Deploys and enables the `aide-check.service` and `aide-check.timer` systemd units | Reloads systemd daemon if unit files changed |
+
+
+## Optional Role Variables
+
+| Variable | Description | Default Value |
+| -------- | ----------- | ------------- |
+| `aide__check_time_on_calendar` | Specifies at what time of the day the aide check runs. Have a look at [systemd.time(7)](https://www.freedesktop.org/software/systemd/man/systemd.time.html) for the format. | `'05:00:00'` |
+| `aide__include_rules` | List of paths to monitor with their AIDE rule group. | `['/srv CONTENT_EX', '/opt/venv CONTENT']` |
+| `aide__exclude_rules` | List of paths to exclude from monitoring. | `['/srv/app/tmp', '/srv/app/cache']` |
+
+Example:
+```yaml
+# optional
+aide__check_time_on_calendar: '03:00:00'
+aide__include_rules:
+  - '/etc CONTENT_EX'      # Extended content + file type + access
+  - '/srv/app/node_modules CONTENT'    # Content + file type
+aide__exclude_rules:
+  - '/var/log'
+```
+
+
+## License
+
+[The Unlicense](https://unlicense.org/)
+
+
+## Author Information
+
+[Linuxfabrik GmbH, Zurich](https://www.linuxfabrik.ch)

roles/aide/defaults/main.yml

@@ -0,0 +1,10 @@
+aide__check_time_on_calendar: '05:00:00' #5 AM
+
+#vars for aide.conf
+aide__include_rules: 
+  - '/srv CONTENT_EX' # Extended content + file type + access.
+  - '/opt/venv CONTENT' # Content + file type.
+
+aide__exclude_rules:
+  - '/srv/app/tmp'  
+  - '/srv/app/cache'

roles/aide/handlers/main.yml

@@ -0,0 +1,7 @@
+- name: 'aide: init db'
+  ansible.builtin.service:
+    name: 
+
+- name: 'aide: enable aidecheck.service'
+  ansible.builtin.service:
+    name: 'aidecheck.service'

roles/aide/tasks/main.yml

@@ -0,0 +1,91 @@
+    # CIS_Rocky_Linux_9_Benchmark_v2.0.0 
+- block:
+
+  - name: '6.1.1 Ensure AIDE is installed'
+    ansible.builtin.package:
+      name: 
+        - 'aide'
+      state: 'present'
+
+  - name: 'Initialize AIDE database'
+    ansible.builtin.command: 'aide --init --before "database_out=file:/var/lib/aide/aide.db.gz"'
+    args:
+      creates: '/var/lib/aide/aide.db.gz'
+
+  tags: 
+    - 'aide'
+    - 'aide:install'
+
+
+  # CIS_Rocky_Linux_9_Benchmark_v2.0.0 
+- block:
+
+  - name: '6.1.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools'
+    ansible.builtin.template:
+      backup: true
+      src: 'etc/aide.conf.j2'
+      dest: '/etc/aide.conf'
+      owner: 'root'
+      group: 'root'
+      mode: 0o644
+
+  tags:
+    - 'aide'
+    - 'aide:configure'
+
+
+  # CIS_Rocky_Linux_9_Benchmark_v2.0.0 
+- block:
+
+  - name: 'Update AIDE database'
+    ansible.builtin.command: "aide --init --before 'database_out=file:/var/lib/aide/aide.db.gz'"
+    changed_when: "'AIDE initialized database at' in aide__dbupdate_result.stdout"
+    register: 'aide__dbupdate_result'
+
+  tags:
+    - 'never'
+    - 'aide:update_db'
+
+
+  # 6.1.2 Ensure filesystem integrity is regularly checked
+    # CIS_Rocky_Linux_9_Benchmark_v2.0.0 
+- block:
+
+  - name: 'Create /etc/systemd/system/aide-check.service'
+    ansible.builtin.template:
+      src: 'etc/systemd/system/aide-check.service.j2'
+      dest: '/etc/systemd/system/aide-check.service'
+      owner: 'root'
+      group: 'root'
+      mode: 0o644
+    register: '__aide__service_unit_result'
+
+  - name: 'Create /etc/systemd/system/aide-check.timer'
+    ansible.builtin.template:
+      src: 'etc/systemd/system/aide-check.timer.j2'
+      dest: '/etc/systemd/system/aide-check.timer'
+      owner: 'root'
+      group: 'root'
+      mode: 0o644
+    register: '__aide__timer_unit_result'
+
+  - name: 'Reload systemd'
+    ansible.builtin.systemd:
+      daemon_reload: true 
+    when:   
+      - '__aide__service_unit_result is changed or __aide__timer_unit_result is changed'
+
+  - name: 'Enable aide-check.service'
+    ansible.builtin.systemd:
+      name: 'aide-check.service'
+      enabled: true
+
+  - name: 'Enable aide-check.timer'
+    ansible.builtin.systemd:
+      name: 'aide-check.timer'
+      state: 'started'
+      enabled: true
+
+  tags: 
+    - 'aide'
+    - 'aide:state'