feat(aide): add role and playbook

playbooks/aide.yml

@@ -0,0 +1,23 @@
+- name: 'Playbook linuxfabrik.lfops.aide'
+  hosts:
+    - 'lfops_aide'
+
+  pre_tasks:
+    - ansible.builtin.import_role:
+        name: 'shared'
+        tasks_from: 'log-start.yml'
+      tags:
+        - 'always'
+
+
+  roles:
+
+    - role: 'linuxfabrik.lfops.aide'
+
+
+  post_tasks:
+    - ansible.builtin.import_role:
+        name: 'shared'
+        tasks_from: 'log-end.yml'
+      tags:
+        - 'always'

playbooks/all.yml

@@ -1,4 +1,5 @@
 - import_playbook: 'acme_sh.yml'
+- import_playbook: 'aide.yml'
 - import_playbook: 'alternatives.yml'
 - import_playbook: 'ansible_init.yml'
 - import_playbook: 'apache_httpd.yml'

roles/aide/README.md

@@ -0,0 +1,116 @@
+# Ansible Role linuxfabrik.lfops.aide
+
+This role ensures that AIDE is installed, configured, and scheduled for regular filesystem integrity checks.
+
+* The initial AIDE database is created only if `/var/lib/aide/aide.db.gz` does not already exist.
+* Many default paths are pre-configured in the AIDE config for exclusion and inclusion rules.
+* Exclusion always takes precedence over inclusion for any given path.
+
+
+## Tags
+
+| Tag | What it does | Reload / Restart |
+| --- | ------------ | ---------------- |
+| `aide` | Runs all tasks of the role | - |
+| `aide:configure` | Deploys `/etc/aide.conf` | - |
+| `aide:install` | Installs the AIDE package and initializes the AIDE database if it does not exist yet | - |
+| `aide:state` | Deploys the `aide-check.service` and `aide-check.timer` systemd units and sets the desired state | Reloads systemd daemon if unit files changed |
+| `aide:update_db` | Rebuilds the AIDE database; only runs if called explicitly | - |
+
+
+## Optional Role Variables
+
+`aide__check_time_on_calendar`
+
+* The time at which the AIDE check runs. See [systemd.time(7)](https://www.freedesktop.org/software/systemd/man/systemd.time.html) for the format.
+* Type: String.
+* Default: `'*-*-* 05:00:00'`
+
+`aide__exclude_recursive__host_var` / `aide__exclude_recursive__group_var`
+
+* Paths to exclude recursively from AIDE monitoring (prepended with `!` in the config).
+* Type: List of dictionaries.
+* Default: `[]`
+* Subkeys:
+
+    * `path`:
+
+        * Mandatory. Filesystem path to exclude recursively.
+        * Type: String.
+
+    * `state`:
+
+        * Optional. `present` or `absent`.
+        * Type: String.
+        * Default: `'present'`
+
+`aide__exclude_rules__host_var` / `aide__exclude_rules__group_var`
+
+* Paths to exclude from AIDE monitoring (prepended with `-` in the config).
+* Type: List of dictionaries.
+* Default: `[]`
+* Subkeys:
+
+    * `path`:
+
+        * Mandatory. Filesystem path to exclude.
+        * Type: String.
+
+    * `state`:
+
+        * Optional. `present` or `absent`.
+        * Type: String.
+        * Default: `'present'`
+
+`aide__include_rules__host_var` / `aide__include_rules__group_var`
+
+* Additional paths to monitor with a specific rule set.
+* Type: List of dictionaries.
+* Default:
+
+    ```yaml
+    - path: '/opt/python-venv'
+      attributes: 'CONTENT'
+    ```
+
+* Subkeys:
+
+    * `path`:
+
+        * Mandatory. Filesystem path to monitor.
+        * Type: String.
+
+    * `attributes`:
+
+        * Mandatory. AIDE rule set to apply (e.g. `CONTENT`, `CONTENT_EX`, `PERMS`, `NORMAL`).
+        * Type: String.
+
+    * `state`:
+
+        * Optional. `present` or `absent`.
+        * Type: String.
+        * Default: `'present'`
+
+`aide__timer_enabled`
+
+* Enables or disables the `aide-check.timer`, analogous to `systemctl enable/disable`.
+* Type: Bool.
+* Default: `true`
+
+`aide__timer_state`
+
+* Sets the state of the `aide-check.timer`, analogous to `systemctl start/stop`.
+* Type: String. One of `started`, `stopped`.
+* Default: `'started'`
+
+Example:
+//TODO: use test cases here, after test has been done
+
+## License
+
+[The Unlicense](https://unlicense.org/)
+
+
+## Author Information
+
+[Linuxfabrik GmbH, Zurich](https://www.linuxfabrik.ch)

roles/aide/defaults/main.yml

@@ -0,0 +1,39 @@
+aide__check_time_on_calendar: '*-*-* 05:00:00'
+aide__exclude_rules__dependent_var: []
+aide__exclude_rules__group_var: []
+aide__exclude_rules__host_var: []
+aide__exclude_rules__role_var: []
+aide__exclude_rules__combined_var: '{{ (
+      aide__exclude_rules__role_var +
+      aide__exclude_rules__dependent_var +
+      aide__exclude_rules__group_var +
+      aide__exclude_rules__host_var
+    ) | linuxfabrik.lfops.combine_lod(unique_key="path")
+  }}'
+aide__exclude_recursive__dependent_var: []
+aide__exclude_recursive__group_var: []
+aide__exclude_recursive__host_var: []
+aide__exclude_recursive__role_var: []
+aide__exclude_recursive__combined_var: '{{ (
+      aide__exclude_recursive__role_var +
+      aide__exclude_recursive__dependent_var +
+      aide__exclude_recursive__group_var +
+      aide__exclude_recursive__host_var
+    ) | linuxfabrik.lfops.combine_lod(unique_key="path")
+  }}'
+aide__include_rules__dependent_var: []
+aide__include_rules__group_var: []
+aide__include_rules__host_var: []
+aide__include_rules__role_var:
+  - path: '/opt/python-venv'
+    attributes: 'CONTENT'
+    state: 'present'
+aide__include_rules__combined_var: '{{ (
+      aide__include_rules__role_var +
+      aide__include_rules__dependent_var +
+      aide__include_rules__group_var +
+      aide__include_rules__host_var
+    ) | linuxfabrik.lfops.combine_lod(unique_key="path")
+  }}'
+aide__timer_state: 'started'
+aide__timer_enabled: true

roles/aide/tasks/main.yml

@@ -0,0 +1,88 @@
+- block:
+
+  - name: 'Install AIDE'
+    ansible.builtin.package:
+      name:
+        - 'aide'
+      state: 'present'
+
+  - name: 'Initialize AIDE database'
+    ansible.builtin.command: 'aide --init --before "database_out=file:/var/lib/aide/aide.db.gz"'
+    args:
+      creates: '/var/lib/aide/aide.db.gz'
+
+  tags:
+    - 'aide'
+
+
+- block:
+
+  - name: 'Deploy /etc/aide.conf'
+    ansible.builtin.template:
+      backup: true
+      src: 'etc/aide.conf.j2'
+      dest: '/etc/aide.conf'
+      owner: 'root'
+      group: 'root'
+      mode: 0o644
+
+  tags:
+    - 'aide'
+    - 'aide:configure'
+
+
+- block:
+
+  - name: 'Deploy /etc/systemd/system/aide-check.service'
+    ansible.builtin.template:
+      src: 'etc/systemd/system/aide-check.service.j2'
+      dest: '/etc/systemd/system/aide-check.service'
+      owner: 'root'
+      group: 'root'
+      mode: 0o644
+    register: '__aide__service_unit_result'
+
+  - name: 'Deploy /etc/systemd/system/aide-check.timer'
+    ansible.builtin.template:
+      src: 'etc/systemd/system/aide-check.timer.j2'
+      dest: '/etc/systemd/system/aide-check.timer'
+      owner: 'root'
+      group: 'root'
+      mode: 0o644
+    register: '__aide__timer_unit_result'
+
+  - name: 'Reload systemd'
+    ansible.builtin.systemd:
+      daemon_reload: true
+    when:
+      - '__aide__service_unit_result is changed or __aide__timer_unit_result is changed'
+
+  tags:
+    - 'aide'
+
+
+- block:
+
+  - name: 'systemctl {{ aide__timer_enabled | bool | ternary("enable", "disable") }} aide-check.timer'
+    ansible.builtin.service:
+      name: 'aide-check.timer'
+      enabled: '{{ aide__timer_enabled | bool }}'
+
+  - name: 'systemctl {{ aide__timer_state }} aide-check.timer'
+    ansible.builtin.service:
+      name: 'aide-check.timer'
+      state: '{{ aide__timer_state }}'
+
+  tags:
+    - 'aide'
+    - 'aide:state'
+
+
+- block:
+
+  - name: 'Update AIDE database'
+    ansible.builtin.command: "aide --init --before 'database_out=file:/var/lib/aide/aide.db.gz'"
+
+  tags:
+    - 'never'
+    - 'aide:update_db'