From 5c653f2c85a2c27c9d8f82bbefded7a4f59e282c Mon Sep 17 00:00:00 2001
From: Radovan Sroka
Date: Fri, 8 Nov 2024 15:38:51 +0100
Subject: [PATCH] Added custom template functionality
Signed-off-by: Radovan Sroka
---
 README.md | 27 +-
 defaults/main.yml | 6 +-
 .../aide-custom.conf.j2 | 0
 examples/custom-template.yml | 16 +
 examples/default.yml | 1 -
 examples/deploy.yml | 7 +-
 examples/just_check.yml | 1 -
 examples/just_update.yml | 1 -
 tasks/main.yml | 9 +-
 templates/foo.conf.j2 | 9 -
 tests/files/aide-custom.conf.j2 | 319 ++++++++++++++++++
 tests/tests_custom_template.yml | 17 +
 tests/tests_default.yml | 17 +-
 tests/tests_deploy.yml | 3 +-
 14 files changed, 396 insertions(+), 37 deletions(-)
 rename templates/aide.conf.j2 => examples/aide-custom.conf.j2 (100%)
 create mode 100644 examples/custom-template.yml
 delete mode 100644 templates/foo.conf.j2
 create mode 100644 tests/files/aide-custom.conf.j2
 create mode 100644 tests/tests_custom_template.yml
diff --git a/README.md b/README.md
index bec57af..79d18f2 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,21 @@ only. ## Role Variables +### aide_custom_template + +This variable takes a string to specify a path where the custom template for aide.conf is located. + +To be sure that everething is correct, template needs to start with following snippet: + +``` jinja +{{ ansible_managed | comment }} +{{ "system_role:aide" | comment(prefix="", postfix="") }} +``` + +Default: `null` + +Type: `string` + ### aide_db_fetch_dir This variable takes a string to specify the directory on the Ansible Control
@@ -45,17 +60,13 @@ same directory as the playbook. In case you like to store the fetched AIDE database files somewhere else you need to specify a different path here. -### aide_install +Default: `files` -With this variable the role ensures that the `aide` package is installed on the remote nodes - -Default: `false` +Type: `string -Type: `bool` - -### aide_generate_config +### aide_install -Generates the file `/etc/aide.conf` using `templates/aide.conf.j2`; the template needs to be adjusted to fit your requirements; if you do not use this varable the default configuration file shipped with the `aide` package will be used. +With this variable the role ensures that the `aide` package is installed on the remote nodes Default: `false`
diff --git a/defaults/main.yml b/defaults/main.yml
index 11db323..27479e2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -3,15 +3,15 @@ # Here is the right place to put the role's input variables. # This file also serves as a documentation for such a variables. +# Path to template file +aide_custom_template: null + # Examples of role input variables: aide_db_fetch_dir: files # Enable install phase aide_install: false -# Enable config file generation phase -aide_generate_config: false - # Enable initialization of the database phase aide_init: false
diff --git a/templates/aide.conf.j2 b/examples/aide-custom.conf.j2
similarity index 100%
rename from templates/aide.conf.j2
rename to examples/aide-custom.conf.j2
diff --git a/examples/custom-template.yml b/examples/custom-template.yml
new file mode 100644
index 0000000..f167e17
--- /dev/null
+++ b/examples/custom-template.yml
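Review bot: `aide_generate_config` is removed from defaults/main.yml with no deprecation step, so a playbook that still sets it presumably runs without error and simply never gets a config generated; the same removal is repeated in the README, the examples/*.yml hunks and tests_deploy.yml. Keeping the old name for one release (mapped onto `aide_custom_template`) or at least calling out the rename in the README would spare users a silent behaviour change. The new comment also undersells the contract: the value is a path that `ansible.builtin.template` reads on the control node, and `null` leaves the package-shipped `/etc/aide.conf` untouched, so `# Control-node path to a Jinja2 template for /etc/aide.conf; null keeps the file shipped by the aide package` would tell a user what they need to know.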
@@ -0,0 +1,16 @@ +# SPDX-License-Identifier: MIT +--- +- name: Example aide role invocation + hosts: targets + tasks: + - name: Include role aide + vars: + aide_custom_template: /tmp/aide-custom.conf.j2 + aide_db_fetch_dir: files + aide_install: true + aide_init: true + aide_fetch_db: true + aide_check: true + aide_update: true + ansible.builtin.include_role: + name: linux-system-roles.aide
diff --git a/examples/default.yml b/examples/default.yml
index 9425f00..2c27811 100644
--- a/examples/default.yml
+++ b/examples/default.yml
@@ -7,7 +7,6 @@ vars: aide_db_fetch_dir: files aide_install: false - aide_generate_config: false aide_init: false aide_fetch_db: false aide_check: false
diff --git a/examples/deploy.yml b/examples/deploy.yml
index 76f2df0..5c7bfc9 100644
--- a/examples/deploy.yml
+++ b/examples/deploy.yml
@@ -7,10 +7,9 @@ vars: aide_db_fetch_dir: files aide_install: true - aide_generate_config: true aide_init: true - aide_fetch_db: true - aide_check: true - aide_update: true + aide_fetch_db: false + aide_check: false + aide_update: false ansible.builtin.include_role: name: linux-system-roles.aide
diff --git a/examples/just_check.yml b/examples/just_check.yml
index ee161f5..ec3c325 100644
--- a/examples/just_check.yml
+++ b/examples/just_check.yml
@@ -7,7 +7,6 @@ vars: aide_db_fetch_dir: files aide_install: false - aide_generate_config: false aide_init: false aide_fetch_db: false aide_check: true
diff --git a/examples/just_update.yml b/examples/just_update.yml
index b26a498..1c6afbd 100644
--- a/examples/just_update.yml
+++ b/examples/just_update.yml
@@ -7,7 +7,6 @@ vars: aide_db_fetch_dir: files aide_install: false - aide_generate_config: false aide_init: false aide_fetch_db: false aide_check: false
diff --git a/tasks/main.yml b/tasks/main.yml
index 7f1aa31..669b989 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
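Review bot: The example points `aide_custom_template` at `/tmp/aide-custom.conf.j2`; because `ansible.builtin.template` reads `src` on the control node, that is a world-writable directory on the controller from which the integrity policy for every target gets rendered, and any local user there can swap the file between two runs. The commit already ships the template as `examples/aide-custom.conf.j2` next to this playbook, so an example that references it in place — e.g. `aide_custom_template: "{{ playbook_dir }}/aide-custom.conf.j2"`, or a playbook-relative path as `tests/tests_custom_template.yml` does with `files/aide-custom.conf.j2` — is both safer and self-contained. A one-line comment above the variable saying the path is resolved on the control node would also prevent users from staging the file on the managed host.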
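Review bot: examples/deploy.yml flips `aide_fetch_db`, `aide_check` and `aide_update` from true to false, which has nothing to do with the custom-template feature the commit describes and leaves the "deploy" example doing only install and init. If the intent is that examples/custom-template.yml is now the full-pipeline example, that should be stated in the commit message or the README; otherwise the three lines should stay `true` as before.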
@@ -22,12 +22,15 @@ - name: Generate "/etc/{{ __aide_config }}" ansible.builtin.template: - src: "{{ __aide_config }}.j2" +# remote_src: true + src: "{{ aide_custom_template }}" dest: "/etc/{{ __aide_config }}" - backup: true mode: "0400" when: - - aide_generate_config + - aide_custom_template + +#- name: Print Header +# ansible.builtin.shell: head /etc/aide.conf || true - name: Initialize AIDE database when:
diff --git a/templates/foo.conf.j2 b/templates/foo.conf.j2
deleted file mode 100644
index 2ed6d2e..0000000
--- a/templates/foo.conf.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-# SPDX-License-Identifier: MIT
-#
-# Example of a template of configuration file
-#
-{{ ansible_managed | comment }}
-{{ "system_role:aide" | comment(prefix="", postfix="") }}
-[foo]
-foo = {{ template_foo }}
-bar = {{ template_bar }}
diff --git a/tests/files/aide-custom.conf.j2 b/tests/files/aide-custom.conf.j2
new file mode 100644
index 0000000..e0ce4cf
--- /dev/null
+++ b/tests/files/aide-custom.conf.j2
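Review bot: `backup: true` is dropped from the template task, so the first run with `aide_custom_template` set overwrites the existing `/etc/aide.conf` — the policy the current database was built against — and leaves no copy on the host; keep `backup: true` unless there is a reason not to, since that file is the only record of what the previous baseline actually checked. The hunk also commits commented-out code (`# remote_src: true`, and the `#- name: Print Header` / `# ansible.builtin.shell: head /etc/aide.conf || true` pair), which should be deleted rather than left in tasks/main.yml. `when: - aide_custom_template` relies on string truthiness, which works for `null` versus a path; where the installed AIDE supports `--config-check`, adding a `validate:` that runs it against `%s` would reject a broken template before the later init/check tasks consume it. The `Initialize AIDE database` task that follows continues outside the hunk.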
@@ -0,0 +1,319 @@
+{{ ansible_managed | comment }}
+{{ "system_role:aide" | comment(prefix="", postfix="") }}
+# Example configuration file for AIDE.
+
+@@define DBDIR /var/lib/aide
+@@define LOGDIR /var/log/aide
+
+{% if ansible_facts['os_family'] == 'RedHat' and
+ ansible_facts['distribution_major_version'] in ['8','9'] %}
+# The location of the database to be read.
+database=file:@@{DBDIR}/aide.db.gz
+{% else %}
+# The location of the database to be read.
+database_in=file:@@{DBDIR}/aide.db.gz
+{% endif %}
+
+# The location of the database to be written.
+#database_out=sql:host:port:database:login_name:passwd:table
+#database_out=file:aide.db.new
+database_out=file:@@{DBDIR}/aide.db.new.gz
+
+# Whether to gzip the output to database
+gzip_dbout=yes
+
+{% if ansible_facts['os_family'] == 'RedHat' and
+ ansible_facts['distribution_major_version'] in ['8','9'] %}
+# Default.
+verbose=5
+{% else %}
+# Default.
+log_level=warning
+report_level=changed_attributes
+{% endif %}
+
+report_url=file:@@{LOGDIR}/aide.log
+report_url=stdout
+#report_url=stderr
+#NOT IMPLEMENTED report_url=mailto:root@foo.com
+#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
+
+# These are the default rules.
+#
+#p: permissions
+#i: inode:
+#n: number of links
+#u: user
+#g: group
+#s: size
+#b: block count
+#m: mtime
+#a: atime
+#c: ctime
+#S: check for growing size
+#acl: Access Control Lists
+#selinux SELinux security context
+#xattrs: Extended file attributes
+#md5: md5 checksum
+#sha1: sha1 checksum
+#sha256: sha256 checksum
+#sha512: sha512 checksum
+#rmd160: rmd160 checksum
+#tiger: tiger checksum
+
+#haval: haval checksum (MHASH only)
+#gost: gost checksum (MHASH only)
+#crc32: crc32 checksum (MHASH only)
+#whirlpool: whirlpool checksum (MHASH only)
+
+#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
+#L: p+i+n+u+g+acl+selinux+xattrs
+#E: Empty group
+#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
+
+# You can create custom rules like this.
+# With MHASH...
+# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
+ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
+# Everything but access time (Ie. all changes)
+EVERYTHING = R+ALLXTRAHASHES
+
+# Sane
+# NORMAL = R+sha512
+NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
+
+# For directories, don't bother doing hashes
+DIR = p+i+n+u+g+acl+selinux+xattrs
+
+# Access control only
+PERMS = p+u+g+acl+selinux+xattrs
+
+# Logfile are special, in that they often change
+LOG = p+u+g+n+S+acl+selinux+xattrs
+
+# Content + file type.
+CONTENT = sha512+ftype
+
+# Extended content + file type + access.
+CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
+
+# Some files get updated automatically, so the inode/ctime/mtime change
+# but we want to know when the data inside them changes
+DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512
+
+# Next decide what directories/files you want in the database.
+
+/boot CONTENT_EX
+/opt CONTENT
+
+# Admins dot files constantly change, just check perms
+/root/\..* PERMS
+!/root/.xauth*
+# Otherwise get all of /root.
+/root CONTENT_EX
+
+# These are too volatile
+!/usr/src
+!/usr/tmp
+!/root/.ansible*
+
+# Otherwise get all of /usr.
+/usr CONTENT_EX
+
+# trusted databases
+/etc/hosts$ CONTENT_EX
+/etc/host.conf$ CONTENT_EX
+/etc/hostname$ CONTENT_EX
+/etc/issue$ CONTENT_EX
+/etc/issue.net$ CONTENT_EX
+/etc/protocols$ CONTENT_EX
+/etc/services$ CONTENT_EX
+/etc/localtime$ CONTENT_EX
+/etc/alternatives CONTENT_EX
+/etc/sysconfig CONTENT_EX
+/etc/mime.types$ CONTENT_EX
+/etc/terminfo CONTENT_EX
+/etc/exports$ CONTENT_EX
+/etc/fstab$ CONTENT_EX
+/etc/passwd$ CONTENT_EX
+/etc/group$ CONTENT_EX
+/etc/gshadow$ CONTENT_EX
+/etc/shadow$ CONTENT_EX
+/etc/subgid$ CONTENT_EX
+/etc/subuid$ CONTENT_EX
+/etc/security/opasswd$ CONTENT_EX
+/etc/skel CONTENT_EX
+/etc/sssd CONTENT_EX
+/etc/machine-id$ CONTENT_EX
+/etc/swid CONTENT_EX
+/etc/system-release-cpe$ CONTENT_EX
+/etc/shells$ CONTENT_EX
+/etc/tmux.conf$ CONTENT_EX
+/etc/xattr.conf$ CONTENT_EX
+
+# networking
+/etc/firewalld CONTENT_EX
+!/etc/NetworkManager/system-connections
+/etc/NetworkManager CONTENT_EX
+/etc/networks$ CONTENT_EX
+/etc/dhcp CONTENT_EX
+/etc/wpa_supplicant CONTENT_EX
+/etc/resolv.conf$ DATAONLY
+/etc/nscd.conf$ CONTENT_EX
+
+# logins and accounts
+/etc/login.defs$ CONTENT_EX
+/etc/libuser.conf$ CONTENT_EX
+/var/log/faillog$ PERMS
+/var/log/lastlog$ PERMS
+/var/run/faillock PERMS
+/etc/pam.d CONTENT_EX
+/etc/security CONTENT_EX
+/etc/securetty$ CONTENT_EX
+/etc/polkit-1 CONTENT_EX
+/etc/sudo.conf$ CONTENT_EX
+/etc/sudoers$ CONTENT_EX
+/etc/sudoers.d CONTENT_EX
+
+# Shell/X startup files
+/etc/profile$ CONTENT_EX
+/etc/profile.d CONTENT_EX
+/etc/bashrc$ CONTENT_EX
+/etc/bash_completion.d CONTENT_EX
+/etc/zprofile$ CONTENT_EX
+/etc/zshrc$ CONTENT_EX
+/etc/zlogin$ CONTENT_EX
+/etc/zlogout$ CONTENT_EX
+/etc/X11 CONTENT_EX
+
+# Pkg manager
+/etc/dnf CONTENT_EX
+/etc/yum.conf$ CONTENT_EX
+/etc/yum CONTENT_EX
+/etc/yum.repos.d CONTENT_EX
+
+# This gets new/removes-old filenames daily
+!/var/log/sa
+# As we are checking it, we've truncated yesterdays size to zero.
+!/var/log/aide.log
+
+# auditing
+# AIDE produces an audit record, so this becomes perpetual motion.
+/var/log/audit PERMS
+/etc/audit CONTENT_EX
+/etc/libaudit.conf$ CONTENT_EX
+/etc/aide.conf$ CONTENT_EX
+
+# System logs
+/etc/rsyslog.conf$ CONTENT_EX
+/etc/rsyslog.d CONTENT_EX
+/etc/logrotate.conf$ CONTENT_EX
+/etc/logrotate.d CONTENT_EX
+/etc/systemd/journald.conf$ CONTENT_EX
+/var/log LOG+ANF+ARF
+/var/run/utmp LOG
+
+# secrets
+/etc/pkcs11 CONTENT_EX
+/etc/pki CONTENT_EX
+/etc/crypto-policies CONTENT_EX
+/etc/certmonger CONTENT_EX
+/var/lib/systemd/random-seed$ PERMS
+
+# init system
+/etc/systemd CONTENT_EX
+/etc/rc.d CONTENT_EX
+/etc/tmpfiles.d CONTENT_EX
+
+# boot config
+/etc/default CONTENT_EX
+/etc/grub.d CONTENT_EX
+/etc/dracut.conf$ CONTENT_EX
+/etc/dracut.conf.d CONTENT_EX
+
+# glibc linker
+/etc/ld.so.cache$ CONTENT_EX
+/etc/ld.so.conf$ CONTENT_EX
+/etc/ld.so.conf.d CONTENT_EX
+/etc/ld.so.preload$ CONTENT_EX
+
+# kernel config
+/etc/sysctl.conf$ CONTENT_EX
+/etc/sysctl.d CONTENT_EX
+/etc/modprobe.d CONTENT_EX
+/etc/modules-load.d CONTENT_EX
+/etc/depmod.d CONTENT_EX
+/etc/udev CONTENT_EX
+/etc/crypttab$ CONTENT_EX
+
+#### Daemons ####
+
+# cron jobs
+/etc/at.allow$ CONTENT
+/etc/at.deny$ CONTENT
+/etc/anacrontab$ CONTENT_EX
+/etc/cron.allow$ CONTENT_EX
+/etc/cron.deny$ CONTENT_EX
+/etc/cron.d CONTENT_EX
+/etc/cron.daily CONTENT_EX
+/etc/cron.hourly CONTENT_EX
+/etc/cron.monthly CONTENT_EX
+/etc/cron.weekly CONTENT_EX
+/etc/crontab$ CONTENT_EX
+/var/spool/cron/root CONTENT
+
+# time keeping
+/etc/chrony.conf$ CONTENT_EX
+/etc/chrony.keys$ CONTENT_EX
+
+# mail
+/etc/aliases$ CONTENT_EX
+/etc/aliases.db$ CONTENT_EX
+/etc/postfix CONTENT_EX
+
+# ssh
+/etc/ssh/sshd_config$ CONTENT_EX
+/etc/ssh/ssh_config$ CONTENT_EX
+
+# stunnel
+/etc/stunnel CONTENT_EX
+
+# printing
+/etc/cups CONTENT_EX
+/etc/cupshelpers CONTENT_EX
+/etc/avahi CONTENT_EX
+
+# web server
+/etc/httpd CONTENT_EX
+
+# dns
+/etc/named CONTENT_EX
+/etc/named.conf$ CONTENT_EX
+/etc/named.iscdlv.key$ CONTENT_EX
+/etc/named.rfc1912.zones$ CONTENT_EX
+/etc/named.root.key$ CONTENT_EX
+
+# xinetd
+/etc/xinetd.conf$ CONTENT_EX
+/etc/xinetd.d CONTENT_EX
+
+# IPsec
+/etc/ipsec.conf$ CONTENT_EX
+/etc/ipsec.secrets$ CONTENT_EX
+/etc/ipsec.d CONTENT_EX
+
+# USB guard
+/etc/usbguard CONTENT_EX
+
+# Ignore some files
+!/etc/mtab$
+!/etc/.*~
+
+# Now everything else
+/etc PERMS
+
+# With AIDE's default verbosity level of 5, these would give lots of
+# warnings upon tree traversal. It might change with future version.
+#
+#=/lost\+found DIR
+#=/home DIR
diff --git a/tests/tests_custom_template.yml b/tests/tests_custom_template.yml
new file mode 100644
index 0000000..ebf5cad
--- /dev/null
+++ b/tests/tests_custom_template.yml
@@ -0,0 +1,17 @@ +# SPDX-License-Identifier: MIT +--- +- name: Ensure that the role runs with default parameters + hosts: all + gather_facts: false # test that role works in this case + roles: + - role: linux-system-roles.aide + vars: + aide_custom_template: files/aide-custom.conf.j2 + aide_install: true + aide_init: true + tasks: + - name: Check header for ansible_managed, fingerprint + include_tasks: tasks/check_header.yml + vars: + __file: /etc/aide.conf + __fingerprint: system_role:aide
diff --git a/tests/tests_default.yml b/tests/tests_default.yml
index af98ed0..c450dde 100644
--- a/tests/tests_default.yml
+++ b/tests/tests_default.yml
@@ -6,8 +6,15 @@ roles: - linux-system-roles.aide tasks: - - name: Check header for ansible_managed, fingerprint - include_tasks: tasks/check_not_present_header.yml - vars: - __file: /etc/aide.conf - __fingerprint: system_role:aide + - name: Check if file exists + block: + - name: Check if the file exists + ansible.builtin.stat: + path: "/etc/aide.conf" + register: file_check + + - name: Assert that the file exists + ansible.builtin.assert: + that: + - not file_check.stat.exists + fail_msg: "The file does exist."
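Review bot: The play sets `gather_facts: false` while the fixture it hands to the role, `tests/files/aide-custom.conf.j2` (the preceding hunk), dereferences `ansible_facts['os_family']` and `ansible_facts['distribution_major_version']` in both of its `{% if %}` blocks; unless the role gathers those facts itself before the `Generate` task (not visible here), templating fails with an undefined-variable error and the test never reaches the header check. Either drop `gather_facts: false` in this play or make the fixture tolerate missing facts, e.g. `{% if ansible_facts.get('os_family') == 'RedHat' and ...`. The play name `Ensure that the role runs with default parameters` is copied from tests_default.yml and no longer describes this test; `Ensure that the role renders a custom aide.conf template` would.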
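Review bot: The new block asserts `not file_check.stat.exists`, i.e. that `/etc/aide.conf` is absent, but the task names (`Check if file exists`, `Assert that the file exists`) and the `fail_msg` (`The file does exist.`) read as if existence were expected, which will mislead whoever triages a failure. Rename the assert task to `Assert that /etc/aide.conf was not generated` and use `fail_msg: "/etc/aide.conf exists although aide_custom_template is not set"`. Note also that the assertion only holds because `aide_install` defaults to false: with the package installed, its own shipped `/etc/aide.conf` would be present, so this checks for an uninstalled package rather than for "no generated config". The `check_not_present_header.yml` include this hunk removes (now used by tests_deploy.yml) was the more precise check and could be kept here in addition.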
diff --git a/tests/tests_deploy.yml b/tests/tests_deploy.yml
index 2c09e27..d141281 100644
--- a/tests/tests_deploy.yml
+++ b/tests/tests_deploy.yml
@@ -7,11 +7,10 @@ - role: linux-system-roles.aide vars: aide_install: true - aide_generate_config: true aide_init: true tasks: - name: Check header for ansible_managed, fingerprint - include_tasks: tasks/check_header.yml + include_tasks: tasks/check_not_present_header.yml vars: __file: /etc/aide.conf __fingerprint: system_role:aide
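Review bot: The task keeps the name `Check header for ansible_managed, fingerprint` although it now includes `check_not_present_header.yml`, i.e. it asserts that the managed header is absent; rename it to `Check that /etc/aide.conf carries no ansible_managed header` so a failure report states what was expected. Since `aide_install: true` stays, the file being inspected is presumably the one shipped by the `aide` package, which is worth a one-line comment above the task. The play this hunk belongs to starts above the hunk.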