From 24fabfd0a3e8830460e11852d9fa628eaaea96ea Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Fri, 25 Oct 2024 16:46:09 +0200 Subject: [PATCH 01/12] feat: Import code for role Signed-off-by: Radovan Sroka --- README.md | 123 +++++------ ansible_pytest_extra_requirements.txt | 6 + contributing.md | 2 +- defaults/main.yml | 3 +- examples/simple.yml | 19 +- meta/main.yml | 64 +++++- pylint_extra_requirements.txt | 3 + pytest_extra_requirements.txt | 7 + tasks/main.yml | 84 ++++++- tasks/set_vars.yml | 8 +- templates/aide.conf.j2 | 304 ++++++++++++++++++++++++++ templates/foo.conf.j2 | 2 +- tests/tests_default.yml | 2 +- vars/Fedora.yml | 4 +- vars/RedHat_10.yml | 4 +- vars/RedHat_7.yml | 4 +- vars/RedHat_8.yml | 4 +- vars/RedHat_9.yml | 4 +- vars/main.yml | 10 +- 19 files changed, 547 insertions(+), 110 deletions(-) create mode 100644 ansible_pytest_extra_requirements.txt create mode 100644 pylint_extra_requirements.txt create mode 100644 pytest_extra_requirements.txt create mode 100644 templates/aide.conf.j2 diff --git a/README.md b/README.md index 900c259..183ad85 100644 --- a/README.md +++ b/README.md 
@@ -1,102 +1,93 @@ -# Role Name +# AIDE [![ansible-lint.yml](https://github.com/linux-system-roles/aide/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/aide/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/ansible-test.yml) [![markdownlint.yml](https://github.com/linux-system-roles/aide/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/markdownlint.yml) [![shellcheck.yml](https://github.com/linux-system-roles/aide/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/aide/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/aide/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/aide/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/woke.yml) -Ansible role for managing Advanced Intrusion Detection Environment (AIDE). +This is an ansible role that installs and configures the [Advanced Intrusion Detection Environment (AIDE)](https://aide.github.io). For Day 2 tasks it can run integrity checks and update the AIDE database. -## Requirements +_Notice:_ This is a very early stage of a work in progress. Please use with +extreme caution as it might break your system. -Any prerequisites that may not be covered by Ansible itself or the role should -be mentioned here. This includes platform dependencies not managed by the -role, hardware requirements, external collections, etc. 
There should be a -distinction between *control node* requirements (like collections) and -*managed node* requirements (like special hardware, platform provisioning). +## What does this role do for you? -### Collection requirements +* It ensures that the `aide` package is installed on the remote nodes +* As an optional task it can generate the `/etc/aide.conf` file and template it out to the remote nodes +* It initializes the AIDE database +* The AIDE databases from the remote nodes are stored in a central directory on the controller node +* It runs AIDE integrity checks on the remote nodes +* It updates the AIDE databases and stores them on the controller node -For instance, if the role depends on some collections and has a -`meta/collection-requirements.yml` file for installing those dependencies, and -in order to manage `rpm-ostree` systems, it should be mentioned here that the - user should run +## How does the role do that? -```bash -ansible-galaxy collection install -vv -r meta/collection-requirements.yml -``` +* The role is controlled by using [Ansible Tags](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_tags.html) +* If you run the playbook without specifying any tag the role will change nothing on your remote nodes +* To execute some supported use cases you need to explicitly specify one or more of the following tags -on the *control node* before using the role. 
+### Available tags to control and use the role -## Role Variables +* __install__ - With this tag the role ensures that the `aide` package is installed on the remote nodes +* __generate_config__ - Generates the file `/etc/aide.conf` using `templates/aide.conf.j2`; the template needs to be adjusted to fit your requirements; if you do not use this tag the default configuration file shipped with the `aide` package will be used +* __init__ - Initializes the AIDE database and fetches it from the remote nodes to store it on the controller node +* __check__ - Runs an integrity check on the remote nodes +* __update__ - Updates the AIDE database and stores it on the controller node -A description of all input variables (i.e. variables that are defined in -`defaults/main.yml`) for the role should go here as these form an API of the -role. Each variable should have its own section e.g. +## What does this role not do for you? -### aide_foo +* It does not explain how to create a good AIDE configuration that suits your requirements; that task remains for you to accomplish -This variable is required. It is a string that lists the foo of the role. -There is no default value. +## Requirements + +This role has no special requirements as it uses `ansible.builtin` modules +only. + +## Role Variables -### aide_bar +### aide_db_fetch_dir -This variable is optional. It is a boolean that tells the role to disable bar. -The default value is `true`. +This variable takes a string to specify the directory on the Ansible Control +Node (ACN) where the role will store the AIDE database fetched from the remote +nodes. The default value is `files` which is expected to be a directory in the +same directory as the playbook. -Variables that are not intended as input, like variables defined in -`vars/main.yml`, variables that are read from other roles and/or the global -scope (ie. hostvars, group vars, etc.) 
can be also mentioned here but keep in -mind that as these are probably not part of the role API they may change during -the lifetime. +In case you like to store the fetched AIDE database files somewhere else you +need to specify a different path here. Example of setting the variables: ```yaml -aide_foo: "oof" -aide_bar: false +aide_db_fetch_dir: files ``` -## Variables Exported by the Role - -This section is optional. Some roles may export variables for playbooks to -use later. These are analogous to "return values" in Ansible modules. For -example, if a role performs some action that will require a system reboot, but -the user wants to defer the reboot, the role might set a variable like -`aide_reboot_needed: true` that the playbook can use to reboot at a more -convenient time. - -Example: - -### aide_reboot_needed - -Default `false` - if `true`, this means a reboot is needed to apply the changes -made by the role - ## Example Playbook Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: ```yaml -- name: Manage the aide subsystem - hosts: all - vars: - aide_foo: "foo foo!" - aide_bar: false - roles: - - linux-system-roles.aide +# SPDX-License-Identifier: MIT +--- +- name: Example aide role invocation + hosts: targets + tasks: + - name: Include role aide + tags: + - install + - generate_config + - init + - check + - update + vars: + aide_db_fetch_dir: files + ansible.builtin.include_role: + name: aide ``` -More examples can be provided in the [`examples/`](examples) directory. These -can be useful, especially for documentation. - -## rpm-ostree - -See README-ostree.md +More examples can be found in the [`examples/`](examples) directory. ## License -Whenever possible, please prefer MIT. +MIT. ## Author Information -An optional section for the role authors to include contact information, or a -website (HTML is not allowed). +* Radovan Sroka +* Joerg Kastning 
diff --git a/ansible_pytest_extra_requirements.txt b/ansible_pytest_extra_requirements.txt new file mode 100644 index 0000000..6bafb6f --- /dev/null +++ b/ansible_pytest_extra_requirements.txt @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: MIT + +# ansible and dependencies for all supported platforms +ansible ; python_version > "2.6" +idna<2.8 ; python_version < "2.7" +PyYAML<5.1 ; python_version < "2.7" diff --git a/contributing.md b/contributing.md index 4bc2ae1..4695c44 100644 --- a/contributing.md +++ b/contributing.md @@ -1,4 +1,4 @@ -# Contributing to the aide Linux System Role +# Contributing to the Aide Linux System Role ## Where to start diff --git a/defaults/main.yml b/defaults/main.yml index a5858b6..40217d4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -4,5 +4,4 @@ # This file also serves as a documentation for such a variables. # Examples of role input variables: -aide_foo: foo -aide_bar: true +aide_db_fetch_dir: files diff --git a/examples/simple.yml b/examples/simple.yml index 10359eb..044fc5d 100644 --- a/examples/simple.yml +++ b/examples/simple.yml @@ -1,9 +1,16 @@ # SPDX-License-Identifier: MIT --- - name: Example aide role invocation - hosts: all - vars: - aide_foo: example variable value - aide_bar: false - roles: - - linux-system-roles.aide + hosts: targets + tasks: + - name: Include role aide + tags: + - install + - generate_config + - init + - check + - update + vars: + aide_db_fetch_dir: files + ansible.builtin.include_role: + name: linux-system-roles.aide diff --git a/meta/main.yml b/meta/main.yml index a8a1444..b71972d 100644 --- a/meta/main.yml +++ b/meta/main.yml 
@@ -1,20 +1,68 @@ # SPDX-License-Identifier: MIT --- galaxy_info: - author: John Doe - description: Basic template for Linux system roles - company: John Doe, Inc. + # Replace with role's author name: + author: Joerg Kastning + # Replace with the real description of what is role's purpose: + description: Install, configure and operate AIDE + # Replace with the company the role's author is member of: + company: Red Hat + + # If the issue tracker for your role is not on github, uncomment the next + # line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY license: MIT + min_ansible_version: "2.9" + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, Galaxy + # will use this branch. During import Galaxy will access files on this + # branch. If Travis integration is configured, only notifications for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually main) will be used. + # github_branch: + + # + # platforms is a list of platforms, and each platform has a name and a list + # of versions. + # + # platforms: + # - name: Fedora + # versions: + # - all + # - "25" + # - name: SomePlatform + # versions: + # - all + # - "1.0" + # - "7" + # - "99.99" platforms: + # Replace the below with your platform list: - name: Fedora versions: - all - name: EL versions: - - "9" - galaxy_tags: - - el9 - - el10 - - fedora + - all + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that + # describes and categorizes the role. Users find roles by searching for tags. + # Be sure to remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric + # characters. Maximum 20 tags per role. 
+ dependencies: [] +# List your role dependencies here, one per line. Be sure to remove the '[]' +# above, if you add dependencies to this list. diff --git a/pylint_extra_requirements.txt b/pylint_extra_requirements.txt new file mode 100644 index 0000000..8d280fc --- /dev/null +++ b/pylint_extra_requirements.txt @@ -0,0 +1,3 @@ +# SPDX-License-Identifier: MIT + +# Write extra requirements for running pylint here: diff --git a/pytest_extra_requirements.txt b/pytest_extra_requirements.txt new file mode 100644 index 0000000..8e11eaa --- /dev/null +++ b/pytest_extra_requirements.txt @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: MIT + +# Write extra requirements for running pytest here: +# If you need ansible then uncomment the following line: +-ransible_pytest_extra_requirements.txt +# If you need mock then uncomment the following line: +mock ; python_version < "3.0" diff --git a/tasks/main.yml b/tasks/main.yml index e756be5..73fedb2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
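Review bot: The rewritten galaxy_info keeps the template's scaffolding comments (`# Replace with role's author name:`, `# Replace the below with your platform list:`) next to values that have already been filled in, and swaps the previous `galaxy_tags` (`el9`, `el10`, `fedora`) for an empty list; drop the placeholder comments and keep the tags unless removing them is intentional. Separately, the README in this same patch says the role uses `ansible.builtin` modules only, yet the install task in tasks/main.yml selects `ansible.posix.rhel_rpm_ostree` on ostree hosts, so `ansible.posix` is a real control-node requirement and should be declared as a collection requirement (in `meta/collection-requirements.yml` if the repo carries one — not visible here) and stated in the README.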
@@ -5,23 +5,93 @@ # Examples of some tasks: - name: Ensure required packages are installed - package: + ansible.builtin.package: name: "{{ __aide_packages }}" state: present use: "{{ (__aide_is_ostree | d(false)) | ternary('ansible.posix.rhel_rpm_ostree', omit) }}" + tags: + - never + - install - name: Ensure required services are enabled and started - service: + ansible.builtin.service: name: "{{ item }}" state: started enabled: true loop: "{{ __aide_services }}" + tags: + - never -- name: Generate /etc/{{ __aide_foo_config }} - template: - src: "{{ __aide_foo_config }}.j2" - dest: /etc/{{ __aide_foo_config }} +- name: Generate "/etc/{{ __aide_config }}" + ansible.builtin.template: + src: "{{ __aide_config }}.j2" + dest: "/etc/{{ __aide_config }}" backup: true mode: "0400" - notify: Handler for aide to restart services + tags: + - never + - generate_config + +- name: Initialize AIDE database and fetch it + become: true + tags: + - never + - init + block: + - name: Initialize AIDE database + ansible.builtin.command: + cmd: aide --init + + - name: Fetch AIDE database + ansible.builtin.fetch: + src: "{{ __aide_db_new_name }}" + dest: "{{ aide_db_fetch_dir }}" + + - name: Remove remote AIDE database file + ansible.builtin.file: + path: "{{ __aide_db_new_name }}" + state: absent + +- name: Check AIDE integrity + become: true + tags: + - never + - check + block: + - name: Copy AIDE reference database to remote + ansible.builtin.copy: + src: + "{{ aide_db_fetch_dir }}/{{ inventory_hostname }}/var/lib/aide/\ + aide.db.new.gz" + dest: "{{ __aide_db_name }}" + owner: root + group: root + mode: "0440" + + - name: Check against AIDE reference database + ansible.builtin.command: + cmd: aide --check + changed_when: false + +- name: Update AIDE database and fetch it + become: true + tags: + - never + - update + block: + - name: Update AIDE database + ansible.builtin.command: + cmd: aide --update + register: __aide_update_result + failed_when: __aide_update_result.rc > 7 + + - 
name: Fetch AIDE database + ansible.builtin.fetch: + src: "{{ __aide_db_new_name }}" + dest: "{{ aide_db_fetch_dir }}" + + - name: Remove remote AIDE database file + ansible.builtin.file: + path: "{{ __aide_db_new_name }}" + state: absent diff --git a/tasks/set_vars.yml b/tasks/set_vars.yml index c1ef3f6..48d2fc2 100644 --- a/tasks/set_vars.yml +++ b/tasks/set_vars.yml @@ -1,12 +1,12 @@ --- - name: Ensure ansible_facts used by role setup: - gather_subset: "{{ __template_required_facts_subsets }}" - when: __template_required_facts | + gather_subset: "{{ __aide_required_facts_subsets }}" + when: __aide_required_facts | difference(ansible_facts.keys() | list) | length > 0 - name: Determine if system is ostree and set flag - when: not __template_is_ostree is defined + when: not __aide_is_ostree is defined block: - name: Check if system is ostree stat: @@ -15,7 +15,7 @@ - name: Set flag to indicate system is ostree set_fact: - __template_is_ostree: "{{ __ostree_booted_stat.stat.exists }}" + __aide_is_ostree: "{{ __ostree_booted_stat.stat.exists }}" - name: Set platform/version specific variables include_vars: "{{ __vars_file }}" diff --git a/templates/aide.conf.j2 b/templates/aide.conf.j2 new file mode 100644 index 0000000..02d06b6 --- /dev/null +++ b/templates/aide.conf.j2 
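Review bot: `aide --check` exits non-zero whenever it finds new, removed or changed files (the update task in this hunk already treats rc 1–7 as findings and only >7 as an error), so with no `failed_when` the check task fails on every finding, the play aborts, and the integrity report is only visible in a failed task's stdout; register the result, keep `rc > 7` as the error condition and surface the report explicitly, as below. The update block also never places the reference database on the node, so `aide --update` can only succeed if an earlier check run left `/var/lib/aide/aide.db.gz` behind — the same "Copy AIDE reference database to remote" task the check block uses belongs before `aide --update`. Finally, the init/check/update blocks carry `become: true` while the package install and the template to `/etc/aide.conf` above them do not; either the play is expected to run with become (making the block-level ones redundant) or those two tasks will fail on an unprivileged connection — pick one and document it.

```yaml
    - name: Check against AIDE reference database
      ansible.builtin.command:
        cmd: aide --check
      register: __aide_check_result
      changed_when: false
      # rc 1-7: files added/removed/changed; rc > 7: AIDE itself failed
      failed_when: __aide_check_result.rc > 7

    - name: Report AIDE integrity findings
      ansible.builtin.fail:
        msg: "{{ __aide_check_result.stdout }}"
      when: __aide_check_result.rc != 0
```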
@@ -0,0 +1,304 @@ +# Example configuration file for AIDE. + +@@define DBDIR /var/lib/aide +@@define LOGDIR /var/log/aide + +# The location of the database to be read. +database=file:@@{DBDIR}/aide.db.gz + +# The location of the database to be written. +#database_out=sql:host:port:database:login_name:passwd:table +#database_out=file:aide.db.new +database_out=file:@@{DBDIR}/aide.db.new.gz + +# Whether to gzip the output to database +gzip_dbout=yes + +# Default. +verbose=5 + +report_url=file:@@{LOGDIR}/aide.log +report_url=stdout +#report_url=stderr +#NOT IMPLEMENTED report_url=mailto:root@foo.com +#NOT IMPLEMENTED report_url=syslog:LOG_AUTH + +# These are the default rules. +# +#p: permissions +#i: inode: +#n: number of links +#u: user +#g: group +#s: size +#b: block count +#m: mtime +#a: atime +#c: ctime +#S: check for growing size +#acl: Access Control Lists +#selinux SELinux security context +#xattrs: Extended file attributes +#md5: md5 checksum +#sha1: sha1 checksum +#sha256: sha256 checksum +#sha512: sha512 checksum +#rmd160: rmd160 checksum +#tiger: tiger checksum + +#haval: haval checksum (MHASH only) +#gost: gost checksum (MHASH only) +#crc32: crc32 checksum (MHASH only) +#whirlpool: whirlpool checksum (MHASH only) + +#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5 +#L: p+i+n+u+g+acl+selinux+xattrs +#E: Empty group +#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs + +# You can create custom rules like this. +# With MHASH... +# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 +ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger +# Everything but access time (Ie. all changes) +EVERYTHING = R+ALLXTRAHASHES + +# Sane +# NORMAL = R+sha512 +NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512 + +# For directories, don't bother doing hashes +DIR = p+i+n+u+g+acl+selinux+xattrs + +# Access control only +PERMS = p+u+g+acl+selinux+xattrs + +# Logfile are special, in that they often change +LOG = p+u+g+n+S+acl+selinux+xattrs + +# Content + file type. 
+CONTENT = sha512+ftype + +# Extended content + file type + access. +CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs + +# Some files get updated automatically, so the inode/ctime/mtime change +# but we want to know when the data inside them changes +DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512 + +# Next decide what directories/files you want in the database. + +/boot CONTENT_EX +/opt CONTENT + +# Admins dot files constantly change, just check perms +/root/\..* PERMS +!/root/.xauth* +# Otherwise get all of /root. +/root CONTENT_EX + +# These are too volatile +!/usr/src +!/usr/tmp +!/root/.ansible* + +# Otherwise get all of /usr. +/usr CONTENT_EX + +# trusted databases +/etc/hosts$ CONTENT_EX +/etc/host.conf$ CONTENT_EX +/etc/hostname$ CONTENT_EX +/etc/issue$ CONTENT_EX +/etc/issue.net$ CONTENT_EX +/etc/protocols$ CONTENT_EX +/etc/services$ CONTENT_EX +/etc/localtime$ CONTENT_EX +/etc/alternatives CONTENT_EX +/etc/sysconfig CONTENT_EX +/etc/mime.types$ CONTENT_EX +/etc/terminfo CONTENT_EX +/etc/exports$ CONTENT_EX +/etc/fstab$ CONTENT_EX +/etc/passwd$ CONTENT_EX +/etc/group$ CONTENT_EX +/etc/gshadow$ CONTENT_EX +/etc/shadow$ CONTENT_EX +/etc/subgid$ CONTENT_EX +/etc/subuid$ CONTENT_EX +/etc/security/opasswd$ CONTENT_EX +/etc/skel CONTENT_EX +/etc/sssd CONTENT_EX +/etc/machine-id$ CONTENT_EX +/etc/swid CONTENT_EX +/etc/system-release-cpe$ CONTENT_EX +/etc/shells$ CONTENT_EX +/etc/tmux.conf$ CONTENT_EX +/etc/xattr.conf$ CONTENT_EX + +# networking +/etc/firewalld CONTENT_EX +!/etc/NetworkManager/system-connections +/etc/NetworkManager CONTENT_EX +/etc/networks$ CONTENT_EX +/etc/dhcp CONTENT_EX +/etc/wpa_supplicant CONTENT_EX +/etc/resolv.conf$ DATAONLY +/etc/nscd.conf$ CONTENT_EX + +# logins and accounts +/etc/login.defs$ CONTENT_EX +/etc/libuser.conf$ CONTENT_EX +/var/log/faillog$ PERMS +/var/log/lastlog$ PERMS +/var/run/faillock PERMS +/etc/pam.d CONTENT_EX +/etc/security CONTENT_EX +/etc/securetty$ CONTENT_EX +/etc/polkit-1 CONTENT_EX +/etc/sudo.conf$ 
CONTENT_EX +/etc/sudoers$ CONTENT_EX +/etc/sudoers.d CONTENT_EX + +# Shell/X startup files +/etc/profile$ CONTENT_EX +/etc/profile.d CONTENT_EX +/etc/bashrc$ CONTENT_EX +/etc/bash_completion.d CONTENT_EX +/etc/zprofile$ CONTENT_EX +/etc/zshrc$ CONTENT_EX +/etc/zlogin$ CONTENT_EX +/etc/zlogout$ CONTENT_EX +/etc/X11 CONTENT_EX + +# Pkg manager +/etc/dnf CONTENT_EX +/etc/yum.conf$ CONTENT_EX +/etc/yum CONTENT_EX +/etc/yum.repos.d CONTENT_EX + +# This gets new/removes-old filenames daily +!/var/log/sa +# As we are checking it, we've truncated yesterdays size to zero. +!/var/log/aide.log + +# auditing +# AIDE produces an audit record, so this becomes perpetual motion. +/var/log/audit PERMS +/etc/audit CONTENT_EX +/etc/libaudit.conf$ CONTENT_EX +/etc/aide.conf$ CONTENT_EX + +# System logs +/etc/rsyslog.conf$ CONTENT_EX +/etc/rsyslog.d CONTENT_EX +/etc/logrotate.conf$ CONTENT_EX +/etc/logrotate.d CONTENT_EX +/etc/systemd/journald.conf$ CONTENT_EX +/var/log LOG+ANF+ARF +/var/run/utmp LOG + +# secrets +/etc/pkcs11 CONTENT_EX +/etc/pki CONTENT_EX +/etc/crypto-policies CONTENT_EX +/etc/certmonger CONTENT_EX +/var/lib/systemd/random-seed$ PERMS + +# init system +/etc/systemd CONTENT_EX +/etc/rc.d CONTENT_EX +/etc/tmpfiles.d CONTENT_EX + +# boot config +/etc/default CONTENT_EX +/etc/grub.d CONTENT_EX +/etc/dracut.conf$ CONTENT_EX +/etc/dracut.conf.d CONTENT_EX + +# glibc linker +/etc/ld.so.cache$ CONTENT_EX +/etc/ld.so.conf$ CONTENT_EX +/etc/ld.so.conf.d CONTENT_EX +/etc/ld.so.preload$ CONTENT_EX + +# kernel config +/etc/sysctl.conf$ CONTENT_EX +/etc/sysctl.d CONTENT_EX +/etc/modprobe.d CONTENT_EX +/etc/modules-load.d CONTENT_EX +/etc/depmod.d CONTENT_EX +/etc/udev CONTENT_EX +/etc/crypttab$ CONTENT_EX + +#### Daemons #### + +# cron jobs +/etc/at.allow$ CONTENT +/etc/at.deny$ CONTENT +/etc/anacrontab$ CONTENT_EX +/etc/cron.allow$ CONTENT_EX +/etc/cron.deny$ CONTENT_EX +/etc/cron.d CONTENT_EX +/etc/cron.daily CONTENT_EX +/etc/cron.hourly CONTENT_EX +/etc/cron.monthly CONTENT_EX 
+/etc/cron.weekly CONTENT_EX +/etc/crontab$ CONTENT_EX +/var/spool/cron/root CONTENT + +# time keeping +/etc/chrony.conf$ CONTENT_EX +/etc/chrony.keys$ CONTENT_EX + +# mail +/etc/aliases$ CONTENT_EX +/etc/aliases.db$ CONTENT_EX +/etc/postfix CONTENT_EX + +# ssh +/etc/ssh/sshd_config$ CONTENT_EX +/etc/ssh/ssh_config$ CONTENT_EX + +# stunnel +/etc/stunnel CONTENT_EX + +# printing +/etc/cups CONTENT_EX +/etc/cupshelpers CONTENT_EX +/etc/avahi CONTENT_EX + +# web server +/etc/httpd CONTENT_EX + +# dns +/etc/named CONTENT_EX +/etc/named.conf$ CONTENT_EX +/etc/named.iscdlv.key$ CONTENT_EX +/etc/named.rfc1912.zones$ CONTENT_EX +/etc/named.root.key$ CONTENT_EX + +# xinetd +/etc/xinetd.conf$ CONTENT_EX +/etc/xinetd.d CONTENT_EX + +# IPsec +/etc/ipsec.conf$ CONTENT_EX +/etc/ipsec.secrets$ CONTENT_EX +/etc/ipsec.d CONTENT_EX + +# USB guard +/etc/usbguard CONTENT_EX + +# Ignore some files +!/etc/mtab$ +!/etc/.*~ + +# Now everything else +/etc PERMS + +# With AIDE's default verbosity level of 5, these would give lots of +# warnings upon tree traversal. It might change with future version. +# +#=/lost\+found DIR +#=/home DIR diff --git a/templates/foo.conf.j2 b/templates/foo.conf.j2 index 5fc204b..2ed6d2e 100644 --- a/templates/foo.conf.j2 +++ b/templates/foo.conf.j2 @@ -3,7 +3,7 @@ # Example of a template of configuration file # {{ ansible_managed | comment }} -{{ "system_role:template" | comment(prefix="", postfix="") }} +{{ "system_role:aide" | comment(prefix="", postfix="") }} [foo] foo = {{ template_foo }} bar = {{ template_bar }} diff --git a/tests/tests_default.yml b/tests/tests_default.yml index b82e8f2..081b7cb 100644 --- a/tests/tests_default.yml +++ b/tests/tests_default.yml @@ -9,5 +9,5 @@ - name: Check header for ansible_managed, fingerprint include_tasks: tasks/check_header.yml vars: - __file: /etc/foo.conf + __file: /etc/aide.conf __fingerprint: system_role:aide diff --git a/vars/Fedora.yml b/vars/Fedora.yml index a783f79..c40e953 100644 --- a/vars/Fedora.yml 
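Review bot: `/root/\..* PERMS` makes every dotfile under /root permissions-only, and that includes `/root/.ssh/authorized_keys` — a key appended there changes content, not permissions, and would go unreported; add `/root/\.ssh CONTENT_EX` ahead of that line (confirm AIDE's rule-precedence semantics, which I cannot verify from here). The same gap exists on the server side: only `/etc/ssh/sshd_config$` and `/etc/ssh/ssh_config$` are content-checked, so `/etc/ssh/sshd_config.d/` drop-ins and the host keys fall through to the trailing `/etc PERMS` catch-all; replacing the two lines with `/etc/ssh CONTENT_EX` covers the whole directory. Since the `generate_config` tag installs this template verbatim as the live `/etc/aide.conf`, these selections matter more than the "Example configuration file" header suggests — I would say so at the top: `# Installed as /etc/aide.conf by the aide role (generate_config); review the selection lines below before relying on them.`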
+++ b/vars/Fedora.yml @@ -3,5 +3,5 @@ # Put internal variables here with Fedora specific values. # Example: -__template_packages: [] -__template_services: [] +__aide_packages: [] +__aide_services: [] diff --git a/vars/RedHat_10.yml b/vars/RedHat_10.yml index c1a73a0..1b63f8a 100644 --- a/vars/RedHat_10.yml +++ b/vars/RedHat_10.yml @@ -3,5 +3,5 @@ # Put internal variables here with Red Hat Enterprise Linux 10 specific values. # Example: -__template_packages: [] -__template_services: [] +__aide_packages: [] +__aide_services: [] diff --git a/vars/RedHat_7.yml b/vars/RedHat_7.yml index 3815df4..89e8e92 100644 --- a/vars/RedHat_7.yml +++ b/vars/RedHat_7.yml @@ -3,5 +3,5 @@ # Put internal variables here with Red Hat Enterprise Linux 7 specific values. # Example: -__template_packages: [] -__template_services: [] +__aide_packages: [] +__aide_services: [] diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml index 954bf90..4a11f9c 100644 --- a/vars/RedHat_8.yml +++ b/vars/RedHat_8.yml @@ -3,5 +3,5 @@ # Put internal variables here with Red Hat Enterprise Linux 8 specific values. # Example: -__template_packages: [] -__template_services: [] +__aide_packages: [] +__aide_services: [] diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml index b367bff..dadc3a1 100644 --- a/vars/RedHat_9.yml +++ b/vars/RedHat_9.yml @@ -3,5 +3,5 @@ # Put internal variables here with Red Hat Enterprise Linux 9 specific values. # Example: -__template_packages: [] -__template_services: [] +__aide_packages: [] +__aide_services: [] diff --git a/vars/main.yml b/vars/main.yml index 3c51452..4434101 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -5,9 +5,10 @@ # value in a platform/version specific file in vars/ # Examples of non-distribution specific (generic) internal variables: -__aide_foo_config: foo.conf -__aide_packages: [] -__aide_services: [] +__aide_config: aide.conf +__aide_packages: ['aide'] +__aide_db_name: /var/lib/aide/aide.db.gz +__aide_db_new_name: /var/lib/aide/aide.db.new.gz # ansible_facts required by the role __aide_required_facts: - distribution @@ -35,5 +36,6 @@ __aide_rh_distros_fedora: "{{ __aide_rh_distros + ['Fedora'] }}" __aide_is_rh_distro: "{{ ansible_distribution in __aide_rh_distros }}" # Use this in conditionals to check if distro is Red Hat or clone, or Fedora -__aide_is_rh_distro_fedora: "{{ ansible_distribution in __aide_rh_distros_fedora }}" +__aide_is_rh_distro_fedora: \ + "{{ ansible_distribution in __aide_rh_distros_fedora }}" # END - DO NOT EDIT THIS BLOCK - rh distros variables From f852360ee2d64971d441681c07bd23aa0a07dfb4 Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Thu, 7 Nov 2024 10:25:07 +0100 Subject: [PATCH 02/12] Fix suggestions Signed-off-by: Radovan Sroka --- pylint_extra_requirements.txt | 3 --- pytest_extra_requirements.txt | 7 ------- tasks/main.yml | 4 +++- templates/aide.conf.j2 | 2 ++ 4 files changed, 5 insertions(+), 11 deletions(-) delete mode 100644 pylint_extra_requirements.txt delete mode 100644 pytest_extra_requirements.txt diff --git a/pylint_extra_requirements.txt b/pylint_extra_requirements.txt deleted file mode 100644 index 8d280fc..0000000 --- a/pylint_extra_requirements.txt +++ /dev/null @@ -1,3 +0,0 @@ -# SPDX-License-Identifier: MIT - -# Write extra requirements for running pylint here: diff --git a/pytest_extra_requirements.txt b/pytest_extra_requirements.txt deleted file mode 100644 index 8e11eaa..0000000 --- a/pytest_extra_requirements.txt +++ /dev/null 
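Review bot: The wrapped `__aide_is_rh_distro_fedora: \` line does not do what it looks like — `\` is not a continuation character in YAML, it is the first character of a plain scalar, and the quoted expression on the following line is folded into it, so as far as I can tell the variable becomes the string `\ "{{ ansible_distribution in __aide_rh_distros_fedora }}"` (a non-boolean even after templating) and any `when:` built on it misbehaves. Wrap it with a block scalar instead: `__aide_is_rh_distro_fedora: >-` followed by `  {{ ansible_distribution in __aide_rh_distros_fedora }}`. This block is also marked "DO NOT EDIT" — presumably the wrap is a line-length lint fix, in which case the block should be regenerated from the role template rather than hand-edited.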
@@ -1,7 +0,0 @@ -# SPDX-License-Identifier: MIT - -# Write extra requirements for running pytest here: -# If you need ansible then uncomment the following line: --ransible_pytest_extra_requirements.txt -# If you need mock then uncomment the following line: -mock ; python_version < "3.0" diff --git a/tasks/main.yml b/tasks/main.yml index 73fedb2..89e7dde 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -42,6 +42,7 @@ - name: Initialize AIDE database ansible.builtin.command: cmd: aide --init + changed_when: true - name: Fetch AIDE database ansible.builtin.fetch: @@ -72,7 +73,7 @@ - name: Check against AIDE reference database ansible.builtin.command: cmd: aide --check - changed_when: false + changed_when: true - name: Update AIDE database and fetch it become: true @@ -85,6 +86,7 @@ cmd: aide --update register: __aide_update_result failed_when: __aide_update_result.rc > 7 + changed_when: true - name: Fetch AIDE database ansible.builtin.fetch: diff --git a/templates/aide.conf.j2 b/templates/aide.conf.j2 index 02d06b6..60b69a4 100644 --- a/templates/aide.conf.j2 +++ b/templates/aide.conf.j2 @@ -1,3 +1,5 @@ +{{ ansible_managed | comment }} +{{ "system_role:aide" | comment(prefix="", postfix="") }} # Example configuration file for AIDE. @@define DBDIR /var/lib/aide From eec95a9787f809478571b16490b766ad2e6e0c01 Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Thu, 7 Nov 2024 11:01:18 +0100 Subject: [PATCH 03/12] Switch from using tags to variables 
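Review bot: Flipping `aide --check` from `changed_when: false` to `changed_when: true` reports a change on every run even though a check only reads the filesystem and writes its report; `changed_when: false` was the accurate value and already satisfies ansible-lint's no-changed-when rule, so I would restore it. `changed_when: true` is right for `--init` and `--update`, which do write a new database. If the intent was to make findings visible, that information lives in the return code, not in the changed flag.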
Signed-off-by: Radovan Sroka --- README.md | 67 +++++++++++++++++------- defaults/main.yml | 15 ++++++ examples/{simple.yml => default.yml} | 11 ++-- examples/deploy.yml | 15 ++++++ examples/just_check.yml | 15 ++++++ examples/just_update.yml | 15 ++++++ meta/main.yml | 10 ++-- tasks/main.yml | 30 ++++------- tests/tasks/check_not_present_header.yml | 16 ++++++ tests/tests_default.yml | 2 +- tests/tests_deploy.yml | 17 ++++++ vars/AlmaLinux_10.yml | 1 - vars/AlmaLinux_8.yml | 1 - vars/AlmaLinux_9.yml | 1 - vars/CentOS_10.yml | 1 - vars/CentOS_7.yml | 1 - vars/CentOS_8.yml | 1 - vars/CentOS_9.yml | 1 - vars/Fedora.yml | 7 --- vars/RedHat_10.yml | 7 --- vars/RedHat_7.yml | 7 --- vars/RedHat_8.yml | 7 --- vars/RedHat_9.yml | 7 --- vars/Rocky_10.yml | 1 - vars/Rocky_8.yml | 1 - vars/Rocky_9.yml | 1 - vars/main.yml | 1 + 27 files changed, 164 insertions(+), 95 deletions(-) rename examples/{simple.yml => default.yml} (63%) create mode 100644 examples/deploy.yml create mode 100644 examples/just_check.yml create mode 100644 examples/just_update.yml create mode 100644 tests/tasks/check_not_present_header.yml create mode 100644 tests/tests_deploy.yml delete mode 120000 vars/AlmaLinux_10.yml delete mode 120000 vars/AlmaLinux_8.yml delete mode 120000 vars/AlmaLinux_9.yml delete mode 120000 vars/CentOS_10.yml delete mode 120000 vars/CentOS_7.yml delete mode 120000 vars/CentOS_8.yml delete mode 120000 vars/CentOS_9.yml delete mode 100644 vars/Fedora.yml delete mode 100644 vars/RedHat_10.yml delete mode 100644 vars/RedHat_7.yml delete mode 100644 vars/RedHat_8.yml delete mode 100644 vars/RedHat_9.yml delete mode 120000 vars/Rocky_10.yml delete mode 120000 vars/Rocky_8.yml delete mode 120000 vars/Rocky_9.yml diff --git a/README.md b/README.md index 183ad85..40a06d0 100644 --- a/README.md +++ b/README.md 
@@ -18,18 +18,12 @@ extreme caution as it might break your system. ## How does the role do that? -* The role is controlled by using [Ansible Tags](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_tags.html) -* If you run the playbook without specifying any tag the role will change nothing on your remote nodes -* To execute some supported use cases you need to explicitly specify one or more of the following tags +* The role is controlled by using role variables +* If you run the playbook without specifying any role variable the role will change nothing on your remote nodes +* To execute some supported use cases you need to explicitly specify one or more of the following variables ### Available tags to control and use the role -* __install__ - With this tag the role ensures that the `aide` package is installed on the remote nodes -* __generate_config__ - Generates the file `/etc/aide.conf` using `templates/aide.conf.j2`; the template needs to be adjusted to fit your requirements; if you do not use this tag the default configuration file shipped with the `aide` package will be used -* __init__ - Initializes the AIDE database and fetches it from the remote nodes to store it on the controller node -* __check__ - Runs an integrity check on the remote nodes -* __update__ - Updates the AIDE database and stores it on the controller node - ## What does this role not do for you? * It does not explain how to create a good AIDE configuration that suits your requirements; that task remains for you to accomplish 
@@ -51,11 +45,45 @@ same directory as the playbook. In case you like to store the fetched AIDE database files somewhere else you need to specify a different path here. -Example of setting the variables: +### aide_install -```yaml -aide_db_fetch_dir: files -``` +With this variable the role ensures that the `aide` package is installed on the remote nodes + +Default: `false` + +Type: `bool` + +### aide_generate_config + +Generates the file `/etc/aide.conf` using `templates/aide.conf.j2`; the template needs to be adjusted to fit your requirements; if you do not use this varable the default configuration file shipped with the `aide` package will be used. + +Default: `false` + +Type: `bool` + +### aide_init + +Initializes the AIDE database and fetches it from the remote nodes to store it on the controller node + +Default: `false` + +Type: `bool` + +### aide_check + +Runs an integrity check on the remote nodes + +Default: `false` + +Type: `bool` + +### aide_update + +Updates the AIDE database and stores it on the controller node + +Default: `false` + +Type: `bool` ## Example Playbook @@ -69,16 +97,15 @@ passed in as parameters) is always nice for users too: hosts: targets tasks: - name: Include role aide - tags: - - install - - generate_config - - init - - check - - update vars: aide_db_fetch_dir: files + aide_install: true + aide_generate_config: true + aide_init: true + aide_check: false + aide_update: false ansible.builtin.include_role: - name: aide + name: linux-system-roles.aide ``` More examples can be found in the [`examples/`](examples) directory. diff --git a/defaults/main.yml b/defaults/main.yml index 40217d4..cd74b8a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -5,3 +5,18 @@ # Examples of role input variables: aide_db_fetch_dir: files + +# Enable install phase +aide_install: false + +# Enable config file generation phase +aide_generate_config: false + +# Enable initialization of the database phase +aide_init: false + +# Enable check database phase +aide_check: false + +# Enable database update phase +aide_update: false diff --git a/examples/simple.yml b/examples/default.yml similarity index 63% rename from examples/simple.yml rename to examples/default.yml index 044fc5d..bcdd356 100644 --- a/examples/simple.yml +++ b/examples/default.yml @@ -4,13 +4,12 @@ hosts: targets tasks: - name: Include role aide - tags: - - install - - generate_config - - init - - check - - update vars: aide_db_fetch_dir: files + aide_install: true + aide_generate_config: true + aide_init: true + aide_check: false + aide_update: false ansible.builtin.include_role: name: linux-system-roles.aide diff --git a/examples/deploy.yml b/examples/deploy.yml new file mode 100644 index 0000000..bcdd356 --- /dev/null +++ b/examples/deploy.yml @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: MIT +--- +- name: Example aide role invocation + hosts: targets + tasks: + - name: Include role aide + vars: + aide_db_fetch_dir: files + aide_install: true + aide_generate_config: true + aide_init: true + aide_check: false + aide_update: false + ansible.builtin.include_role: + name: linux-system-roles.aide diff --git a/examples/just_check.yml b/examples/just_check.yml new file mode 100644 index 0000000..a270d53 --- /dev/null +++ b/examples/just_check.yml @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: MIT +--- +- name: Example aide role invocation + hosts: targets + tasks: + - name: Include role aide + vars: + aide_db_fetch_dir: files + aide_install: false + aide_generate_config: false + aide_init: false + aide_check: true + aide_update: false + ansible.builtin.include_role: + name: linux-system-roles.aide 
diff --git a/examples/just_update.yml b/examples/just_update.yml new file mode 100644 index 0000000..310b67d --- /dev/null +++ b/examples/just_update.yml @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: MIT +--- +- name: Example aide role invocation + hosts: targets + tasks: + - name: Include role aide + vars: + aide_db_fetch_dir: files + aide_install: false + aide_generate_config: false + aide_init: false + aide_check: false + aide_update: true + ansible.builtin.include_role: + name: linux-system-roles.aide diff --git a/meta/main.yml b/meta/main.yml index b71972d..96430ee 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -6,7 +6,7 @@ galaxy_info: # Replace with the real description of what is role's purpose: description: Install, configure and operate AIDE # Replace with the company the role's author is member of: - company: Red Hat + company: Red Hat Inc. # If the issue tracker for your role is not on github, uncomment the next # line and provide a value @@ -53,9 +53,13 @@ galaxy_info: - all - name: EL versions: - - all + - "9" + - "10" - galaxy_tags: [] + galaxy_tags: + - el9 + - el10 + - fedora # List tags for your role here, one per line. A tag is a keyword that # describes and categorizes the role. Users find roles by searching for tags. # Be sure to remove the '[]' above, if you add tags to this list. diff --git a/tasks/main.yml b/tasks/main.yml index 89e7dde..2243c0a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -10,9 +10,8 @@ state: present use: "{{ (__aide_is_ostree | d(false)) | ternary('ansible.posix.rhel_rpm_ostree', omit) }}" - tags: - - never - - install + when: + - aide_install - name: Ensure required services are enabled and started ansible.builtin.service: @@ -20,8 +19,6 @@ state: started enabled: true loop: "{{ __aide_services }}" - tags: - - never - name: Generate "/etc/{{ __aide_config }}" ansible.builtin.template: 
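Review bot: The `Ensure required services are enabled and started` task loses its `tags: never` guard in the `@@ -20,8 +19,6 @@` hunk but, unlike the package task just above it, gets no `when:` in return, so it now runs on every invocation including the documented "no variables set, change nothing" case. It is a no-op today only because `__aide_services` is `[]` (vars/main.yml later in this series); the first service added to that list would be started on hosts where `aide_install` was never requested. Gate it the same way as the package task, `when: - aide_install`, so install and service management stay one phase.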
@@ -29,15 +26,12 @@ dest: "/etc/{{ __aide_config }}" backup: true mode: "0400" - tags: - - never - - generate_config + when: + - aide_generate_config - name: Initialize AIDE database and fetch it - become: true - tags: - - never - - init + when: + - aide_init block: - name: Initialize AIDE database ansible.builtin.command: @@ -55,10 +49,8 @@ state: absent - name: Check AIDE integrity - become: true - tags: - - never - - check + when: + - aide_check block: - name: Copy AIDE reference database to remote ansible.builtin.copy: @@ -76,10 +68,8 @@ changed_when: true - name: Update AIDE database and fetch it - become: true - tags: - - never - - update + when: + - aide_update block: - name: Update AIDE database ansible.builtin.command: diff --git a/tests/tasks/check_not_present_header.yml b/tests/tasks/check_not_present_header.yml new file mode 100644 index 0000000..3362e18 --- /dev/null +++ b/tests/tasks/check_not_present_header.yml @@ -0,0 +1,16 @@ +# SPDX-License-Identifier: MIT +--- +- name: Get file + slurp: + path: "{{ __file }}" + register: __content + when: not __file_content is defined + +- name: Check for presence of ansible managed header, fingerprint + assert: + that: + - ansible_managed not in content + - __fingerprint not in content + vars: + content: "{{ (__file_content | d(__content)).content | b64decode }}" + ansible_managed: "{{ lookup('template', 'get_ansible_managed.j2') }}" diff --git a/tests/tests_default.yml b/tests/tests_default.yml index 081b7cb..af98ed0 100644 --- a/tests/tests_default.yml +++ b/tests/tests_default.yml @@ -7,7 +7,7 @@ - linux-system-roles.aide tasks: - name: Check header for ansible_managed, fingerprint - include_tasks: tasks/check_header.yml + include_tasks: tasks/check_not_present_header.yml vars: __file: /etc/aide.conf __fingerprint: system_role:aide diff --git a/tests/tests_deploy.yml b/tests/tests_deploy.yml new file mode 100644 index 0000000..2c09e27 --- /dev/null +++ b/tests/tests_deploy.yml 
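Review bot: Dropping `become: true` from the init, check and update blocks makes `aide --init`/`aide --check` and the writes to `/var/lib/aide` depend entirely on the caller's play-level privilege escalation, and nothing in this series documents that requirement; without it the command tasks fail, or, if the target directory happens to be writable, produce a database built from whatever the unprivileged user can read. Either keep `become: true` on the three blocks, or add to the README's Requirements section a line such as `The role must run with privilege escalation (become: true): AIDE needs root to read the monitored tree and to write /var/lib/aide.`. The check block's `aide --check` task starts in this hunk but its exit-code handling is outside it.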
@@ -0,0 +1,17 @@ +# SPDX-License-Identifier: MIT +--- +- name: Ensure that the role runs with default parameters + hosts: all + gather_facts: false # test that role works in this case + roles: + - role: linux-system-roles.aide + vars: + aide_install: true + aide_generate_config: true + aide_init: true + tasks: + - name: Check header for ansible_managed, fingerprint + include_tasks: tasks/check_header.yml + vars: + __file: /etc/aide.conf + __fingerprint: system_role:aide diff --git a/vars/AlmaLinux_10.yml b/vars/AlmaLinux_10.yml deleted file mode 120000 index f830d5f..0000000 --- a/vars/AlmaLinux_10.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_10.yml \ No newline at end of file diff --git a/vars/AlmaLinux_8.yml b/vars/AlmaLinux_8.yml deleted file mode 120000 index ad7713d..0000000 --- a/vars/AlmaLinux_8.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_8.yml \ No newline at end of file diff --git a/vars/AlmaLinux_9.yml b/vars/AlmaLinux_9.yml deleted file mode 120000 index 0eb3795..0000000 --- a/vars/AlmaLinux_9.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_9.yml \ No newline at end of file diff --git a/vars/CentOS_10.yml b/vars/CentOS_10.yml deleted file mode 120000 index f830d5f..0000000 --- a/vars/CentOS_10.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_10.yml \ No newline at end of file diff --git a/vars/CentOS_7.yml b/vars/CentOS_7.yml deleted file mode 120000 index 105e630..0000000 --- a/vars/CentOS_7.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_7.yml \ No newline at end of file diff --git a/vars/CentOS_8.yml b/vars/CentOS_8.yml deleted file mode 120000 index ad7713d..0000000 --- a/vars/CentOS_8.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_8.yml \ No newline at end of file diff --git a/vars/CentOS_9.yml b/vars/CentOS_9.yml deleted file mode 120000 index 0eb3795..0000000 --- a/vars/CentOS_9.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_9.yml \ No newline at end of file diff --git a/vars/Fedora.yml b/vars/Fedora.yml deleted file mode 100644 index c40e953..0000000 --- a/vars/Fedora.yml +++ /dev/null 
@@ -1,7 +0,0 @@ -# SPDX-License-Identifier: MIT ---- -# Put internal variables here with Fedora specific values. - -# Example: -__aide_packages: [] -__aide_services: [] diff --git a/vars/RedHat_10.yml b/vars/RedHat_10.yml deleted file mode 100644 index 1b63f8a..0000000 --- a/vars/RedHat_10.yml +++ /dev/null @@ -1,7 +0,0 @@ -# SPDX-License-Identifier: MIT ---- -# Put internal variables here with Red Hat Enterprise Linux 10 specific values. - -# Example: -__aide_packages: [] -__aide_services: [] diff --git a/vars/RedHat_7.yml b/vars/RedHat_7.yml deleted file mode 100644 index 89e8e92..0000000 --- a/vars/RedHat_7.yml +++ /dev/null @@ -1,7 +0,0 @@ -# SPDX-License-Identifier: MIT ---- -# Put internal variables here with Red Hat Enterprise Linux 7 specific values. - -# Example: -__aide_packages: [] -__aide_services: [] diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml deleted file mode 100644 index 4a11f9c..0000000 --- a/vars/RedHat_8.yml +++ /dev/null @@ -1,7 +0,0 @@ -# SPDX-License-Identifier: MIT ---- -# Put internal variables here with Red Hat Enterprise Linux 8 specific values. - -# Example: -__aide_packages: [] -__aide_services: [] diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml deleted file mode 100644 index dadc3a1..0000000 --- a/vars/RedHat_9.yml +++ /dev/null @@ -1,7 +0,0 @@ -# SPDX-License-Identifier: MIT ---- -# Put internal variables here with Red Hat Enterprise Linux 9 specific values. - -# Example: -__aide_packages: [] -__aide_services: [] diff --git a/vars/Rocky_10.yml b/vars/Rocky_10.yml deleted file mode 120000 index f830d5f..0000000 --- a/vars/Rocky_10.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_10.yml \ No newline at end of file diff --git a/vars/Rocky_8.yml b/vars/Rocky_8.yml deleted file mode 120000 index ad7713d..0000000 --- a/vars/Rocky_8.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_8.yml \ No newline at end of file diff --git a/vars/Rocky_9.yml b/vars/Rocky_9.yml deleted file mode 120000 index 0eb3795..0000000 --- a/vars/Rocky_9.yml +++ /dev/null 
@@ -1 +0,0 @@ -RedHat_9.yml \ No newline at end of file diff --git a/vars/main.yml b/vars/main.yml index 4434101..13c2628 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -7,6 +7,7 @@ # Examples of non-distribution specific (generic) internal variables: __aide_config: aide.conf __aide_packages: ['aide'] +__aide_services: [] __aide_db_name: /var/lib/aide/aide.db.gz __aide_db_new_name: /var/lib/aide/aide.db.new.gz # ansible_facts required by the role From a4a60d180c61bccf3ff43b64eee2d4bd9bb303b6 Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Thu, 7 Nov 2024 22:17:54 +0100 Subject: [PATCH 04/12] Splited init and fetch Signed-off-by: Radovan Sroka --- README.md | 10 +++++++++- defaults/main.yml | 3 +++ examples/default.yml | 7 ++++--- examples/deploy.yml | 5 +++-- examples/just_check.yml | 1 + examples/just_update.yml | 1 + tasks/main.yml | 37 +++++++++++++++++++++++++++++++------ templates/aide.conf.j2 | 13 +++++++++++++ 8 files changed, 65 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 40a06d0..bec57af 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,15 @@ Type: `bool` ### aide_init -Initializes the AIDE database and fetches it from the remote nodes to store it on the controller node +Initializes the AIDE database. + +Default: `false` + +Type: `bool` + +### aide_fetch_db + +Fetches database from the remote nodes to store it on the controller node Default: `false` diff --git a/defaults/main.yml b/defaults/main.yml index cd74b8a..11db323 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -15,6 +15,9 @@ aide_generate_config: false # Enable initialization of the database phase aide_init: false +# Fetch db +aide_fetch_db: false + # Enable check database phase aide_check: false diff --git a/examples/default.yml b/examples/default.yml index bcdd356..9425f00 100644 --- a/examples/default.yml +++ b/examples/default.yml 
@@ -6,9 +6,10 @@ - name: Include role aide vars: aide_db_fetch_dir: files - aide_install: true - aide_generate_config: true - aide_init: true + aide_install: false + aide_generate_config: false + aide_init: false + aide_fetch_db: false aide_check: false aide_update: false ansible.builtin.include_role: diff --git a/examples/deploy.yml b/examples/deploy.yml index bcdd356..76f2df0 100644 --- a/examples/deploy.yml +++ b/examples/deploy.yml @@ -9,7 +9,8 @@ aide_install: true aide_generate_config: true aide_init: true - aide_check: false - aide_update: false + aide_fetch_db: true + aide_check: true + aide_update: true ansible.builtin.include_role: name: linux-system-roles.aide diff --git a/examples/just_check.yml b/examples/just_check.yml index a270d53..ee161f5 100644 --- a/examples/just_check.yml +++ b/examples/just_check.yml @@ -9,6 +9,7 @@ aide_install: false aide_generate_config: false aide_init: false + aide_fetch_db: false aide_check: true aide_update: false ansible.builtin.include_role: diff --git a/examples/just_update.yml b/examples/just_update.yml index 310b67d..b26a498 100644 --- a/examples/just_update.yml +++ b/examples/just_update.yml @@ -9,6 +9,7 @@ aide_install: false aide_generate_config: false aide_init: false + aide_fetch_db: false aide_check: false aide_update: true ansible.builtin.include_role: diff --git a/tasks/main.yml b/tasks/main.yml index 2243c0a..7f1aa31 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -29,7 +29,7 @@ when: - aide_generate_config -- name: Initialize AIDE database and fetch it +- name: Initialize AIDE database when: - aide_init block: 
@@ -38,6 +38,29 @@ cmd: aide --init changed_when: true + - name: Copy AIDE reference database + ansible.builtin.copy: + remote_src: true + src: "{{ __aide_db_new_name }}" + dest: "{{ __aide_db_name }}" + owner: root + group: root + mode: "0440" + force: yes + when: + - not aide_fetch_db + + - name: Remove remote AIDE database file + ansible.builtin.file: + path: "{{ __aide_db_new_name }}" + state: absent + when: + - not aide_fetch_db + +- name: Fetch AIDE database + when: + - aide_fetch_db + block: - name: Fetch AIDE database ansible.builtin.fetch: src: "{{ __aide_db_new_name }}" @@ -52,15 +75,16 @@ when: - aide_check block: - - name: Copy AIDE reference database to remote + - name: Copy AIDE reference database ansible.builtin.copy: - src: - "{{ aide_db_fetch_dir }}/{{ inventory_hostname }}/var/lib/aide/\ - aide.db.new.gz" + src: "{{ aide_db_fetch_dir }}/{{ inventory_hostname }}\ + {{ __aide_db_new_name }}" dest: "{{ __aide_db_name }}" owner: root group: root mode: "0440" + when: + - aide_fetch_db - name: Check against AIDE reference database ansible.builtin.command: @@ -75,7 +99,8 @@ ansible.builtin.command: cmd: aide --update register: __aide_update_result - failed_when: __aide_update_result.rc > 7 + failed_when: "'AIDE found NO differences between database and filesystem. Looks okay!!'\ + not in __aide_update_result.stdout" changed_when: true - name: Fetch AIDE database diff --git a/templates/aide.conf.j2 b/templates/aide.conf.j2 index 60b69a4..e0ce4cf 100644 --- a/templates/aide.conf.j2 +++ b/templates/aide.conf.j2 
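Review bot: When `aide_fetch_db` is false the init block leaves the only copy of the reference database on the monitored host (`/var/lib/aide/aide.db.gz`, root:root 0440) and the later check compares the filesystem against that on-host copy, so anyone who gains root can re-run `aide --init` or edit the database and every subsequent check passes; this mode detects only non-root tampering. That is an acceptable convenience mode, but the role should say so rather than let users assume parity with the fetched mode. Document on `aide_fetch_db` that storing the database on the controller is the recommended configuration, and put a `# NOTE: database stays on the host; a root compromise can rewrite it` comment above the `not aide_fetch_db` copy task.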
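Review bot: The new `failed_when` for `aide --update` inverts the task's purpose: `--update` is run precisely because the filesystem has drifted from the database, and in that case AIDE prints a change report rather than the "NO differences ... Looks okay!!" line, so the task fails exactly when it has useful work to do and the fresh `aide.db.new.gz` is never fetched. Matching report text is also brittle across AIDE versions and locales. As the aide(1) man page describes, the exit status is a bitmask of findings (1 new, 2 removed, 4 changed, so at most 7) with higher values reserved for errors, which is what the removed `failed_when: __aide_update_result.rc > 7` expressed; restore that line, and if a "nothing changed" signal is wanted derive it from `changed_when: __aide_update_result.rc != 0` instead.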
@@ -5,8 +5,14 @@ @@define DBDIR /var/lib/aide @@define LOGDIR /var/log/aide +{% if ansible_facts['os_family'] == 'RedHat' and + ansible_facts['distribution_major_version'] in ['8','9'] %} # The location of the database to be read. database=file:@@{DBDIR}/aide.db.gz +{% else %} +# The location of the database to be read. +database_in=file:@@{DBDIR}/aide.db.gz +{% endif %} # The location of the database to be written. #database_out=sql:host:port:database:login_name:passwd:table @@ -16,8 +22,15 @@ database_out=file:@@{DBDIR}/aide.db.new.gz # Whether to gzip the output to database gzip_dbout=yes +{% if ansible_facts['os_family'] == 'RedHat' and + ansible_facts['distribution_major_version'] in ['8','9'] %} # Default. verbose=5 +{% else %} +# Default. +log_level=warning +report_level=changed_attributes +{% endif %} report_url=file:@@{LOGDIR}/aide.log report_url=stdout From 5c653f2c85a2c27c9d8f82bbefded7a4f59e282c Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Fri, 8 Nov 2024 15:38:51 +0100 Subject: [PATCH 05/12] Added custom template functionality Signed-off-by: Radovan Sroka --- README.md | 27 +- defaults/main.yml | 6 +- .../aide-custom.conf.j2 | 0 examples/custom-template.yml | 16 + examples/default.yml | 1 - examples/deploy.yml | 7 +- examples/just_check.yml | 1 - examples/just_update.yml | 1 - tasks/main.yml | 9 +- templates/foo.conf.j2 | 9 - tests/files/aide-custom.conf.j2 | 319 ++++++++++++++++++ tests/tests_custom_template.yml | 17 + tests/tests_default.yml | 17 +- tests/tests_deploy.yml | 3 +- 14 files changed, 396 insertions(+), 37 deletions(-) rename templates/aide.conf.j2 => examples/aide-custom.conf.j2 (100%) create mode 100644 examples/custom-template.yml delete mode 100644 templates/foo.conf.j2 create mode 100644 tests/files/aide-custom.conf.j2 create mode 100644 tests/tests_custom_template.yml diff --git a/README.md b/README.md index bec57af..79d18f2 100644 --- a/README.md +++ b/README.md 
@@ -35,6 +35,21 @@ only. ## Role Variables +### aide_custom_template + +This variable takes a string to specify a path where the custom template for aide.conf is located. + +To be sure that everething is correct, template needs to start with following snippet: + +``` jinja +{{ ansible_managed | comment }} +{{ "system_role:aide" | comment(prefix="", postfix="") }} +``` + +Default: `null` + +Type: `string` + ### aide_db_fetch_dir This variable takes a string to specify the directory on the Ansible Control @@ -45,17 +60,13 @@ same directory as the playbook. In case you like to store the fetched AIDE database files somewhere else you need to specify a different path here. -### aide_install +Default: `files` -With this variable the role ensures that the `aide` package is installed on the remote nodes - -Default: `false` +Type: `string -Type: `bool` - -### aide_generate_config +### aide_install -Generates the file `/etc/aide.conf` using `templates/aide.conf.j2`; the template needs to be adjusted to fit your requirements; if you do not use this varable the default configuration file shipped with the `aide` package will be used. +With this variable the role ensures that the `aide` package is installed on the remote nodes Default: `false` diff --git a/defaults/main.yml b/defaults/main.yml index 11db323..27479e2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -3,15 +3,15 @@ # Here is the right place to put the role's input variables. # This file also serves as a documentation for such a variables. +# Path to template file +aide_custom_template: null + # Examples of role input variables: aide_db_fetch_dir: files # Enable install phase aide_install: false -# Enable config file generation phase -aide_generate_config: false - # Enable initialization of the database phase aide_init: false diff --git a/templates/aide.conf.j2 b/examples/aide-custom.conf.j2 similarity index 100% rename from templates/aide.conf.j2 rename to examples/aide-custom.conf.j2 
diff --git a/examples/custom-template.yml b/examples/custom-template.yml new file mode 100644 index 0000000..f167e17 --- /dev/null +++ b/examples/custom-template.yml @@ -0,0 +1,16 @@ +# SPDX-License-Identifier: MIT +--- +- name: Example aide role invocation + hosts: targets + tasks: + - name: Include role aide + vars: + aide_custom_template: /tmp/aide-custom.conf.j2 + aide_db_fetch_dir: files + aide_install: true + aide_init: true + aide_fetch_db: true + aide_check: true + aide_update: true + ansible.builtin.include_role: + name: linux-system-roles.aide diff --git a/examples/default.yml b/examples/default.yml index 9425f00..2c27811 100644 --- a/examples/default.yml +++ b/examples/default.yml @@ -7,7 +7,6 @@ vars: aide_db_fetch_dir: files aide_install: false - aide_generate_config: false aide_init: false aide_fetch_db: false aide_check: false diff --git a/examples/deploy.yml b/examples/deploy.yml index 76f2df0..5c7bfc9 100644 --- a/examples/deploy.yml +++ b/examples/deploy.yml @@ -7,10 +7,9 @@ vars: aide_db_fetch_dir: files aide_install: true - aide_generate_config: true aide_init: true - aide_fetch_db: true - aide_check: true - aide_update: true + aide_fetch_db: false + aide_check: false + aide_update: false ansible.builtin.include_role: name: linux-system-roles.aide diff --git a/examples/just_check.yml b/examples/just_check.yml index ee161f5..ec3c325 100644 --- a/examples/just_check.yml +++ b/examples/just_check.yml @@ -7,7 +7,6 @@ vars: aide_db_fetch_dir: files aide_install: false - aide_generate_config: false aide_init: false aide_fetch_db: false aide_check: true diff --git a/examples/just_update.yml b/examples/just_update.yml index b26a498..1c6afbd 100644 --- a/examples/just_update.yml +++ b/examples/just_update.yml @@ -7,7 +7,6 @@ vars: aide_db_fetch_dir: files aide_install: false - aide_generate_config: false aide_init: false aide_fetch_db: false aide_check: false diff --git a/tasks/main.yml b/tasks/main.yml index 7f1aa31..669b989 100644 --- a/tasks/main.yml 
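Review bot: The example sets `aide_custom_template: /tmp/aide-custom.conf.j2`, a world-writable location on the controller. `ansible.builtin.template` renders the file with Jinja on the controller, and a Jinja template can call lookup plugins (`lookup('pipe', ...)` and the like) that execute there, so whoever can write that path can run code as the Ansible user before the config ever reaches a target. Point the example at a path the playbook owns, `aide_custom_template: files/aide-custom.conf.j2` (relative to the playbook, as tests/tests_custom_template.yml in this same commit does), and add a comment that the template must come from a trusted, access-controlled location.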
+++ b/tasks/main.yml @@ -22,12 +22,15 @@ - name: Generate "/etc/{{ __aide_config }}" ansible.builtin.template: - src: "{{ __aide_config }}.j2" +# remote_src: true + src: "{{ aide_custom_template }}" dest: "/etc/{{ __aide_config }}" - backup: true mode: "0400" when: - - aide_generate_config + - aide_custom_template + +#- name: Print Header +# ansible.builtin.shell: head /etc/aide.conf || true - name: Initialize AIDE database when: diff --git a/templates/foo.conf.j2 b/templates/foo.conf.j2 deleted file mode 100644 index 2ed6d2e..0000000 --- a/templates/foo.conf.j2 +++ /dev/null @@ -1,9 +0,0 @@ -# SPDX-License-Identifier: MIT -# -# Example of a template of configuration file -# -{{ ansible_managed | comment }} -{{ "system_role:aide" | comment(prefix="", postfix="") }} -[foo] -foo = {{ template_foo }} -bar = {{ template_bar }} diff --git a/tests/files/aide-custom.conf.j2 b/tests/files/aide-custom.conf.j2 new file mode 100644 index 0000000..e0ce4cf --- /dev/null +++ b/tests/files/aide-custom.conf.j2 
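Review bot: This hunk removes `backup: true` from the template task, so the first run with a custom template silently overwrites the package's `/etc/aide.conf`, or a locally tuned one, with no copy left to diff against when the next check reports that file changed. Keep `backup: true`, and set `owner: root` and `group: root` explicitly as the database copy tasks already do instead of relying on the connecting user. If the installed AIDE supports `--config-check`, `validate: "aide --config-check --config=%s"` would reject a broken template before it replaces the live file. The commented-out `Print Header` shell task is debugging residue and should not land in the role.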
@@ -0,0 +1,319 @@ +{{ ansible_managed | comment }} +{{ "system_role:aide" | comment(prefix="", postfix="") }} +# Example configuration file for AIDE. + +@@define DBDIR /var/lib/aide +@@define LOGDIR /var/log/aide + +{% if ansible_facts['os_family'] == 'RedHat' and + ansible_facts['distribution_major_version'] in ['8','9'] %} +# The location of the database to be read. +database=file:@@{DBDIR}/aide.db.gz +{% else %} +# The location of the database to be read. +database_in=file:@@{DBDIR}/aide.db.gz +{% endif %} + +# The location of the database to be written. +#database_out=sql:host:port:database:login_name:passwd:table +#database_out=file:aide.db.new +database_out=file:@@{DBDIR}/aide.db.new.gz + +# Whether to gzip the output to database +gzip_dbout=yes + +{% if ansible_facts['os_family'] == 'RedHat' and + ansible_facts['distribution_major_version'] in ['8','9'] %} +# Default. +verbose=5 +{% else %} +# Default. +log_level=warning +report_level=changed_attributes +{% endif %} + +report_url=file:@@{LOGDIR}/aide.log +report_url=stdout +#report_url=stderr +#NOT IMPLEMENTED report_url=mailto:root@foo.com +#NOT IMPLEMENTED report_url=syslog:LOG_AUTH + +# These are the default rules. +# +#p: permissions +#i: inode: +#n: number of links +#u: user +#g: group +#s: size +#b: block count +#m: mtime +#a: atime +#c: ctime +#S: check for growing size +#acl: Access Control Lists +#selinux SELinux security context +#xattrs: Extended file attributes +#md5: md5 checksum +#sha1: sha1 checksum +#sha256: sha256 checksum +#sha512: sha512 checksum +#rmd160: rmd160 checksum +#tiger: tiger checksum + +#haval: haval checksum (MHASH only) +#gost: gost checksum (MHASH only) +#crc32: crc32 checksum (MHASH only) +#whirlpool: whirlpool checksum (MHASH only) + +#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5 +#L: p+i+n+u+g+acl+selinux+xattrs +#E: Empty group +#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs + +# You can create custom rules like this. +# With MHASH... 
+# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 +ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger +# Everything but access time (Ie. all changes) +EVERYTHING = R+ALLXTRAHASHES + +# Sane +# NORMAL = R+sha512 +NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512 + +# For directories, don't bother doing hashes +DIR = p+i+n+u+g+acl+selinux+xattrs + +# Access control only +PERMS = p+u+g+acl+selinux+xattrs + +# Logfile are special, in that they often change +LOG = p+u+g+n+S+acl+selinux+xattrs + +# Content + file type. +CONTENT = sha512+ftype + +# Extended content + file type + access. +CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs + +# Some files get updated automatically, so the inode/ctime/mtime change +# but we want to know when the data inside them changes +DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512 + +# Next decide what directories/files you want in the database. + +/boot CONTENT_EX +/opt CONTENT + +# Admins dot files constantly change, just check perms +/root/\..* PERMS +!/root/.xauth* +# Otherwise get all of /root. +/root CONTENT_EX + +# These are too volatile +!/usr/src +!/usr/tmp +!/root/.ansible* + +# Otherwise get all of /usr. 
+/usr CONTENT_EX + +# trusted databases +/etc/hosts$ CONTENT_EX +/etc/host.conf$ CONTENT_EX +/etc/hostname$ CONTENT_EX +/etc/issue$ CONTENT_EX +/etc/issue.net$ CONTENT_EX +/etc/protocols$ CONTENT_EX +/etc/services$ CONTENT_EX +/etc/localtime$ CONTENT_EX +/etc/alternatives CONTENT_EX +/etc/sysconfig CONTENT_EX +/etc/mime.types$ CONTENT_EX +/etc/terminfo CONTENT_EX +/etc/exports$ CONTENT_EX +/etc/fstab$ CONTENT_EX +/etc/passwd$ CONTENT_EX +/etc/group$ CONTENT_EX +/etc/gshadow$ CONTENT_EX +/etc/shadow$ CONTENT_EX +/etc/subgid$ CONTENT_EX +/etc/subuid$ CONTENT_EX +/etc/security/opasswd$ CONTENT_EX +/etc/skel CONTENT_EX +/etc/sssd CONTENT_EX +/etc/machine-id$ CONTENT_EX +/etc/swid CONTENT_EX +/etc/system-release-cpe$ CONTENT_EX +/etc/shells$ CONTENT_EX +/etc/tmux.conf$ CONTENT_EX +/etc/xattr.conf$ CONTENT_EX + +# networking +/etc/firewalld CONTENT_EX +!/etc/NetworkManager/system-connections +/etc/NetworkManager CONTENT_EX +/etc/networks$ CONTENT_EX +/etc/dhcp CONTENT_EX +/etc/wpa_supplicant CONTENT_EX +/etc/resolv.conf$ DATAONLY +/etc/nscd.conf$ CONTENT_EX + +# logins and accounts +/etc/login.defs$ CONTENT_EX +/etc/libuser.conf$ CONTENT_EX +/var/log/faillog$ PERMS +/var/log/lastlog$ PERMS +/var/run/faillock PERMS +/etc/pam.d CONTENT_EX +/etc/security CONTENT_EX +/etc/securetty$ CONTENT_EX +/etc/polkit-1 CONTENT_EX +/etc/sudo.conf$ CONTENT_EX +/etc/sudoers$ CONTENT_EX +/etc/sudoers.d CONTENT_EX + +# Shell/X startup files +/etc/profile$ CONTENT_EX +/etc/profile.d CONTENT_EX +/etc/bashrc$ CONTENT_EX +/etc/bash_completion.d CONTENT_EX +/etc/zprofile$ CONTENT_EX +/etc/zshrc$ CONTENT_EX +/etc/zlogin$ CONTENT_EX +/etc/zlogout$ CONTENT_EX +/etc/X11 CONTENT_EX + +# Pkg manager +/etc/dnf CONTENT_EX +/etc/yum.conf$ CONTENT_EX +/etc/yum CONTENT_EX +/etc/yum.repos.d CONTENT_EX + +# This gets new/removes-old filenames daily +!/var/log/sa +# As we are checking it, we've truncated yesterdays size to zero. 
+!/var/log/aide.log + +# auditing +# AIDE produces an audit record, so this becomes perpetual motion. +/var/log/audit PERMS +/etc/audit CONTENT_EX +/etc/libaudit.conf$ CONTENT_EX +/etc/aide.conf$ CONTENT_EX + +# System logs +/etc/rsyslog.conf$ CONTENT_EX +/etc/rsyslog.d CONTENT_EX +/etc/logrotate.conf$ CONTENT_EX +/etc/logrotate.d CONTENT_EX +/etc/systemd/journald.conf$ CONTENT_EX +/var/log LOG+ANF+ARF +/var/run/utmp LOG + +# secrets +/etc/pkcs11 CONTENT_EX +/etc/pki CONTENT_EX +/etc/crypto-policies CONTENT_EX +/etc/certmonger CONTENT_EX +/var/lib/systemd/random-seed$ PERMS + +# init system +/etc/systemd CONTENT_EX +/etc/rc.d CONTENT_EX +/etc/tmpfiles.d CONTENT_EX + +# boot config +/etc/default CONTENT_EX +/etc/grub.d CONTENT_EX +/etc/dracut.conf$ CONTENT_EX +/etc/dracut.conf.d CONTENT_EX + +# glibc linker +/etc/ld.so.cache$ CONTENT_EX +/etc/ld.so.conf$ CONTENT_EX +/etc/ld.so.conf.d CONTENT_EX +/etc/ld.so.preload$ CONTENT_EX + +# kernel config +/etc/sysctl.conf$ CONTENT_EX +/etc/sysctl.d CONTENT_EX +/etc/modprobe.d CONTENT_EX +/etc/modules-load.d CONTENT_EX +/etc/depmod.d CONTENT_EX +/etc/udev CONTENT_EX +/etc/crypttab$ CONTENT_EX + +#### Daemons #### + +# cron jobs +/etc/at.allow$ CONTENT +/etc/at.deny$ CONTENT +/etc/anacrontab$ CONTENT_EX +/etc/cron.allow$ CONTENT_EX +/etc/cron.deny$ CONTENT_EX +/etc/cron.d CONTENT_EX +/etc/cron.daily CONTENT_EX +/etc/cron.hourly CONTENT_EX +/etc/cron.monthly CONTENT_EX +/etc/cron.weekly CONTENT_EX +/etc/crontab$ CONTENT_EX +/var/spool/cron/root CONTENT + +# time keeping +/etc/chrony.conf$ CONTENT_EX +/etc/chrony.keys$ CONTENT_EX + +# mail +/etc/aliases$ CONTENT_EX +/etc/aliases.db$ CONTENT_EX +/etc/postfix CONTENT_EX + +# ssh +/etc/ssh/sshd_config$ CONTENT_EX +/etc/ssh/ssh_config$ CONTENT_EX + +# stunnel +/etc/stunnel CONTENT_EX + +# printing +/etc/cups CONTENT_EX +/etc/cupshelpers CONTENT_EX +/etc/avahi CONTENT_EX + +# web server +/etc/httpd CONTENT_EX + +# dns +/etc/named CONTENT_EX +/etc/named.conf$ CONTENT_EX 
+/etc/named.iscdlv.key$ CONTENT_EX +/etc/named.rfc1912.zones$ CONTENT_EX +/etc/named.root.key$ CONTENT_EX + +# xinetd +/etc/xinetd.conf$ CONTENT_EX +/etc/xinetd.d CONTENT_EX + +# IPsec +/etc/ipsec.conf$ CONTENT_EX +/etc/ipsec.secrets$ CONTENT_EX +/etc/ipsec.d CONTENT_EX + +# USB guard +/etc/usbguard CONTENT_EX + +# Ignore some files +!/etc/mtab$ +!/etc/.*~ + +# Now everything else +/etc PERMS + +# With AIDE's default verbosity level of 5, these would give lots of +# warnings upon tree traversal. It might change with future version. +# +#=/lost\+found DIR +#=/home DIR diff --git a/tests/tests_custom_template.yml b/tests/tests_custom_template.yml new file mode 100644 index 0000000..ebf5cad --- /dev/null +++ b/tests/tests_custom_template.yml @@ -0,0 +1,17 @@ +# SPDX-License-Identifier: MIT +--- +- name: Ensure that the role runs with default parameters + hosts: all + gather_facts: false # test that role works in this case + roles: + - role: linux-system-roles.aide + vars: + aide_custom_template: files/aide-custom.conf.j2 + aide_install: true + aide_init: true + tasks: + - name: Check header for ansible_managed, fingerprint + include_tasks: tasks/check_header.yml + vars: + __file: /etc/aide.conf + __fingerprint: system_role:aide diff --git a/tests/tests_default.yml b/tests/tests_default.yml index af98ed0..c450dde 100644 --- a/tests/tests_default.yml +++ b/tests/tests_default.yml @@ -6,8 +6,15 @@ roles: - linux-system-roles.aide tasks: - - name: Check header for ansible_managed, fingerprint - include_tasks: tasks/check_not_present_header.yml - vars: - __file: /etc/aide.conf - __fingerprint: system_role:aide + - name: Check if file exists + block: + - name: Check if the file exists + ansible.builtin.stat: + path: "/etc/aide.conf" + register: file_check + + - name: Assert that the file exists + ansible.builtin.assert: + that: + - not file_check.stat.exists + fail_msg: "The file does exist." 
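Review bot: The fixture monitors `/etc/ssh/sshd_config$` and `/etc/ssh/ssh_config$` at CONTENT_EX but nothing else under `/etc/ssh/`, so drop-ins in `/etc/ssh/sshd_config.d/` (pulled in via `Include` by recent RHEL and Fedora sshd_config files) and the host keys fall through to the catch-all `/etc PERMS` rule and are checked for permissions only; a modified drop-in or a swapped host key is not reported. Because the same blob is also shipped as `examples/aide-custom.conf.j2`, users will copy this gap verbatim. Add `/etc/ssh/sshd_config.d CONTENT_EX` and `/etc/ssh/ssh_host_.*_key(\.pub)?$ CONTENT_EX` next to the existing ssh rules, or simply replace the two lines with `/etc/ssh CONTENT_EX`.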
diff --git a/tests/tests_deploy.yml b/tests/tests_deploy.yml index 2c09e27..d141281 100644 --- a/tests/tests_deploy.yml +++ b/tests/tests_deploy.yml @@ -7,11 +7,10 @@ - role: linux-system-roles.aide vars: aide_install: true - aide_generate_config: true aide_init: true tasks: - name: Check header for ansible_managed, fingerprint - include_tasks: tasks/check_header.yml + include_tasks: tasks/check_not_present_header.yml vars: __file: /etc/aide.conf __fingerprint: system_role:aide From dc7c6918171a6666e2126666186f6c1b8fdae6a4 Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Fri, 8 Nov 2024 16:43:29 +0100 Subject: [PATCH 06/12] Fix review items and enable rhel8 Signed-off-by: Radovan Sroka --- meta/main.yml | 3 ++- tasks/main.yml | 8 ++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/meta/main.yml b/meta/main.yml index 96430ee..298a07e 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -53,10 +53,11 @@ galaxy_info: - all - name: EL versions: + - "8" - "9" - - "10" galaxy_tags: + - el8 - el9 - el10 - fedora diff --git a/tasks/main.yml b/tasks/main.yml index 669b989..22297fb 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -29,8 +29,8 @@ when: - aide_custom_template -#- name: Print Header -# ansible.builtin.shell: head /etc/aide.conf || true +# - name: Print Header +# ansible.builtin.shell: head /etc/aide.conf || true - name: Initialize AIDE database when: @@ -44,12 +44,12 @@ - name: Copy AIDE reference database ansible.builtin.copy: remote_src: true - src: "{{ __aide_db_new_name }}" + src: "{{ __aide_db_new_name }}" dest: "{{ __aide_db_name }}" owner: root group: root mode: "0440" - force: yes + force: true when: - not aide_fetch_db From 21c764541dbce1a1b5f9249a69e1ee0c72d3bbda Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Fri, 8 Nov 2024 16:59:53 +0100 Subject: [PATCH 07/12] Remove environment_settings from github workflows due to broken environment processing in a testing farm 
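Review bot: The EL platform list in meta/main.yml now reads `"8"`, `"9"` with `"10"` removed, yet `galaxy_tags` still advertises `el10`, so Galaxy will claim EL10 support the role no longer declares. The commit message says "enable rhel8", which suggests dropping 10 was accidental; keep `- "10"` under `versions` (nothing in the series is EL10-specific, so no other change is needed) or remove the `el10` tag so the two lists agree.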
Signed-off-by: Radovan Sroka --- .github/workflows/tft.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/tft.yml b/.github/workflows/tft.yml index 0ade297..d1b9ea4 100644 --- a/.github/workflows/tft.yml +++ b/.github/workflows/tft.yml @@ -160,7 +160,6 @@ jobs: git_url: https://github.com/linux-system-roles/tft-tests git_ref: main pipeline_settings: '{ "type": "tmt-multihost" }' - environment_settings: '{ "provisioning": { "tags": { "BusinessUnit": "system_roles" } } }' # Keeping ARTIFACTS_URL at the bottom makes the link in logs clickable variables: "ANSIBLE_VER=${{ matrix.ansible_version }};\ REPO_NAME=${{ github.event.repository.name }};\ From c850c6b27c445af32f546362459fce539272858c Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Mon, 11 Nov 2024 14:32:26 +0100 Subject: [PATCH 08/12] Fix other suggestions Signed-off-by: Radovan Sroka --- README.md | 11 +---------- defaults/main.yml | 2 +- examples/custom-template.yml | 2 +- tasks/main.yml | 23 ++++++++++++----------- tests/tests_custom_template.yml | 2 +- 5 files changed, 16 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index 79d18f2..1ab698e 100644 --- a/README.md +++ b/README.md @@ -4,9 +4,6 @@ This is an ansible role that installs and configures the [Advanced Intrusion Detection Environment (AIDE)](https://aide.github.io). For Day 2 tasks it can run integrity checks and update the AIDE database. -_Notice:_ This is a very early stage of a work in progress. Please use with -extreme caution as it might break your system. - ## What does this role do for you? * It ensures that the `aide` package is installed on the remote nodes 
@@ -16,12 +13,6 @@ extreme caution as it might break your system. * It runs AIDE integrity checks on the remote nodes * It updates the AIDE databases and stores them on the controller node -## How does the role do that? - -* The role is controlled by using role variables -* If you run the playbook without specifying any role variable the role will change nothing on your remote nodes -* To execute some supported use cases you need to explicitly specify one or more of the following variables - ### Available tags to control and use the role ## What does this role not do for you? @@ -35,7 +26,7 @@ only. ## Role Variables -### aide_custom_template +### aide_db_template This variable takes a string to specify a path where the custom template for aide.conf is located. diff --git a/defaults/main.yml b/defaults/main.yml index 27479e2..92cc167 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -4,7 +4,7 @@ # This file also serves as a documentation for such a variables. # Path to template file -aide_custom_template: null +aide_db_template: null # Examples of role input variables: aide_db_fetch_dir: files diff --git a/examples/custom-template.yml b/examples/custom-template.yml index f167e17..2b9e19d 100644 --- a/examples/custom-template.yml +++ b/examples/custom-template.yml @@ -5,7 +5,7 @@ tasks: - name: Include role aide vars: - aide_custom_template: /tmp/aide-custom.conf.j2 + aide_db_template: /tmp/aide-custom.conf.j2 aide_db_fetch_dir: files aide_install: true aide_init: true diff --git a/tasks/main.yml b/tasks/main.yml index 22297fb..baaf7a3 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -11,7 +11,7 @@ use: "{{ (__aide_is_ostree | d(false)) | ternary('ansible.posix.rhel_rpm_ostree', omit) }}" when: - - aide_install + - aide_install | bool - name: Ensure required services are enabled and started ansible.builtin.service: 
@@ -22,19 +22,20 @@ - name: Generate "/etc/{{ __aide_config }}" ansible.builtin.template: -# remote_src: true - src: "{{ aide_custom_template }}" + src: "{{ aide_db_template }}" dest: "/etc/{{ __aide_config }}" mode: "0400" when: - - aide_custom_template + - aide_db_template is defined + - aide_db_template is not none + - aide_db_template is string # - name: Print Header # ansible.builtin.shell: head /etc/aide.conf || true - name: Initialize AIDE database when: - - aide_init + - aide_init | bool block: - name: Initialize AIDE database ansible.builtin.command: @@ -51,18 +52,18 @@ mode: "0440" force: true when: - - not aide_fetch_db + - not aide_fetch_db | bool - name: Remove remote AIDE database file ansible.builtin.file: path: "{{ __aide_db_new_name }}" state: absent when: - - not aide_fetch_db + - not aide_fetch_db | bool - name: Fetch AIDE database when: - - aide_fetch_db + - aide_fetch_db | bool block: - name: Fetch AIDE database ansible.builtin.fetch: @@ -76,7 +77,7 @@ - name: Check AIDE integrity when: - - aide_check + - aide_check | bool block: - name: Copy AIDE reference database ansible.builtin.copy: @@ -87,7 +88,7 @@ group: root mode: "0440" when: - - aide_fetch_db + - aide_fetch_db | bool - name: Check against AIDE reference database ansible.builtin.command: @@ -96,7 +97,7 @@ - name: Update AIDE database and fetch it when: - - aide_update + - aide_update | bool block: - name: Update AIDE database ansible.builtin.command: diff --git a/tests/tests_custom_template.yml b/tests/tests_custom_template.yml index ebf5cad..999a22b 100644 --- a/tests/tests_custom_template.yml +++ b/tests/tests_custom_template.yml @@ -6,7 +6,7 @@ roles: - role: linux-system-roles.aide vars: - aide_custom_template: files/aide-custom.conf.j2 + aide_db_template: files/aide-custom.conf.j2 aide_install: true aide_init: true tasks: From 46db6ac5ed2a9bbc2a96ad50b3d51fa6f4fa641d Mon Sep 17 00:00:00 2001 
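Review bot: The renamed variable `aide_db_template` feeds the `src:` of the task that generates `/etc/{{ __aide_config }}`, and the README hunk in this same commit describes it as the path of the custom template for aide.conf, so the `db` in the name is misleading — the value is a configuration template, not a database template. A name such as `aide_config_template` would say what the value is and would also avoid confusion with `aide_db_fetch_dir`, which really does concern the database. The `Generate` task's header is above the hunk.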
From: Radovan Sroka Date: Mon, 11 Nov 2024 15:26:44 +0100 Subject: [PATCH 09/12] Remove aide_install phase and do it uncoditionally Signed-off-by: Radovan Sroka --- README.md | 8 -------- defaults/main.yml | 3 --- examples/custom-template.yml | 1 - examples/default.yml | 1 - examples/deploy.yml | 1 - examples/just_check.yml | 1 - examples/just_update.yml | 1 - tasks/main.yml | 2 -- tests/tests_default.yml | 10 ++++++++-- tests/tests_deploy.yml | 1 - 10 files changed, 8 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 1ab698e..5c5832b 100644 --- a/README.md +++ b/README.md @@ -55,14 +55,6 @@ Default: `files` Type: `string -### aide_install - -With this variable the role ensures that the `aide` package is installed on the remote nodes - -Default: `false` - -Type: `bool` - ### aide_init Initializes the AIDE database. diff --git a/defaults/main.yml b/defaults/main.yml index 92cc167..f04914f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -9,9 +9,6 @@ aide_db_template: null # Examples of role input variables: aide_db_fetch_dir: files -# Enable install phase -aide_install: false - # Enable initialization of the database phase aide_init: false diff --git a/examples/custom-template.yml b/examples/custom-template.yml index 2b9e19d..318b551 100644 --- a/examples/custom-template.yml +++ b/examples/custom-template.yml @@ -7,7 +7,6 @@ vars: aide_db_template: /tmp/aide-custom.conf.j2 aide_db_fetch_dir: files - aide_install: true aide_init: true aide_fetch_db: true aide_check: true diff --git a/examples/default.yml b/examples/default.yml index 2c27811..8bcc5b2 100644 --- a/examples/default.yml +++ b/examples/default.yml @@ -6,7 +6,6 @@ - name: Include role aide vars: aide_db_fetch_dir: files - aide_install: false aide_init: false aide_fetch_db: false aide_check: false diff --git a/examples/deploy.yml b/examples/deploy.yml index 5c7bfc9..589c241 100644 --- a/examples/deploy.yml +++ b/examples/deploy.yml 
@@ -6,7 +6,6 @@ - name: Include role aide vars: aide_db_fetch_dir: files - aide_install: true aide_init: true aide_fetch_db: false aide_check: false diff --git a/examples/just_check.yml b/examples/just_check.yml index ec3c325..45f6253 100644 --- a/examples/just_check.yml +++ b/examples/just_check.yml @@ -6,7 +6,6 @@ - name: Include role aide vars: aide_db_fetch_dir: files - aide_install: false aide_init: false aide_fetch_db: false aide_check: true diff --git a/examples/just_update.yml b/examples/just_update.yml index 1c6afbd..d337390 100644 --- a/examples/just_update.yml +++ b/examples/just_update.yml @@ -6,7 +6,6 @@ - name: Include role aide vars: aide_db_fetch_dir: files - aide_install: false aide_init: false aide_fetch_db: false aide_check: false diff --git a/tasks/main.yml b/tasks/main.yml index baaf7a3..70ab28e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -10,8 +10,6 @@ state: present use: "{{ (__aide_is_ostree | d(false)) | ternary('ansible.posix.rhel_rpm_ostree', omit) }}" - when: - - aide_install | bool - name: Ensure required services are enabled and started ansible.builtin.service: diff --git a/tests/tests_default.yml b/tests/tests_default.yml index c450dde..8385f8b 100644 --- a/tests/tests_default.yml +++ b/tests/tests_default.yml @@ -16,5 +16,11 @@ - name: Assert that the file exists ansible.builtin.assert: that: - - not file_check.stat.exists - fail_msg: "The file does exist." + - file_check.stat.exists + fail_msg: "The file does not exist." + + - name: Check header for not present ansible_managed, fingerprint + include_tasks: tasks/check_not_present_header.yml + vars: + __file: /etc/aide.conf + __fingerprint: system_role:aide diff --git a/tests/tests_deploy.yml b/tests/tests_deploy.yml index d141281..5fcce4a 100644 --- a/tests/tests_deploy.yml +++ b/tests/tests_deploy.yml @@ -6,7 +6,6 @@ roles: - role: linux-system-roles.aide vars: - aide_install: true aide_init: true tasks: - name: Check header for ansible_managed, fingerprint 
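Review bot: The added task uses the short action name `include_tasks:` while the role's own tasks in this series consistently use fully-qualified names such as `ansible.builtin.copy` and `ansible.builtin.assert`; writing it as `ansible.builtin.include_tasks: tasks/check_not_present_header.yml` keeps the tests consistent with the role and, as far as I recall, avoids an ansible-lint fqcn finding. The same short form appears in tests/tests_deploy.yml. The `file_check` stat task that the assertion reads is outside the hunk.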
From 028a2918e9822bf010e85bb539d63d9a49c11c1e Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Mon, 11 Nov 2024 16:56:02 +0100 Subject: [PATCH 10/12] Revert "Remove environment_settings from github workflows" This reverts commit 21c764541dbce1a1b5f9249a69e1ee0c72d3bbda. --- .github/workflows/tft.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/tft.yml b/.github/workflows/tft.yml index d1b9ea4..0ade297 100644 --- a/.github/workflows/tft.yml +++ b/.github/workflows/tft.yml @@ -160,6 +160,7 @@ jobs: git_url: https://github.com/linux-system-roles/tft-tests git_ref: main pipeline_settings: '{ "type": "tmt-multihost" }' + environment_settings: '{ "provisioning": { "tags": { "BusinessUnit": "system_roles" } } }' # Keeping ARTIFACTS_URL at the bottom makes the link in logs clickable variables: "ANSIBLE_VER=${{ matrix.ansible_version }};\ REPO_NAME=${{ github.event.repository.name }};\ From 16771de27d02cbaba2bc9a37d5a3b5263c48c147 Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Mon, 11 Nov 2024 17:19:31 +0100 Subject: [PATCH 11/12] Fix whens on one line Signed-off-by: Radovan Sroka --- README.md | 2 -- tasks/main.yml | 26 ++++++++------------------ 2 files changed, 8 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index 5c5832b..f16bc8b 100644 --- a/README.md +++ b/README.md @@ -13,8 +13,6 @@ This is an ansible role that installs and configures the [Advanced Intrusion Det * It runs AIDE integrity checks on the remote nodes * It updates the AIDE databases and stores them on the controller node -### Available tags to control and use the role - ## What does this role not do for you? * It does not explain how to create a good AIDE configuration that suits your requirements; that task remains for you to accomplish diff --git a/tasks/main.yml b/tasks/main.yml index 70ab28e..cc7484e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -23,17 +23,13 @@ src: "{{ aide_db_template }}" dest: "/etc/{{ __aide_config }}" mode: "0400" - when: - - aide_db_template is defined - - aide_db_template is not none - - aide_db_template is string + when: aide_db_template is not none # - name: Print Header # ansible.builtin.shell: head /etc/aide.conf || true - name: Initialize AIDE database - when: - - aide_init | bool + when: aide_init | bool block: - name: Initialize AIDE database ansible.builtin.command: @@ -49,19 +45,16 @@ group: root mode: "0440" force: true - when: - - not aide_fetch_db | bool + when: not aide_fetch_db | bool - name: Remove remote AIDE database file ansible.builtin.file: path: "{{ __aide_db_new_name }}" state: absent - when: - - not aide_fetch_db | bool + when: not aide_fetch_db | bool - name: Fetch AIDE database - when: - - aide_fetch_db | bool + when: aide_fetch_db | bool block: - name: Fetch AIDE database ansible.builtin.fetch: @@ -74,8 +67,7 @@ state: absent - name: Check AIDE integrity - when: - - aide_check | bool + when: aide_check | bool block: - name: Copy AIDE reference database ansible.builtin.copy: @@ -85,8 +77,7 @@ owner: root group: root mode: "0440" - when: - - aide_fetch_db | bool + when: aide_fetch_db | bool - name: Check against AIDE reference database ansible.builtin.command: @@ -94,8 +85,7 @@ changed_when: true - name: Update AIDE database and fetch it - when: - - aide_update | bool + when: aide_update | bool block: - name: Update AIDE database ansible.builtin.command: From d3292b69a6978cd140f20867b1729b901b90c1d2 Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Tue, 12 Nov 2024 10:36:21 +0100 Subject: [PATCH 12/12] Add link to original role Signed-off-by: Radovan Sroka --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index f16bc8b..b1a4250 100644 --- a/README.md +++ b/README.md @@ -118,3 +118,4 @@ MIT. * Radovan Sroka * Joerg Kastning +* Based on [Tronde/aide](https://github.com/Tronde/aide) ansible role
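Review bot: The simplified guard `when: aide_db_template is not none` still lets an empty string through, so `aide_db_template: ""` runs the template task with an empty `src` and fails inside the module instead of being skipped or rejected up front; the previous three-line form had the same gap. Either `when: aide_db_template is not none and aide_db_template | length > 0` to skip the task, or an `ansible.builtin.assert` on `aide_db_template is none or aide_db_template | length > 0` placed before it to fail with a clear message, would close it. The `Generate` task's header is above the hunk.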