Improvements to 6.1.1 logic

Signed-off-by: Mark Bolwell <[email protected]>
ansible-lockdown · Nov 19, 2024 · c2b422b · c2b422b
1 parent 685f4a0
commit c2b422b
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 10 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1039,13 +1039,23 @@ ubtu22cis_shell_session_file: /etc/profile.d/tmout.sh
 # By setting this variable to `true`, all of the settings related to AIDE will be applied!
 ubtu22cis_config_aide: true
 
+# If DB file older than below will automatically rebuild DB
+# e.g. options:1w = 1 week, 1d = 1day 1h = 1 hour
+ubtu22cis_aide_db_file_age: 1w
+
+# If aide already setup this forces a new DB to be created
+ubtu22cis_aide_db_recreate: false
+
+# allows to change db file, not config need to be adjusted too
+ubtu22cis_aide_db_file: /var/lib/aide/aide.db
+
 ## When Initializing aide this can take longer on some systems
 # changing the values enables user to change to thier own requirements
 ubtu22cis_aide_init:
     # Maximum Time in seconds
-    async: 45
+    async: 600
     # Polling Interval in seconds
-    poll: 0
+    poll: 15
 
 ## Control 6.1.2
 # Set how aide is scanned either cron or timer

diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
@@ -26,15 +26,39 @@
       ansible.builtin.package_facts:
         manager: auto
 
+    - name: "6.1.1 | AUDIT | Ensure AIDE is installed | Check file exists"
+      ansible.builtin.stat:
+        path: "{{ ubtu22cis_aide_db_file }}"
+      register: discovered_aide_db_file
+
+    - name: "6.1.1 | AUDIT | Ensure AIDE is installed | Check current db file age"
+      when: discovered_aide_db_file.stat.exists
+      ansible.builtin.find:
+        path: "{{ ubtu22cis_aide_db_file | dirname }}"
+        pattern: "{{ ubtu22cis_aide_db_file | basename }}"
+        age: "{{ ubtu22cis_aide_db_file_age }}"
+      register: discovered_aide_db_age
+
     - name: "6.1.1 | PATCH | Ensure AIDE is installed | Configure AIDE"
-      ansible.builtin.shell: aideinit && mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-      args:
-        creates: /var/lib/aide/aide.db
-      changed_when: false
-      failed_when: false
-      async: "{{ ubtu22cis_aide_init.async }}"
-      poll: "{{ ubtu22cis_aide_init.poll }}"
-      when: not ansible_check_mode
+      when:
+        - not ansible_check_mode
+        - not discovered_aide_db_file.stat.exists or
+          (discovered_aide_db_age.files | length > 0) or
+          ubtu22cis_aide_db_recreate
+      block:
+        - name: "6.1.1 | PATCH | Ensure AIDE is installed | Remove current db file"
+          ansible.builtin.file:
+            path: "{{ ubtu22cis_aide_db_file }}"
+            state: absent
+
+        - name: "6.1.1 | PATCH | Ensure AIDE is installed | Configure AIDE"
+          when:
+            - not ansible_check_mode
+          ansible.builtin.shell: aideinit -y -f
+          args:
+            creates: "{{ ubtu22cis_aide_db_file }}"
+          async: "{{ ubtu22cis_aide_init.async }}"
+          poll: "{{ ubtu22cis_aide_init.poll }}"
 
 - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked"
   when: