Enable AIDE [+Docs]

This patch installs AIDE and optionally initializes the AIDE database. A
cron job is also deployed for CentOS/RHEL since it doesn't come with
the AIDE package itself.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Iae04c95903960deee2d750037c08b50c4ce4f800

defaults/main.yml

@@ -384,6 +384,10 @@ security_unattended_upgrades_notifications: false
 #
 ###############################################################################
 
+## AIDE (aide)
+# Initialize the AIDE database immediately (may take time).
+security_rhel7_initialize_aide: no                           # RHEL-07-020130
+
 ## Audit daemon (auditd)
 # Send audit records to a different system using audisp.
 #security_audisp_remote_server: '10.0.21.1'                  # RHEL-07-030330

doc/metadata/rhel7/RHEL-07-020130.rst

@@ -1,7 +1,16 @@
 ---
 id: RHEL-07-020130
-status: not implemented
-tag: misc
+status: opt-in
+tag: aide
 ---
 
-This STIG requirement is not yet implemented.
+Initializing the AIDE database and completing the first AIDE run causes
+increased disk I/O and CPU usage for extended periods. Therefore, the AIDE
+database is not automatically initialized by the tasks in the security role.
+
+Deployers can enable the AIDE database initialization within the security role
+by setting the following Ansible variable:
+
+.. code-block::
+
+    security_rhel7_initialize_aide: yes

doc/metadata/rhel7/RHEL-07-020140.rst

@@ -1,7 +1,8 @@
 ---
 id: RHEL-07-020140
-status: not implemented
-tag: misc
+status: implemented
+tag: aide
 ---
 
-This STIG requirement is not yet implemented.
+The cron job for AIDE is configured to send emails to the root user after each
+AIDE run.

tasks/rhel7stig/aide.yml

@@ -0,0 +1,84 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Verify that AIDE configuration directory exists
+  stat:
+    path: /etc/aide/aide.conf.d
+  register: aide_conf
+  check_mode: no
+  tags:
+    - always
+
+- name: Exclude certain directories from AIDE
+  template:
+    src: ZZ_aide_exclusions.j2
+    dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
+  when: aide_conf.stat.exists | bool
+  tags:
+    - medium
+    - aide
+    - RHEL-07-020130
+
+- name: Check to see if AIDE database is already in place
+  stat:
+    path: "{{ aide_database_file }}"
+  register: aide_database
+  check_mode: no
+  tags:
+    - always
+
+- name: Initialize AIDE (this will take a few minutes)
+  command: "aideinit"
+  changed_when: false
+  register: aide_init
+  when:
+    - aide_conf.stat.exists | bool
+    - not aide_database.stat.exists | bool
+    - security_rhel7_initialize_aide | bool
+  tags:
+    - medium
+    - aide
+    - RHEL-07-020130
+
+# NOTE(mhayden): This is only needed for CentOS 7 and RHEL 7 since Ubuntu
+# copies the new AIDE database into place automatically with its AIDE wrapper
+# script.
+- name: Move AIDE database into place
+  command: "mv /var/lib/aide/aide.db.new.gz {{ aide_database_file }}"
+  changed_when: false
+  when:
+    - aide_init | changed
+    - ansible_os_family | lower == 'redhat'
+  tags:
+    - medium
+    - aide
+    - RHEL-07-020130
+
+# NOTE(mhayden): This is only needed for CentOS 7 and RHEL 7 since the AIDE
+# package doesn't come with a cron job file. Ubuntu packages a cron job for
+# AIDE checks already.
+- name: Create AIDE cron job
+  cron:
+    name: aide
+    cron_file: aide
+    user: root
+    special_time: daily
+    job: "aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root"
+  when:
+    - ansible_os_family | lower == 'redhat'
+  tags:
+    - medium
+    - aide
+    - RHEL-07-020140

tasks/rhel7stig/main.yml

@@ -47,6 +47,7 @@
 # each file are tagged with the same name (for example, tasks in `auth.yml`
 # are tagged with `auth`). Also, the tag name matches up with the "STIG
 # Controls by Tag" section of the role documentation.
+- include: aide.yml
 - include: auditd.yml
 - include: auth.yml
 - include: file_perms.yml

tests/test.yml

@@ -86,3 +86,4 @@
     security_enable_firewalld: yes
     security_password_remember_password: 5
     security_disable_account_if_password_expires: yes
+    security_rhel7_initialize_aide: yes

vars/redhat.yml

@@ -98,6 +98,7 @@ stig_packages_rhel7:
   - packages:
       - audispd-plugins
       - audit
+      - aide
       - openssh-clients
       - openssh-server
       - screen

vars/ubuntu.yml

@@ -100,6 +100,8 @@ stig_packages:
 # RHEL 7 STIG: Packages to add/remove
 stig_packages_rhel7:
   - packages:
+      - aide
+      - aide-common
       - libpwquality-common
       - openssh-client
       - openssh-server