From ff2b9adcb546e73907f9ee0587051706e27d259b Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Fri, 20 Dec 2024 02:14:32 +0100 Subject: [PATCH 1/4] feat: Allow setup aide inside of cron job Signed-off-by: Radovan Sroka --- README.md | 27 +++++++++++++++++++++++++++ defaults/main.yml | 14 ++++++++++++++ examples/default.yml | 1 + tasks/main.yml | 14 ++++++++++++++ tests/tests_check_cron.yml | 21 +++++++++++++++++++++ 5 files changed, 77 insertions(+) create mode 100644 tests/tests_check_cron.yml diff --git a/README.md b/README.md index b1a4250..91b6ec2 100644 --- a/README.md +++ b/README.md @@ -85,6 +85,33 @@ Default: `false` Type: `bool` +### aide_cron_check + +Set up periodic cron check for aide + +Default: `false` + +Type: `bool` + +### aide_cron_interval + +Set check interval for cron + +``` yaml +# Example of job definition: +# .---------------- minute (0 - 59) +# | .------------- hour (0 - 23) +# | | .---------- day of month (1 - 31) +# | | | .------- month (1 - 12) OR jan,feb,mar,apr ... +# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat +# | | | | | +# * * * * * +``` + +Default: `0 12 * * *` + +Type: `string` + ## Example Playbook Including an example of how to use your role (for instance, with variables diff --git a/defaults/main.yml b/defaults/main.yml index f04914f..69a0f79 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -20,3 +20,17 @@ aide_check: false # Enable database update phase aide_update: false + +# Enable periodic check +aide_cron_check: false + +# Example of job definition: +# .---------------- minute (0 - 59) +# | .------------- hour (0 - 23) +# | | .---------- day of month (1 - 31) +# | | | .------- month (1 - 12) OR jan,feb,mar,apr ... +# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat +# | | | | | +# * * * * * +# Set cron check interval +aide_cron_interval: "0 12 * * *" diff --git a/examples/default.yml b/examples/default.yml index 8bcc5b2..663b482 100644 
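Review bot: The comment block above `aide_cron_interval` in defaults/main.yml explains the crontab field layout but not that the value is written verbatim as the schedule prefix of a root entry in /etc/crontab (the tasks/main.yml hunk in this patch builds `line: "{{ aide_cron_interval }} root /usr/sbin/aide --check"`), so a reader does not learn that it must be the five schedule fields and nothing else. Suggested replacement for `# Set cron check interval`: `# Schedule fields (exactly five, space separated) for the root /etc/crontab entry that runs 'aide --check'; user and command are fixed by the role`. It is also worth stating there that the value has no effect unless `aide_cron_check` is enabled.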
--- a/examples/default.yml +++ b/examples/default.yml @@ -10,5 +10,6 @@ aide_fetch_db: false aide_check: false aide_update: false + aide_cron_check: false ansible.builtin.include_role: name: linux-system-roles.aide diff --git a/tasks/main.yml b/tasks/main.yml index cc7484e..b8eaa7c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -104,3 +104,17 @@ ansible.builtin.file: path: "{{ __aide_db_new_name }}" state: absent + +- name: Update aide check cron configuration if necessary + ansible.builtin.lineinfile: + path: /etc/crontab + regexp: "^.* root /usr/sbin/aide --check" + line: "{{ aide_cron_interval }} root /usr/sbin/aide --check" + when: aide_cron_check | bool + +- name: Remove aide check cron configuration if necessary + ansible.builtin.lineinfile: + path: /etc/crontab + state: absent + regexp: "^.* root /usr/sbin/aide --check" + when: not aide_cron_check | bool diff --git a/tests/tests_check_cron.yml b/tests/tests_check_cron.yml new file mode 100644 index 0000000..28dd9bf --- /dev/null +++ b/tests/tests_check_cron.yml @@ -0,0 +1,21 @@ +# SPDX-License-Identifier: MIT +--- +- name: Ensure that the cron is set up + hosts: all + gather_facts: false # test that role works in this case + roles: + - role: linux-system-roles.aide + vars: + aide_init: true + aide_cron_check: true + aide_cron_interval: "0 12 * * *" + tasks: + - name: Check file content + ansible.builtin.lineinfile: + path: /etc/crontab + regexp: "^0 12 \\* \\* \\* root /usr/bin/aide --check" + state: absent + check_mode: true + changed_when: false + vars: + __fingerprint: system_role:aide From a7839d1efd77dde5103d47d9f145e137b89e04c0 Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Fri, 20 Dec 2024 02:57:07 +0100 Subject: [PATCH 2/4] Add crontabs package as a requirement Signed-off-by: Radovan Sroka --- vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index 37b2353..f934b78 100644 --- a/vars/main.yml +++ b/vars/main.yml 
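Review bot: The `Update aide check cron configuration if necessary` task writes `aide_cron_interval` into /etc/crontab through `lineinfile` without checking its shape, so a value with more or fewer than five fields, or an embedded newline, becomes a malformed or additional root cron entry instead of a failed play. I would validate the variable before either task runs (assert below), and keep `regexp` tighter than `^.* root /usr/sbin/aide --check`, which is not anchored at the end and also matches a commented-out copy of the entry. If the role is free to move off `lineinfile`, `ansible.builtin.cron` with `cron_file` and `user: root` gives the same result with the schedule fields handled by the module.

```yaml
- name: Validate aide_cron_interval before it is written to /etc/crontab
  ansible.builtin.assert:
    that:
      - aide_cron_interval is string
      - aide_cron_interval is match('^\S+( +\S+){4}$')
    fail_msg: "aide_cron_interval must be exactly five space-separated crontab schedule fields"
  when: aide_cron_check | bool

# … unchanged: the two lineinfile tasks on /etc/crontab …
```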
@@ -6,7 +6,7 @@ # Examples of non-distribution specific (generic) internal variables: __aide_config: aide.conf -__aide_packages: ['aide'] +__aide_packages: ["aide", "crontabs"] __aide_services: [] __aide_db_name: /var/lib/aide/aide.db.gz __aide_db_new_name: /var/lib/aide/aide.db.new.gz From ec4b95bb0cde748616121d34f3e69257dcfc6faf Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Fri, 20 Dec 2024 16:13:00 +0100 Subject: [PATCH 3/4] Fix suggestions Signed-off-by: Radovan Sroka --- README.md | 5 +++-- defaults/main.yml | 2 +- examples/default.yml | 1 - tasks/main.yml | 8 ++++++-- tests/tests_check_cron.yml | 36 +++++++++++++++++++++++++++++++----- 5 files changed, 41 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 91b6ec2..14876bb 100644 --- a/README.md +++ b/README.md @@ -87,9 +87,10 @@ Type: `bool` ### aide_cron_check -Set up periodic cron check for aide +If set to `true`, configures periodic cron check for aide +If set to `false`, removes the periodic cron check -Default: `false` +Default: `null` Type: `bool` diff --git a/defaults/main.yml b/defaults/main.yml index 69a0f79..d2e909d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -22,7 +22,7 @@ aide_check: false aide_update: false # Enable periodic check -aide_cron_check: false +aide_cron_check: null # Example of job definition: # .---------------- minute (0 - 59) diff --git a/examples/default.yml b/examples/default.yml index 663b482..8bcc5b2 100644 --- a/examples/default.yml +++ b/examples/default.yml @@ -10,6 +10,5 @@ aide_fetch_db: false aide_check: false aide_update: false - aide_cron_check: false ansible.builtin.include_role: name: linux-system-roles.aide diff --git a/tasks/main.yml b/tasks/main.yml index b8eaa7c..58571c0 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
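Review bot: `crontabs` is added to `__aide_packages` in a file whose header comment marks these as non-distribution-specific variables, yet `crontabs` is the Fedora/RHEL package name (Debian-family distributions ship /etc/crontab in `cron`), so the install would fail there if the role targets them; the per-distribution vars would be the usual place for it. It also appears to be installed whether or not `aide_cron_check` is set (the install task is outside this series, so this is inferred), which means every host applying the role now gets a cron daemon it may not have asked for; installing it only when `aide_cron_check | bool` would keep the footprint unchanged for existing users. A comment such as `# crontabs owns /etc/crontab, which the aide_cron_check tasks edit with lineinfile` would record why the package is required at all.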
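Review bot: The comment `# Enable periodic check` in defaults/main.yml no longer describes `aide_cron_check` once its default becomes `null`: the tasks/main.yml change in this patch skips both the add and the remove task when the value is none, so the variable is tri-state. Suggested replacement: `# null (default): leave any existing aide cron entry untouched; true: add or update it; false: remove it`. The README hunk documents only the `true` and `false` cases, so the defaults comment is currently the only place a reader could learn what the default does.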
@@ -110,11 +110,15 @@ path: /etc/crontab regexp: "^.* root /usr/sbin/aide --check" line: "{{ aide_cron_interval }} root /usr/sbin/aide --check" - when: aide_cron_check | bool + when: + - aide_cron_check is not none + - aide_cron_check | bool - name: Remove aide check cron configuration if necessary ansible.builtin.lineinfile: path: /etc/crontab state: absent regexp: "^.* root /usr/sbin/aide --check" - when: not aide_cron_check | bool + when: + - aide_cron_check is not none + - not aide_cron_check | bool diff --git a/tests/tests_check_cron.yml b/tests/tests_check_cron.yml index 28dd9bf..26cedec 100644 --- a/tests/tests_check_cron.yml +++ b/tests/tests_check_cron.yml @@ -2,7 +2,7 @@ --- - name: Ensure that the cron is set up hosts: all - gather_facts: false # test that role works in this case + gather_facts: false roles: - role: linux-system-roles.aide vars: @@ -10,12 +10,38 @@ aide_cron_check: true aide_cron_interval: "0 12 * * *" tasks: + - name: Print crontab 1 + ansible.builtin.shell: cat /etc/crontab + - name: Check file content ansible.builtin.lineinfile: path: /etc/crontab - regexp: "^0 12 \\* \\* \\* root /usr/bin/aide --check" - state: absent - check_mode: true - changed_when: false + regexp: "^.* root /usr/sbin/aide --check" + line: "0 12 * * * root /usr/sbin/aide --check" + state: present + register: result + failed_when: result.changed + vars: + __fingerprint: system_role:aide + +- name: Ensure that the cron is not set up + hosts: all + gather_facts: false + roles: + - role: linux-system-roles.aide + vars: + aide_cron_check: false + tasks: + - name: Print crontab 2 + ansible.builtin.shell: cat /etc/crontab + + - name: Check file content + ansible.builtin.lineinfile: + path: /etc/crontab + regexp: "^.* root /usr/sbin/aide --check" + line: "0 12 * * * root /usr/sbin/aide --check" + state: present + register: result + failed_when: not result.changed vars: __fingerprint: system_role:aide From 1764e7d54641bf553c7e991aea26f072290f272a Mon Sep 17 00:00:00 2001 
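Review bot: Both `Check file content` tasks in tests/tests_check_cron.yml assert by actually editing /etc/crontab (`state: present` with no `check_mode`), so a failing first play leaves the host with a line the role never wrote, and the second play's check re-adds the very entry it has just verified was removed. Adding `check_mode: true` next to `register: result` in both tasks keeps `result.changed` as the signal while leaving the file untouched, which is what the earlier version of this test did. The hard-coded `line: "0 12 * * * root /usr/sbin/aide --check"` duplicates the role default; a comment noting that it must track `aide_cron_interval` in defaults/main.yml would save the next person a surprise.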
From: Radovan Sroka Date: Fri, 20 Dec 2024 16:19:25 +0100 Subject: [PATCH 4/4] Use command instead of shell Signed-off-by: Radovan Sroka --- tasks/main.yml | 2 +- tests/tests_check_cron.yml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 58571c0..2f70c7a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -26,7 +26,7 @@ when: aide_db_template is not none # - name: Print Header -# ansible.builtin.shell: head /etc/aide.conf || true +# ansible.builtin.command: head /etc/aide.conf || true - name: Initialize AIDE database when: aide_init | bool diff --git a/tests/tests_check_cron.yml b/tests/tests_check_cron.yml index 26cedec..a62d332 100644 --- a/tests/tests_check_cron.yml +++ b/tests/tests_check_cron.yml @@ -10,8 +10,8 @@ aide_cron_check: true aide_cron_interval: "0 12 * * *" tasks: - - name: Print crontab 1 - ansible.builtin.shell: cat /etc/crontab + # - name: Print crontab 1 + # ansible.builtin.command: cat /etc/crontab - name: Check file content ansible.builtin.lineinfile: @@ -32,8 +32,8 @@ vars: aide_cron_check: false tasks: - - name: Print crontab 2 - ansible.builtin.shell: cat /etc/crontab +# - name: Print crontab 2 +# ansible.builtin.command: cat /etc/crontab - name: Check file content ansible.builtin.lineinfile:
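Review bot: The commented-out debug line `# ansible.builtin.command: head /etc/aide.conf || true` in tasks/main.yml is not equivalent to the `shell` form it replaces: `command` runs no shell, so `||` and `true` would be handed to `head` as file names if the line were ever uncommented. If it is worth keeping as a breadcrumb, `ansible.builtin.command: head /etc/aide.conf` with `failed_when: false` and `changed_when: false` expresses the same intent; otherwise dropping the dead lines is cleaner than rewriting them.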
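Review bot: The `Print crontab 1` task in tests/tests_check_cron.yml becomes commented-out code rather than being removed, and the same change in the `@@ -32,8 +32,8 @@` hunk puts its comment at column 0 while this one indents it under `tasks:`, so the two hunks do not even agree on style. If a crontab dump is useful when the test fails, an active `ansible.builtin.command: cat /etc/crontab` with `changed_when: false` (presumably the missing piece that made the `shell` version objectionable) keeps it working; otherwise deleting both tasks outright is the cleaner option.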