From 1819c4241a6b12de4119d1f5ec1b75451f64789c Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 16 May 2017 10:32:13 -0500
Subject: [PATCH] Configure AIDE before initial run

This patch ensures that AIDE is fully configured before the first database initialization process begins.

Closes-Bug: 1686110
Change-Id: I209b88afb305828fa6e46de255ef11f5a6645427
---
files/aide_extra.conf | 14 ------------
tasks/rhel7stig/aide.yml | 49 +++++++++++++++++++++++++---------------
2 files changed, 31 insertions(+), 32 deletions(-)
delete mode 100644 files/aide_extra.conf

diff --git a/files/aide_extra.conf b/files/aide_extra.conf
deleted file mode 100644
index 5c8586f9..00000000
--- a/files/aide_extra.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# Rules borrowed from CentOS/RHEL AIDE configuration
-# (SELinux was removed for Ubuntu compatibility.)
-FIPSR = p+i+n+u+g+s+m+c+acl+xattrs+sha256
-NORMAL = FIPSR+sha512
-
-# The following two lines apply the NORMAL rule (above this line) to the
-# /bin and /sbin directories to meet the requirements of two STIG controls:
-#
-# RHEL-07-021600 - Verify ACLs
-# RHEL-07-021610 - Verify extended attributes
-#
-/bin NORMAL
-/sbin NORMAL
-
diff --git a/tasks/rhel7stig/aide.yml b/tasks/rhel7stig/aide.yml
index 0c4110d6..a84bdc2d 100644
--- a/tasks/rhel7stig/aide.yml
+++ b/tasks/rhel7stig/aide.yml
@@ -31,6 +31,37 @@ - aide - V-71973 +# NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration +# that meets the requirements of V-72069 and V-72071. That config +# is borrowed for Ubuntu 16.04 here. +- name: Configure AIDE to verify additional properties + blockinfile: + dest: "{{ aide_conf }}" + insertbefore: EOF + marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY" + block: | + # Rules borrowed from CentOS/RHEL AIDE configuration + # (SELinux was removed for Ubuntu compatibility.) + FIPSR = p+i+n+u+g+s+m+c+acl+xattrs+sha256 + NORMAL = FIPSR+sha512 + + # The following two lines apply the NORMAL rule (above this line) to the + # /bin and /sbin directories to meet the requirements of two STIG controls: + # + # RHEL-07-021600 - Verify ACLs + # RHEL-07-021610 - Verify extended attributes + # + /bin NORMAL + /sbin NORMAL + when: + - ansible_os_family | lower == 'ubuntu' + tags: + - low + - aide + - V-72069 + - V-72071 + - V-72073 + - name: Check to see if AIDE database is already in place stat: path: "{{ aide_database_file }}" @@ -82,21 +113,3 @@ - medium - aide - V-71975 - -# NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration -# that meets the requirements of V-72069 and V-72071. That config -# is borrowed for Ubuntu 16.04 here. -- name: Configure AIDE to verify additional properties - blockinfile: - dest: "{{ aide_conf }}" - insertbefore: EOF - marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY" - block: "{{ lookup('file', 'aide_extra.conf') }}" - when: - - ansible_os_family | lower == 'ubuntu' - tags: - - low - - aide - - V-72069 - - V-72071 - - V-72073
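Review bot: The `when: ansible_os_family | lower == 'ubuntu'` guard on the moved blockinfile task (first hunk) looks like it never matches on the platform it targets: Ansible's setup module reports `ansible_os_family` as `Debian` for Ubuntu hosts (the distribution name is in `ansible_distribution`), so unless this role overrides that fact somewhere outside this file, the FIPSR/NORMAL rules for /bin and /sbin are never appended and V-72069/V-72071 are silently unmet while the tags claim coverage. The condition predates this commit, but now that the task is the last thing before the database initialization it decides what the first `aide --init` baselines, so it deserves fixing here: `when:` / `  - ansible_distribution | lower == 'ubuntu'` (or `ansible_pkg_mgr == 'apt'` if that is the role's convention elsewhere). Separately, hosts that already ran an earlier version of this role have a database built without these rules, and the "Check to see if AIDE database is already in place" stat that now follows presumably causes initialization to be skipped when the file exists, so on those hosts the appended rules never enter the baseline and every later check against /bin and /sbin runs with a stale rule set; consider `register: aide_conf_result` on this task and re-initializing (or running `aide --update`) when `aide_conf_result is changed`. The initialization tasks themselves are outside this hunk, so whether they already react to a changed config cannot be confirmed from here.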