diff --git a/defaults/main.yml b/defaults/main.yml
index bc584047..a045211b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -31,9 +31,9 @@ cache_timeout: 600
 # The following three default exclusions are highly recommended for AIDE to
 # work properly, but additional exclusions can be added to this list if needed.
 aide_exclude_dirs:
- - /var/lib/lxc
 - /openstack
 - /opt
+ - /var
 #
 # By default, the AIDE database won't be initialized immediately since it can
 # consume plenty of CPU and I/O resources while it runs. To initialize the
diff --git a/handlers/main.yml b/handlers/main.yml
index 9ab6cac7..d0d4ab65 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -59,11 +59,5 @@
 command: augenrules --load
 notify: restart auditd
-# This will take a while to complete the first run, so we will fork it into
-# the background so it doesn't hold up the whole playbook.
-- name: initialize AIDE
- shell: "aideinit -b"
- when: initialize_aide | bool
-
 - name: rehash aliases
 command: newaliases
diff --git a/releasenotes/notes/aide-initialization-fix-16ab0223747d7719.yaml b/releasenotes/notes/aide-initialization-fix-16ab0223747d7719.yaml
new file mode 100644
index 00000000..a478572c
--- /dev/null
+++ b/releasenotes/notes/aide-initialization-fix-16ab0223747d7719.yaml
@@ -0,0 +1,17 @@
+---
+features:
+ - |
+ AIDE is configured to skip the entire ``/var`` directory when it does the
+ database initialization and when it performs checks. This reduces disk
+ I/O and allows these jobs to complete faster.
+
+ This also allows the initialization to become a blocking process and
+ Ansible will wait for the initialization to complete prior to running the
+ next task.
+fixes:
+ - |
+ AIDE initialization is now always run on subsequent playbook runs when
+ ``initialize_aide`` is set to ``yes``. The initialization will
+ be skipped if AIDE isn't installed or if the AIDE database already exists.
+
+ See `bug 1616281 `_ for more details.
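Review bot: Swapping `/var/lib/lxc` for `/var` in `aide_exclude_dirs` takes the whole of /var out of AIDE's scope, which on a typical Debian/Ubuntu host drops integrity coverage of persistent state such as /var/spool/cron and /var/lib/dpkg along with the high-churn directories that cause the I/O problem. The comment above the list still describes the entries only as needed for AIDE to work properly; if the wider exclusion is deliberate it should state the trade-off, e.g. `# /var is excluded wholesale to keep aideinit and the daily check fast; this also` / `# removes coverage of /var/spool/cron and /var/lib/dpkg -- narrow it if those matter.` Otherwise listing the noisy subdirectories (/var/lib/lxc, /var/log, /var/cache, /var/tmp) instead of the parent would keep most of the speed-up while retaining coverage of the rest of /var.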
diff --git a/tasks/aide.yml b/tasks/aide.yml
new file mode 100644
index 00000000..d2e4fffd
--- /dev/null
+++ b/tasks/aide.yml
@@ -0,0 +1,86 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: V-38489 - Install AIDE (with apt)
+ apt:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - aide
+ - aide-common
+ when: ansible_pkg_mgr == 'apt'
+ tags:
+ - aide
+ - cat2
+ - V-38489
+
+- name: Verify that AIDE configuration directory exists
+ stat:
+ path: /etc/aide/aide.conf.d
+ register: aide_conf
+ always_run: true
+ tags:
+ - always
+
+- name: V-38489 - Exclude certain directories from AIDE
+ template:
+ src: ZZ_aide_exclusions.j2
+ dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
+ when: aide_conf.stat.exists | bool
+ tags:
+ - aide
+ - cat2
+ - V-38489
+
+- name: Check to see if AIDE database is already in place
+ stat:
+ path: /var/lib/aide/aide.db
+ register: aide_database
+ always_run: True
+ tags:
+ - always
+
+- name: V-38489 - Initialize AIDE (this will take a few minutes)
+ shell: "aideinit"
+ register: aide_init
+ when:
+ - aide_conf.stat.exists | bool
+ - not aide_database.stat.exists | bool
+ - initialize_aide | bool
+ tags:
+ - aide
+ - cat2
+ - V-38489
+
+- name: Check for AIDE cron job (for V-38670)
+ stat:
+ path: "/etc/cron.daily/aide"
+ register: v38670_result
+ changed_when: False
+ tags:
+ - aide
+ - cat2
+ - V-38670
+
+- name: V-38670 - System must detect unauthorized changes to software and information
+ fail:
+ msg: "FAILED: AIDE cron job is missing"
+ when:
+ - not check_mode
+ - v38670_result.stat.exists == False
+ tags:
+ - aide
+ - cat2
+ - V-38670
diff --git a/tasks/main.yml b/tasks/main.yml
index aa1c7402..6425b548 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -26,6 +26,7 @@
 - always
 - include: apt.yml
+ - include: aide.yml
 - include: auditd.yml
 - include: auth.yml
 - include: boot.yml
diff --git a/tasks/misc.yml b/tasks/misc.yml
index 1d215883..62ae58dd 100644
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@@ -13,55 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-- name: V-38489 - Install AIDE
- apt:
- name: "{{ item }}"
- state: present
- with_items:
- - aide
- - aide-common
- tags:
- - cat2
- - V-38489
-
-- name: Verify that AIDE configuration directory exists
- stat:
- path: /etc/aide/aide.conf.d
- register: aide_conf
- always_run: true
- tags:
- - always
-
-- name: V-38489 - Exclude certain directories from AIDE and initialize DB
- template:
- src: ZZ_aide_exclusions.j2
- dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
- when: aide_conf.stat.exists | bool
- notify:
- - initialize AIDE
- tags:
- - cat2
- - V-38489
-
-- name: Check for AIDE cron job (for V-38670)
- stat:
- path: /etc/cron.daily/aide
- register: v38670_result
- changed_when: False
- tags:
- - cat2
- - V-38670
-
-- name: V-38670 - System must detect unauthorized changes to software and information
- fail:
- msg: "FAILED: AIDE cron job is missing"
- when:
- - not check_mode
- - v38670_result.stat.exists == False
- tags:
- - cat2
- - V-38670
-
 - name: Search for .netrc files (for V-38619)
 shell: find /root /home -xdev -name .netrc | wc -l
 register: v38619_result
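Review bot: The exclusions template task in this file has no `notify` and the V-38489 initialize task runs only while `/var/lib/aide/aide.db` is absent, so on a host that already has a database a later change to `aide_exclude_dirs` is written to `/etc/aide/aide.conf.d/ZZ_aide_exclusions` but the database is never rebuilt, and the daily check keeps using a database that reflects the old exclusion list. If a rebuild is wanted, `register: aide_exclusions` on the template task and `- aide_exclusions.changed or not aide_database.stat.exists | bool` in place of the second condition would do it, provided aideinit overwrites an existing database without an extra flag (worth confirming before relying on it); otherwise say so above the task, e.g. `# An existing database is never rebuilt here; re-run aideinit by hand after changing aide_exclude_dirs.` Two smaller points: `always_run: True` in the database stat task should be the lowercase `true` used in the config-directory stat task, and `v38670_result.stat.exists == False` reads better as `not v38670_result.stat.exists`. `shell: "aideinit"` uses no shell features, so `command: aideinit` is the narrower module.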