From 7db180f80184260aebac5c4df06c31930086b751 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 16 May 2017 10:32:13 -0500
Subject: [PATCH] Configure AIDE before initial run
This patch ensures that AIDE is fully configured before the first database initialization process begins. Manual backport of I209b88afb305828fa6e46de255ef11f5a6645427 was required due to the STIG renaming done in Pike.
Change-Id: I41c65e16b61721fecb2aac2251126ce21d7a4353
Closes-Bug: 1686110
---
 files/aide_extra.conf | 14 ------------
 tasks/rhel7stig/aide.yml | 49 +++++++++++++++++++++++++---------------
 2 files changed, 31 insertions(+), 32 deletions(-)
 delete mode 100644 files/aide_extra.conf
diff --git a/files/aide_extra.conf b/files/aide_extra.conf
deleted file mode 100644
index 5c8586f9..00000000
--- a/files/aide_extra.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# Rules borrowed from CentOS/RHEL AIDE configuration
-# (SELinux was removed for Ubuntu compatibility.)
-FIPSR = p+i+n+u+g+s+m+c+acl+xattrs+sha256
-NORMAL = FIPSR+sha512
-
-# The following two lines apply the NORMAL rule (above this line) to the
-# /bin and /sbin directories to meet the requirements of two STIG controls:
-#
-# RHEL-07-021600 - Verify ACLs
-# RHEL-07-021610 - Verify extended attributes
-#
-/bin NORMAL
-/sbin NORMAL
-
diff --git a/tasks/rhel7stig/aide.yml b/tasks/rhel7stig/aide.yml
index 6afceca7..188eae4c 100644
--- a/tasks/rhel7stig/aide.yml
+++ b/tasks/rhel7stig/aide.yml
@@ -31,6 +31,37 @@
 - aide
 - RHEL-07-020130
 
+# NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration
+# that meets the requirements of V-72069 and V-72071. That config
+# is borrowed for Ubuntu 16.04 here.
+- name: Configure AIDE to verify additional properties
+ blockinfile:
+ dest: "{{ aide_conf }}"
+ insertbefore: EOF
+ marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
+ block: |
+ # Rules borrowed from CentOS/RHEL AIDE configuration
+ # (SELinux was removed for Ubuntu compatibility.)
+ FIPSR = p+i+n+u+g+s+m+c+acl+xattrs+sha256
+ NORMAL = FIPSR+sha512
+
+ # The following two lines apply the NORMAL rule (above this line) to the
+ # /bin and /sbin directories to meet the requirements of two STIG controls:
+ #
+ # RHEL-07-021600 - Verify ACLs
+ # RHEL-07-021610 - Verify extended attributes
+ #
+ /bin NORMAL
+ /sbin NORMAL
+ when:
+ - ansible_os_family | lower == 'ubuntu'
+ tags:
+ - low
+ - aide
+ - RHEL-07-021600
+ - RHEL-07-021610
+ - RHEL-07-021620
+
 - name: Check to see if AIDE database is already in place
 stat:
 path: "{{ aide_database_file }}"
@@ -82,21 +113,3 @@
 - medium
 - aide
 - RHEL-07-020140
-
-# NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration
-# that meets the requirements of RHEL-07-021600 and RHEL-07-021610. That config
-# is borrowed for Ubuntu 16.04 here.
-- name: Configure AIDE to verify additional properties
- blockinfile:
- dest: "{{ aide_conf }}"
- insertbefore: EOF
- marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
- block: "{{ lookup('file', 'aide_extra.conf') }}"
- when:
- - ansible_os_family | lower == 'ubuntu'
- tags:
- - low
- - aide
- - RHEL-07-021600
- - RHEL-07-021610
- - RHEL-07-021620
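Review bot: The NOTE comment added at the top of the first hunk cites `V-72069 and V-72071`, while the task it describes is tagged `RHEL-07-021600`, `RHEL-07-021610` and `RHEL-07-021620` and the embedded AIDE block names the same RHEL-07 controls; the copy of this comment removed in the second hunk already used the RHEL-07 identifiers, so the backport appears to have reintroduced the pre-rename IDs the commit message mentions. Suggest `# that meets the requirements of RHEL-07-021600 and RHEL-07-021610. That config` so the comment, the tags and the block agree and a search for a control ID finds all three. Separately, the blockinfile task carries no `notify` or `register`, and the task that follows it only stats the database file; on a host whose AIDE database already exists, the appended NORMAL rules would presumably not be reflected in the baseline until the database is re-initialised, which is worth confirming against the initialisation task that lies outside this hunk.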