---
# AIDE on Debian, Kali and Ubuntu: install the package, patch the stock
# configuration in place and add the hardensh-specific rule snippets under
# /etc/aide/aide.conf.d/.  Every configuration task notifies "Create aide.db"
# (handler defined elsewhere) so the baseline database is regenerated after
# the rule set changes.
- name: Setup AIDE
  tags:
    - aide
    - debian
  when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
  become: true
  block:
    # NOTE(review): s-nail is presumably installed so the periodic AIDE report
    # can be mailed; nothing in this file configures mail delivery — confirm.
    - name: Install AIDE package
      ansible.builtin.apt:
        name: ['aide', 's-nail']
        update_cache: true
      tags:
        - packages
    # Rewrite the "Checksums = ..." line of the stock aide.conf to a single
    # digest; \g<1> keeps the matched "Checksums = " prefix.  The dict keys are
    # fixed literals, so nothing user-controlled reaches the regexp.
    # NOTE(review): this narrows whatever digest list the package shipped to
    # sha256 only.  That is still a collision-resistant digest, but check the
    # stock value before treating this as a pure speed trade-off.
    - name: Configure AIDE
      ansible.builtin.replace:
        path: /etc/aide/aide.conf
        regexp: '^({{ item.key }}\s+=\s+).*$'
        replace: '\g<1>{{ item.value }}'
      with_dict:
        Checksums: sha256
      tags: configuration
      notify: "Create aide.db"
    # COPYNEWDB=ifnochange in /etc/default/aide.  Intent: the database written
    # by the periodic run replaces the baseline only when that run reported no
    # changes, so a detected modification is not silently promoted into the
    # next baseline.  Confirm against the comments in the installed file.
    - name: Configure AIDE (/etc/default/aide)
      ansible.builtin.replace:
        path: /etc/default/aide
        regexp: '^({{ item.key }}=).*$'
        replace: '\g<1>{{ item.value }}'
      with_dict:
        COPYNEWDB: ifnochange
      tags: configuration
      notify: "Create aide.db"
    # Negative rule "!/net$": the $ anchors the match to the /net entry
    # itself (presumably an automount point whose contents are not a stable
    # baseline — confirm).  force: false means the copy module leaves an
    # existing file alone, so a local edit of this snippet survives re-runs.
    - name: Exclude /net
      ansible.builtin.copy:
        content: "!/net$\n"
        dest: /etc/aide/aide.conf.d/70_hardensh_net
        owner: root
        group: root
        mode: '0644'
        force: false
      tags: configuration
      notify: "Create aide.db"
    # Same pattern for /media (removable media mount point, presumably).
    - name: Exclude /media
      ansible.builtin.copy:
        content: "!/media$\n"
        dest: /etc/aide/aide.conf.d/70_hardensh_media
        owner: root
        group: root
        mode: '0644'
        force: false
      tags: configuration
      notify: "Create aide.db"
    # Bulk rule snippet shipped with the playbook.  No force: false here, so
    # it is always kept in sync with newconfs/aide-debian.conf.new.
    # NOTE(review): this file is 0600 while the two exclusion snippets above
    # are 0644.  AIDE runs as root so both work, but the rule set reveals
    # exactly which paths are (not) watched — consider 0600 for all three.
    - name: Create /etc/aide/aide.conf.d/70_hardensh_misc
      ansible.builtin.copy:
        src: "{{ playbook_dir }}/newconfs/aide-debian.conf.new"
        dest: /etc/aide/aide.conf.d/70_hardensh_misc
        owner: root
        group: root
        mode: '0600'
      tags: configuration
      notify: "Create aide.db"
    # In the packaged 31_aide_exim4_logs snippet, move the exim4 main/reject
    # log rule from the Log group to FreqRotLog.  \$ matches the literal '$'
    # in the snippet; @@{EXIM4_LOGS} (an AIDE variable reference) is matched
    # verbatim.  NOTE(review): presumably because these logs rotate often
    # enough that the Log group keeps flagging them — confirm.
    - name: Fix /var/log/exim4/(main|reject)log rule
      ansible.builtin.replace:
        path: /etc/aide/aide.conf.d/31_aide_exim4_logs
        regexp: '^(/var/log/exim4/@@{EXIM4_LOGS}log\$ f )Log$'
        replace: '\g<1>FreqRotLog'
      tags: configuration
      notify: "Create aide.db"
    # In the packaged 70_aide_var snippet, switch the /var/tmp directory rule
    # from VarDir-n to VarDirInode-n.  NOTE(review): the reason is not stated
    # here; judging by the name it tolerates inode churn in /var/tmp — confirm.
    - name: Fix /var/tmp rule
      ansible.builtin.replace:
        path: /etc/aide/aide.conf.d/70_aide_var
        regexp: '^(/var/tmp\$ d )VarDir-n$'
        replace: '\g<1>VarDirInode-n'
      tags: configuration
      notify: "Create aide.db"
# TODO
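# AIDE on Slackware: a complete aide.conf is shipped from the playbook
# (rather than patched in place as on Debian) and the database directory is
# created.  NOTE(review): nothing in this file installs the aide binary on
# Slackware, yet "Check aide.conf" below runs /usr/bin/aide there — confirm
# another task or a SlackBuild provides it.
- name: AIDE for Slackware
  tags:
    - aide
    - slackware
  when: ansible_distribution == "Slackware"
  become: true
  block:
    # 0600: the rule set reveals exactly which paths are (not) monitored.
    # backup: true keeps the previous file next to it as
    # /etc/aide.conf.<timestamp>~ with its previous mode — if the prior file
    # was world-readable, so is the backup.
    - name: Copy aide.conf
      tags: configuration
      ansible.builtin.copy:
        src: "{{ playbook_dir }}/newconfs/aide.conf.new"
        dest: /etc/aide.conf
        owner: root
        group: root
        mode: '0600'
        backup: true
      notify: "Create aide.db (Slackware)"
    # Root-only database directory.  Tagged "configuration" like the copy
    # above: a `--tags configuration` run notifies the handler (defined
    # elsewhere, presumably writing the database under /var/lib/aide), and
    # previously this task was skipped in that case, leaving no directory
    # for the handler to write into.
    - name: mkdir /var/lib/aide
      ansible.builtin.file:
        path: /var/lib/aide
        state: directory
        owner: root
        group: root
        mode: '0700'
      tags: configuration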
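# Validate the resulting configuration with aide's own parser.  A non-zero
# exit fails the task (default failed_when), which surfaces a broken rule set
# before the end-of-play handlers try to build the database from it.
# aide_conf is defined outside this file; the command module does not go
# through a shell, so the value is passed as a single argument.
# NOTE(review): the Debian setup above also runs on Ubuntu, but this check
# does not — if aide_conf is defined for Ubuntu as well, add it to `when`.
- name: Check aide.conf
  become: true
  ansible.builtin.command: /usr/bin/aide --config-check --config={{ aide_conf }}
  register: result
  # A parse check never modifies the host.  The previous `result.rc != 0`
  # only ever labelled an already-failing run as "changed"; report it as
  # read-only instead.
  changed_when: false
  tags:
    - check
    - aide
  when: >
    ansible_distribution == "Debian" or
    ansible_distribution == "Kali" or
    ansible_distribution == "Slackware"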
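# Optional post-hardening report: run only the Lynis file_integrity test
# group and print the resulting hardening index.  Requires lynis to be
# installed; gated on run_lynis_after_hardening (defined outside this file).
- name: Print Lynis score for file integrity
  become: true
  tags: aide
  when: run_lynis_after_hardening
  block:
    # -q quiet output; --skip-plugins and --tests-from-group limit the run to
    # the integrity checks.  Declared read-only via changed_when: false rather
    # than silencing the lint rule with a noqa comment: an audit run only
    # rewrites Lynis' own log/report files (inferred), not host state.
    - name: Run Lynis test group file integrity
      ansible.builtin.command: lynis audit system -q --skip-plugins --tests-from-group file_integrity
      changed_when: false
      tags: check
    # no_log: the registered value is the whole log, base64-encoded; keep it
    # out of play output and callback/log plugins.
    - name: slurp /var/log/lynis.log
      ansible.builtin.slurp:
        src: /var/log/lynis.log
      no_log: true
      register: lynis_log
    # regex_search with a group argument yields a list (e.g. ['92']); only
    # the score is printed, never the log itself.  An empty result (no
    # "Hardening index" line in the log) prints as an empty value.
    - name: Print Lynis score for file integrity
      ansible.builtin.debug:
        msg: "{{ lynis_log['content'] | b64decode | regex_search('Hardening index : \\[([0-9]+)\\]', '\\1', multiline=True) }}"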