Make possible to avoid aide installation

This patch adds variable `security_rhel7_enable_aide`. When it's False, all AIDE related tasks would be ommited. Change-Id: I64af348d9f49922ab51d8cd348d987df4263faa1
2021-01-26 17:32:39 +02:00 · 2021-01-26 17:32:39 +02:00 · 180fc448eb
commit 180fc448eb
parent c6703cd5e5
8 changed files with 30 additions and 5 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -69,6 +69,7 @@ security_set_maximum_password_lifetime: no                   # V-71931
 ## AIDE (aide)
 # Initialize the AIDE database immediately (may take time).
 security_rhel7_initialize_aide: no                           # V-71973
 security_rhel7_enable_aide: yes
 # The default Ubuntu configuration for AIDE will cause it to wander into some
 # terrible places on the system, such as /var/lib/lxc and images in /opt.
--- a/doc/source/rhel7/domains/aide.rst
+++ b/doc/source/rhel7/domains/aide.rst
@ -31,4 +31,10 @@ re-apply the role:
    a long time on some systems. During this time, the CPU and disks are **very
    busy**.
 To avoid installing and initializing AIDE, set the following Ansible variable:
 .. code-block:: yaml
    security_rhel7_enable_aide: false
 .. include:: auto_aide.rst
--- a/releasenotes/notes/enable_aide-d9783c50675cb80f.yaml
+++ b/releasenotes/notes/enable_aide-d9783c50675cb80f.yaml
@ -0,0 +1,5 @@
 ---
 features:
  - |
    Added variable ``security_rhel7_enable_aide`` that is designed to avoid
    installation and initialization of the aide related STIGs
--- a/tasks/rhel7stig/main.yml
+++ b/tasks/rhel7stig/main.yml
@ -81,6 +81,7 @@
 # Controls by Tag" section of the role documentation.
 - import_tasks: accounts.yml
 - import_tasks: aide.yml
  when: security_rhel7_enable_aide | bool
 - import_tasks: auditd.yml
 - import_tasks: auth.yml
 - import_tasks: file_perms.yml
--- a/vars/debian.yml
+++ b/vars/debian.yml
@ -55,14 +55,17 @@ stig_packages_rhel7:
  - packages:
      - auditd
      - audispd-plugins
      - aide
      - aide-common
      - libpwquality-common
      - openssh-client
      - openssh-server
      - screen
    state: "{{ security_package_state }}"
    enabled: True
  - packages:
      - aide
      - aide-common
    state: "{{ security_package_state }}"
    enabled: "{{ security_rhel7_enable_aide }}"
  - packages:
      - apparmor
      - apparmor-profiles
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
@ -52,7 +52,6 @@ stig_packages_rhel7:
  - packages:
      - audispd-plugins
      - audit
      - aide
      - dracut-fips
      - dracut-fips-aesni
      - openssh-clients
@ -60,6 +59,10 @@ stig_packages_rhel7:
      - screen
    state: "{{ security_package_state }}"
    enabled: True
  - packages:
      - aide
    state: "{{ security_package_state }}"
    enabled: "{{ security_rhel7_enable_aide }}"
  - packages:
      - libselinux-python
      - policycoreutils-python
--- a/vars/redhat-8.yml
+++ b/vars/redhat-8.yml
@ -52,13 +52,16 @@ stig_packages_rhel7:
  - packages:
      - audispd-plugins
      - audit
      - aide
      - dracut-fips
      - dracut-fips-aesni
      - openssh-clients
      - openssh-server
    state: "{{ security_package_state }}"
    enabled: True
  - packages:
      - aide
    state: "{{ security_package_state }}"
    enabled: "{{ security_rhel7_enable_aide }}"
  - packages:
      - python3-libselinux
      - policycoreutils-python-utils
--- a/vars/suse.yml
+++ b/vars/suse.yml
@ -54,12 +54,15 @@ stig_packages_rhel7:
  - packages:
      - audit-audispd-plugins
      - audit
      - aide
      - dracut-fips
      - openssh
      - screen
    state: "{{ security_package_state }}"
    enabled: True
  - packages:
      - aide
    state: "{{ security_package_state }}"
    enabled: "{{ security_rhel7_enable_aide }}"
  - packages:
      - apparmor-parser
      - apparmor-profiles