Make possible to avoid aide installation

This patch adds variable `security_rhel7_enable_aide`. When it's False,
all AIDE related tasks would be ommited.

Change-Id: I64af348d9f49922ab51d8cd348d987df4263faa1

defaults/main.yml

@@ -69,6 +69,7 @@ security_set_maximum_password_lifetime: no                   # V-71931
 ## AIDE (aide)
 # Initialize the AIDE database immediately (may take time).
 security_rhel7_initialize_aide: no                           # V-71973
+security_rhel7_enable_aide: yes
 
 # The default Ubuntu configuration for AIDE will cause it to wander into some
 # terrible places on the system, such as /var/lib/lxc and images in /opt.

doc/source/rhel7/domains/aide.rst

@@ -31,4 +31,10 @@ re-apply the role:
     a long time on some systems. During this time, the CPU and disks are **very
     busy**.
 
+To avoid installing and initializing AIDE, set the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_enable_aide: false
+
 .. include:: auto_aide.rst

releasenotes/notes/enable_aide-d9783c50675cb80f.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Added variable ``security_rhel7_enable_aide`` that is designed to avoid
+    installation and initialization of the aide related STIGs

tasks/rhel7stig/main.yml

@@ -81,6 +81,7 @@
 # Controls by Tag" section of the role documentation.
 - import_tasks: accounts.yml
 - import_tasks: aide.yml
+  when: security_rhel7_enable_aide | bool
 - import_tasks: auditd.yml
 - import_tasks: auth.yml
 - import_tasks: file_perms.yml

vars/debian.yml

@@ -55,14 +55,17 @@ stig_packages_rhel7:
   - packages:
       - auditd
       - audispd-plugins
-      - aide
-      - aide-common
       - libpwquality-common
       - openssh-client
       - openssh-server
       - screen
     state: "{{ security_package_state }}"
     enabled: True
+  - packages:
+      - aide
+      - aide-common
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_rhel7_enable_aide }}"
   - packages:
       - apparmor
       - apparmor-profiles

vars/redhat-7.yml

@@ -52,7 +52,6 @@ stig_packages_rhel7:
   - packages:
       - audispd-plugins
       - audit
-      - aide
       - dracut-fips
       - dracut-fips-aesni
       - openssh-clients
@@ -60,6 +59,10 @@ stig_packages_rhel7:
       - screen
     state: "{{ security_package_state }}"
     enabled: True
+  - packages:
+      - aide
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_rhel7_enable_aide }}"
   - packages:
       - libselinux-python
       - policycoreutils-python

vars/redhat-8.yml

@@ -52,13 +52,16 @@ stig_packages_rhel7:
   - packages:
       - audispd-plugins
       - audit
-      - aide
       - dracut-fips
       - dracut-fips-aesni
       - openssh-clients
       - openssh-server
     state: "{{ security_package_state }}"
     enabled: True
+  - packages:
+      - aide
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_rhel7_enable_aide }}"
   - packages:
       - python3-libselinux
       - policycoreutils-python-utils

vars/suse.yml

@@ -54,12 +54,15 @@ stig_packages_rhel7:
   - packages:
       - audit-audispd-plugins
       - audit
-      - aide
       - dracut-fips
       - openssh
       - screen
     state: "{{ security_package_state }}"
     enabled: True
+  - packages:
+      - aide
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_rhel7_enable_aide }}"
   - packages:
       - apparmor-parser
       - apparmor-profiles