V-386{67,70,95,96,98}, V-38700: Run AIDE via cron

Implements: blueprint security-hardening

Change-Id: I94c42f83c5ebeed2e08bd405c9864e2ab591059a

doc/source/developer-notes/V-38667.rst

@@ -0,0 +1,6 @@
+**Fixed by another STIG**
+
+The openstack-ansible project already installs and configures AppArmor, which
+is a Linux Security Module providing similar functionality to SELinux. In
+addition, AIDE is installed to monitor system files in the Ansible tasks for
+V-38429.

doc/source/developer-notes/V-38670.rst

@@ -0,0 +1,5 @@
+The AIDE package is already installed as part of the Ansible tasks to fix
+V-38429, but these Ansible tasks will verify that the cron job file is actually
+in place. Ubuntu will configure the cron job automatically as soon as the
+package is installed. If the cron job is missing, an error will be printed
+and the playbook will fail.

doc/source/developer-notes/V-38695.rst

@@ -0,0 +1 @@
+V-38670.rst

doc/source/developer-notes/V-38696.rst

@@ -0,0 +1 @@
+V-38670.rst

doc/source/developer-notes/V-38698.rst

@@ -0,0 +1 @@
+V-38670.rst

doc/source/developer-notes/V-38700.rst

@@ -0,0 +1 @@
+V-38670.rst

tasks/misc.yml

@@ -21,6 +21,23 @@
     - cat2
     - V-38489
 
+- name: Check for AIDE cron job (for V-38670)
+  stat:
+    path: /etc/cron.daily/aide
+  register: v38670_result
+  changed_when: False
+  tags:
+    - cat2
+    - V-38670
+
+- name: V-38670 - System must detect unauthorized changes to software and information
+  fail:
+    msg: "FAILED: AIDE cron job is missing"
+  when: v38670_result.stat.exists == False
+  tags:
+    - cat2
+    - V-38670
+
 - name: Search for .netrc files (for V-38619)
   shell: find /root /home -xdev -name .netrc | wc -l
   register: v38619_result