---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Verify that AIDE configuration directory exists
  stat:
    path: /etc/aide/aide.conf.d
  register: aide_conf
  check_mode: no
  tags:
    - always

- name: Exclude certain directories from AIDE
  template:
    src: ZZ_aide_exclusions.j2
    dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
  when: aide_conf.stat.exists | bool
  tags:
    - medium
    - aide
    - V-71973

- name: Check to see if AIDE database is already in place
  stat:
    path: "{{ aide_database_file }}"
  register: aide_database
  check_mode: no
  tags:
    - always

- name: Initialize AIDE (this will take a few minutes)
  command: "aideinit"
  changed_when: false
  register: aide_init
  when:
    - aide_conf.stat.exists | bool
    - not aide_database.stat.exists | bool
    - security_rhel7_initialize_aide | bool
  tags:
    - medium
    - aide
    - V-71973

# NOTE(mhayden): This is only needed for CentOS 7 and RHEL 7 since Ubuntu
# copies the new AIDE database into place automatically with its AIDE wrapper
# script.
- name: Move AIDE database into place
  command: "mv /var/lib/aide/aide.db.new.gz {{ aide_database_file }}"
  changed_when: false
  when:
    - aide_init | changed
    - ansible_os_family | lower == 'redhat'
  tags:
    - medium
    - aide
    - V-71973

# NOTE(mhayden): This is only needed for CentOS 7 and RHEL 7 since the AIDE
# package doesn't come with a cron job file. Ubuntu packages a cron job for
# AIDE checks already.
- name: Create AIDE cron job
  cron:
    name: aide
    cron_file: aide
    user: root
    special_time: daily
    job: "aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root"
  when:
    - ansible_os_family | lower == 'redhat'
  tags:
    - medium
    - aide
    - V-71975

# NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration
# that meets the requirements of V-72069 and V-72071. That config
# is borrowed for Ubuntu 16.04 here.
- name: Configure AIDE to verify additional properties
  blockinfile:
    dest: "{{ aide_conf }}"
    insertbefore: EOF
    marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
    block: "{{ lookup('file', 'aide_extra.conf') }}"
  when:
    - ansible_os_family | lower == 'ubuntu'
  tags:
    - low
    - aide
    - V-72069
    - V-72071
    - V-72073