---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Verify that AIDE configuration directory exists
  stat:
    path: /etc/aide/aide.conf.d
  register: aide_conf
  check_mode: no
  tags:
    - always

- name: V-38489 - Exclude certain directories from AIDE
  template:
    src: ZZ_aide_exclusions.j2
    dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
  when: aide_conf.stat.exists | bool
  tags:
    - aide
    - cat2
    - V-38489

- name: Check to see if AIDE database is already in place
  stat:
    path: "{{ aide_database_file }}"
  register: aide_database
  check_mode: no
  tags:
    - always

- name: V-38489 - Initialize AIDE (this will take a few minutes)
  command: "aideinit"
  changed_when: false
  register: aide_init
  when:
    - aide_conf.stat.exists | bool
    - not aide_database.stat.exists | bool
    - security_initialize_aide | bool
  tags:
    - aide
    - cat2
    - V-38489

# NOTE(mhayden): This is only needed for CentOS 7 and RHEL 7 since Ubuntu
# copies the new AIDE database into place automatically with its AIDE wrapper
# script.
- name: V-38489 - Move AIDE database into place
  command: "mv /var/lib/aide/aide.db.new.gz {{ aide_database_file }}"
  changed_when: false
  when:
    - aide_init | changed
    - ansible_os_family | lower == 'redhat'
  tags:
    - aide
    - cat2
    - V-38489

# NOTE(mhayden): This is only needed for CentOS 7 and RHEL 7 since the AIDE
# package doesn't come with a cron job file. Ubuntu packages a cron job for
# AIDE checks already.
- name: Create AIDE cron job (for V-38670)
  cron:
    name: aide
    cron_file: aide
    user: root
    special_time: daily
    job: "aide --check"
  when:
    - ansible_os_family | lower == 'redhat'
  tags:
    - aide
    - cat2
    - V-38670

- name: Check for AIDE cron job (for V-38670)
  stat:
    path: "{{ aide_cron_job_path }}"
  register: v38670_result
  changed_when: False
  tags:
    - aide
    - cat2
    - V-38670