feat: Import code for role

Signed-off-by: Radovan Sroka <[email protected]>

README.md

@@ -1,102 +1,93 @@
-# Role Name
+# AIDE
 
 [![ansible-lint.yml](https://github.com/linux-system-roles/aide/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/aide/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/ansible-test.yml) [![markdownlint.yml](https://github.com/linux-system-roles/aide/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/markdownlint.yml) [![shellcheck.yml](https://github.com/linux-system-roles/aide/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/aide/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/aide/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/aide/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/woke.yml)
 
-Ansible role for managing Advanced Intrusion Detection Environment (AIDE).
+This is an ansible role that installs and configures the [Advanced Intrusion Detection Environment (AIDE)](https://aide.github.io). For Day 2 tasks it can run integrity checks and update the AIDE database.
 
-## Requirements
+_Notice:_ This is a very early stage of a work in progress. Please use with
+extreme caution as it might break your system.
 
-Any prerequisites that may not be covered by Ansible itself or the role should
-be mentioned here.  This includes platform dependencies not managed by the
-role, hardware requirements, external collections, etc.  There should be a
-distinction between *control node* requirements (like collections) and
-*managed node* requirements (like special hardware, platform provisioning).
+## What does this role do for you?
 
-### Collection requirements
+* It ensures that the `aide` package is installed on the remote nodes
+* As an optional task it can generate the `/etc/aide.conf` file and template it out to the remote nodes
+* It initializes the AIDE database
+* The AIDE databases from the remote nodes are stored in a central directory on the controller node
+* It runs AIDE integrity checks on the remote nodes
+* It updates the AIDE databases and stores them on the controller node
 
-For instance, if the role depends on some collections and has a
-`meta/collection-requirements.yml` file for installing those dependencies, and
-in order to manage `rpm-ostree` systems, it should be mentioned here that the
- user should run
+## How does the role do that?
 
-```bash
-ansible-galaxy collection install -vv -r meta/collection-requirements.yml
-```
+* The role is controlled by using [Ansible Tags](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_tags.html)
+* If you run the playbook without specifying any tag the role will change nothing on your remote nodes
+* To execute some supported use cases you need to explicitly specify one or more of the following tags
 
-on the *control node* before using the role.
+### Available tags to control and use the role
 
-## Role Variables
+* __install__ - With this tag the role ensures that the `aide` package is installed on the remote nodes
+* __generate_config__ - Generates the file `/etc/aide.conf` using `templates/aide.conf.j2`; the template needs to be adjusted to fit your requirements; if you do not use this tag the default configuration file shipped with the `aide` package will be used
+* __init__ - Initializes the AIDE database and fetches it from the remote nodes to store it on the controller node
+* __check__ - Runs an integrity check on the remote nodes
+* __update__ - Updates the AIDE database and stores it on the controller node
 
-A description of all input variables (i.e. variables that are defined in
-`defaults/main.yml`) for the role should go here as these form an API of the
-role.  Each variable should have its own section e.g.
+## What does this role not do for you?
 
-### aide_foo
+* It does not explain how to create a good AIDE configuration that suits your requirements; that task remains for you to accomplish
 
-This variable is required.  It is a string that lists the foo of the role.
-There is no default value.
+## Requirements
+
+This role has no special requirements as it uses `ansible.builtin` modules
+only.
+
+## Role Variables
 
-### aide_bar
+### aide_db_fetch_dir
 
-This variable is optional.  It is a boolean that tells the role to disable bar.
-The default value is `true`.
+This variable takes a string to specify the directory on the Ansible Control
+Node (ACN) where the role will store the AIDE database fetched from the remote
+nodes. The default value is `files` which is expected to be a directory in the
+same directory as the playbook.
 
-Variables that are not intended as input, like variables defined in
-`vars/main.yml`, variables that are read from other roles and/or the global
-scope (ie. hostvars, group vars, etc.) can be also mentioned here but keep in
-mind that as these are probably not part of the role API they may change during
-the lifetime.
+In case you like to store the fetched AIDE database files somewhere else you
+need to specify a different path here.
 
 Example of setting the variables:
 
 ```yaml
-aide_foo: "oof"
-aide_bar: false
+aide_db_fetch_dir: files
 ```
 
-## Variables Exported by the Role
-
-This section is optional.  Some roles may export variables for playbooks to
-use later.  These are analogous to "return values" in Ansible modules.  For
-example, if a role performs some action that will require a system reboot, but
-the user wants to defer the reboot, the role might set a variable like
-`aide_reboot_needed: true` that the playbook can use to reboot at a more
-convenient time.
-
-Example:
-
-### aide_reboot_needed
-
-Default `false` - if `true`, this means a reboot is needed to apply the changes
-made by the role
-
 ## Example Playbook
 
 Including an example of how to use your role (for instance, with variables
 passed in as parameters) is always nice for users too:
 
 ```yaml
-- name: Manage the aide subsystem
-  hosts: all
-  vars:
-    aide_foo: "foo foo!"
-    aide_bar: false
-  roles:
-    - linux-system-roles.aide
+# SPDX-License-Identifier: MIT
+---
+- name: Example aide role invocation
+  hosts: targets
+  tasks:
+    - name: Include role aide
+      tags:
+        - install
+        - generate_config
+        - init
+        - check
+        - update
+      vars:
+        aide_db_fetch_dir: files
+      ansible.builtin.include_role:
+        name: aide
 ```
 
-More examples can be provided in the [`examples/`](examples) directory. These
-can be useful, especially for documentation.
-
-## rpm-ostree
-
-See README-ostree.md
+More examples can be found in the [`examples/`](examples) directory.
 
 ## License
 
-Whenever possible, please prefer MIT.
+MIT.
 
 ## Author Information
 
-An optional section for the role authors to include contact information, or a
-website (HTML is not allowed).
+* Radovan Sroka
+* Joerg Kastning

ansible_pytest_extra_requirements.txt

@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: MIT
+
+# ansible and dependencies for all supported platforms
+ansible ; python_version > "2.6"
+idna<2.8 ; python_version < "2.7"
+PyYAML<5.1 ; python_version < "2.7"

contributing.md

@@ -1,4 +1,4 @@
-# Contributing to the aide Linux System Role
+# Contributing to the Aide Linux System Role
 
 ## Where to start
 

defaults/main.yml

@@ -4,5 +4,4 @@
 # This file also serves as a documentation for such a variables.
 
 # Examples of role input variables:
-aide_foo: foo
-aide_bar: true
+aide_db_fetch_dir: files

examples/simple.yml

@@ -1,9 +1,16 @@
 # SPDX-License-Identifier: MIT
 ---
 - name: Example aide role invocation
-  hosts: all
-  vars:
-    aide_foo: example variable value
-    aide_bar: false
-  roles:
-    - linux-system-roles.aide
+  hosts: targets
+  tasks:
+    - name: Include role aide
+      tags:
+        - install
+        - generate_config
+        - init
+        - check
+        - update
+      vars:
+        aide_db_fetch_dir: files
+      ansible.builtin.include_role:
+        name: linux-system-roles.aide

meta/main.yml

@@ -1,20 +1,68 @@
 # SPDX-License-Identifier: MIT
 ---
 galaxy_info:
-  author: John Doe <[email protected]>
-  description: Basic template for Linux system roles
-  company: John Doe, Inc.
+  # Replace with role's author name:
+  author: Joerg Kastning <[email protected]>
+  # Replace with the real description of what is role's purpose:
+  description: Install, configure and operate AIDE
+  # Replace with the company the role's author is member of:
+  company: Red Hat
+
+  # If the issue tracker for your role is not on github, uncomment the next
+  # line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Some suggested licenses:
+  # - BSD (default)
+  # - MIT
+  # - GPLv2
+  # - GPLv3
+  # - Apache
+  # - CC-BY
   license: MIT
+
   min_ansible_version: "2.9"
+
+  # Optionally specify the branch Galaxy will use when accessing the GitHub
+  # repo for this role. During role install, if no tags are available, Galaxy
+  # will use this branch. During import Galaxy will access files on this
+  # branch. If Travis integration is configured, only notifications for this
+  # branch will be accepted. Otherwise, in all cases, the repo's default branch
+  # (usually main) will be used.
+  # github_branch:
+
+  #
+  # platforms is a list of platforms, and each platform has a name and a list
+  # of versions.
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - "25"
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - "1.0"
+  #   - "7"
+  #   - "99.99"
   platforms:
+    # Replace the below with your platform list:
     - name: Fedora
       versions:
         - all
     - name: EL
       versions:
-        - "9"
-  galaxy_tags:
-    - el9
-    - el10
-    - fedora
+        - all
+
+  galaxy_tags: []
+  # List tags for your role here, one per line. A tag is a keyword that
+  # describes and categorizes the role. Users find roles by searching for tags.
+  # Be sure to remove the '[]' above, if you add tags to this list.
+  #
+  # NOTE: A tag is limited to a single word comprised of alphanumeric
+  #       characters. Maximum 20 tags per role.
+
 dependencies: []
+# List your role dependencies here, one per line. Be sure to remove the '[]'
+# above, if you add dependencies to this list.

pylint_extra_requirements.txt

@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: MIT
+
+# Write extra requirements for running pylint here:

pytest_extra_requirements.txt

@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: MIT
+
+# Write extra requirements for running pytest here:
+# If you need ansible then uncomment the following line:
+-ransible_pytest_extra_requirements.txt
+# If you need mock then uncomment the following line:
+mock ; python_version < "3.0"

tasks/main.yml

@@ -5,23 +5,93 @@
 
 # Examples of some tasks:
 - name: Ensure required packages are installed
-  package:
+  ansible.builtin.package:
     name: "{{ __aide_packages }}"
     state: present
     use: "{{ (__aide_is_ostree | d(false)) |
              ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
+  tags:
+    - never
+    - install
 
 - name: Ensure required services are enabled and started
-  service:
+  ansible.builtin.service:
     name: "{{ item }}"
     state: started
     enabled: true
   loop: "{{ __aide_services }}"
+  tags:
+    - never
 
-- name: Generate /etc/{{ __aide_foo_config }}
-  template:
-    src: "{{ __aide_foo_config }}.j2"
-    dest: /etc/{{ __aide_foo_config }}
+- name: Generate "/etc/{{ __aide_config }}"
+  ansible.builtin.template:
+    src: "{{ __aide_config }}.j2"
+    dest: "/etc/{{ __aide_config }}"
     backup: true
     mode: "0400"
-  notify: Handler for aide to restart services
+  tags:
+    - never
+    - generate_config
+
+- name: Initialize AIDE database and fetch it
+  become: true
+  tags:
+    - never
+    - init
+  block:
+    - name: Initialize AIDE database
+      ansible.builtin.command:
+        cmd: aide --init
+
+    - name: Fetch AIDE database
+      ansible.builtin.fetch:
+        src: "{{ __aide_db_new_name }}"
+        dest: "{{ aide_db_fetch_dir }}"
+
+    - name: Remove remote AIDE database file
+      ansible.builtin.file:
+        path: "{{ __aide_db_new_name }}"
+        state: absent
+
+- name: Check AIDE integrity
+  become: true
+  tags:
+    - never
+    - check
+  block:
+    - name: Copy AIDE reference database to remote
+      ansible.builtin.copy:
+        src:
+          "{{ aide_db_fetch_dir }}/{{ inventory_hostname }}/var/lib/aide/\
+          aide.db.new.gz"
+        dest: "{{ __aide_db_name }}"
+        owner: root
+        group: root
+        mode: "0440"
+
+    - name: Check against AIDE reference database
+      ansible.builtin.command:
+        cmd: aide --check
+      changed_when: false
+
+- name: Update AIDE database and fetch it
+  become: true
+  tags:
+    - never
+    - update
+  block:
+    - name: Update AIDE database
+      ansible.builtin.command:
+        cmd: aide --update
+      register: __aide_update_result
+      failed_when: __aide_update_result.rc > 7
+
+    - name: Fetch AIDE database
+      ansible.builtin.fetch:
+        src: "{{ __aide_db_new_name }}"
+        dest: "{{ aide_db_fetch_dir }}"
+
+    - name: Remove remote AIDE database file
+      ansible.builtin.file:
+        path: "{{ __aide_db_new_name }}"
+        state: absent