{"id":167,"sha1":"c07c60398bf3667f06ca2407750eeb4310e7bf97","playbook":{"id":2,"items":{"plays":18,"tasks":603,"results":2357,"hosts":15,"files":157,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":4,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-hosts.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-14T10:04:43.190296Z","ended":"2025-12-14T10:14:53.851603Z","duration":"00:10:10.661307","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.13.5","server_version":"1.7.4","status":"completed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-hosts.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2016, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n- name: Verify that AIDE configuration directory exists\n  ansible.builtin.stat:\n    path: \"{{ item }}\"\n  register: aide_conf\n  check_mode: false\n  with_items:\n    - /etc/aide/aide.conf.d\n    - /etc/aide.conf\n  tags:\n    - always\n\n- name: Exclude certain directories from AIDE\n  ansible.builtin.template:\n    src: ZZ_aide_exclusions.j2\n    dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions\n    mode: \"0644\"\n  when: aide_conf.results[0].stat.exists | bool\n  tags:\n    - medium\n    - aide\n    - V-71973\n\n# NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration\n# that meets the requirements of V-72069 and V-72071. That config\n# is borrowed for Ubuntu 16.04 here.\n- name: Configure AIDE to verify additional properties (Ubuntu)\n  ansible.builtin.blockinfile:\n    dest: \"/etc/aide/aide.conf\"\n    insertbefore: EOF\n    marker: \"# {mark} MANAGED BY ANSIBLE-HARDENING\"\n    block: |\n      # Rules borrowed from CentOS/RHEL AIDE configuration\n      # (SELinux was removed for Ubuntu compatibility.)\n      FIPSR = p+i+n+u+g+s+m+c+acl+xattrs+sha256\n      NORMAL = FIPSR+sha512\n\n      # The following two lines apply the NORMAL rule (above this line) to the\n      # /bin and /sbin directories to meet the requirements of two STIG controls:\n      #\n      #   V-72069 - Verify ACLs\n      #   V-72071 - Verify extended attributes\n      #\n      /bin    NORMAL\n      /sbin   NORMAL\n  when:\n    - aide_conf.results[0].stat.exists | bool\n    - ansible_facts['os_family'] | lower == 'debian'\n  tags:\n    - low\n    - aide\n    - V-72069\n    - V-72071\n    - V-72073\n\n- name: Check to see if AIDE database is already in place\n  ansible.builtin.stat:\n    path: \"{{ aide_database_file }}\"\n  register: aide_database\n  check_mode: false\n  tags:\n    - always\n\n- name: Initialize AIDE (this will take a few minutes)\n  # NOTE(hwoarang): aideinit is an Ubuntu wrapper. An alternative\n  # would be to use aideinit || aide -i but that will possibly mask\n  # genuine aideinit failures.\n  ansible.builtin.shell: \"if test -x /usr/sbin/aideinit; then aideinit; else aide -i; fi\"\n  changed_when: false\n  register: aide_init\n  when:\n    - aide_conf.results[0].stat.exists | bool or aide_conf.results[1].stat.exists | bool\n    - not aide_database.stat.exists | bool\n    - security_rhel7_initialize_aide | bool\n  tags:\n    - medium\n    - aide\n    - V-71973\n","created":"2025-12-14T10:14:18.832585Z","updated":"2025-12-14T10:14:18.832597Z","path":"/home/zuul/src/opendev.org/openstack/ansible-hardening/tasks/rhel7stig/aide.yml"}