diff --git a/README.md b/README.md
index b1a4250..14876bb 100644
--- a/README.md
+++ b/README.md
@@ -85,6 +85,34 @@ Default: `false` Type: `bool`
+### aide_cron_check
+
+If set to `true`, configures periodic cron check for aide
+If set to `false`, removes the periodic cron check
+
+Default: `null`
+
+Type: `bool`
+
+### aide_cron_interval
+
+Set check interval for cron
+
+``` yaml
+# Example of job definition:
+# .---------------- minute (0 - 59)
+# | .------------- hour (0 - 23)
+# | | .---------- day of month (1 - 31)
+# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
+# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
+# | | | | |
+# * * * * *
+```
+
+Default: `0 12 * * *`
+
+Type: `string`
+
## Example Playbook Including an example of how to use your role (for instance, with variables
diff --git a/defaults/main.yml b/defaults/main.yml
index f04914f..d2e909d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -20,3 +20,17 @@ aide_check: false # Enable database update phase aide_update: false
+
+# Enable periodic check
+aide_cron_check: null
+
+# Example of job definition:
+# .---------------- minute (0 - 59)
+# | .------------- hour (0 - 23)
+# | | .---------- day of month (1 - 31)
+# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
+# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
+# | | | | |
+# * * * * *
+# Set cron check interval
+aide_cron_interval: "0 12 * * *"
diff --git a/tasks/main.yml b/tasks/main.yml
index cc7484e..2f70c7a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -26,7 +26,7 @@ when: aide_db_template is not none # - name: Print Header
-# ansible.builtin.shell: head /etc/aide.conf || true
+# ansible.builtin.command: head /etc/aide.conf || true - name: Initialize AIDE database when: aide_init | bool
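Review bot: The comment above `aide_cron_check` only says "Enable periodic check", which hides that the three possible values behave differently: `true` adds the root crontab entry, `false` removes it, and the default `null` leaves /etc/crontab untouched because the tasks in tasks/main.yml are guarded with `aide_cron_check is not none`. Suggest `# Periodic AIDE check via /etc/crontab: true adds the entry, false removes it, null (default) leaves the crontab untouched`. The comment above `aide_cron_interval` should also state that the value is written verbatim into the crontab line and must therefore be exactly five cron fields.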
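Review bot: The commented-out debug task is switched to `ansible.builtin.command` while keeping `|| true`, but `command` does not go through a shell, so if the task is ever uncommented `||` and `true` are passed to `head` as literal file arguments and the task fails instead of being tolerant. Either keep `ansible.builtin.shell` for that line or drop the `|| true` and add `failed_when: false` to the task. The surrounding task list continues outside the hunk.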
@@ -104,3 +104,21 @@ ansible.builtin.file: path: "{{ __aide_db_new_name }}" state: absent
+
+- name: Update aide check cron configuration if necessary
+ ansible.builtin.lineinfile:
+ path: /etc/crontab
+ regexp: "^.* root /usr/sbin/aide --check"
+ line: "{{ aide_cron_interval }} root /usr/sbin/aide --check"
+ when:
+ - aide_cron_check is not none
+ - aide_cron_check | bool
+
+- name: Remove aide check cron configuration if necessary
+ ansible.builtin.lineinfile:
+ path: /etc/crontab
+ state: absent
+ regexp: "^.* root /usr/sbin/aide --check"
+ when:
+ - aide_cron_check is not none
+ - not aide_cron_check | bool
diff --git a/tests/tests_check_cron.yml b/tests/tests_check_cron.yml new file mode 100644
index 0000000..a62d332
--- /dev/null
+++ b/tests/tests_check_cron.yml
@@ -0,0 +1,47 @@
+# SPDX-License-Identifier: MIT
+---
+- name: Ensure that the cron is set up
+ hosts: all
+ gather_facts: false
+ roles:
+ - role: linux-system-roles.aide
+ vars:
+ aide_init: true
+ aide_cron_check: true
+ aide_cron_interval: "0 12 * * *"
+ tasks:
+ # - name: Print crontab 1
+ # ansible.builtin.command: cat /etc/crontab
+
+ - name: Check file content
+ ansible.builtin.lineinfile:
+ path: /etc/crontab
+ regexp: "^.* root /usr/sbin/aide --check"
+ line: "0 12 * * * root /usr/sbin/aide --check"
+ state: present
+ register: result
+ failed_when: result.changed
+ vars:
+ __fingerprint: system_role:aide
+
+- name: Ensure that the cron is not set up
+ hosts: all
+ gather_facts: false
+ roles:
+ - role: linux-system-roles.aide
+ vars:
+ aide_cron_check: false
+ tasks:
+# - name: Print crontab 2
+# ansible.builtin.command: cat /etc/crontab
+
+ - name: Check file content
+ ansible.builtin.lineinfile:
+ path: /etc/crontab
+ regexp: "^.* root /usr/sbin/aide --check"
+ line: "0 12 * * * root /usr/sbin/aide --check"
+ state: present
+ register: result
+ failed_when: not result.changed
+ vars:
+ __fingerprint: system_role:aide
diff --git a/vars/main.yml b/vars/main.yml
index 37b2353..f934b78 100644
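Review bot: `aide_cron_interval` is interpolated unvalidated into a root crontab line in the `line:` of the "Update aide check cron configuration" task, so a malformed or multi-line value silently produces a broken or additional crontab entry that runs as root. Add an `ansible.builtin.assert` in front of that task that accepts nothing but five whitespace-separated fields (shown below; it deliberately also rejects `@daily`-style shortcuts, which the README does not document for this variable). Independently, the `regexp` shared by both tasks, `"^.* root /usr/sbin/aide --check"`, is not anchored at the end, so it also matches any longer line that merely starts that way; `"^.* root /usr/sbin/aide --check$"` keeps the match exact.
```yaml
- name: Validate aide_cron_interval before it is written to /etc/crontab
  ansible.builtin.assert:
    that:
      - aide_cron_interval is string
      - aide_cron_interval is match('^\S+([ \t]+\S+){4}$')
    fail_msg: aide_cron_interval must be exactly five whitespace-separated cron fields
  when:
    - aide_cron_check is not none
    - aide_cron_check | bool

# … unchanged: Update / Remove aide check cron configuration tasks …
```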
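Review bot: Both "Check file content" tasks verify the crontab with `ansible.builtin.lineinfile` in `state: present`, which mutates the file it is supposed to inspect: in the second play a pass (`not result.changed`) only occurs because the task has just re-added the line, leaving a stale root crontab entry behind, and in the first play a failing run also writes the line before reporting the failure. Adding `check_mode: true` to both verification tasks keeps them read-only while preserving the `changed` signal. The first play also sets `aide_cron_interval` to the role's own default `"0 12 * * *"`, so it cannot tell whether the variable is honoured at all; a non-default value there (for example `"30 3 * * *"`, constructed, mirrored in that play's `line:`) makes the check meaningful.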
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -6,7 +6,7 @@ # Examples of non-distribution specific (generic) internal variables: __aide_config: aide.conf
-__aide_packages: ['aide']
+__aide_packages: ["aide", "crontabs"] __aide_services: [] __aide_db_name: /var/lib/aide/aide.db.gz __aide_db_new_name: /var/lib/aide/aide.db.new.gz
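Review bot: `crontabs` is added to `__aide_packages` in a file whose own comment describes these as non-distribution-specific (generic) variables, yet `crontabs` is the Fedora/RHEL package name and other families package cron differently (Debian-family systems, for example, as `cron`), so package installation would fail there. If the role has per-distribution vars files the cron package belongs in those; otherwise a comment such as `# crontabs is the Fedora/RHEL name of the cron package; adjust for other distributions` should at least record the assumption. Note also that the package is now installed unconditionally, even when `aide_cron_check` stays at its default `null` and no crontab entry is ever written.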