feat: Allow setup aide inside of cron job

README.md

@@ -85,6 +85,33 @@ Default: `false`
 
 Type: `bool`
 
+### aide_cron_check
+
+Set up periodic cron check for aide
+
+Default: `false`
+
+Type: `bool`
+
+### aide_cron_interval
+
+Set check interval for cron
+
+``` yaml
+# Example of job definition:
+# .---------------- minute (0 - 59)
+# |  .------------- hour (0 - 23)
+# |  |  .---------- day of month (1 - 31)
+# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
+# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
+# |  |  |  |  |
+# *  *  *  *  *
+```
+
+Default: `0 12 * * *`
+
+Type: `string`
+
 ## Example Playbook
 
 Including an example of how to use your role (for instance, with variables

defaults/main.yml

@@ -20,3 +20,17 @@ aide_check: false
 
 # Enable database update phase
 aide_update: false
+
+# Enable periodic check
+aide_cron_check: false
+
+# Example of job definition:
+# .---------------- minute (0 - 59)
+# |  .------------- hour (0 - 23)
+# |  |  .---------- day of month (1 - 31)
+# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
+# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
+# |  |  |  |  |
+# *  *  *  *  *
+# Set cron check interval
+aide_cron_interval: "0 12 * * *"

examples/default.yml

@@ -10,5 +10,6 @@
         aide_fetch_db: false
         aide_check: false
         aide_update: false
+        aide_cron_check: false
       ansible.builtin.include_role:
         name: linux-system-roles.aide

tasks/main.yml

@@ -104,3 +104,17 @@
       ansible.builtin.file:
         path: "{{ __aide_db_new_name }}"
         state: absent
+
+- name: Update aide check cron configuration if necessary
+  ansible.builtin.lineinfile:
+    path: /etc/crontab
+    regexp: "^.* root /usr/sbin/aide --check"
+    line: "{{ aide_cron_interval }} root /usr/sbin/aide --check"
+  when: aide_cron_check | bool
+
+- name: Remove aide check cron configuration if necessary
+  ansible.builtin.lineinfile:
+    path: /etc/crontab
+    state: absent
+    regexp: "^.* root /usr/sbin/aide --check"
+  when: not aide_cron_check | bool

tests/tests_check_cron.yml

@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: MIT
+---
+- name: Ensure that the cron is set up
+  hosts: all
+  gather_facts: false  # test that role works in this case
+  roles:
+    - role: linux-system-roles.aide
+      vars:
+        aide_init: true
+        aide_cron_check: true
+        aide_cron_interval: "0 12 * * *"
+  tasks:
+    - name: Check file content
+      ansible.builtin.lineinfile:
+        path: /etc/crontab
+        regexp: "^0 12 \\* \\* \\* root /usr/bin/aide --check"
+        state: absent
+      check_mode: true
+      changed_when: false
+      vars:
+        __fingerprint: system_role:aide

vars/main.yml

@@ -6,7 +6,7 @@
 
 # Examples of non-distribution specific (generic) internal variables:
 __aide_config: aide.conf
-__aide_packages: ['aide']
+__aide_packages: ["aide", "crontabs"]
 __aide_services: []
 __aide_db_name: /var/lib/aide/aide.db.gz
 __aide_db_new_name: /var/lib/aide/aide.db.new.gz