Puppet Class: aide

Defined in:
manifests/init.pp

Overview

Sets up a functioning AIDE system.

Many parameters were plucked directly from the aide.conf(5) man page.

Parameters:

  • dbdir (Stdlib::Absolutepath) (defaults to: '/var/lib/aide')

    The AIDE database directory, DBDIR.

  • logdir (Stdlib::Absolutepath) (defaults to: '/var/log/aide')

    The AIDE log directory, LOGDIR.

  • database_name (String) (defaults to: 'aide.db.gz')

    The name of the database file within DBDIR.

  • database_out_name (String) (defaults to: 'aide.db.new.gz')

    The name of the database out file within DBDIR.

  • gzip_dbout (Variant[Enum['yes','no'],Boolean]) (defaults to: 'yes')

    Whether to compress the output database.

  • verbose (Stdlib::Compat::Integer) (defaults to: '5')

    The verbosity of the output messages.

  • report_urls (Array[String]) (defaults to: [ 'file:@@{LOGDIR}/aide.report'])

    An array of report URLs. A syslog report URL is automatically appended to this list when 'syslog' is set to 'true'.

  • aliases (Array[String])

    A set of common aliases that may be used within the AIDE configuration file. It is not recommended that these be changed.

  • ruledir (Stdlib::Absolutepath) (defaults to: '/etc/aide.conf.d')

    The directory to include for all additional rules.

  • rules (Variant[Hash,Array[String]]) (defaults to: {})

    A hash of 'aide::rule' resources to create, keyed by resource title, where each value is the attribute hash for that resource. In previous versions, this parameter was used to specify an array of rule files to include; that is now automatic. Passing an array to this parameter is deprecated, does nothing beyond emitting a deprecation warning, and may be removed completely in a future release of this module.

  • enable (Boolean) (defaults to: false)

    Whether or not to enable AIDE to run on a periodic schedule. Enabling this meets CCE-27222-9.

    This is 'false' by default since a full AIDE check is CPU- and I/O-intensive and should only be enabled once the performance impact on the system is understood.

  • minute (Simplib::Cron::Minute) (defaults to: fqdn_rand(59))

    'minute' cron parameter for when the AIDE check is run

  • hour (Simplib::Cron::Hour) (defaults to: 4)

    'hour' cron parameter for when the AIDE check is run

  • monthday (Simplib::Cron::Monthday) (defaults to: '*')

    'monthday' cron parameter for when the AIDE check is run

  • month (Simplib::Cron::Month) (defaults to: '*')

    'month' cron parameter for when the AIDE check is run

  • weekday (Simplib::Cron::Weekday) (defaults to: 0)

    'weekday' cron parameter for when the AIDE check is run

  • cron_method (Enum['root', 'etc', 'systemd']) (defaults to: 'systemd')

    The preferred method for scheduling the job:

    * systemd => systemd timer (default)
    * root    => root's crontab (legacy)
    * etc     => /etc/crontab (scanner compat)

    Methods that are not selected will be disabled.
  • systemd_calendar (Optional[String[1]]) (defaults to: undef)

    An exact systemd calendar string (an OnCalendar= value; see systemd.time(7))

    • Overrides all other scheduling parameters

    • Will not be validated by this module; check the string with 'systemd-analyze calendar <string>' before deploying, since a malformed value prevents the timer unit from loading and the check silently never runs

  • cron_command (String[1]) (defaults to: '/bin/nice -n 19 /usr/sbin/aide --check')

    'command' cron parameter for when the AIDE check is run

  • default_rules (Variant[Array[String[1]],String])

    A set of default rules to include. If this is set, the internal defaults will be overridden.

  • logrotate (Boolean) (defaults to: simplib::lookup('simp_options::logrotate', { 'default_value' => false}))

    Whether to use logrotate. If set to 'true', Hiera can be used to set the variables in aide::logrotate

  • rotate_period (Aide::Rotateperiod) (defaults to: 'weekly')

    The logrotate period at which to rotate the logs.

  • rotate_number (Integer) (defaults to: 4)

    The number of log files to preserve on the system.

  • syslog (Boolean) (defaults to: simplib::lookup('simp_options::syslog', { 'default_value' => false }))

    Whether to send the AIDE output to syslog, in addition to the local report file. Use Hiera to set the parameters on aide::syslog appropriately if you don’t care for the defaults.

  • syslog_facility (Aide::SyslogFacility) (defaults to: 'LOG_LOCAL6')

    The syslog facility to use for the AIDE output syslog messages.

  • auditd (Boolean) (defaults to: simplib::lookup('simp_options::auditd', { 'default_value' => false }))

    Whether to add an auditd watch rule ('-w /etc/aide.conf -p wa -k CFG_aide') that records writes and attribute changes to the AIDE configuration.

  • aide_init_timeout (Integer) (defaults to: $facts['processors']['count'] ? { 1 => 1200, default => 300 })

    Maximum time to wait in seconds for AIDE database initialization or update. The default is 1200 seconds on a single-processor system and 300 seconds otherwise; raise it if the Puppet run reports the 'update_aide_db' or 'verify_aide_db_presence' exec timing out on large filesystems.

  • package_ensure (String) (defaults to: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }))

    The ensure status of packages to be managed

# File 'manifests/init.pp', line 116

class aide (
  Array[String]                            $aliases,
  Variant[Array[String[1]],String]         $default_rules,
  Stdlib::Absolutepath                     $dbdir             = '/var/lib/aide',
  Stdlib::Absolutepath                     $logdir            = '/var/log/aide',
  String                                   $database_name     = 'aide.db.gz',
  String                                   $database_out_name = 'aide.db.new.gz',
  Variant[Enum['yes','no'],Boolean]        $gzip_dbout        = 'yes',
  Stdlib::Compat::Integer                  $verbose           = '5',
  Array[String]                            $report_urls       = [ 'file:@@{LOGDIR}/aide.report'],
  Stdlib::Absolutepath                     $ruledir           = '/etc/aide.conf.d',
  Variant[Hash,Array[String]]              $rules             = {},
  Boolean                                  $enable            = false,
  Simplib::Cron::Minute                    $minute            = fqdn_rand(59),
  Simplib::Cron::Hour                      $hour              = 4,
  Simplib::Cron::Monthday                  $monthday          = '*',
  Simplib::Cron::Month                     $month             = '*',
  Simplib::Cron::Weekday                   $weekday           = 0,
  Enum['root', 'etc', 'systemd']           $cron_method       = 'systemd',
  Optional[String[1]]                      $systemd_calendar  = undef,
  String[1]                                $cron_command      = '/bin/nice -n 19 /usr/sbin/aide --check',
  Boolean                                  $logrotate         = simplib::lookup('simp_options::logrotate', { 'default_value' => false}),
  Aide::Rotateperiod                       $rotate_period     = 'weekly',
  Integer                                  $rotate_number     = 4,
  Boolean                                  $syslog            = simplib::lookup('simp_options::syslog', { 'default_value' => false }),
  Aide::SyslogFacility                     $syslog_facility   = 'LOG_LOCAL6',
  Boolean                                  $auditd            = simplib::lookup('simp_options::auditd', { 'default_value' => false }),
  Integer                                  $aide_init_timeout = $facts['processors']['count'] ? { 1 => 1200, default => 300 },
  String                                   $package_ensure    = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }),
) {

  include 'aide::default_rules'

  if $rules =~ Hash {
    $rules.each |String $key, Hash $attrs| {
      aide::rule { $key:
        * => $attrs,
      }
    }
  } else {
    deprecation('aide_rules','Using an Array with $aide::rules is deprecated. The parameter is no longer used to specify rule files')
  }

  if $enable {
    include 'aide::set_schedule'
  }

  if $logrotate {
    include 'aide::logrotate'
  }

  if $syslog {
    include 'aide::syslog'
    $_report_urls = $report_urls << "syslog:${syslog_facility}"
  }
  else {
    $_report_urls = $report_urls
  }

  if $auditd {
    auditd::rule { 'aide':
      content => '-w /etc/aide.conf -p wa -k CFG_aide'
    }
  }

  # CCE-27024-9
  package { 'aide':
    ensure => $package_ensure
  }

  file { $ruledir:
    ensure  => 'directory',
    owner   => 'root',
    group   => 'root',
    mode    => '0700',
    purge   => true,
    recurse => true,
  }

  file { $dbdir:
    ensure => 'directory',
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  file { $logdir:
    ensure => 'directory',
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  concat { '/etc/aide.conf':
    ensure => 'present',
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
    notify => Exec['update_aide_db'],
  }

  concat::fragment { 'aide.conf':
    target  => '/etc/aide.conf',
    order   => '001',
    content => epp(
      "${module_name}/aide.conf.epp",
      {
        'dbdir'             => $dbdir,
        'logdir'            => $logdir,
        'database_name'     => $database_name,
        'database_out_name' => $database_out_name,
        'gzip_dbout'        => $gzip_dbout,
        'verbose'           => $verbose,
        'report_urls'       => $_report_urls,
        'aliases'           => $aliases
      }
    )
  }

  $_update_aide_script = @("EOF")
    #!/bin/sh
    /usr/bin/killall -9 aide;
    wait;

    if [ -f ${dbdir}/${database_name} ]; then
      /bin/nice -n 19 /usr/sbin/aide -c /etc/aide.conf -u;
    else
      /bin/nice -n 19 /usr/sbin/aide -c /etc/aide.conf -i;
    fi

    wait;
    cp ${dbdir}/${database_out_name} ${dbdir}/${database_name}

    # Need to report aide initialize/update failure. Since aide
    # update returns non-zero error codes even upon success, (return
    # codes 0 - 7), an easy way to determine an aide failure for
    # either initialization or update is to detect a copy failure. The
    # database out will not be created if the initialize/update fails.
    exit $?
    | EOF

  # In update_aide, retain output database for the SCAP Security Guide
  # OVAL check xccdf_org.ssgproject.content_rule_aide_build_database
  file { '/usr/local/sbin/update_aide':
    ensure  => 'file',
    owner   => 'root',
    group   => 'root',
    mode    => '0700',
    content => $_update_aide_script
  }

  # This is used to automatically update the database when the user
  # changes AIDE configuration.
  exec { 'update_aide_db':
    command     => '/usr/local/sbin/update_aide',
    refreshonly => true,
    require     => [
      Package['aide'],
      File['/usr/local/sbin/update_aide'],
      File[$dbdir],
      File[$logdir]
    ],
    timeout     => $aide_init_timeout
  }

  # CCE-27135-3
  # This makes sure the database is initialized, even if no
  # AIDE configuration has changed.
  exec { 'verify_aide_db_presence':
    command => '/usr/local/sbin/update_aide',
    onlyif  => "/usr/bin/test ! -f ${dbdir}/${database_name}",
    require => [
      Package['aide'],
      File['/usr/local/sbin/update_aide'],
      Concat['/etc/aide.conf'],
      Class['aide::default_rules'],
      File[$dbdir],
      File[$logdir]
    ],
    timeout => $aide_init_timeout
  }
}
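The 'cron_command' parameter and the comment inside the update_aide script above both hinge on one AIDE behaviour: 'aide --check' and 'aide --update' exit with 0 through 7 on a completed run (bit 1 = new files, bit 2 = removed files, bit 4 = changed files, OR'd together), so a wrapper that treats any non-zero status as failure will misreport ordinary findings as crashes, while a wrapper that ignores the status will miss genuine errors (values above 7; aide(1) lists the individual codes). The following POSIX shell functions are an added example, not code from the simp-aide module or the page; the function names 'aide_classify' and 'aide_db_ready' are hypothetical, and the demo at the bottom uses constructed values and a temporary file instead of running AIDE.

```shell
#!/bin/sh
# Added example (not part of simp-aide): interpret AIDE exit codes correctly.
# 0-7 = run completed (1 new, 2 removed, 4 changed, OR'd); >7 = AIDE error.

# Print a one-line classification for an AIDE exit status.
# Returns 0 if the run completed (status 0-7), 1 if AIDE itself failed (>7)
# or the argument is not a number.
aide_classify() {
    rc="$1"
    case "$rc" in
        ''|*[!0-9]*) echo "invalid status: $rc"; return 1 ;;
    esac
    if [ "$rc" -gt 7 ]; then
        echo "aide error (exit $rc)"
        return 1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "no changes"
        return 0
    fi
    findings=""
    [ $((rc & 1)) -ne 0 ] && findings="${findings}new "
    [ $((rc & 2)) -ne 0 ] && findings="${findings}removed "
    [ $((rc & 4)) -ne 0 ] && findings="${findings}changed "
    echo "changes detected: ${findings% }"
    return 0
}

# Decide whether a freshly written output database may replace the baseline.
# Mirrors the reasoning in the page's update_aide script: because 1-7 are also
# "success", the trustworthy signal is the run completing AND the output
# database existing. Args: exit status, path to the database_out file.
# Returns 0 when it is safe to copy database_out over database_name.
aide_db_ready() {
    rc="$1"; dbout="$2"
    aide_classify "$rc" >/dev/null || return 1
    [ -f "$dbout" ] || return 1
    return 0
}

# Demo with constructed values (no AIDE run). A cron_command wrapper would do:
#   /bin/nice -n 19 /usr/sbin/aide --check; aide_classify $? | logger -t aide
demo_dir=$(mktemp -d)
: > "$demo_dir/aide.db.new.gz"   # simulate an init/update that wrote its output
aide_classify 5                  # -> changes detected: new changed
aide_db_ready 5 "$demo_dir/aide.db.new.gz" && echo "ok to install new database"
aide_db_ready 21 "$demo_dir/aide.db.new.gz" || echo "refusing: aide reported an error"
rm -rf "$demo_dir"
```

Note that the page's update_aide script uses 'exit $?' after the 'cp', so the Puppet exec sees the copy's status rather than AIDE's; the functions above make that distinction explicit so it can be reused in a cron or systemd wrapper that logs findings separately from tool failures.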