From ff2b9adcb546e73907f9ee0587051706e27d259b Mon Sep 17 00:00:00 2001
From: Radovan Sroka
Date: Fri, 20 Dec 2024 02:14:32 +0100
Subject: [PATCH] feat: Allow setup aide inside of cron job
Signed-off-by: Radovan Sroka
---
 README.md | 27 +++++++++++++++++++++++++++
 defaults/main.yml | 14 ++++++++++++++
 examples/default.yml | 1 +
 tasks/main.yml | 14 ++++++++++++++
 tests/tests_check_cron.yml | 21 +++++++++++++++++++++
 5 files changed, 77 insertions(+)
 create mode 100644 tests/tests_check_cron.yml
diff --git a/README.md b/README.md
index b1a4250..91b6ec2 100644
--- a/README.md
+++ b/README.md
@@ -85,6 +85,33 @@ Default: `false`
 
 Type: `bool`
 
+### aide_cron_check
+
+Set up periodic cron check for aide
+
+Default: `false`
+
+Type: `bool`
+
+### aide_cron_interval
+
+Set check interval for cron
+
+``` yaml
+# Example of job definition:
+# .---------------- minute (0 - 59)
+# | .------------- hour (0 - 23)
+# | | .---------- day of month (1 - 31)
+# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
+# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
+# | | | | |
+# * * * * *
+```
+
+Default: `0 12 * * *`
+
+Type: `string`
+
 ## Example Playbook
 
 Including an example of how to use your role (for instance, with variables
diff --git a/defaults/main.yml b/defaults/main.yml
index f04914f..69a0f79 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -20,3 +20,17 @@ aide_check: false
 
 # Enable database update phase
 aide_update: false
+
+# Enable periodic check
+aide_cron_check: false
+
+# Example of job definition:
+# .---------------- minute (0 - 59)
+# | .------------- hour (0 - 23)
+# | | .---------- day of month (1 - 31)
+# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
+# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
+# | | | | |
+# * * * * *
+# Set cron check interval
+aide_cron_interval: "0 12 * * *"
diff --git a/examples/default.yml b/examples/default.yml
index 8bcc5b2..663b482 100644
--- a/examples/default.yml
+++ b/examples/default.yml
@@ -10,5 +10,6 @@
 aide_fetch_db: false
 aide_check: false
 aide_update: false
+ aide_cron_check: false
 ansible.builtin.include_role:
 name: linux-system-roles.aide
diff --git a/tasks/main.yml b/tasks/main.yml
index cc7484e..b8eaa7c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -104,3 +104,17 @@
 ansible.builtin.file:
 path: "{{ __aide_db_new_name }}"
 state: absent
+
+- name: Update aide check cron configuration if necessary
+ ansible.builtin.lineinfile:
+ path: /etc/crontab
+ regexp: "^.* root /usr/sbin/aide --check"
+ line: "{{ aide_cron_interval }} root /usr/sbin/aide --check"
+ when: aide_cron_check | bool
+
+- name: Remove aide check cron configuration if necessary
+ ansible.builtin.lineinfile:
+ path: /etc/crontab
+ state: absent
+ regexp: "^.* root /usr/sbin/aide --check"
+ when: not aide_cron_check | bool
diff --git a/tests/tests_check_cron.yml b/tests/tests_check_cron.yml
new file mode 100644
index 0000000..28dd9bf
--- /dev/null
+++ b/tests/tests_check_cron.yml
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: MIT
+---
+- name: Ensure that the cron is set up
+ hosts: all
+ gather_facts: false # test that role works in this case
+ roles:
+ - role: linux-system-roles.aide
+ vars:
+ aide_init: true
+ aide_cron_check: true
+ aide_cron_interval: "0 12 * * *"
+ tasks:
+ - name: Check file content
+ ansible.builtin.lineinfile:
+ path: /etc/crontab
+ regexp: "^0 12 \\* \\* \\* root /usr/bin/aide --check"
+ state: absent
+ check_mode: true
+ changed_when: false
+ vars:
+ __fingerprint: system_role:aide
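Review bot: The `line:` of the "Update aide check cron configuration" task in tasks/main.yml writes `aide_cron_interval` into /etc/crontab without validating it, so a malformed schedule or a value carrying a newline yields a broken or unintended root cron entry that only cron's own log reports. Add an `ansible.builtin.assert` ahead of it, e.g. `that: aide_cron_interval is match('^(\S+\s+){4}\S+$')`, with a `fail_msg` naming the variable. `regexp: "^.* root /usr/sbin/aide --check"` also matches a commented-out entry such as `#0 12 * * * root /usr/sbin/aide --check`, which the update task would silently reactivate; anchoring the pattern on the schedule fields, or managing the entry with `ansible.builtin.cron` (`name`, `cron_file`, `user: root`, `state`), avoids this and keeps the role out of the shared system crontab. Because the default is `false`, the removal task runs on every plain invocation and deletes any matching entry an administrator maintained by hand, which the README should state.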
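Review bot: The "Check file content" task in tests/tests_check_cron.yml cannot fail: its `regexp` looks for `/usr/bin/aide` while tasks/main.yml writes `/usr/sbin/aide`, and with `state: absent`, `check_mode: true` and `changed_when: false` the task succeeds whether or not the line is present. Fix the path to `/usr/sbin/aide` and make the task assert presence by replacing `changed_when: false` with `register: __aide_cron_result` and `failed_when: not __aide_cron_result.changed`; in check mode `state: absent` reports `changed` exactly when a matching line exists. The play also never runs the role with `aide_cron_check: false`, so the removal task is untested.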