Add AIDE check to CIS playbook

stackhpc-ci · stackhpc-ci · commit 9dadc7f5a62a · 2025-10-23T12:27:59.000+01:00
Added a new play to the CIS playbook to ensure existing AIDE
installations are cleaned before applying CIS hardening for the first
time on Ubuntu Noble. Existing installations can become corrupted during
Jammy-Noble Upgrades
diff --git a/etc/kayobe/ansible/maintenance/cis.yml b/etc/kayobe/ansible/maintenance/cis.yml
@@ -1,5 +1,51 @@
 ---
-- name: Security hardening
+- name: CIS - Ensure existing AIDE installation is cleaned
+  hosts: cis-hardening
+  become: true
+  tags:
+    - cis
+  gather_facts: true
+  tasks:
+    - name: Gather package facts
+      ansible.builtin.package_facts:
+        manager: auto
+
+    - name: Check if AIDE cleanup has already run
+      ansible.builtin.stat:
+        path: /opt/kayobe/aide/aide_cleanup_complete.flag
+      register: aide_cleanup_flag
+
+    - name: Cleanup existing AIDE config
+      when:
+        - "'aide' in ansible_facts.packages"
+        - not aide_cleanup_flag.stat.exists
+        - ansible_facts.distribution == 'Ubuntu'
+      block:
+        - name: Ensure AIDE packages is removed
+          ansible.builtin.apt:
+            name:
+              - aide
+              - aide-common
+            state: absent
+            purge: true
+
+        - name: Ensure flag directory exists
+          ansible.builtin.file:
+            path: /opt/kayobe/aide
+            state: directory
+            mode: '0755'
+            owner: stack
+            group: stack
+
+        - name: Create flag file to prevent re-running cleanup
+          ansible.builtin.file:
+            path: /opt/kayobe/aide/aide_cleanup_complete.flag
+            state: touch
+            mode: '0644'
+            owner: stack
+            group: stack
+
+- name: CIS - General Prerequisites
   hosts: cis-hardening
   become: true
   tags:
@@ -31,6 +77,12 @@
         - "{{ kayobe_ansible_user }}"
         - "{{ kolla_ansible_user }}"
 
+- name: Security hardening
+  hosts: cis-hardening
+  become: true
+  tags:
+    - cis
+  tasks:
     - name: Run CIS hardening role (RHEL 9)
       ansible.builtin.include_role:
         name: ansible-lockdown.rhel9_cis
diff --git a/etc/kayobe/inventory/group_vars/cis-hardening/cis b/etc/kayobe/inventory/group_vars/cis-hardening/cis
@@ -98,6 +98,9 @@ ubtu24cis_syslog_service: journald
 # Allow rsync server
 ubtu24cis_rsync_server: true
 
+# AIDE is very slow to init, especially on an AIO in CI
+ubtu24cis_aide_init_async: 1800
+
 # Do not change Chrony Time servers
 ubtu24cis_rule_2_3_3_1: false
 ubtu24cis_rule_2_3_3_2: false
@@ -152,8 +155,6 @@ ubtu24cis_ownership_adjust: false
 ubtu24cis_no_world_write_adjust: false
 ubtu24cis_suid_sgid_adjust: false
 
-# Prevent hardening from recursivley changing permissions on log files
-
 # Configure log rotation to prevent audit logs from filling the disk
 ubtu24cis_auditd:
   action_mail_acct: root
