pupmod-simp-aide

Table of Contents

• Description
• Setup
  • What aide affects
  • Setup Requirements
• Usage
• Reference
• Limitations
• Development

Description

Sets up a functioning AIDE system.

Setup

What aide affects

Manages the following:

• aide package
• The following files and directories:
  • /etc/aide.conf
  • /etc/aide.conf.d/
  • /var/lib/aide/
  • /var/log/aide/

Setup Requirements

This module requires the following:

• puppetlabs-stdlib
• simp-auditd
• simp-logrotate
• simp-rsyslog
• simp-simplib

Usage

class { 'aide': }

Reference

See REFERENCE.md for the full module reference.

Limitations

SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.

Development

Please read our Contribution Guide.

If you find any issues, they can be submitted to our JIRA.

Reference

Table of Contents

Classes

• aide: Sets up a functioning AIDE system. Many parameters were plucked directly from the aide.conf(5) man page.
• aide::default_rules: A helper class to keep the main AIDE class relatively readable.
• aide::logrotate: A class that sets up the logrotate state for aide.
• aide::set_schedule: Sets a schedule for AIDE to run a check on your system
• aide::syslog: Persist aide syslog log messages, including report output, to a local file.

Defined types

• aide::rule: This define adds rules to the AIDE configuration. Rules are added to /etc/aide.conf.d unless otherwise specified.

Data types

• Aide::Rotateperiod: The AIDE rotation period
• Aide::SyslogFacility: The AIDE syslog facility

Classes

aide

Sets up a functioning AIDE system.

Many parameters were plucked directly from the aide.conf(5) man page.

Parameters

The following parameters are available in the aide class:

• dbdir
• logdir
• database_name
• database_out_name
• gzip_dbout
• verbose
• report_urls
• aliases
• ruledir
• rules
• enable
• minute
• hour
• monthday
• month
• weekday
• cron_method
• systemd_calendar
• cron_command
• default_rules
• logrotate
• rotate_period
• rotate_number
• syslog
• syslog_facility
• auditd
• aide_init_timeout
• package_ensure

dbdir

Data type: Stdlib::Absolutepath

The AIDE database directory, DBDIR.

Default value: '/var/lib/aide'

logdir

Data type: Stdlib::Absolutepath

The AIDE log directory, LOGDIR.

Default value: '/var/log/aide'

database_name

Data type: String

The name of the database file within DBDIR.

Default value: 'aide.db.gz'

database_out_name

Data type: String

The name of the database out file within DBDIR.

Default value: 'aide.db.new.gz'

gzip_dbout

Data type: Variant[Enum['yes','no'],Boolean]

Whether to compress the output database.

Default value: 'yes'

verbose

Data type:

Variant[
    Integer[0, 255],
    Pattern[/\A(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\z/]
  ]

The verbosity of the output messages.

Default value: 5

report_urls

Data type: Array[String]

An array of report URLs. A syslog report URL will be automatically added to this list when syslog is set to true.

Default value: [ 'file:@@{LOGDIR}/aide.report']

aliases

Data type: Array[String]

A set of common aliases that may be used within the AIDE configuration file. It is not recommended that these be changed.

ruledir

Data type: Stdlib::Absolutepath

The directory to include for all additional rules.

Default value: '/etc/aide.conf.d'

rules

Data type: Variant[Hash,Array[String]]

A hash of aide::rule resources to create. In previous versions, this parameter was used to specify an array of rule files to include. This is now automatic. Passing an array to this parameter is deprecated, does nothing, and may be removed completely in a future release of this module.

Default value: {}

enable

Data type: Boolean

Whether or not to enable AIDE to run on a periodic schedule. Enabling this meets CCE-27222-9.

This is 'false' by default since AIDE is quite stressful on the system and should be enabled after a good understanding of the performance impact.

Default value: false

minute

Data type: Simplib::Cron::Minute

minute cron parameter for when the AIDE check is run

Default value: fqdn_rand(59)

hour

Data type: Simplib::Cron::Hour

hour cron parameter for when the AIDE check is run

Default value: 4

monthday

Data type: Simplib::Cron::Monthday

monthday cron parameter for when the AIDE check is run

Default value: '*'

month

Data type: Simplib::Cron::Month

month cron parameter for when the AIDE check is run

Default value: '*'

weekday

Data type: Simplib::Cron::Weekday

weekday cron parameter for when the AIDE check is run

Default value: 0

cron_method

Data type: Enum['root', 'etc', 'systemd']

Set to the preferred method for scheduling the job

• systemd => systemd timer (default)

• root => root's crontab (legacy)

• etc => /etc/crontab (scanner compat)

• Methods that are not selected will be disabled

Default value: 'systemd'

systemd_calendar

Data type: Optional[String[1]]

An exact systemd calendar string

• Overrides all other scheduling parameters
• Will not be validated

Default value: undef

cron_command

Data type: String[1]

command cron parameter for when AIDE check is run

Default value: '/bin/nice -n 19 /usr/sbin/aide --check'

default_rules

Data type: Variant[Array[String[1]],String]

A set of default rules to include. If this is set, the internal defaults will be overridden.

logrotate

Data type: Boolean

Whether to use logrotate. If set to 'true', Hiera can be used to set the variables in aide::logrotate

Default value: simplib::lookup('simp_options::logrotate', { 'default_value' => false})

rotate_period

Data type: Aide::Rotateperiod

The logrotate period at which to rotate the logs.

Default value: 'weekly'

rotate_number

Data type: Integer

The number of log files to preserve on the system.

Default value: 4

syslog

Data type: Boolean

Whether to send the AIDE output to syslog, in addition to the local report file. Use Hiera to set the parameters on aide::syslog appropriately if you don't care for the defaults.

Default value: simplib::lookup('simp_options::syslog', { 'default_value' => false })

syslog_facility

Data type: Aide::SyslogFacility

The syslog facility to use for the AIDE output syslog messages.

Default value: 'LOG_LOCAL6'

auditd

Data type: Boolean

Whether to add rules for changes to the aide configuration.

Default value: simplib::lookup('simp_options::auditd', { 'default_value' => false })

aide_init_timeout

Data type: Integer

Maximum time to wait in seconds for AIDE database initialization

Default value: $facts['processors']['count'] ? { 1 => 1200, default => 300

package_ensure

Data type: String

The ensure status of packages to be managed

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

aide::default_rules

A helper class to keep the main AIDE class relatively readable.

Parameters

The following parameters are available in the aide::default_rules class:

• default_rules
• ruledir

default_rules

Data type: Variant[Array[String[1]],String]

A set of default rules to include. If this is set, the internal defaults will be overridden.

Default value: $aide::default_rules

ruledir

Data type: Stdlib::Absolutepath

The directory in which the default rules file will be written.

Default value: $aide::ruledir

aide::logrotate

A class that sets up the logrotate state for aide.

Parameters

The following parameters are available in the aide::logrotate class:

• logdir
• rotate_period
• rotate_number

logdir

Data type: Stdlib::Absolutepath

Directory containing the logs to be rotated. The logs in that directory are assumed to end with '.log'.

Default value: $::aide::logdir

rotate_period

Data type: Aide::Rotateperiod

The logrotate period at which to rotate the logs.

Default value: $::aide::rotate_period

rotate_number

Data type: Integer

The number of log files to preserve on the system.

Default value: $::aide::rotate_number

aide::set_schedule

Sets a schedule for AIDE to run a check on your system

Parameters

The following parameters are available in the aide::set_schedule class:

• method
• systemd_calendar
• minute
• hour
• monthday
• month
• weekday
• command

method

Data type: Enum['root', 'etc', 'systemd']

How you wish to schedule the run

Default value: pick(getvar('aide::cron_method'), 'systemd')

systemd_calendar

Data type: Optional[String[1]]

If $method is systemd, set this exact calendar string

This is not verified, use systemd-analyze calendar on a modern system to ensure that you have a valid string

Default value: getvar('aide::systemd_calendar')

minute

Data type: Simplib::Cron::Minute

minute cron parameter

Default value: pick(getvar('aide::minute'), fqdn_rand(59))

hour

Data type: Simplib::Cron::Hour

hour cron parameter

Default value: pick(getvar('aide::hour'), 4)

monthday

Data type: Simplib::Cron::Monthday

monthday cron parameter

Default value: pick(getvar('aide::monthday'), '*')

month

Data type: Simplib::Cron::Month

month cron parameter

Default value: pick(getvar('aide::month'), '*')

weekday

Data type: Simplib::Cron::Weekday

weekday cron parameter

Default value: pick(getvar('aide::weekday'), 0)

command

Data type: String

command cron parameter

Default value: pick(getvar('aide::cron_command'), '/bin/nice -n 19 /usr/sbin/aide --check')

aide::syslog

Persist aide syslog log messages, including report output, to a local file.

Parameters

The following parameters are available in the aide::syslog class:

• logdir

logdir

Data type: Stdlib::Absolutepath

The AIDE log directory.

Default value: $::aide::logdir

Defined types

aide::rule

This define adds rules to the AIDE configuration. Rules are added to /etc/aide.conf.d unless otherwise specified.

Examples

Rule to ignore changes to /tmp

aide::rule { 'tmp':
  rules => '!/tmp'
}

Parameters

The following parameters are available in the aide::rule defined type:

• name
• rules
• ruledir
• order

name

rules

Data type: String

The actual string that should be written into the rules file. Leading spaces are stripped so that you can format your manifest in a more readable fashion.

ruledir

Data type: Stdlib::Absolutepath

The directory within which all additional rules should be written. This MUST be the same value as that entered in aide::conf if you want the system to work properly. Default: '/etc/aide.conf.d'

Default value: '/etc/aide.conf.d'

order

Data type: String

Order of aide rules can be significant. This parameter can be used to control the order of included rule files.

Default value: '999'

Data types

Aide::Rotateperiod

The AIDE rotation period

Alias of Enum['daily', 'weekly', 'monthly', 'yearly']

Aide::SyslogFacility

The AIDE syslog facility

Alias of Enum['LOG_KERN', 'LOG_USER', 'LOG_MAIL', 'LOG_DAEMON', 'LOG_AUTH', 'LOG_SYSLOG', 'LOG_LPR', 'LOG_NEWS', 'LOG_UUCP', 'LOG_CRON', 'LOG_LOCAL0', 'LOG_LOCAL1', 'LOG_LOCAL2', 'LOG_LOCAL3', 'LOG_LOCAL4', 'LOG_LOCAL5', 'LOG_LOCAL6', 'LOG_LOCAL7']

• Fri Sep 13 2024 Steven Pritchard steve@sicura.us - 6.12.0

• [puppetsync] Update module dependencies to support simp-iptables 7.x

• Wed Jan 17 2024 Richard Gardner rick@sicura.us - 6.11.1

• Updated hiera.yaml facts to support puppet 8

• Mon Oct 23 2023 Steven Pritchard steve@sicura.us - 6.11.0

• [puppetsync] Add EL9 support

• Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 6.10.0

• [puppetsync] Updates for Puppet 8
  • These updates may include the following:
    • Update Gemfile
    • Add support for Puppet 8
    • Drop support for Puppet 6
    • Update module dependencies

• Thu Aug 31 2023 Steven Pritchard steve@sicura.us - 6.9.0

• Add AlmaLinux 8 support

• Fri Jul 28 2023 Trey Dockendorf tdockendorf@box.com - 6.8.0

• Support stdlib 9.x

• Mon Jul 24 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 6.7.0

• Add RockyLinux 8 support

• Fri Jun 03 2022 Chris Tessmer chris.tessmer@onyxpoint.com - 6.6.0

• Update from camptocamp/systemd to puppet/systemd

• Mon Jun 14 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.5.0

• Removed support for Puppet 5
• Ensured support for Puppet 7 in requirements and stdlib

• Thu Jun 10 2021 Trevor Vaughan tvaughan@onyxpoint.com - 6.5.0

• Changed
  • Default to systemd for scheduling
  • Use --check instead of -C by default to match what most scanners expect
  • Randomize the minute field so that I/O load is reduced on hosting platforms
• Added
  • Puppet 7 support
  • Allow users to choose between the following options:
    • systemd => Default - Use systemd timers
    • root => Legacy - Update root's crontab
    • etc => Scanner Compat - Update /etc/crontab using Augeas
  • When one method is chosen, the others will be disabled
• Removed
  • Puppet 5 support

• Wed Feb 03 2021 Liz Nemsick lnemsick.simp@gmail.com - 6.4.3

• Expanded simp/rsyslog dependendency range to < 9.0.0.

• Thu Dec 17 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 6.4.3

• Removed EL6 support

• Wed Apr 29 2020 Trevor Vaughan tvaughan@onyxpoint.com 6.4.2-0

• Update the EL8 ciphers to be safe on FIPS systems by default
  • Do not use the built-in aliases
• Remove overrides for aide::aliases on EL8 since it works properly in FIPS mode

• Wed Feb 12 2020 Alexander Fisher alex@linfratech.co.uk 6.4.1-0

• Fix badge URLs in README

• Thu Jan 23 2020 Alexander Fisher alex@linfratech.co.uk 6.4.0-0

• Automatically add @@include lines to aide.conf Previously, when declaring aide::rule resources, it was also necessary to add the rule name to the $aide::rules array. By switching to using concat this is no longer necessary. Instead the rules parameter is repurposed to accept a hash of aide::rule resources.

• Wed Dec 11 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.4.0-0

• Add EL8 support
• Move the default rules to data in modules
• Make simp-logrotate, simp-syslog, and simp-auditd optional dependencies

• Wed Aug 14 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.3.1-0

• With contributions from ischmidt1235 on GitHub
• Add InSpec compliance tests
• Fix bug in Compliance Engine data
• Add SCAP compliance tests

• Thu Jun 06 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 6.3.0-0

• Add v2 compliance_markup data
• Drop support for Puppet 4
• Add support for Puppet 6
• Add support for puppetlabs-stdlib 6

• Tue Mar 19 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.2.2-0

• Replace use of simplib's deprecated Puppet 3 validate_between with Simplib::Cron::* types. This change allows more flexibility in cron scheduling.

• Thu Mar 07 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.2.1-0

• Update the upper bound of stdlib to < 6.0.0
• Update a URL in the README.md

• Mon Oct 29 2018 Jeanne Greoulich jeanne.greulich@onyxpoint.com - 6.2.0-0

• Update badges in README.md
• Static asset update for puppet 5

• Thu Oct 11 2018 Nick Miller nick.miller@onyxpoint.com - 6.2.0-0

• Added $package_ensure parameter
  • Changed the package from 'latest' to 'installed'
  • It will also respect simp_options::package_ensure

• Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.2.0-0

• Update Hiera 4 to Hiera 5

• Fri Jul 13 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.4-0

• Tested against Puppet 5 and Oracle Linux

• Thu Jul 12 2018 Trey Dockendorf tdockendorf@osc.edu - 6.1.3-0

• Add aide::cron_command to allow user modification.
• Ensure that the package is explicitly installed before any dependent resources.

• Tue Jun 26 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.1.3-0

• Update version range of auditd dependency in metadata.json

• Thu Nov 30 2017 Steven Pritchard steven.pritchard@onyxpoint.com - 6.1.2-0

• Update README.md from puppet strings

• Thu Oct 26 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.1.1-0

• Retain output database upon AIDE database update for SCAP Security Guide OVAL check xccdf_org.ssgproject.content_rule_aide_build_database

• Tue Sep 05 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.1.0-0

• Fixed bug whereby aide reports/errors were not being sent to syslog. AIDE can now be configured to report to syslog, itself.
• Use FIPS-appropriate hash algorithms when in FIPS mode
• No longer hide AIDE initialization failures (which are primarily configuration errors) when a manifest with the aide class is applied.
• Improved acceptance tests.
• Commented out SUSE acceptance test node, as the node configuration is broken.

• Wed Apr 19 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.1-0

• Updated logrotate to use new lastaction API
• Confine puppet version in metadata.json

• Wed Jan 25 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-0

• Updated calls to aide::rule and auditd::rule

• Tue Dec 13 2016 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0

• Strong typed the module.

• Wed Dec 07 2016 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0

• Updated catalysts to take defaults from simp_options

• Wed Nov 23 2016 Jeanne Greulich jgreulich@onypoint.com - 5.0.0-2016

• Bump major version for SIMP 6

• Fri Nov 18 2016 Chris Tessmer chris.tessmer@onypoint.com - 4.1.3-0

• Removed compliance map dependency

• Tue May 17 2016 Chris Tessmer chris.tessmer@onypoint.com - 4.1.1-0

• Sanitize code for STRICT_VARIABLES=yes

• Thu Mar 10 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-10

• Updated for Puppet 4 compatibility

• Wed Feb 10 2016 Ralph Wright ralph.wright@onypoint.com - 4.1.0-9

• Added compliance function support

• Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-8

• migration to simplib and simpcat (lib/ only)

• Fri Jul 31 2015 Kendall Moore kmoore@keywcorp.com - 4.1.0-7

• Updated logging configuration to work with new rsyslog module.

• Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-6

• Changed calls directly to /etc/init.d/rsyslog to '/sbin/service rsyslog' so that both RHEL6 and RHEL7 are properly supported.
• Migrated to the new 'simp' environment.

• Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-5

• Changed puppet-server requirement to puppet

• Tue Jul 08 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-4

• Modified the grub regex to work with grub2.

• Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-3

• Removed MD5 file checksums for FIPS compliance.

• Mon Apr 07 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-2

• Added validation for instance variables.
• Added spec tests.

• Sat Feb 15 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-1

• Converted all boolean strings to native booleans.

• Fri Nov 08 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0

• Rearchitected the entire module to eliminate all singleton defines and work better with a Hiera-based architecture.

• Thu Oct 03 2013 - Nick Markowski nmarkowski@keywcorp.com - 4.0.0-8

• Updated template to reference instance variables with @

• Tue Jan 8 2013 Maintenance 4.0.0-7

• Created a test to install the aide module and make sure that a modified file will be detected.

• Thu Dec 13 2012 Maintenance 4.0.0-6

• Updated to require pupmod-common >= 2.1.1-2 so that upgrading an old system works properly.

• Tue Sep 18 2012 Maintenance 4.0.0-5

• Updated all references of /etc/modprobe.conf to /etc/modprobe.d/00_simp_blacklist.conf as modprobe.conf is now deprecated.

• Wed Apr 11 2012 Maintenance 4.0.0-4

• Moved mit-tests to /usr/share/simp...
• Updated pp files to better meet Puppet's recommended style guide.

• Fri Mar 02 2012 Maintenance 4.0.0-3

• Improved test stubs.

• Tue Jan 31 2012 Maintenance 4.0.0-2

• Added test stubs.

• Mon Dec 26 2011 Maintenance 4.0.0-1

• Updated to build without building the filelist separately.

• Mon Nov 07 2011 Maintenance 4.0.0-0

• Fixed call to rsyslog restart for RHEL6.

• Fri Nov 04 2011 Maintenance 2.0.0-2

• Fixed a bug in the logrotate call for aide.

• Fri Jul 15 2011 Maintenance 2.0.0-1

• Updated to use logrotate by default for AIDE log files.

• Tue Jan 11 2011 Maintenance 2.0.0-0

• Refactored for SIMP-2.0.0-alpha release

• Tue Oct 26 2010 Maintenance - 1-2

• Converting all spec files to check for directories prior to copy.

• Wed Jul 21 2010 Maintenance 1.0-1

• More refactoring.
• Updates to increase configurability.

• Wed May 19 2010 Maintenance 1.0-0

• Code refactor.