feat(cis): add selectable profile and per-rule hardening toggles

roles/cis/tasks/aide.yml

@@ -0,0 +1,42 @@
+---
+- name: Install AIDE
+  when: cis_effective_rules.aide | default(false)
+  # Debian's aideinit lives in aide-common (only Recommended, so absent under
+  # the installer's --no-install-recommends); pull it explicitly.
+  ansible.builtin.command: "{{ cis_pkg_install }} {{ 'aide aide-common' if is_debian | bool else 'aide' }}"
+  register: cis_aide_install
+  changed_when: cis_aide_install.rc == 0
+
+- name: Initialize the AIDE database
+  when: cis_effective_rules.aide | default(false)
+  # Absolute path: arch-chroot's PATH omits /usr/sbin, so bare aide/aideinit is rc127.
+  # Debian's aideinit assembles its split config; RHEL/Arch run --init on /etc/aide.conf.
+  ansible.builtin.command: "{{ chroot_command }} {{ '/usr/sbin/aideinit -y -f' if is_debian | bool else '/usr/sbin/aide --init' }}"
+  register: cis_aide_init
+  changed_when: cis_aide_init.rc == 0
+
+- name: Locate the freshly built AIDE database
+  when: cis_effective_rules.aide | default(false)
+  ansible.builtin.find:
+    paths: /mnt/var/lib/aide
+    patterns: "aide.db.new*"
+  register: cis_aide_newdb
+
+- name: Activate the AIDE database
+  when:
+    - cis_effective_rules.aide | default(false)
+    - cis_aide_newdb.files | length > 0
+  ansible.builtin.copy:
+    src: "{{ cis_aide_newdb.files[0].path }}"
+    dest: "{{ cis_aide_newdb.files[0].path | regex_replace('\\.new', '') }}"
+    remote_src: true
+    mode: "0600"
+
+- name: Schedule the daily AIDE integrity check
+  when: cis_effective_rules.aide | default(false)
+  ansible.builtin.copy:
+    dest: /mnt/etc/cron.d/cis-aide
+    mode: "0644"
+    content: |
+      PATH=/usr/sbin:/usr/bin:/sbin:/bin
+      {{ cis_cfg.aide_cron_minute }} {{ cis_cfg.aide_cron_hour }} * * * root aide --check