Ansible-Bootstrap/roles/cis/tasks/aide.yml

---
- name: Install AIDE
  when: cis_effective_rules.aide | default(false)
  # Debian's aideinit lives in aide-common (only Recommended, so absent under
  # the installer's --no-install-recommends); pull it explicitly.
  ansible.builtin.command: "{{ cis_pkg_install }} {{ 'aide aide-common' if is_debian | bool else 'aide' }}"
  register: cis_aide_install
  changed_when: cis_aide_install.rc == 0

- name: Initialize the AIDE database
  when: cis_effective_rules.aide | default(false)
  # Absolute path: arch-chroot's PATH omits /usr/sbin, so bare aide/aideinit is rc127.
  # Debian's aideinit assembles its split config; RHEL/Arch run --init on /etc/aide.conf.
  ansible.builtin.command: "{{ chroot_command }} {{ '/usr/sbin/aideinit -y -f' if is_debian | bool else '/usr/sbin/aide --init' }}"
  register: cis_aide_init
  changed_when: cis_aide_init.rc == 0

- name: Locate the freshly built AIDE database
  when: cis_effective_rules.aide | default(false)
  ansible.builtin.find:
    paths: /mnt/var/lib/aide
    patterns: "aide.db.new*"
  register: cis_aide_newdb

- name: Activate the AIDE database
  when:
    - cis_effective_rules.aide | default(false)
    - cis_aide_newdb.files | length > 0
  ansible.builtin.copy:
    src: "{{ cis_aide_newdb.files[0].path }}"
    dest: "{{ cis_aide_newdb.files[0].path | regex_replace('\\.new', '') }}"
    remote_src: true
    mode: "0600"

- name: Schedule the daily AIDE integrity check
  when: cis_effective_rules.aide | default(false)
  ansible.builtin.copy:
    dest: /mnt/etc/cron.d/cis-aide
    mode: "0644"
    content: |
      PATH=/usr/sbin:/usr/bin:/sbin:/bin
      {{ cis_cfg.aide_cron_minute }} {{ cis_cfg.aide_cron_hour }} * * * root aide --check