diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/debian.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/debian.yml index 5e46651fd48f..91cc470cccbd 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/debian.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/debian.yml @@ -9,14 +9,14 @@ name: aide state: present -- name: "{{{ rule_title }}} - Check if DB Path in /etc/aide/aide.conf Is Already Set" +- name: "{{{ rule_title }}} - Check if DB In Path in /etc/aide/aide.conf Is Already Set" ansible.builtin.lineinfile: path: /etc/aide/aide.conf - regexp: ^#?(\s*)(database=)(.*)$ + regexp: ^#?(\s*)({{ aide_db_in_key }}=)(.*)$ state: absent check_mode: true changed_when: false - register: database_replace + register: database_in_replace - name: "{{{ rule_title }}} - Check if DB Out Path in /etc/aide/aide.conf Is Already Set" ansible.builtin.lineinfile: @@ -27,13 +27,13 @@ changed_when: false register: database_out_replace -- name: "{{{ rule_title }}} - Fix DB Path in Config File if Necessary" +- name: "{{{ rule_title }}} - Fix DB In Path in Config File if Necessary" ansible.builtin.lineinfile: path: /etc/aide/aide.conf - regexp: ^#?(\s*)(database)(\s*)=(\s*)(.*)$ + regexp: ^#?(\s*)({{ aide_db_in_key }})(\s*)=(\s*)(.*)$ line: \2\3=\4file:/var/lib/aide/aide.db backrefs: true - when: database_replace.found > 0 + when: database_in_replace.found > 0 - name: "{{{ rule_title }}} - Fix DB Out Path in Config File if Necessary" ansible.builtin.lineinfile: 
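Review bot: `{{ aide_db_in_key }}` is consumed by the `Check if DB In Path` and `Fix DB In Path` tasks in this file, but the fact is only defined by the new `Set AIDE DB Key` task in shared.yml. As far as I can tell from this project's layout, a product-specific remediation such as debian.yml or ubuntu.yml is used instead of shared.yml rather than layered on top of it; if that holds, the variable is undefined when this playbook runs and the first lineinfile task fails before touching /etc/aide/aide.conf. The `package_facts` and `set_fact` tasks should be repeated in this file ahead of the first use, and the same applies to the ubuntu.yml hunks further down, which are byte-for-byte the same change. The regexp values stay unquoted plain scalars, which is safe only because they begin with `^` rather than `{`; quoting them, `regexp: '^#?(\s*)({{ aide_db_in_key }}=)(.*)$'`, would make that robust against future edits.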
@@ -43,14 +43,14 @@ backrefs: true when: database_out_replace.found > 0 -- name: "{{{ rule_title }}} - Ensure the Default DB Path is Added" +- name: "{{{ rule_title }}} - Ensure the Default DB In Path is Added" ansible.builtin.lineinfile: path: /etc/aide/aide.conf - line: database=file:/var/lib/aide/aide.db + line: "{{ aide_db_in_key }}=file:/var/lib/aide/aide.db" create: true - when: database_replace.found == 0 + when: database_in_replace.found == 0 -- name: "{{{ rule_title }}} - Ensure the Default Out Path is Added" +- name: "{{{ rule_title }}} - Ensure the Default DB Out Path is Added" ansible.builtin.lineinfile: path: /etc/aide/aide.conf line: database_out=file:/var/lib/aide/aide.db.new diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/shared.yml index 3255fa424d66..8ef80f887df5 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/shared.yml @@ -26,6 +26,15 @@ with_items: - aide +- name: "{{{ rule_title }}} - Gather AIDE Package Facts" + ansible.builtin.package_facts: + manager: auto + filter: aide + +- name: "{{{ rule_title }}} - Set AIDE DB Key" + ansible.builtin.set_fact: + aide_db_in_key: "{{ 'database_in' if (ansible_facts.packages['aide'][0].version is version('0.17', '>=')) else 'database' }}" + - name: "{{{ rule_title }}} - Check Whether the Stock AIDE Database Exists" ansible.builtin.stat: path: {{{ aide_stage_src }}} diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/ubuntu.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/ubuntu.yml index 4ec7a4fed8fe..7f527fce5b6d 100644 
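Review bot: The `aide_db_in_key` value in shared.yml's new `Set AIDE DB Key` task is a single line of roughly 120 characters; folding it with `aide_db_in_key: >-` and breaking the expression before `if` and before `else` (all three lines at the same indent so nothing is kept verbatim) yields the identical string and keeps the task readable. `ansible_facts.packages['aide'][0].version` is the full version string reported by the package manager; the `version` test's default loose comparison copes with a Debian revision suffix, but if a packaging epoch (`N:`) were ever present it would be compared first, so stripping it with `| regex_replace('^[0-9]+:', '')` before the test would make the check robust. The lookup also raises if `aide` is absent from the gathered facts; the install task earlier in shared.yml should prevent that, but it is worth noting in a comment since the task has no guard of its own.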
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/ubuntu.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/ubuntu.yml @@ -9,14 +9,14 @@ name: aide state: present -- name: "{{{ rule_title }}} - Check if DB Path in /etc/aide/aide.conf Is Already Set" +- name: "{{{ rule_title }}} - Check if DB In Path in /etc/aide/aide.conf Is Already Set" ansible.builtin.lineinfile: path: /etc/aide/aide.conf - regexp: ^#?(\s*)(database=)(.*)$ + regexp: ^#?(\s*)({{ aide_db_in_key }}=)(.*)$ state: absent check_mode: true changed_when: false - register: database_replace + register: database_in_replace - name: "{{{ rule_title }}} - Check if DB Out Path in /etc/aide/aide.conf Is Already Set" ansible.builtin.lineinfile: @@ -27,13 +27,13 @@ changed_when: false register: database_out_replace -- name: "{{{ rule_title }}} - Fix DB Path in Config File if Necessary" +- name: "{{{ rule_title }}} - Fix DB In Path in Config File if Necessary" ansible.builtin.lineinfile: path: /etc/aide/aide.conf - regexp: ^#?(\s*)(database)(\s*)=(\s*)(.*)$ + regexp: ^#?(\s*)({{ aide_db_in_key }})(\s*)=(\s*)(.*)$ line: \2\3=\4file:/var/lib/aide/aide.db backrefs: true - when: database_replace.found > 0 + when: database_in_replace.found > 0 - name: "{{{ rule_title }}} - Fix DB Out Path in Config File if Necessary" ansible.builtin.lineinfile: 
@@ -43,14 +43,14 @@ backrefs: true when: database_out_replace.found > 0 -- name: "{{{ rule_title }}} - Ensure the Default DB Path is Added" +- name: "{{{ rule_title }}} - Ensure the Default DB In Path is Added" ansible.builtin.lineinfile: path: /etc/aide/aide.conf - line: database=file:/var/lib/aide/aide.db + line: "{{ aide_db_in_key }}=file:/var/lib/aide/aide.db" create: true - when: database_replace.found == 0 + when: database_in_replace.found == 0 -- name: "{{{ rule_title }}} - Ensure the Default Out Path is Added" +- name: "{{{ rule_title }}} - Ensure the Default DB Out Path is Added" ansible.builtin.lineinfile: path: /etc/aide/aide.conf line: database_out=file:/var/lib/aide/aide.db.new diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/bash/debian.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/bash/debian.sh index 73d394c6f25d..84099e5f1759 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/bash/debian.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/bash/debian.sh 
@@ -2,21 +2,21 @@ {{{ bash_package_install("aide") }}} +AIDE_VERSION=$(aide -v | grep -oP 'aide \K[0-9]+\.[0-9]+') +if [ "$(echo "$AIDE_VERSION >= 0.17" | bc -l)" -eq 1 ]; then + AIDE_DB__KEY="database_in" +else + AIDE_DB_IN_KEY="database" +fi AIDE_CONFIG=/etc/aide/aide.conf DEFAULT_DB_PATH=/var/lib/aide/aide.db # Fix db path in the config file, if necessary -{{% if product == 'debian13' %}} -if ! grep -q '^database_in=file:' ${AIDE_CONFIG}; then - echo "database_in=file:${DEFAULT_DB_PATH}" >> ${AIDE_CONFIG} -fi -{{% else %}} -if ! grep -q '^database=file:' ${AIDE_CONFIG}; then +if ! grep -q "^${AIDE_DB_IN_KEY}=file:" ${AIDE_CONFIG}; then # replace_or_append gets confused by 'database=file' as a key, so should not be used. #replace_or_append "${AIDE_CONFIG}" '^database=file' "${DEFAULT_DB_PATH}" '@CCENUM@' '%s:%s' - echo "database=file:${DEFAULT_DB_PATH}" >> ${AIDE_CONFIG} + echo "${AIDE_DB_IN_KEY}=file:${DEFAULT_DB_PATH}" >> ${AIDE_CONFIG} fi -{{% endif %}} # Fix db out path in the config file, if necessary if ! grep -q '^database_out=file:' ${AIDE_CONFIG}; then diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/bash/ubuntu.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/bash/ubuntu.sh index 0bf4bbc76e97..6d382f98fdbd 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/bash/ubuntu.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/bash/ubuntu.sh 
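Review bot: The then-branch of the new version check assigns `AIDE_DB__KEY` (double underscore, no `IN`) while every later line reads `AIDE_DB_IN_KEY`, so on AIDE 0.17 or newer the key expands to nothing, the grep looks for `^=file:`, and the script appends a malformed `=file:/var/lib/aide/aide.db` line to aide.conf; the fix is `AIDE_DB_IN_KEY="database_in"`. The same typo is pasted into ubuntu.sh and both test scripts below. The comparison itself is fragile: it relies on `bc` being installed and on `aide -v` printing a lowercase `aide N.N` token on stdout, and if either assumption fails `AIDE_VERSION` is empty, `bc` prints a syntax error, and the `[ ... -eq 1 ]` test silently falls through to the legacy key. On Debian and Ubuntu `dpkg --compare-versions` makes the same decision without `bc` and with an explicit default for an unparsable version, as below; the rest of debian.sh continues outside the hunk.
```shell
AIDE_VERSION=$(aide -v 2>&1 | grep -oiP 'aide \K[0-9]+\.[0-9]+')
# An unparsable version is treated as "old" explicitly instead of via a bc error.
if dpkg --compare-versions "${AIDE_VERSION:-0}" ge 0.17; then
    AIDE_DB_IN_KEY="database_in"
else
    AIDE_DB_IN_KEY="database"
fi
# … unchanged: AIDE_CONFIG/DEFAULT_DB_PATH and the grep/echo guarded by AIDE_DB_IN_KEY …
```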
@@ -2,14 +2,20 @@ {{{ bash_package_install("aide") }}} +AIDE_VERSION=$(aide -v | grep -oP 'aide \K[0-9]+\.[0-9]+') +if [ "$(echo "$AIDE_VERSION >= 0.17" | bc -l)" -eq 1 ]; then + AIDE_DB__KEY="database_in" +else + AIDE_DB_IN_KEY="database" +fi AIDE_CONFIG=/etc/aide/aide.conf DEFAULT_DB_PATH=/var/lib/aide/aide.db # Fix db path in the config file, if necessary -if ! grep -q '^database=file:' ${AIDE_CONFIG}; then +if ! grep -q "^${AIDE_DB_IN_KEY}=file:" ${AIDE_CONFIG}; then # replace_or_append gets confused by 'database=file' as a key, so should not be used. #replace_or_append "${AIDE_CONFIG}" '^database=file' "${DEFAULT_DB_PATH}" '@CCENUM@' '%s:%s' - echo "database=file:${DEFAULT_DB_PATH}" >> ${AIDE_CONFIG} + echo "${AIDE_DB_IN_KEY}=file:${DEFAULT_DB_PATH}" >> ${AIDE_CONFIG} fi # Fix db out path in the config file, if necessary diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/debian.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/debian.xml index 162a5312b68a..cae5c68c2dc2 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/debian.xml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/debian.xml @@ -39,11 +39,7 @@ /etc/aide/aide.conf - {{% if product == "debian13" %}} - ^database_in=file:(?:@@{DBDIR}/)?([a-z./]+)$ - {{% else %}} - ^database=file:(?:@@{DBDIR}/)?([a-z./]+)$ - {{% endif %}} + ^database(?:_in)?=file:(?:@@{DBDIR}/)?([a-z./]+)$ 1 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/ubuntu.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/ubuntu.xml index 5f4bff50c905..cae5c68c2dc2 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/ubuntu.xml 
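Review bot: The replacement regex `^database(?:_in)?=file:` in oval/debian.xml accepts either key name regardless of which AIDE version is installed, whereas the remediations now write only the key chosen for the detected version, so check and fix no longer agree. A 0.17+ host whose aide.conf carries only a legacy `database=` line passes this check even though the remediation would have added `database_in=`; whether that matters depends on whether that AIDE version still honors the old name, which I cannot confirm from the hunk. If the leniency is intentional, a short `<!-- both spellings accepted on purpose: database (< 0.17) and database_in (>= 0.17) -->` next to the object would stop the next reader from re-tightening it; otherwise the version split needs to come back on the OVAL side. The identical regex lands in oval/ubuntu.xml below.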
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/ubuntu.xml @@ -39,7 +39,7 @@ /etc/aide/aide.conf - ^database=file:(?:@@{DBDIR}/)?([a-z./]+)$ + ^database(?:_in)?=file:(?:@@{DBDIR}/)?([a-z./]+)$ 1 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/tests/get_db_path_absolute.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/tests/get_db_path_absolute.pass.sh index b91979423c94..ecb18e8651c4 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/tests/get_db_path_absolute.pass.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/tests/get_db_path_absolute.pass.sh @@ -16,8 +16,10 @@ DB_CONF=/etc/aide.conf cp "$DB_PATH/$DB_NAME_NEW" "$DB_PATH/$DB_NAME" -{{% if product in [ 'ol10', 'rhel10', 'fedora' ] %}} -sed -i "s#^database_in=file:.*#database_in=file:$DB_PATH/$DB_NAME#" $DB_CONF -{{% else %}} -sed -i "s#^database=file:.*#database=file:$DB_PATH/$DB_NAME#" $DB_CONF -{{% endif %}} +AIDE_VERSION=$(aide -v | grep -oP 'aide \K[0-9]+\.[0-9]+') +if [ "$(echo "$AIDE_VERSION >= 0.17" | bc -l)" -eq 1 ]; then + AIDE_DB__KEY="database_in" +else + AIDE_DB_IN_KEY="database" +fi +sed -i "s#^$AIDE_DB_IN_KEY}=file:.*#${AIDE_DB_IN_KEY}=file:$DB_PATH/$DB_NAME#" $DB_CONF diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/tests/get_db_path_dbdir.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/tests/get_db_path_dbdir.pass.sh index 4fb7b0b9c7fa..6020dbafe4db 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/tests/get_db_path_dbdir.pass.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/tests/get_db_path_dbdir.pass.sh 
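Review bot: The sed in get_db_path_absolute.pass.sh is missing the opening brace of the first expansion: `s#^$AIDE_DB_IN_KEY}=file:.*#...` expands the variable and then a literal `}`, so the search side becomes e.g. `^database}=file:` and never matches, the configured path is never rewritten, and the test stops exercising the absolute-path case. It should read `sed -i "s#^${AIDE_DB_IN_KEY}=file:.*#${AIDE_DB_IN_KEY}=file:$DB_PATH/$DB_NAME#" $DB_CONF`, as the dbdir variant below already does. Separately, dropping the `ol10`/`rhel10`/`fedora` guard means this test now runs on platforms where `bc` is not guaranteed to be installed, so the version comparison should not depend on it; `[ "$(printf '%s\n' 0.17 "$AIDE_VERSION" | sort -V | head -n1)" = 0.17 ]` gives the same ordering with coreutils only and treats an empty version as old.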
@@ -16,8 +16,11 @@ DB_CONF=/etc/aide.conf cp "$DB_PATH/$DB_NAME_NEW" "$DB_PATH/$DB_NAME" -{{% if product in [ 'ol10', 'rhel10', 'fedora' ] %}} -sed -i "s#^database_in=file:.*#database_in=file:@@{DBDIR}/$DB_NAME#" $DB_CONF -{{% else %}} -sed -i "s#^database=file:.*#database=file:@@{DBDIR}/$DB_NAME#" $DB_CONF -{{% endif %}} + +AIDE_VERSION=$(aide -v | grep -oP 'aide \K[0-9]+\.[0-9]+') +if [ "$(echo "$AIDE_VERSION >= 0.17" | bc -l)" -eq 1 ]; then + AIDE_DB__KEY="database_in" +else + AIDE_DB_IN_KEY="database" +fi +sed -i "s#^${AIDE_DB_IN_KEY}=file:.*#${AIDE_DB_IN_KEY}=file:@@{DBDIR}/$DB_NAME#" $DB_CONF