aide
: Sets up a functioning AIDE system. Many parameters were plucked directly from the aide.conf(5) man page.
aide::default_rules
: A helper class to keep the main AIDE class relatively readable.
aide::logrotate
: A class that sets up the logrotate state for aide.
aide::set_schedule
: Sets a schedule for AIDE to run a check on your system.
aide::syslog
: Persist aide syslog log messages, including report output, to a local file.
aide::rule
: This define adds rules to the AIDE configuration. Rules are added to /etc/aide.conf.d unless otherwise specified.
Aide::Rotateperiod
: The AIDE rotation period
Aide::SyslogFacility
: The AIDE syslog facility
Sets up a functioning AIDE system.
Many parameters were plucked directly from the aide.conf(5) man page.
The following parameters are available in the aide class:
dbdir
logdir
database_name
database_out_name
gzip_dbout
verbose
report_urls
aliases
ruledir
rules
enable
minute
hour
monthday
month
weekday
cron_method
systemd_calendar
cron_command
default_rules
logrotate
rotate_period
rotate_number
syslog
syslog_facility
auditd
aide_init_timeout
package_ensure
dbdir
Data type: Stdlib::Absolutepath
The AIDE database directory, DBDIR.
Default value: '/var/lib/aide'
logdir
Data type: Stdlib::Absolutepath
The AIDE log directory, LOGDIR.
Default value: '/var/log/aide'
database_name
Data type: String
The name of the database file within DBDIR.
Default value: 'aide.db.gz'
database_out_name
Data type: String
The name of the database out file within DBDIR.
Default value: 'aide.db.new.gz'
gzip_dbout
Data type: Variant[Enum['yes','no'],Boolean]
Whether to compress the output database.
Default value: 'yes'
verbose
Data type: Stdlib::Compat::Integer
The verbosity of the output messages.
Default value: '5'
report_urls
Data type: Array[String]
An array of report URLs. A syslog report URL will be automatically added to this list when syslog is set to true.
Default value: [ 'file:@@{LOGDIR}/aide.report']
aliases
Data type: Array[String]
A set of common aliases that may be used within the AIDE configuration file. It is not recommended that these be changed.
ruledir
Data type: Stdlib::Absolutepath
The directory to include for all additional rules.
Default value: '/etc/aide.conf.d'
rules
Data type: Variant[Hash,Array[String]]
A hash of aide::rule resources to create.
In previous versions, this parameter was used to specify an array
of rule files to include. This is now automatic. Passing an
array to this parameter is deprecated, does nothing, and may be
removed completely in a future release of this module.
Default value: {}
enable
Data type: Boolean
Whether or not to enable AIDE to run on a periodic schedule. Enabling this meets CCE-27222-9.
This is 'false' by default since AIDE is quite stressful on the system and should be enabled only after gaining a good understanding of the performance impact.
Default value: false
minute
Data type: Simplib::Cron::Minute
minute cron parameter for when the AIDE check is run
Default value: fqdn_rand(59)
hour
Data type: Simplib::Cron::Hour
hour cron parameter for when the AIDE check is run
Default value: 4
monthday
Data type: Simplib::Cron::Monthday
monthday cron parameter for when the AIDE check is run
Default value: '*'
month
Data type: Simplib::Cron::Month
month cron parameter for when the AIDE check is run
Default value: '*'
weekday
Data type: Simplib::Cron::Weekday
weekday cron parameter for when the AIDE check is run
Default value: 0
cron_method
Data type: Enum['root', 'etc', 'systemd']
Set to the preferred method for scheduling the job
- systemd => systemd timer (default)
- root => root's crontab (legacy)
- etc => /etc/crontab (scanner compat)
- Methods that are not selected will be disabled
Default value: 'systemd'
systemd_calendar
Data type: Optional[String[1]]
An exact systemd calendar string
- Overrides all other scheduling parameters
- Will not be validated
Default value: undef
cron_command
Data type: String[1]
command cron parameter for when AIDE check is run
Default value: '/bin/nice -n 19 /usr/sbin/aide --check'
default_rules
Data type: Variant[Array[String[1]],String]
A set of default rules to include. If this is set, the internal defaults will be overridden.
logrotate
Data type: Boolean
Whether to use logrotate. If set to 'true', Hiera can be used to set the variables in aide::logrotate.
Default value: simplib::lookup('simp_options::logrotate', { 'default_value' => false})
rotate_period
Data type: Aide::Rotateperiod
The logrotate period at which to rotate the logs.
Default value: 'weekly'
rotate_number
Data type: Integer
The number of log files to preserve on the system.
Default value: 4
syslog
Data type: Boolean
Whether to send the AIDE output to syslog, in addition to the local report file. Use Hiera to set the parameters on aide::syslog appropriately if you don't care for the defaults.
Default value: simplib::lookup('simp_options::syslog', { 'default_value' => false })
syslog_facility
Data type: Aide::SyslogFacility
The syslog facility to use for the AIDE output syslog messages.
Default value: 'LOG_LOCAL6'
auditd
Data type: Boolean
Whether to add rules for changes to the aide configuration.
Default value: simplib::lookup('simp_options::auditd', { 'default_value' => false })
aide_init_timeout
Data type: Integer
Maximum time to wait in seconds for AIDE database initialization
Default value: 300
package_ensure
Data type: String
The ensure status of packages to be managed
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
A helper class to keep the main AIDE class relatively readable.
The following parameters are available in the aide::default_rules class:
Data type: Variant[Array[String[1]],String]
A set of default rules to include. If this is set, the internal defaults will be overridden.
Default value: $aide::default_rules
Data type: Stdlib::Absolutepath
The directory in which the default rules file will be written.
Default value: $aide::ruledir
A class that sets up the logrotate state for aide.
The following parameters are available in the aide::logrotate class:
Data type: Stdlib::Absolutepath
Directory containing the logs to be rotated. The logs in that directory are assumed to end with '.log'.
Default value: $::aide::logdir
Data type: Aide::Rotateperiod
The logrotate period at which to rotate the logs.
Default value: $::aide::rotate_period
Data type: Integer
The number of log files to preserve on the system.
Default value: $::aide::rotate_number
Sets a schedule for AIDE to run a check on your system
The following parameters are available in the aide::set_schedule class:
Data type: Enum['root', 'etc', 'systemd']
How you wish to schedule the run
Default value: pick(getvar('aide::cron_method'), 'systemd')
Data type: Optional[String[1]]
If $method is systemd, set this exact calendar string.
This is not verified; use systemd-analyze calendar on a modern system to ensure that you have a valid string.
Default value: getvar('aide::systemd_calendar')
Data type: Simplib::Cron::Minute
minute cron parameter
Default value: pick(getvar('aide::minute'), fqdn_rand(59))
Data type: Simplib::Cron::Hour
hour cron parameter
Default value: pick(getvar('aide::hour'), 4)
Data type: Simplib::Cron::Monthday
monthday cron parameter
Default value: pick(getvar('aide::monthday'), '*')
Data type: Simplib::Cron::Month
month cron parameter
Default value: pick(getvar('aide::month'), '*')
Data type: Simplib::Cron::Weekday
weekday cron parameter
Default value: pick(getvar('aide::weekday'), 0)
Data type: String
command cron parameter
Default value: pick(getvar('aide::cron_command'), '/bin/nice -n 19 /usr/sbin/aide --check')
Persist aide syslog log messages, including report output, to a local file.
The following parameters are available in the aide::syslog class:
Data type: Stdlib::Absolutepath
The AIDE log directory.
Default value: $::aide::logdir
This define adds rules to the AIDE configuration. Rules are added to /etc/aide.conf.d unless otherwise specified.
aide::rule { 'tmp':
  rules => '!/tmp'
}
The following parameters are available in the aide::rule defined type:
Data type: String
The actual string that should be written into the rules file. Leading spaces are stripped so that you can format your manifest in a more readable fashion.
Data type: Stdlib::Absolutepath
The directory within which all additional rules should be written. This MUST be the same value as that entered in aide::conf if you want the system to work properly. Default: '/etc/aide.conf.d'
Default value: '/etc/aide.conf.d'
Data type: String
Order of aide rules can be significant. This parameter can be used to control the order of included rule files.
Default value: '999'
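A declaration that combines the scheduling, reporting and rule parameters documented above. This is an added example, not taken from the module's own documentation; the profile::fim class name, the rule titles, the /opt/app/bin path and the shape of the rules hash (resource title mapped to a hash of aide::rule attributes) are assumptions.

```puppet
# Added example. profile::fim, the rule titles and /opt/app/bin are hypothetical.
class profile::fim {
  class { 'aide':
    # Scheduled checks are off by default (enable => false); turning them on
    # is what meets CCE-27222-9.
    enable           => true,

    # 'systemd' is the default; 'root' and 'etc' schedule through cron instead.
    cron_method      => 'systemd',

    # Overrides minute/hour/monthday/month/weekday and is not validated by the
    # module, so check the string with `systemd-analyze calendar` beforehand.
    systemd_calendar => 'Sun *-*-* 04:30:00',

    # Send the report to syslog in addition to file:@@{LOGDIR}/aide.report.
    syslog           => true,
    syslog_facility  => 'LOG_LOCAL6',

    # Keep four weekly rotations of the logs under logdir.
    logrotate        => true,
    rotate_period    => 'weekly',
    rotate_number    => 4,

    # Add rules for changes to the AIDE configuration itself.
    auditd           => true,

    # Assumed shape: title => attributes of one aide::rule resource.
    # Passing an array here is deprecated and does nothing.
    rules            => {
      # Exclude /tmp, as in the aide::rule example above.
      'tmp'     => { 'rules' => '!/tmp' },
      # Track permissions, owner, group and SHA-256 of a hypothetical app dir.
      'app_bin' => { 'rules' => '/opt/app/bin p+u+g+sha256' },
    },
  }
}
```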
The AIDE rotation period
Alias of Enum['daily', 'weekly', 'monthly', 'yearly']
The AIDE syslog facility
Alias of Enum['LOG_KERN', 'LOG_USER', 'LOG_MAIL', 'LOG_DAEMON', 'LOG_AUTH', 'LOG_SYSLOG', 'LOG_LPR', 'LOG_NEWS', 'LOG_UUCP', 'LOG_CRON', 'LOG_LOCAL0', 'LOG_LOCAL1', 'LOG_LOCAL2', 'LOG_LOCAL3', 'LOG_LOCAL4', 'LOG_LOCAL5', 'LOG_LOCAL6', 'LOG_LOCAL7']