From 180fc448eb0dd485297da2d3b3fae48abb9d3599 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Tue, 26 Jan 2021 17:32:39 +0200
Subject: [PATCH] Make possible to avoid aide installation

This patch adds variable `security_rhel7_enable_aide`. When it's False, all AIDE related tasks would be ommited.

Change-Id: I64af348d9f49922ab51d8cd348d987df4263faa1
---
 defaults/main.yml | 1 +
 doc/source/rhel7/domains/aide.rst | 6 ++++++
 releasenotes/notes/enable_aide-d9783c50675cb80f.yaml | 5 +++++
 tasks/rhel7stig/main.yml | 1 +
 vars/debian.yml | 7 +++++--
 vars/redhat-7.yml | 5 ++++-
 vars/redhat-8.yml | 5 ++++-
 vars/suse.yml | 5 ++++-
 8 files changed, 30 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/enable_aide-d9783c50675cb80f.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 3ab4fe50..bb87433f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -69,6 +69,7 @@ security_set_maximum_password_lifetime: no # V-71931
 ## AIDE (aide)
 # Initialize the AIDE database immediately (may take time).
 security_rhel7_initialize_aide: no # V-71973
+security_rhel7_enable_aide: yes
 
 # The default Ubuntu configuration for AIDE will cause it to wander into some
 # terrible places on the system, such as /var/lib/lxc and images in /opt.
diff --git a/doc/source/rhel7/domains/aide.rst b/doc/source/rhel7/domains/aide.rst
index d96b7c15..e74533f7 100644
--- a/doc/source/rhel7/domains/aide.rst
+++ b/doc/source/rhel7/domains/aide.rst
@@ -31,4 +31,10 @@ re-apply the role:
 a long time on some systems. During this time, the CPU and disks are
 **very busy**.
 
+To avoid installing and initializing AIDE, set the following Ansible variable:
+
+.. code-block:: yaml
+
+ security_rhel7_enable_aide: false
+
 .. include:: auto_aide.rst
diff --git a/releasenotes/notes/enable_aide-d9783c50675cb80f.yaml b/releasenotes/notes/enable_aide-d9783c50675cb80f.yaml
new file mode 100644
index 00000000..477d15d6
--- /dev/null
+++ b/releasenotes/notes/enable_aide-d9783c50675cb80f.yaml
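Review bot: The added `security_rhel7_enable_aide: yes` in defaults/main.yml carries no comment, while the neighbouring AIDE variables each have a purpose comment and a STIG reference, so a reader of the defaults file cannot tell what switching it off costs. Because the tasks hunk gates the whole of aide.yml on this variable, setting it to no also skips the AIDE-backed STIG controls (V-71973 is the one visible in this hunk's context), which is a compliance gap a deployer should see at the point where they flip the switch. Add above it: `# Install and configure AIDE at all. Setting this to no skips every task` / `# imported by aide.yml, so the AIDE-based STIG controls are not applied.` The same one-sentence caveat belongs next to the `security_rhel7_enable_aide: false` example added in doc/source/rhel7/domains/aide.rst.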
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Added variable ``security_rhel7_enable_aide`` that is designed to avoid
+ installation and initialization of the aide related STIGs
diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml
index 860e608c..0bc6b07b 100644
--- a/tasks/rhel7stig/main.yml
+++ b/tasks/rhel7stig/main.yml
@@ -81,6 +81,7 @@
 # Controls by Tag" section of the role documentation.
 - import_tasks: accounts.yml
 - import_tasks: aide.yml
+ when: security_rhel7_enable_aide | bool
 - import_tasks: auditd.yml
 - import_tasks: auth.yml
 - import_tasks: file_perms.yml
diff --git a/vars/debian.yml b/vars/debian.yml
index 1c5f1893..4d4fbe5e 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -55,14 +55,17 @@ stig_packages_rhel7:
 - packages:
 - auditd
 - audispd-plugins
- - aide
- - aide-common
 - libpwquality-common
 - openssh-client
 - openssh-server
 - screen
 state: "{{ security_package_state }}"
 enabled: True
+ - packages:
+ - aide
+ - aide-common
+ state: "{{ security_package_state }}"
+ enabled: "{{ security_rhel7_enable_aide }}"
 - packages:
 - apparmor
 - apparmor-profiles
diff --git a/vars/redhat-7.yml b/vars/redhat-7.yml
index 34bb48a6..a58bb644 100644
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
@@ -52,7 +52,6 @@ stig_packages_rhel7:
 - packages:
 - audispd-plugins
 - audit
- - aide
 - dracut-fips
 - dracut-fips-aesni
 - openssh-clients
@@ -60,6 +59,10 @@ stig_packages_rhel7:
 - screen
 state: "{{ security_package_state }}"
 enabled: True
+ - packages:
+ - aide
+ state: "{{ security_package_state }}"
+ enabled: "{{ security_rhel7_enable_aide }}"
 - packages:
 - libselinux-python
 - policycoreutils-python
diff --git a/vars/redhat-8.yml b/vars/redhat-8.yml
index b0ee966b..438240b4 100644
--- a/vars/redhat-8.yml
+++ b/vars/redhat-8.yml
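Review bot: The `when: security_rhel7_enable_aide | bool` added under `- import_tasks: aide.yml` sits on a static import, so Ansible copies the condition onto every task inside aide.yml instead of skipping the file: each AIDE task is still listed and evaluated (reported as skipped), and any `when` a task already carries is combined with this one. That is the intended effect here, but it is non-obvious enough to deserve a comment so a later edit does not swap the import for an include and change what is evaluated: `# Static import: the condition is applied to each AIDE task, not to the file.` The `| bool` cast is the right choice because a value passed as an extra-var arrives as a string; the vars files in this commit pass the same variable through without that cast.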
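Review bot: In the new vars/debian.yml stanza `enabled: "{{ security_rhel7_enable_aide }}"` hands the variable through raw, whereas tasks/rhel7stig/main.yml filters the same variable with `| bool`; a value supplied on the command line is a string, and whether a string "false" disables the stanza depends on how the consumer of `stig_packages_rhel7` tests `enabled`, which is not visible in this diff. Use the same cast in all four files — `enabled: "{{ security_rhel7_enable_aide | bool }}"` — so the package stanza and the task gate cannot disagree; the identical line is added in vars/redhat-7.yml, vars/redhat-8.yml and vars/suse.yml. Note also that marking the stanza disabled presumably leaves an AIDE package installed by an earlier run of the role in place rather than removing it; if that is intended, the release note should say "not installed" rather than implying AIDE is absent.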
@@ -52,13 +52,16 @@ stig_packages_rhel7:
 - packages:
 - audispd-plugins
 - audit
- - aide
 - dracut-fips
 - dracut-fips-aesni
 - openssh-clients
 - openssh-server
 state: "{{ security_package_state }}"
 enabled: True
+ - packages:
+ - aide
+ state: "{{ security_package_state }}"
+ enabled: "{{ security_rhel7_enable_aide }}"
 - packages:
 - python3-libselinux
 - policycoreutils-python-utils
diff --git a/vars/suse.yml b/vars/suse.yml
index 6a7203d1..2d810f1e 100644
--- a/vars/suse.yml
+++ b/vars/suse.yml
@@ -54,12 +54,15 @@ stig_packages_rhel7:
 - packages:
 - audit-audispd-plugins
 - audit
- - aide
 - dracut-fips
 - openssh
 - screen
 state: "{{ security_package_state }}"
 enabled: True
+ - packages:
+ - aide
+ state: "{{ security_package_state }}"
+ enabled: "{{ security_rhel7_enable_aide }}"
 - packages:
 - apparmor-parser
 - apparmor-profiles