---
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# AIDE — file-integrity monitoring. Builds a baseline hash database
# of system files at install time and re-checks nightly. Catches
# the "someone with root SSH'd in and modified /usr/local/bin/shithubd
# or planted a systemd unit" class of post-compromise persistence.
#
# Alerting: writes to /var/log/shithub/aide.log + tagged systemd
# journal (`journalctl -t shithub-aide`). Email is deliberately
# deferred — see the comment in shithub-aide-check.sh.
#
# Operator workflow when alerts fire (see runbooks/aide.md):
#   1. journalctl -t shithub-aide -n 200 --no-pager
#   2. Confirm the diff matches an authorized change (deploy, apt
#      upgrade, manual edit). If not: incident response.
#   3. Re-baseline: sudo aideinit && \
#        mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
- name: AIDE — install
  # aide-common ships the Debian/Ubuntu wrapper tooling the tasks below
  # rely on (aideinit, the upstream daily cron job, /etc/aide/aide.conf);
  # the aide package alone is just the binary.
  ansible.builtin.apt:
    state: present
    name:
      - aide
      - aide-common
- name: AIDE — drop shithub exclusions
  # Site-specific exclude rules go under /etc/aide/aide.conf.d, which
  # the shipped /etc/aide/aide.conf picks up. A changed rule set
  # invalidates the current baseline, hence the rebuild notification.
  # Note this is the one place a re-baseline happens as an Ansible
  # side-effect (the init task below is one-shot): a rebuild accepts
  # whatever is on disk at that moment as "known good", so treat a
  # handler-triggered rebuild with the same scrutiny as a manual one.
  ansible.builtin.copy:
    dest: /etc/aide/aide.conf.d/99_shithub_exclude
    src: aide-shithub.conf
    mode: "0644"
  notify: rebuild aide database
- name: AIDE — install nightly check wrapper
  # Our own check script, invoked by the cron entry further down.
  # Mode 0755: executable, but not group/world-writable — anything
  # root's cron executes must not be modifiable by other users.
  ansible.builtin.copy:
    dest: /usr/local/bin/shithub-aide-check
    src: shithub-aide-check.sh
    mode: "0755"
# Disable the upstream /etc/cron.daily/aide so we run only our wrapper.
# Upstream's script mails root locally — useless without an MTA.
# Replace (not delete) so apt's post-install scripts can't restore it
# silently on the next aide-common upgrade.
# NOTE(review): newer aide-common releases may ship the daily job as
# /etc/cron.daily/dailyaidecheck (and a dailyaidecheck systemd timer)
# instead of /etc/cron.daily/aide — confirm the installed path with
# `dpkg -L aide-common`; if it differs, this stub neutralizes nothing
# and the upstream check keeps running alongside ours.
- name: AIDE — neutralize upstream daily cron
  ansible.builtin.copy:
    dest: /etc/cron.daily/aide
    mode: "0755"
    content: |
      #!/bin/sh
      # Disabled by Ansible; the real check is at /usr/local/bin/shithub-aide-check
      # invoked by a separate cron entry. See deploy/ansible/roles/base/tasks/aide.yml.
      exit 0
- name: AIDE — initialize baseline DB if missing
  # creates: makes this a one-shot — skipped as soon as the DB exists.
  # Re-baselining is an explicit operator action (runbook), not an
  # Ansible side-effect (the only exception is the rebuild handler
  # notified by the exclusions task above). On Ubuntu 24's aide 0.18
  # the shipped /etc/aide/aide.conf writes the DB uncompressed, so the
  # path is aide.db; older references say aide.db.gz — the re-baseline
  # step in this file's header still uses the .gz names, keep it in
  # sync with the path checked here.
  ansible.builtin.command:
    creates: /var/lib/aide/aide.db
    cmd: /usr/sbin/aideinit -y -f
- name: cron — nightly aide check at 03:30 UTC
  # Slightly after the 03:17 backup so the backup's transient files
  # (in /var/backups/shithub) have settled. /var/backups isn't in
  # our exclude list so it WILL flag — operator confirms via the
  # daily backup log that the new file matches the expected dump.
  # NOTE(review): cron interprets hour/minute in the host's local
  # timezone; the "UTC" in the task name holds only if the host is
  # set to UTC — confirm with `timedatectl` on the target.
  ansible.builtin.cron:
    name: shithub-aide-check
    hour: "3"
    minute: "30"
    job: /usr/local/bin/shithub-aide-check