ansible(base): rebuild-aide handler drops marker for operator re-baseline
- SHA
7df3e7a1b560c1ca420fe42e50c62af4d8f66362- Parents
-
38a8ad0 - Tree
a94f1bc
a94f1bc| Status | File | + | - |
|---|---|---|---|
| M |
deploy/ansible/roles/base/handlers/main.yml
|
16 | 0 |
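--- a/deploy/ansible/roles/base/handlers/main.yml
+++ b/deploy/ansible/roles/base/handlers/main.yml
@@ -4,3 +4,19 @@
 name: fail2ban
 state: restarted
 enabled: yes
+
+# Re-baselining is operator-driven, not automatic — see runbooks/aide.md.
+# This handler drops a marker the next aide-check surfaces in the journal
+# so the operator knows the config drifted and the DB is stale.
+- name: rebuild aide database
+  copy:
+    dest: /var/lib/aide/.config-changed
+    content: |
+      AIDE config was modified by Ansible at {{ ansible_date_time.iso8601 }}.
+      Operator must re-baseline before the next check produces meaningful
+      diffs:
+        sudo aideinit -y -f && \
+        sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz && \
+        sudo rm /var/lib/aide/.config-changed
+      See docs/internal/runbooks/aide.md.
+    mode: "0644"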
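Review bot: The re-baseline recipe embedded in the marker (new lines 18–20) regenerates the database immediately, so any change that landed between the last clean check and the operator's `aideinit` is folded into the new baseline without ever being reviewed; the marker text should make a check against the old database the first step, e.g. `sudo aide --check   # review drift against the stale DB before accepting it`, with the exact invocation confirmed against runbooks/aide.md since wrapper-based installs differ. The marker is also written with `mode: "0644"` and no `owner`/`group`, so any local account can read that integrity checking is currently blind and since when; `mode: "0600"` plus `owner: root` and `group: root` keeps that signal to the operator. The handler keeps the name `rebuild aide database` although it now only drops a marker; if the name is retained so existing `notify:` references keep working, a comment such as `# name kept for existing notify: references; this no longer rebuilds the DB` would spare the next reader the confusion. Whether the handler carries further keys after `mode` is outside the hunk.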