| @@ -0,0 +1,10 @@ | |||
| aide__check_time_on_calendar: '05:00:00' #5 AM | |||
generally don't add comments that are "user documentation" in the defaults file - comments for the developer are fine. these comments should be contained in the README (either in the table or in the examples section)
| # Linuxfabrik | ||
| # see https://bugzilla.redhat.com/show_bug.cgi?id=1304334 | ||
| !/opt/wildfly-22.0.1.Final/standalone/tmp | ||
| !/opt/wildfly/standalone/tmp | ||
| !/root/.cache/borg | ||
| !/root/.config/borg/security | ||
| !/var/log | ||
| !/var/spool No newline at end of file |
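Review bot: `!/var/log` and `!/var/spool` at the end of this block remove both trees from the integrity check entirely, and because AIDE reads each selection line as a regular expression anchored only at the start, they also match sibling paths that merely begin with the same string. Consider narrowing them to the subdirectories that actually cause noise, or monitoring `/var/log` with a reduced attribute set instead of excluding it, and anchor the end of each pattern (for example `!/var/log($|/)`). The versioned `/opt/wildfly-22.0.1.Final/standalone/tmp` entry will go stale on the next WildFly upgrade, and the file is missing its trailing newline.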
these should be in the default aide__exclude_rules, so that the user can disable them. this also means that aide__exclude_rules and aide__include_rules should be combined vars, with a state subkey that determines if the rule lands in the template or not. have a look at the CONTRIBUTING.md for examples on how to do this
| | --- | ------------ | ---------------- | | ||
| | `aide` | Runs all tasks of the role | - | | ||
| | `aide:configure` | Deploys the `/etc/aide.conf` configuration file | - | | ||
| | `aide:install` | Installs the AIDE package and initializes the AIDE database if it does not exist yet | - | |
| # set in defaults/main.yml | ||
| # custom include rules | ||
| {% for rule in aide__include_rules %} | ||
| {{ rule }} |
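Review bot: `{{ rule }}` writes each list entry into the config verbatim, so an entry that is missing its rule group, or one that starts with `!`, lands in the include section unchanged and is only caught when AIDE parses the file. Consider splitting each entry into separate path and attribute keys, or at least check the rendered file before it replaces the live `/etc/aide.conf`.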
should we use more specific subkeys instead of just rule? e.g. path and attributes? how would we handle the =?
| | `aide__check_time_on_calendar` | Specifies at what time of the day the aide check runs. Have a look at [systemd.time(7)](https://www.freedesktop.org/software/systemd/man/systemd.time.html) for the format. | `'05:00:00'` | | ||
| | `aide__include_rules` | List of paths to monitor with their AIDE rule group. | `['/srv CONTENT_EX', '/opt/venv CONTENT']` | | ||
| | `aide__exclude_rules` | List of paths to exclude from monitoring. | `['/srv/app/tmp', '/srv/app/cache']` | |
please sort them alphabetically
| aide__include_rules: | ||
| - '/srv CONTENT_EX' # Extended content + file type + access. | ||
| - '/opt/venv CONTENT' # Content + file type. | ||
|
|
||
| aide__exclude_rules: | ||
| - '/srv/app/tmp' | ||
| - '/srv/app/cache' |
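Review bot: the defaults `'/srv CONTENT_EX'` and `'/opt/venv CONTENT'` depend on the `CONTENT_EX` and `CONTENT` groups, which are not AIDE built-ins, and nothing in the visible lines shows where they are defined; confirm the template defines both, otherwise the rendered config will not parse. The exclude defaults `/srv/app/tmp` and `/srv/app/cache` are application-specific paths and fit better as README examples, with an empty list as the shipped default.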
where do these default values come from?
also don't forget to update the CHANGELOG.md
I would suggest not to merge it but to collect all remediations and then squash the commit while merging