Improve exclusions

defaults/main.yaml

@@ -4,6 +4,6 @@ cis_hide_proc: false
 cis_cron_service_name: crond
 cis_auditd_package: auditd
 
-cis_aide_options:
+cis_aide_options: "--config {{ cis_aide_config_file }}"
 cis_aide_new_file: /var/lib/aide/aide.db.new.gz
 cis_aide_current_file: /var/lib/aide/aide.db.gz

tasks/aide.yaml

@@ -13,7 +13,7 @@
 
 - name: Add excluded folders to AIDE, if defined
   ansible.builtin.copy:
-    dest: /etc/aide.conf.d/98_aide_exclusions
+    dest: "{{ cis_aide_config_path }}/98_aide_exclusions"
     owner: root
     group: root
     mode: u=rw,go=r
@@ -22,6 +22,19 @@
       !{{ directory }}
       {% endfor %}
   when:
+    - cis_aide_config_path
+    - cis_aide_excluded_directories is defined
+
+- name: Add excluded folders to AIDE, if defined
+  ansible.builtin.blockinfile:
+    path: "{{ cis_aide_config_file }}"
+    marker: "# Ansible CIS role managed block - {mark}"
+    block: |
+      {% for directory in cis_aide_excluded_directories %}
+      !{{ directory }}
+      {% endfor %}
+  when:
+    - not cis_aide_config_path
     - cis_aide_excluded_directories is defined
 
 - name: Install AIDE crontab

vars/os/Debian.yaml

@@ -1,6 +1,8 @@
 ---
 cis_cron_service_name: cron
 
-cis_aide_options: --config /etc/aide/aide.conf
 cis_aide_new_file: /var/lib/aide/aide.db.new
 cis_aide_current_file: /var/lib/aide/aide.db
+
+cis_aide_config_file: /etc/aide/aide.conf
+cis_aide_config_path: /etc/aide/aide.conf.d

vars/os/RedHat.yaml

@@ -1,2 +1,4 @@
 ---
 cis_auditd_package: audit
+
+cis_aide_config_file: /etc/aide.conf