From 9a4738a1643f10915ddeb60575ea1532d11cb65b Mon Sep 17 00:00:00 2001
From: Andrew Williams
Date: Thu, 13 Mar 2025 16:15:49 +0000
Subject: [PATCH] Improve exclusions
---
 defaults/main.yaml | 2 +-
 tasks/aide.yaml | 15 ++++++++++++++-
 vars/os/Debian.yaml | 4 +++-
 vars/os/RedHat.yaml | 2 ++
 4 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/defaults/main.yaml b/defaults/main.yaml
index 7f344f8..cc3ab4f 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -4,6 +4,6 @@ cis_hide_proc: false
 cis_cron_service_name: crond
 cis_auditd_package: auditd
-cis_aide_options:
+cis_aide_options: "--config {{ cis_aide_config_file }}"
 cis_aide_new_file: /var/lib/aide/aide.db.new.gz
 cis_aide_current_file: /var/lib/aide/aide.db.gz
diff --git a/tasks/aide.yaml b/tasks/aide.yaml
index 027840d..333cdc0 100644
--- a/tasks/aide.yaml
+++ b/tasks/aide.yaml
@@ -13,7 +13,7 @@
 - name: Add excluded folders to AIDE, if defined
 ansible.builtin.copy:
- dest: /etc/aide.conf.d/98_aide_exclusions
+ dest: "{{ cis_aide_config_path }}/98_aide_exclusions"
 owner: root
 group: root
 mode: u=rw,go=r
@@ -22,6 +22,19 @@
 !{{ directory }}
 {% endfor %}
 when:
+ - cis_aide_config_path
+ - cis_aide_excluded_directories is defined
+
+ - name: Add excluded folders to AIDE, if defined
+ ansible.builtin.blockinfile:
+ path: "{{ cis_aide_config_file }}"
+ marker: "# Ansible CIS role managed block - {mark}"
+ block: |
+ {% for directory in cis_aide_excluded_directories %}
+ !{{ directory }}
+ {% endfor %}
+ when:
+ - not cis_aide_config_path
 - cis_aide_excluded_directories is defined
 - name: Install AIDE crontab
diff --git a/vars/os/Debian.yaml b/vars/os/Debian.yaml
index 724cd1f..83d1487 100644
--- a/vars/os/Debian.yaml
+++ b/vars/os/Debian.yaml
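Review bot: `cis_aide_options` in defaults/main.yaml now renders `{{ cis_aide_config_file }}`, but this patch defines that variable only in vars/os/Debian.yaml and vars/os/RedHat.yaml, so on a host whose OS family loads neither vars file the role default itself fails to template with an undefined-variable error. The same gap applies to `cis_aide_config_path`, which the new `when:` conditions in tasks/aide.yaml evaluate as a bare truthy value and which only Debian.yaml sets. Unless both are declared elsewhere in defaults/main.yaml (not visible in this hunk), add role-level fallbacks next to the other AIDE defaults, e.g. `cis_aide_config_file: /etc/aide.conf` (the value RedHat.yaml uses) and `cis_aide_config_path: null`, so the per-OS vars files only override them.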
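Review bot: The new `when:` entries `- cis_aide_config_path` and `- not cis_aide_config_path` evaluate a bare variable that only vars/os/Debian.yaml sets in this patch; on a RedHat host, or any family without it, the conditional raises an undefined-variable error rather than skipping the task, unless a default is declared outside this diff. A guard that tolerates the undefined case keeps both tasks usable everywhere: `- cis_aide_config_path | default('')` on the copy task and `- not (cis_aide_config_path | default(''))` on the blockinfile task. Both tasks also carry the identical name `Add excluded folders to AIDE, if defined`; renaming the new one, e.g. `Add excluded folders to AIDE main config, if defined`, keeps play output and `--start-at-task` unambiguous. The `!{{ directory }}` lines are written into AIDE's config as regex rules that AIDE anchors only at the start of the path, so a value such as `/var/log` would presumably also drop `/var/log2` from the database; a comment above `block:` noting that values must be regex-safe and end-anchored where an exact path is meant (`/var/log$`) would stop operators from silently shrinking integrity coverage.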
@@ -1,6 +1,8 @@
 ---
 cis_cron_service_name: cron
-cis_aide_options: --config /etc/aide/aide.conf
 cis_aide_new_file: /var/lib/aide/aide.db.new
 cis_aide_current_file: /var/lib/aide/aide.db
+
+cis_aide_config_file: /etc/aide/aide.conf
+cis_aide_config_path: /etc/aide/aide.conf.d
\ No newline at end of file
diff --git a/vars/os/RedHat.yaml b/vars/os/RedHat.yaml
index ff03593..8bf87eb 100644
--- a/vars/os/RedHat.yaml
+++ b/vars/os/RedHat.yaml
@@ -1,2 +1,4 @@
 ---
 cis_auditd_package: audit
+
+cis_aide_config_file: /etc/aide.conf
\ No newline at end of file
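Review bot: Both vars/os/Debian.yaml and vars/os/RedHat.yaml now end without a trailing newline (`\ No newline at end of file` after the last added line of each hunk), which yamllint's `new-line-at-end-of-file` rule flags and which turns the next appended key into a spurious modification of this line in future diffs. Terminating `cis_aide_config_path: /etc/aide/aide.conf.d` here and `cis_aide_config_file: /etc/aide.conf` in RedHat.yaml with a newline fixes both.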