From c11f84d4cbe68415c96023358b817a01b83da3aa Mon Sep 17 00:00:00 2001
From: Armando Acosta
Date: Tue, 20 Aug 2024 12:47:10 -0600
Subject: [PATCH] Add ansible remediation For aide_use_fips_hashes rule
Signed-off-by: Armando Acosta
---
 .../aide_use_fips_hashes/ansible/shared.yml | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/ansible/shared.yml
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/ansible/shared.yml
new file mode 100644
index 00000000000..cf624938e91
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/ansible/shared.yml
@@ -0,0 +1,36 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = enable
+# complexity = low
+# disruption = low
+
+- name: "{{{ rule_title }}} - Ensure aide is installed"
+  ansible.builtin.package:
+    name: aide
+    state: present
+
+- name: "{{{ rule_title }}} - Set-fact aide config file and forbidden hashes"
+  ansible.builtin.set_fact:
+    aide_conf: "/etc/aide.conf"
+    forbidden_hashes:
+      - sha1
+      - rmd160
+      - sha256
+      - whirlpool
+      - tiger
+      - haval
+      - gost
+      - crc32
+
+- name: "{{{ rule_title }}} - Remove forbidden hashes"
+  ansible.builtin.replace:
+    path: "{{ aide_conf }}"
+    regexp: '(^\s*[A-Z][A-Za-z_]*\s*=.*?)({{ item }}\+|\+?{{ item }})(.*)'
+    replace: '\1\3'
+  loop: "{{ forbidden_hashes }}"
+
+- name: "{{{ rule_title }}} - Set sha512"
+  ansible.builtin.replace:
+    path: "{{ aide_conf }}"
+    regexp: '(^\s*[A-Z][A-Za-z_]*\s*=)((?:(?!\+?sha512).)*)\s*$'
+    replace: '\1\2+sha512'
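Review bot: The "Set sha512" task's regexp matches every `NAME = …` line whose key is uppercase, so when the preceding "Remove forbidden hashes" task strips the only algorithm from a group (e.g. a line holding just `sha256`) the result is `NAME = +sha512`, and any uppercase group that deliberately carries no checksum at all — presumably attribute-only groups exist in a stock aide.conf, verify on the target platforms — also gets `+sha512` appended. Requiring a non-empty right-hand side and stopping at the line rather than at following whitespace avoids the first case and keeps the MULTILINE `\s*$` from swallowing the blank line after a matched group: `regexp: '(^\s*[A-Z][A-Za-z_]*\s*=\s*)((?:(?!\+?sha512).)*\S)[ \t]*$'`. The hashes in `forbidden_hashes` are fixed alphanumeric literals, so interpolating `{{ item }}` unescaped into the first regexp is safe today; a short comment above the list saying the values must stay regex-safe (or piping through `regex_escape`) would keep a later addition from breaking that. Listing `sha256` among the forbidden hashes is worth a one-line comment explaining that the rule's check requires sha512 specifically, since SHA-256 is itself a FIPS 180-4 approved algorithm and a reader may otherwise take the removal for a mistake.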