Remove AIDE, bump Ubuntu CIS role version

stackhpc-ci · stackhpc-ci · commit fc11c91b5507 · 2025-10-24T12:50:57.000+01:00
diff --git a/etc/kayobe/ansible/maintenance/cis.yml b/etc/kayobe/ansible/maintenance/cis.yml
@@ -1,51 +1,5 @@
 ---
-- name: CIS - Ensure existing AIDE installation is cleaned
-  hosts: cis-hardening
-  become: true
-  tags:
-    - cis
-  gather_facts: true
-  tasks:
-    - name: Gather package facts
-      ansible.builtin.package_facts:
-        manager: auto
-
-    - name: Check if AIDE cleanup has already run
-      ansible.builtin.stat:
-        path: /opt/kayobe/aide/aide_cleanup_complete.flag
-      register: aide_cleanup_flag
-
-    - name: Cleanup existing AIDE config
-      when:
-        - "'aide' in ansible_facts.packages"
-        - not aide_cleanup_flag.stat.exists
-        - ansible_facts.distribution == 'Ubuntu'
-      block:
-        - name: Ensure AIDE packages is removed
-          ansible.builtin.apt:
-            name:
-              - aide
-              - aide-common
-            state: absent
-            purge: true
-
-        - name: Ensure flag directory exists
-          ansible.builtin.file:
-            path: /opt/kayobe/aide
-            state: directory
-            mode: '0755'
-            owner: stack
-            group: stack
-
-        - name: Create flag file to prevent re-running cleanup
-          ansible.builtin.file:
-            path: /opt/kayobe/aide/aide_cleanup_complete.flag
-            state: touch
-            mode: '0644'
-            owner: stack
-            group: stack
-
-- name: CIS - General Prerequisites
+- name: CIS - Prerequisites
   hosts: cis-hardening
   become: true
   tags:
diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml
@@ -17,7 +17,7 @@ roles:
     version: 1.1.0
   - name: ansible-lockdown.ubuntu24_cis
     src: https://github.com/ansible-lockdown/UBUNTU24-CIS
-    version: 1.0.1
+    version: 1.0.4
   - name: ansible-lockdown.rhel9_cis
     src: https://github.com/ansible-lockdown/RHEL9-CIS
     version: v1.3.4
diff --git a/etc/kayobe/inventory/group_vars/cis-hardening/cis b/etc/kayobe/inventory/group_vars/cis-hardening/cis
@@ -98,8 +98,8 @@ ubtu24cis_syslog_service: journald
 # Allow rsync server
 ubtu24cis_rsync_server: true
 
-# AIDE is very slow to init, especially on an AIO in CI
-ubtu24cis_aide_init_async: 1800
+# AIDE doesn't play well with hosts that have been upgraded from Jammy to Noble
+ubtu24cis_config_aide: false
 
 # Do not change Chrony Time servers
 ubtu24cis_rule_2_3_3_1: false
