From b716c104770f0b47368d4075d94caf0838f48737 Mon Sep 17 00:00:00 2001
From: Rene Mewissen
Date: Thu, 2 Oct 2025 09:16:34 +0200
Subject: [PATCH] logic changed
---
 local.yml | 10 ++++++++--
 .../tasks/system_setup/aide_update.yml | 19 +++++++++++++++++++
 .../tasks/system_setup/package_hardening.yml | 11 ++++++++---
 3 files changed, 35 insertions(+), 5 deletions(-)
 create mode 100644 roles/bastionhost/tasks/system_setup/aide_update.yml
diff --git a/local.yml b/local.yml
index 364c69f..1c4c524 100644
--- a/local.yml
+++ b/local.yml
@@ -48,11 +48,9 @@
 - name: pre-run | upgrade system (debian, ubuntu, etc.)
 apt: upgrade=dist #changed_when: false
- notify: Update_aide_database
 when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
 - name: pre-run | upgrade system (arch)
 pacman: upgrade=true
- notify: Update_aide_database
 when: ansible_distribution == 'Archlinux'
 # run roles
@@ -76,9 +74,17 @@
 - hosts: bastionhost
 tags: server,bastionhost
+ handlers:
+ - import_tasks: global_handlers/global_handlers.yml
 become: true
 roles:
 - bastionhost
+ post_tasks:
+ - name: Update AIDE database if changes were made
+ include_role:
+ name: bastionhost
+ tasks_from: system_setup/aide_update.yml
+ when: aide_db_needs_update is defined and aide_db_needs_update
 - hosts: nameserver
 tags: server,nameserver
diff --git a/roles/bastionhost/tasks/system_setup/aide_update.yml b/roles/bastionhost/tasks/system_setup/aide_update.yml
new file mode 100644
index 0000000..e3233af
--- /dev/null
+++ b/roles/bastionhost/tasks/system_setup/aide_update.yml
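Review bot: Removing `notify: Update_aide_database` from the two upgrade tasks leaves them with no replacement, because the new `aide_db_needs_update` fact is only set in package_hardening.yml; a dist-upgrade that replaces hundreds of binaries therefore no longer refreshes the AIDE baseline, and the next `aide --check` reports every upgraded file, which trains operators to ignore the report. If this pre-run play also targets the bastionhost (the play header is outside the hunk, so I cannot confirm it), register both upgrade results and set the same fact, which persists into the later bastionhost play for that host. Keep in mind that any automatic baseline refresh also accepts whatever else changed on the host at the same time, so the `aide --update` output should still be reviewed. The enclosing play starts before this hunk.
```yaml
    - name: pre-run | upgrade system (debian, ubuntu, etc.)
      apt: upgrade=dist
      register: apt_upgrade_result
      when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]

    - name: pre-run | upgrade system (arch)
      pacman: upgrade=true
      register: pacman_upgrade_result
      when: ansible_distribution == 'Archlinux'

    # set_fact survives into later plays for the same host, so the
    # bastionhost post_tasks pick this up just like the package removals
    - name: pre-run | flag AIDE baseline for refresh after upgrade
      set_fact:
        aide_db_needs_update: true
      when: apt_upgrade_result is changed or pacman_upgrade_result is changed
```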
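Review bot: The new `post_tasks` include carries no tags while the tasks it pulls in are tagged `aide,hardening,system`; because `include_role` is a dynamic include, a run limited with `--tags hardening` or `--tags aide` skips the include task itself and the AIDE database is never refreshed even though the removal tasks may have run. Add `tags: aide,hardening,system` to the include task so it is reached under the same tag selection. The condition reads more clearly as `when: aide_db_needs_update | default(false) | bool` than the `is defined and` pair. The play already sets `become: true`, which aide_update.yml needs for the root-owned database copy.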
@@ -0,0 +1,19 @@
+---
+- name: system setup | aide | run aide --update to check for legitimate changes
+ tags: aide,hardening,system
+ command: aide --config /etc/aide/aide.conf --update
+ register: aide_update_result
+ changed_when: "'new database written to' in aide_update_result.stdout"
+ async: 1800 # Allow up to 30 minutes for update
+ poll: 15
+
+- name: system setup | aide | activate updated database
+ tags: aide,hardening,system
+ copy:
+ src: /var/lib/aide/aide.db.new
+ dest: /var/lib/aide/aide.db
+ remote_src: true
+ owner: root
+ group: root
+ mode: '0600'
+ when: aide_update_result.changed
\ No newline at end of file
diff --git a/roles/bastionhost/tasks/system_setup/package_hardening.yml b/roles/bastionhost/tasks/system_setup/package_hardening.yml
index 38b1d7a..0bbf609 100644
--- a/roles/bastionhost/tasks/system_setup/package_hardening.yml
+++ b/roles/bastionhost/tasks/system_setup/package_hardening.yml
@@ -23,7 +23,7 @@
 - fortune-mod
 state: absent
 purge: true # Also removes configuration files
- notify: Update_aide_database
+ register: deb_packages_removed
 when: ansible_os_family == "Debian"
 - name: system setup | package hardening | remove unnecessary packages (RedHat family)
@@ -40,5 +40,10 @@
 - avahi
 - sudo
 state: absent
- notify: Update_aide_database
- when: ansible_os_family == "RedHat"
\ No newline at end of file
+ register: rh_packages_removed
+ when: ansible_os_family == "RedHat"
+
+- name: Set fact if packages were removed
+ set_fact:
+ aide_db_needs_update: true
+ when: (deb_packages_removed is defined and deb_packages_removed.changed) or (rh_packages_removed is defined and rh_packages_removed.changed)
\ No newline at end of file
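Review bot: The `command: aide --config /etc/aide/aide.conf --update` task fails the play in exactly the case it exists for: AIDE's documented exit status for a completed run that found added, removed or changed files is a non-zero bitmask (1–7), which the `command` module treats as failure, so the activation copy below never runs; add `failed_when: aide_update_result.rc > 7` so that only real AIDE errors (14 and above) fail the task. The `changed_when` string also looks wrong to me: in the AIDE versions I know the message reads `New AIDE database written to ...`, so the substring `'new database written to'` never matches and the copy is skipped even on success — use `changed_when: "'database written to' in aide_update_result.stdout"` or key on the exit code instead. Overwriting `/var/lib/aide/aide.db` discards the previous baseline; add `backup: true` to the copy so the old database is kept for later forensic comparison, and consider a `debug` of `aide_update_result.stdout_lines` so the changes being accepted into the baseline are at least visible in the run log. The new file also ends without a trailing newline.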
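Review bot: The new `Set fact if packages were removed` task carries no `tags`, unlike the `aide,hardening,system` tags on the aide_update.yml tasks it is meant to trigger, so a tag-filtered run that removes packages will skip setting `aide_db_needs_update` and leave the AIDE baseline stale; add the same tags and follow the neighbouring naming convention, e.g. `- name: system setup | package hardening | flag AIDE baseline for refresh`. Keep the `is defined` guards, since a tag-filtered run can leave either registered variable undefined, but the condition can be tidied to `when: (deb_packages_removed | default({})) is changed or (rh_packages_removed | default({})) is changed`. The file still ends without a trailing newline.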