obsolete crontab creation in role?

[vx-github]

I was wondering if the crontab that is installed under the (root) user is somewhat obsolete since a cron script is also installed by the Debian package in /etc/cron.daily/aide ?

I am refering to this crontab:
https://github.com/darkwizard242/cis_ubuntu_2004/blob/master/defaults/main/section_01.yml#L208-L218

By default /etc/aide/aide.conf (used by the command in the crontab entry) does not contain any (restrictive) selection lines, so it really does nothing.

[darkwizard242]

@vx-github - As far as I can recall, the audit command for that rule is:

grep -Prs '^([^#\n\r]+\h+)?(\/usr\/s?bin\/|^\h*)aide(\.wrapper)?\h+(--check|([^#\n\r]+\h+)?\$AIDEARGS)\b' /etc/cron.* /etc/crontab /var/spool/cron/

Based on the command it does run grep for the regex in /etc/cron.* as well, so if the role was already adding to /etc/cron.daily/aide, and the above audit command returns a cron job to you in response; then you are good with not adding to root's crontab.

To disable that specific task, you can just set ubuntu_2004_cis_section1_rule_1_3_2 to false in your playbook (example):

---
- name: Example Playbook to apply cis_ubuntu_2004 role with ipv6.
  hosts: localhost  # or any grouping of hosts
  connection: local  # or 'ssh'
  become: yes
  gather_facts: true
  roles:
    - cis_ubuntu_2004
  vars:
    ansible_python_interpreter: /usr/bin/python3
    ubuntu_2004_cis_section1_rule_1_3_2: false

[vx-github]

@darkwizard242 - Yes I understand and will propose that.

What I don't understand that it is even there, because cron will always be set by installing aide-common over here:
https://github.com/darkwizard242/cis_ubuntu_2004/blob/master/defaults/main/section_01.yml#L201-L203