authorHarald Pfeiffer <coding _ lirion.de> 2024-04-14 13:23:24 +0200
committerHarald Pfeiffer <coding _ lirion.de> 2024-04-14 13:23:24 +0200
commit8c8080b20fe4c4c2e6fca23f48051a4e25257e2c (patch)
treee371e09c2059e2795ab896bc902367a2779b0afc
parentaa0e58f8ee72a9410ddf4db1f5f05f42045a3db8 (diff)
downloadansible-8c8080b20fe4c4c2e6fca23f48051a4e25257e2c.tar.bz2
InComm: Roles to Handlers: Debian done
-rw-r--r--patch.bak (renamed from patch.yml)0
-rw-r--r--patch.yaml15
-rw-r--r--roles/patch_debian/tasks/main.yaml101
3 files changed, 116 insertions, 0 deletions
diff --git a/patch.yml b/patch.bak
index 7fde63e..7fde63e 100644
--- a/patch.yml
+++ b/patch.bak
diff --git a/patch.yaml b/patch.yaml
new file mode 100644
index 0000000..5fa350f
--- /dev/null
+++ b/patch.yaml
@@ -0,0 +1,15 @@
+---
+# You may want to change the default to your favourite host (group) you run this on the most.
+- hosts: "{{ rthosts | default('CHANGE_ME') }}"
+ order: inventory
+ gather_facts: false
+ # default: all in first step, but that shit requires (int)
+ serial: 666
+ tasks:
+ - name: Gather necessary facts
+ setup:
+ filter: "ansible_distribution*"
+ - name: Debian Patches
+ ansible.builtin.import_role:
+ name: "patch_debian"
+ when: ansible_distribution_file_variety == "Debian"
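Review bot: `serial: 666` is a cap rather than "all hosts": an inventory with more than 666 matching hosts would be split into batches, and the bare number gives a later reader no hint of the intent behind it. Ansible also accepts a percentage string in this field, so `serial: "100%"` says "everything in one batch" without the magic number; alternatively drop `serial` altogether, since a play without it already runs all hosts at once. The comment `# default: all in first step, but that shit requires (int)` would then be reworded or removed along with it.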
diff --git a/roles/patch_debian/tasks/main.yaml b/roles/patch_debian/tasks/main.yaml
new file mode 100644
index 0000000..b9641a6
--- /dev/null
+++ b/roles/patch_debian/tasks/main.yaml
@@ -0,0 +1,101 @@
+---
+- name: "Check whether OS is a Debian derivative"
+ ansible.builtin.assert:
+ that:
+ - ansible_distribution_file_variety == 'Debian'
+ no_log: true
+- name: Update repository cache
+ apt:
+ update_cache: "yes"
+ become: true
+- name: Check for upgrades
+ shell:
+ cmd: apt list --upgradable 2>/dev/null | grep -v ^Listing | wc -l
+ # ZWEI GEKREUZTE HÄMMER UND EIN GROSSES W
+ register: aue
+ # apt will throw an error because it doesn't like piping yet.
+ # for our purposes, however, everything has already been sufficiently implemented.
+ failed_when: false
+ #changed_when: aue.stdout|int > 0
+ changed_when: false
+- block:
+ - name: Check for existence of rkhunter
+ stat:
+ path: /usr/bin/rkhunter
+ register: rkhex
+ ignore_errors: true
+ no_log: true
+ changed_when: false
+ # - rkhex.stat is defined
+ # - rkhex.stat.executable is defined
+ # - rkhex.stat.executable == true
+ - name: rkhunter pre-check
+ shell: rkhunter -c --sk --rwo --ns
+ become: true
+ no_log: true
+ when:
+ - rkhex.stat is defined
+ - rkhex.stat.executable is defined
+ - rkhex.stat.executable == true
+ - name: Clean packages cache
+ command: apt clean
+ become: true
+ - name: Upgrade packages (Debian)
+ apt:
+ upgrade: dist
+ become: true
+ # when: aue.stdout|int > 0
+ - name: Remove dependencies that are no longer required
+ apt:
+ autoremove: "yes"
+ purge: "yes"
+ become: true
+ - name: Check for existence of needrestart
+ stat:
+ path: /usr/sbin/needrestart
+ register: nrex
+ ignore_errors: "yes"
+ no_log: true
+ failed_when: false
+ changed_when: false
+ when: aue.stdout|int > 0
+- block:
+ - name: Check for outdated kernel
+ shell: /usr/sbin/needrestart -pk
+ register: kernout
+ #changed_when: "kernout.rc|int == 1"
+ changed_when: false
+ # failed_when necessary to not fail on RC 1 instead of a true failure
+ failed_when: kernout.rc > 2
+ - name: Check for outdated services
+ shell: /usr/sbin/needrestart -pl
+ register: svcout
+ #changed_when: "svcout.rc|int == 1"
+ changed_when: false
+ # failed_when necessary to not fail on RC 1 instead of a true failure
+ failed_when: svcout.rc > 2
+ become: true
+ when:
+ - nrex.stat.exists == true
+ - nrex.stat.executable == true
+- name: Clean apt cache
+ # ansible's apt module does not have a dedicated action for this yet. So shell it is:
+ shell: apt clean
+ become: true
+ # here, we already listen to "debian updates available" already since we already did a more generic cleanup above (unless narrowed down as well)
+- name: rkhunter properties update
+ command: rkhunter --propupd --rwo --ns
+ become: true
+ when:
+ - rkhex.stat is defined
+ - rkhex.stat.executable is defined
+ - rkhex.stat.executable == true
+- name: Reboot if required
+ # ignore_errors: yes
+ reboot:
+ reboot_timeout: 300
+ pre_reboot_delay: 5
+ test_command: uptime
+ reboot_command: "/bin/systemctl reboot"
+ become: true
+ when: kernout.rc > 2 or svcout.rc > 2
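Review bot: The reboot condition on the last line cannot be met on a successful run: the `failed_when: kernout.rc > 2` / `svcout.rc > 2` lines earlier in the hunk turn any rc above 2 into a task failure, so `Reboot if required` only ever sees rc 0–2 and is effectively dead code; the commented-out `changed_when: "kernout.rc|int == 1"` lines suggest the intended trigger is a non-zero but non-failing rc, e.g. `when: (kernout.rc | default(0) | int) > 0 or (svcout.rc | default(0) | int) > 0`. The `default(0)` also matters because both needrestart tasks sit in a block guarded by `nrex.stat.exists`, and a skipped task still registers its variable without an `rc` key, so the bare `kernout.rc` would raise an undefined-attribute error on hosts without needrestart. The same gap exists one level up: when the first block is skipped because `aue.stdout|int` is 0, `nrex` is registered as a skipped result with no `stat`, so `when: nrex.stat.exists == true` on the second block errors instead of skipping; guard it the way the file already guards rkhex, adding `- nrex.stat is defined` before the two existing conditions. Separately, the rkhunter pre-check runs with `no_log: true` and no `failed_when`, so if the scanner exits non-zero on a warning the play stops with the warning text hidden — register the result and report it, or drop `no_log` on that task. The quoted `"yes"` values for `update_cache`, `autoremove`, `purge` and `ignore_errors` are accepted by Ansible but are strings in YAML; the plain `true` used elsewhere in the file is the consistent form.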