From 8c8080b20fe4c4c2e6fca23f48051a4e25257e2c Mon Sep 17 00:00:00 2001 From: Harald Pfeiffer Date: Sun, 14 Apr 2024 13:23:24 +0200 Subject: InComm: Roles to Handlers: Debian done --- patch.bak | 309 +++++++++++++++++++++++++++++++++++++ patch.yaml | 15 ++ patch.yml | 309 ------------------------------------- roles/patch_debian/tasks/main.yaml | 101 ++++++++++++ 4 files changed, 425 insertions(+), 309 deletions(-) create mode 100644 patch.bak create mode 100644 patch.yaml delete mode 100644 patch.yml create mode 100644 roles/patch_debian/tasks/main.yaml diff --git a/patch.bak b/patch.bak new file mode 100644 index 0000000..7fde63e --- /dev/null +++ b/patch.bak @@ -0,0 +1,309 @@ +--- +# You may want to change the default to your favourite host (group) you run this on the most. +- hosts: "{{ runtime_hosts | default('CHANGE_ME') }}" + order: inventory + gather_facts: false + # default: all in first step, but that shit requires (int) + serial: 666 + tasks: + - name: Gather necessary facts + setup: + filter: "ansible_distribution*" + - name: Set up Red Hat and derivatives + debug: + msg: "System is {{ansible_distribution}} {{ansible_distribution_version}}, checking in." + when: ansible_distribution_file_variety == "RedHat" + changed_when: true + notify: "redhat upd" + - name: Set up Debian and derivatives + debug: + msg: "System is {{ansible_distribution}} {{ansible_distribution_version}}, checking in." + when: ansible_distribution_file_variety == "Debian" + changed_when: true + notify: "debian upd" + - name: Set up SUSE and derivatives + debug: + msg: "System is {{ansible_distribution}} {{ansible_distribution_version}}, checking in." + # SuSE was "renamed" to SUSE somewhen around SLES 11 (now SLE :-} ), so we'll check for both. Even though generation 11 + # repositories should be pretty ...deaddish by now. + when: ansible_distribution_file_variety == "SUSE" or ansible_distribution_file_variety == "SuSE" + changed_when: true + notify: "suse upd" + - name: Set up Arch and derivatives + debug: + msg: "System is {{ansible_distribution}} ({{ansible_distribution_file_variety}}), checking in." + when: ansible_distribution_file_variety == "Archlinux" + changed_when: true + notify: "arch upd" + handlers: + - name: Update yum/dnf cache (RHEL) + # We want to see a dedicated failure if the repos cannot be fetched already. + # Cheating here: yum wants a "state" statement to be placed before it takes action, and then - other than stated in the docs - + # we can trigger an action containing update_cache without "name" being mandatory. So we will have no package present with + # updated cache :-) + yum: + state: present + update_cache: "yes" + validate_certs: "yes" + become: true + listen: "redhat upd" + - name: Update repository cache (Debian) + apt: + update_cache: "yes" + become: true + listen: "debian upd" + - name: Update repository cache (Arch) + pacman: + update_cache: "yes" + become: true + listen: "arch upd" + - name: Check for upgrades (RHEL) + # yum check-upgrade would normally throw an RC 100 if updates are available. + # But through ansible: RC0! Weeeee + shell: /usr/bin/yum -q -C check-upgrade 2>/dev/null | wc -l + args: + warn: false + register: yue + changed_when: yue.stdout|int > 1 + become: true + listen: "redhat upd" + notify: + - "redhat updates available" + - "rkhunter" + - name: Check for upgrades (Debian) + shell: + cmd: apt list --upgradable 2>/dev/null | grep -v ^Listing | wc -l + # ZWEI GEKREUZTE HÄMMER UND EIN GROSSES W + register: aue + # apt will throw an error because it doesn't like piping yet. + # for our purposes, however, everything has already been sufficiently implemented. + failed_when: false + changed_when: aue.stdout|int > 0 + notify: + - "debian updates available" + - "rkhunter" + listen: "debian upd" + - name: Check for upgrades (Arch) + # TODO: pikaur + shell: /usr/bin/pacman -Qu + become: true + register: pue + failed_when: pue.rc|int > 1 + changed_when: pue.rc|int == 0 + notify: + - "arch updates available" + - "rkhunter" + listen: "arch upd" + - name: Check for existence of rkhunter + stat: + path: /usr/bin/rkhunter + register: rkhex + ignore_errors: true + no_log: true + # yum always tosses this arbitrary extra line at you, a simple tr -s does not eradicate it, so - well, + # 0 and 1 are fine. As explained above, the RC is worthless when run through ansible. + listen: "rkhunter" + changed_when: + - rkhex.stat is defined + - rkhex.stat.executable is defined + - rkhex.stat.executable == true + notify: "rkhunter execution" + - name: rkhunter pre-check + shell: rkhunter -c --sk --rwo --ns + become: true + no_log: true + listen: "rkhunter execution" + - name: Upgrade all installed packages (RHEL) + yum: + name: '*' + state: latest + validate_certs: "yes" + skip_broken: "yes" + become: true + listen: "redhat updates available" + # Auto-removal is broken and will nuke packages we previously selected through e.g. ansible. + # See ansible issue #60349. Leaving commented out. -- pff + # - name: Auto-removal of orphaned dependencies (RHEL) + # yum: + # autoremove: "yes" + # when: (ansible_distribution_file_variety == "RedHat") or (ansible_distribution == "Red Hat Enterprise Linux") or (ansible_distribution == "CentOS") + - name: Register requirement for reboot (RHEL) + command: needs-restarting -r + ignore_errors: "yes" + register: nr + changed_when: "nr.rc > 0" + failed_when: false + notify: "Reboot if required" + become: true + # we listen to "redhat upd" here in case a previous reboot was not executed. If undesired, change to "redhat updates available". + listen: "redhat upd" + - name: Clean packages cache (Debian) + command: apt clean + become: true + listen: "debian upd" + - name: Upgrade packages (Debian) + apt: + upgrade: dist + become: true + listen: "debian updates available" + - name: Remove dependencies that are no longer required (Debian) + apt: + autoremove: "yes" + purge: "yes" + become: true + # we listen to "debian upd" here in case a previous cleanup was skipped. Change to "debian updates available" if undesired. + listen: "debian upd" +# - name: Check for existence of needrestart (Debian) +# stat: +# path: /usr/sbin/needrestart +# register: nrex +# ignore_errors: "yes" +# no_log: true +# failed_when: false +# changed_when: +# - nrex.stat.exists == true +# - nrex.stat.executable == true +# # we listen to "debian upd" here in case a previous reboot was not executed. If undesired, change to "debian updates available". +# notify: "debian needrestart" +# listen: "debian upd" +# - name: Check for outdated kernel (Debian) +# shell: /usr/sbin/needrestart -pk +# register: kernout +# when: +# - nrex.stat.exists == true +# - nrex.stat.executable == true +# become: true +# changed_when: "kernout.rc|int == 1" +# listen: "debian needrestart" +# notify: "Reboot if required" +# # failed_when necessary to have a change for RC 1 instead of a failure +# failed_when: kernout.rc > 1 + - name: Upgrade packages (Arch) + pacman: + # DO NOT RUN payman -Sy instead of pacman -Syu, i.e. avoid partial upgrades: + update_cache: "yes" + upgrade: "yes" + become: true + listen: "arch updates available" + - name: Check for existence of needrestart (Debian, Arch) + stat: + path: /usr/sbin/needrestart + register: nrex + ignore_errors: "yes" + no_log: true + failed_when: false + changed_when: + - nrex.stat.exists == true + - nrex.stat.executable == true + # we listen to "debian upd" here in case a previous reboot was not executed. If undesired, change to "debian updates available". + notify: + - "debian arch needrestart" + listen: + - "debian upd" + - "arch upd" + - name: Check for outdated kernel (Debian, Arch) + shell: /usr/sbin/needrestart -pk + register: kernout + when: + - nrex.stat.exists == true + - nrex.stat.executable == true + become: true + changed_when: "kernout.rc|int == 1" + listen: "debian arch needrestart" + notify: "Reboot if required" + # failed_when necessary to have a change for RC 1 instead of a failure + failed_when: kernout.rc > 2 + - name: Check for outdated services (Debian, Arch) + shell: /usr/sbin/needrestart -pl + register: svcout + when: + - nrex.stat.exists == true + - nrex.stat.executable == true + become: true + changed_when: "svcout.rc|int == 1" + listen: "debian arch needrestart" + # we'll play it safe here: outdated services? --> reboot. + notify: "Reboot if required" + # failed_when necessary to have a change for RC 1 instead of a failure + failed_when: svcout.rc > 2 + - name: Update zypper cache (SUSE) + # we cannot cheat like we did with yum: we need to update any package to refresh the cache with the zypper module. Hence falling back + # to shell. + shell: | + zypper refs && zypper ref + become: true + listen: "suse upd" + - name: Verify Zypper repository availability + # Now, here's the thing with zypper. If you have a dead repository, you need to face the following facts: + # 1. All output goes to stdout. For zypper lu at least on SLE12/openSUSE42 and earlier, this is: + # - The packages available for update + # - Debug output lik "loading repository data..." and "reading installed packages..." + # (could be silenced with -q, but without RC feedback we need the debug strings again, kek.) + # - WARNING(!!) messages + # ... there is no STDERR. + # 2. There is no return code other than 0 for warnings. + # Great. Interaction with automatisms as if that stuff came directly from Redmond. + # So we need to parse the fucking output string in ansible. Let's start with the "repository not available" warnings. + debug: + msg: "Dead repositories existing and no update present, we consider this a failure." + when: + - zypperlu is search("Repository.*appears to be outdated") + - zypperlu is search("No updates found") + listen: "zypperlu" + failed_when: true + - name: Update all packages (SUSE) + # we could narrow this down via type:patch, but that's about all. So fire away. + zypper: + name: '*' + state: latest + become: true + # TODO: suse not productive yet, so we choose an arbitrary listener here. Change to something meaningful when going to production. + listen: "suse upd" + - name: Register requirement for reboot (SUSE) + # change in paradigm: we will now use "needs-rebooting", suse implemented that somewhere between 12 and 15, instead of "ps -sss" + # shell: zypper ps -sss + # todo: what to do if services require a refork? + # shell: zypper ps -sss + shell: zypper needs-rebooting + args: + warn: false + register: zyppout + changed_when: zyppout.rc == 102 + failed_when: zyppout.rc != 102 and zyppout.rc != 0 + notify: "Reboot if required" + # we listen to "suse upd" here in case a previous reboot was skipped. Change to "suse updates available" if undesired. + listen: "suse upd" + - name: Clean packages cache (RHEL) + # ansible's yum module does not have a dedicated action for this. So shell it is. + # CAUTION: This will only work as long as modern RHEL derivatives (RHEL/CentOS >=8, Fedora >=30) will have yum available as pseudo-alias to dnf. + # Also, despite yum not offering this feature, ansible will warn that there is a yum module and we should consider using it. Turning warnings off. + args: + warn: false + shell: yum clean packages + become: true + # we listen to "redhat upd" here in case a previous cleanup was skipped. Change to "redhat updates available" if undesired. + listen: "redhat upd" + - name: Clean apt cache (Debian) + # ansible's apt module does not have a dedicated action for this yet. So shell it is: + shell: apt clean + become: true + # here, we already listen to "debian updates available" already since we already did a more generic cleanup above (unless narrowed down as well) + listen: "debian updates available" + - name: Clean packages cache (SUSE) + # ansible's zypper module does not have a dedicated action for this yet. So shell it is: + shell: zypper clean + become: true + # we listen to "suse upd" here in case a previous cleanup was skipped. Change to "suse updates available" if undesired. + listen: "suse upd" + - name: rkhunter properties update + command: rkhunter --propupd --rwo --ns + become: true + listen: "rkhunter execution" + - name: Reboot if required + # ignore_errors: yes + reboot: + reboot_timeout: 300 + pre_reboot_delay: 5 + test_command: uptime + reboot_command: "/bin/systemctl reboot" + become: true diff --git a/patch.yaml b/patch.yaml new file mode 100644 index 0000000..5fa350f --- /dev/null +++ b/patch.yaml @@ -0,0 +1,15 @@ +--- +# You may want to change the default to your favourite host (group) you run this on the most. +- hosts: "{{ rthosts | default('CHANGE_ME') }}" + order: inventory + gather_facts: false + # default: all in first step, but that shit requires (int) + serial: 666 + tasks: + - name: Gather necessary facts + setup: + filter: "ansible_distribution*" + - name: Debian Patches + ansible.builtin.import_role: + name: "patch_debian" + when: ansible_distribution_file_variety == "Debian" diff --git a/patch.yml b/patch.yml deleted file mode 100644 index 7fde63e..0000000 --- a/patch.yml +++ /dev/null @@ -1,309 +0,0 @@ ---- -# You may want to change the default to your favourite host (group) you run this on the most. -- hosts: "{{ runtime_hosts | default('CHANGE_ME') }}" - order: inventory - gather_facts: false - # default: all in first step, but that shit requires (int) - serial: 666 - tasks: - - name: Gather necessary facts - setup: - filter: "ansible_distribution*" - - name: Set up Red Hat and derivatives - debug: - msg: "System is {{ansible_distribution}} {{ansible_distribution_version}}, checking in." - when: ansible_distribution_file_variety == "RedHat" - changed_when: true - notify: "redhat upd" - - name: Set up Debian and derivatives - debug: - msg: "System is {{ansible_distribution}} {{ansible_distribution_version}}, checking in." - when: ansible_distribution_file_variety == "Debian" - changed_when: true - notify: "debian upd" - - name: Set up SUSE and derivatives - debug: - msg: "System is {{ansible_distribution}} {{ansible_distribution_version}}, checking in." - # SuSE was "renamed" to SUSE somewhen around SLES 11 (now SLE :-} ), so we'll check for both. Even though generation 11 - # repositories should be pretty ...deaddish by now. - when: ansible_distribution_file_variety == "SUSE" or ansible_distribution_file_variety == "SuSE" - changed_when: true - notify: "suse upd" - - name: Set up Arch and derivatives - debug: - msg: "System is {{ansible_distribution}} ({{ansible_distribution_file_variety}}), checking in." - when: ansible_distribution_file_variety == "Archlinux" - changed_when: true - notify: "arch upd" - handlers: - - name: Update yum/dnf cache (RHEL) - # We want to see a dedicated failure if the repos cannot be fetched already. - # Cheating here: yum wants a "state" statement to be placed before it takes action, and then - other than stated in the docs - - # we can trigger an action containing update_cache without "name" being mandatory. So we will have no package present with - # updated cache :-) - yum: - state: present - update_cache: "yes" - validate_certs: "yes" - become: true - listen: "redhat upd" - - name: Update repository cache (Debian) - apt: - update_cache: "yes" - become: true - listen: "debian upd" - - name: Update repository cache (Arch) - pacman: - update_cache: "yes" - become: true - listen: "arch upd" - - name: Check for upgrades (RHEL) - # yum check-upgrade would normally throw an RC 100 if updates are available. - # But through ansible: RC0! Weeeee - shell: /usr/bin/yum -q -C check-upgrade 2>/dev/null | wc -l - args: - warn: false - register: yue - changed_when: yue.stdout|int > 1 - become: true - listen: "redhat upd" - notify: - - "redhat updates available" - - "rkhunter" - - name: Check for upgrades (Debian) - shell: - cmd: apt list --upgradable 2>/dev/null | grep -v ^Listing | wc -l - # ZWEI GEKREUZTE HÄMMER UND EIN GROSSES W - register: aue - # apt will throw an error because it doesn't like piping yet. - # for our purposes, however, everything has already been sufficiently implemented. - failed_when: false - changed_when: aue.stdout|int > 0 - notify: - - "debian updates available" - - "rkhunter" - listen: "debian upd" - - name: Check for upgrades (Arch) - # TODO: pikaur - shell: /usr/bin/pacman -Qu - become: true - register: pue - failed_when: pue.rc|int > 1 - changed_when: pue.rc|int == 0 - notify: - - "arch updates available" - - "rkhunter" - listen: "arch upd" - - name: Check for existence of rkhunter - stat: - path: /usr/bin/rkhunter - register: rkhex - ignore_errors: true - no_log: true - # yum always tosses this arbitrary extra line at you, a simple tr -s does not eradicate it, so - well, - # 0 and 1 are fine. As explained above, the RC is worthless when run through ansible. - listen: "rkhunter" - changed_when: - - rkhex.stat is defined - - rkhex.stat.executable is defined - - rkhex.stat.executable == true - notify: "rkhunter execution" - - name: rkhunter pre-check - shell: rkhunter -c --sk --rwo --ns - become: true - no_log: true - listen: "rkhunter execution" - - name: Upgrade all installed packages (RHEL) - yum: - name: '*' - state: latest - validate_certs: "yes" - skip_broken: "yes" - become: true - listen: "redhat updates available" - # Auto-removal is broken and will nuke packages we previously selected through e.g. ansible. - # See ansible issue #60349. Leaving commented out. -- pff - # - name: Auto-removal of orphaned dependencies (RHEL) - # yum: - # autoremove: "yes" - # when: (ansible_distribution_file_variety == "RedHat") or (ansible_distribution == "Red Hat Enterprise Linux") or (ansible_distribution == "CentOS") - - name: Register requirement for reboot (RHEL) - command: needs-restarting -r - ignore_errors: "yes" - register: nr - changed_when: "nr.rc > 0" - failed_when: false - notify: "Reboot if required" - become: true - # we listen to "redhat upd" here in case a previous reboot was not executed. If undesired, change to "redhat updates available". - listen: "redhat upd" - - name: Clean packages cache (Debian) - command: apt clean - become: true - listen: "debian upd" - - name: Upgrade packages (Debian) - apt: - upgrade: dist - become: true - listen: "debian updates available" - - name: Remove dependencies that are no longer required (Debian) - apt: - autoremove: "yes" - purge: "yes" - become: true - # we listen to "debian upd" here in case a previous cleanup was skipped. Change to "debian updates available" if undesired. - listen: "debian upd" -# - name: Check for existence of needrestart (Debian) -# stat: -# path: /usr/sbin/needrestart -# register: nrex -# ignore_errors: "yes" -# no_log: true -# failed_when: false -# changed_when: -# - nrex.stat.exists == true -# - nrex.stat.executable == true -# # we listen to "debian upd" here in case a previous reboot was not executed. If undesired, change to "debian updates available". -# notify: "debian needrestart" -# listen: "debian upd" -# - name: Check for outdated kernel (Debian) -# shell: /usr/sbin/needrestart -pk -# register: kernout -# when: -# - nrex.stat.exists == true -# - nrex.stat.executable == true -# become: true -# changed_when: "kernout.rc|int == 1" -# listen: "debian needrestart" -# notify: "Reboot if required" -# # failed_when necessary to have a change for RC 1 instead of a failure -# failed_when: kernout.rc > 1 - - name: Upgrade packages (Arch) - pacman: - # DO NOT RUN payman -Sy instead of pacman -Syu, i.e. avoid partial upgrades: - update_cache: "yes" - upgrade: "yes" - become: true - listen: "arch updates available" - - name: Check for existence of needrestart (Debian, Arch) - stat: - path: /usr/sbin/needrestart - register: nrex - ignore_errors: "yes" - no_log: true - failed_when: false - changed_when: - - nrex.stat.exists == true - - nrex.stat.executable == true - # we listen to "debian upd" here in case a previous reboot was not executed. If undesired, change to "debian updates available". - notify: - - "debian arch needrestart" - listen: - - "debian upd" - - "arch upd" - - name: Check for outdated kernel (Debian, Arch) - shell: /usr/sbin/needrestart -pk - register: kernout - when: - - nrex.stat.exists == true - - nrex.stat.executable == true - become: true - changed_when: "kernout.rc|int == 1" - listen: "debian arch needrestart" - notify: "Reboot if required" - # failed_when necessary to have a change for RC 1 instead of a failure - failed_when: kernout.rc > 2 - - name: Check for outdated services (Debian, Arch) - shell: /usr/sbin/needrestart -pl - register: svcout - when: - - nrex.stat.exists == true - - nrex.stat.executable == true - become: true - changed_when: "svcout.rc|int == 1" - listen: "debian arch needrestart" - # we'll play it safe here: outdated services? --> reboot. - notify: "Reboot if required" - # failed_when necessary to have a change for RC 1 instead of a failure - failed_when: svcout.rc > 2 - - name: Update zypper cache (SUSE) - # we cannot cheat like we did with yum: we need to update any package to refresh the cache with the zypper module. Hence falling back - # to shell. - shell: | - zypper refs && zypper ref - become: true - listen: "suse upd" - - name: Verify Zypper repository availability - # Now, here's the thing with zypper. If you have a dead repository, you need to face the following facts: - # 1. All output goes to stdout. For zypper lu at least on SLE12/openSUSE42 and earlier, this is: - # - The packages available for update - # - Debug output lik "loading repository data..." and "reading installed packages..." - # (could be silenced with -q, but without RC feedback we need the debug strings again, kek.) - # - WARNING(!!) messages - # ... there is no STDERR. - # 2. There is no return code other than 0 for warnings. - # Great. Interaction with automatisms as if that stuff came directly from Redmond. - # So we need to parse the fucking output string in ansible. Let's start with the "repository not available" warnings. - debug: - msg: "Dead repositories existing and no update present, we consider this a failure." - when: - - zypperlu is search("Repository.*appears to be outdated") - - zypperlu is search("No updates found") - listen: "zypperlu" - failed_when: true - - name: Update all packages (SUSE) - # we could narrow this down via type:patch, but that's about all. So fire away. - zypper: - name: '*' - state: latest - become: true - # TODO: suse not productive yet, so we choose an arbitrary listener here. Change to something meaningful when going to production. - listen: "suse upd" - - name: Register requirement for reboot (SUSE) - # change in paradigm: we will now use "needs-rebooting", suse implemented that somewhere between 12 and 15, instead of "ps -sss" - # shell: zypper ps -sss - # todo: what to do if services require a refork? - # shell: zypper ps -sss - shell: zypper needs-rebooting - args: - warn: false - register: zyppout - changed_when: zyppout.rc == 102 - failed_when: zyppout.rc != 102 and zyppout.rc != 0 - notify: "Reboot if required" - # we listen to "suse upd" here in case a previous reboot was skipped. Change to "suse updates available" if undesired. - listen: "suse upd" - - name: Clean packages cache (RHEL) - # ansible's yum module does not have a dedicated action for this. So shell it is. - # CAUTION: This will only work as long as modern RHEL derivatives (RHEL/CentOS >=8, Fedora >=30) will have yum available as pseudo-alias to dnf. - # Also, despite yum not offering this feature, ansible will warn that there is a yum module and we should consider using it. Turning warnings off. - args: - warn: false - shell: yum clean packages - become: true - # we listen to "redhat upd" here in case a previous cleanup was skipped. Change to "redhat updates available" if undesired. - listen: "redhat upd" - - name: Clean apt cache (Debian) - # ansible's apt module does not have a dedicated action for this yet. So shell it is: - shell: apt clean - become: true - # here, we already listen to "debian updates available" already since we already did a more generic cleanup above (unless narrowed down as well) - listen: "debian updates available" - - name: Clean packages cache (SUSE) - # ansible's zypper module does not have a dedicated action for this yet. So shell it is: - shell: zypper clean - become: true - # we listen to "suse upd" here in case a previous cleanup was skipped. Change to "suse updates available" if undesired. - listen: "suse upd" - - name: rkhunter properties update - command: rkhunter --propupd --rwo --ns - become: true - listen: "rkhunter execution" - - name: Reboot if required - # ignore_errors: yes - reboot: - reboot_timeout: 300 - pre_reboot_delay: 5 - test_command: uptime - reboot_command: "/bin/systemctl reboot" - become: true diff --git a/roles/patch_debian/tasks/main.yaml b/roles/patch_debian/tasks/main.yaml new file mode 100644 index 0000000..b9641a6 --- /dev/null +++ b/roles/patch_debian/tasks/main.yaml @@ -0,0 +1,101 @@ +--- +- name: "Check whether OS is a Debian derivative" + ansible.builtin.assert: + that: + - ansible_distribution_file_variety == 'Debian' + no_log: true +- name: Update repository cache + apt: + update_cache: "yes" + become: true +- name: Check for upgrades + shell: + cmd: apt list --upgradable 2>/dev/null | grep -v ^Listing | wc -l + # ZWEI GEKREUZTE HÄMMER UND EIN GROSSES W + register: aue + # apt will throw an error because it doesn't like piping yet. + # for our purposes, however, everything has already been sufficiently implemented. + failed_when: false + #changed_when: aue.stdout|int > 0 + changed_when: false +- block: + - name: Check for existence of rkhunter + stat: + path: /usr/bin/rkhunter + register: rkhex + ignore_errors: true + no_log: true + changed_when: false + # - rkhex.stat is defined + # - rkhex.stat.executable is defined + # - rkhex.stat.executable == true + - name: rkhunter pre-check + shell: rkhunter -c --sk --rwo --ns + become: true + no_log: true + when: + - rkhex.stat is defined + - rkhex.stat.executable is defined + - rkhex.stat.executable == true + - name: Clean packages cache + command: apt clean + become: true + - name: Upgrade packages (Debian) + apt: + upgrade: dist + become: true + # when: aue.stdout|int > 0 + - name: Remove dependencies that are no longer required + apt: + autoremove: "yes" + purge: "yes" + become: true + - name: Check for existence of needrestart + stat: + path: /usr/sbin/needrestart + register: nrex + ignore_errors: "yes" + no_log: true + failed_when: false + changed_when: false + when: aue.stdout|int > 0 +- block: + - name: Check for outdated kernel + shell: /usr/sbin/needrestart -pk + register: kernout + #changed_when: "kernout.rc|int == 1" + changed_when: false + # failed_when necessary to not fail on RC 1 instead of a true failure + failed_when: kernout.rc > 2 + - name: Check for outdated services + shell: /usr/sbin/needrestart -pl + register: svcout + #changed_when: "svcout.rc|int == 1" + changed_when: false + # failed_when necessary to not fail on RC 1 instead of a true failure + failed_when: svcout.rc > 2 + become: true + when: + - nrex.stat.exists == true + - nrex.stat.executable == true +- name: Clean apt cache + # ansible's apt module does not have a dedicated action for this yet. So shell it is: + shell: apt clean + become: true + # here, we already listen to "debian updates available" already since we already did a more generic cleanup above (unless narrowed down as well) +- name: rkhunter properties update + command: rkhunter --propupd --rwo --ns + become: true + when: + - rkhex.stat is defined + - rkhex.stat.executable is defined + - rkhex.stat.executable == true +- name: Reboot if required + # ignore_errors: yes + reboot: + reboot_timeout: 300 + pre_reboot_delay: 5 + test_command: uptime + reboot_command: "/bin/systemctl reboot" + become: true + when: kernout.rc > 2 or svcout.rc > 2 -- cgit v1.2.3