blob: b9641a61a4648d9ac8f56be4c4abf9ef73186a0b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
---
- name: "Check whether OS is a Debian derivative"
ansible.builtin.assert:
that:
- ansible_distribution_file_variety == 'Debian'
no_log: true
- name: Update repository cache
apt:
update_cache: "yes"
become: true
- name: Check for upgrades
shell:
cmd: apt list --upgradable 2>/dev/null | grep -v ^Listing | wc -l
# ZWEI GEKREUZTE HÄMMER UND EIN GROSSES W
register: aue
# apt will throw an error because it doesn't like piping yet.
# for our purposes, however, everything has already been sufficiently implemented.
failed_when: false
#changed_when: aue.stdout|int > 0
changed_when: false
- block:
- name: Check for existence of rkhunter
stat:
path: /usr/bin/rkhunter
register: rkhex
ignore_errors: true
no_log: true
changed_when: false
# - rkhex.stat is defined
# - rkhex.stat.executable is defined
# - rkhex.stat.executable == true
- name: rkhunter pre-check
shell: rkhunter -c --sk --rwo --ns
become: true
no_log: true
when:
- rkhex.stat is defined
- rkhex.stat.executable is defined
- rkhex.stat.executable == true
- name: Clean packages cache
command: apt clean
become: true
- name: Upgrade packages (Debian)
apt:
upgrade: dist
become: true
# when: aue.stdout|int > 0
- name: Remove dependencies that are no longer required
apt:
autoremove: "yes"
purge: "yes"
become: true
- name: Check for existence of needrestart
stat:
path: /usr/sbin/needrestart
register: nrex
ignore_errors: "yes"
no_log: true
failed_when: false
changed_when: false
when: aue.stdout|int > 0
- block:
- name: Check for outdated kernel
shell: /usr/sbin/needrestart -pk
register: kernout
#changed_when: "kernout.rc|int == 1"
changed_when: false
# failed_when necessary to not fail on RC 1 instead of a true failure
failed_when: kernout.rc > 2
- name: Check for outdated services
shell: /usr/sbin/needrestart -pl
register: svcout
#changed_when: "svcout.rc|int == 1"
changed_when: false
# failed_when necessary to not fail on RC 1 instead of a true failure
failed_when: svcout.rc > 2
become: true
when:
- nrex.stat.exists == true
- nrex.stat.executable == true
- name: Clean apt cache
# ansible's apt module does not have a dedicated action for this yet. So shell it is:
shell: apt clean
become: true
# here, we already listen to "debian updates available" already since we already did a more generic cleanup above (unless narrowed down as well)
- name: rkhunter properties update
command: rkhunter --propupd --rwo --ns
become: true
when:
- rkhex.stat is defined
- rkhex.stat.executable is defined
- rkhex.stat.executable == true
- name: Reboot if required
# ignore_errors: yes
reboot:
reboot_timeout: 300
pre_reboot_delay: 5
test_command: uptime
reboot_command: "/bin/systemctl reboot"
become: true
when: kernout.rc > 2 or svcout.rc > 2
|
