---
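- name: "Check whether OS is a Red Hat derivative"
  # Guard for everything below: the remaining tasks drive yum/dnf and rkhunter, so bail out
  # early on any other OS family. Relies on gathered facts (gather_facts must not be off).
  # no_log used to be set here; nothing sensitive is evaluated and it hid the reason for a
  # failing assertion, so it is replaced by an explicit fail_msg (quiet keeps success terse).
  ansible.builtin.assert:
    that:
      - ansible_distribution_file_variety == 'RedHat'
    fail_msg: "Refusing to run: this play supports Red Hat derivatives only (distribution_file_variety={{ ansible_distribution_file_variety | default('unknown') }})"
    quiet: true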
- name: Update yum/dnf cache
  # Refresh the repo metadata as a step of its own, so an unreachable repo or a TLS failure
  # shows up as a distinct failure here instead of somewhere inside the big upgrade task.
  # The yum module only acts once "state" is given; with no "name" it refreshes the cache
  # and installs nothing (not what the docs suggest, but it works).
  # validate_certs stays on: repo metadata over HTTPS must never be fetched with TLS checks off.
  become: true
  ansible.builtin.yum:
    update_cache: true
    validate_certs: true
    state: present
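- name: Check for upgrades (RHEL)
  # yum/dnf check-update exits 100 when updates are pending, 0 when none and 1 on error.
  # Without pipefail the pipeline's status is wc's (always 0), so a failing yum -- with its
  # stderr thrown away -- silently read as "0 updates". pipefail plus failed_when now surfaces
  # that, and stderr is left to Ansible (yue.stderr) instead of /dev/null for diagnosis.
  # check-update is accepted by both yum 3 and dnf; check-upgrade is only documented for dnf.
  # -C: cache only -- the cache was refreshed by the previous task.
  # stdout is still the raw line count, so the consumer (yue.stdout|int > 1) is unchanged.
  ansible.builtin.shell: set -o pipefail; /usr/bin/yum -q -C check-update | wc -l
  args:
    executable: /bin/bash
  register: yue
  changed_when: false
  failed_when: yue.rc not in [0, 100]
  become: true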
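- name: Updates and RKhunter checks
  # Gate on the line count registered by the check task: yum/dnf print one extra line even
  # with -q (a simple tr -s does not remove it), so anything above 1 means real updates.
  when: yue.stdout | int > 1
  block:
    - name: Check for existence of rkhunter
      ansible.builtin.stat:
        path: /usr/bin/rkhunter
      register: rkhex
      ignore_errors: true
      no_log: true  # stat output is just noise here, nothing sensitive in it
      changed_when: false
    - name: RKhunter pre-check
      # Gate the upgrade on a clean scan: rkhunter exits non-zero when it has warnings and
      # there is no failed_when, so a warning aborts the play before anything is upgraded or
      # re-baselined (fail closed).
      # no_log is deliberately NOT set: the warnings are the finding. Hiding them leaves the
      # operator with a failed task and no reason.
      # --sk skip keypress, --rwo report warnings only, --ns no summary.
      ansible.builtin.command: rkhunter -c --sk --rwo --ns
      become: true
      changed_when: false
      when:
        - rkhex.stat is defined
        - rkhex.stat.executable is defined
        - rkhex.stat.executable
    - name: Upgrade all installed packages (RHEL)
      # skip_broken lets the transaction proceed when a package has unresolvable deps; those
      # packages -- and any security fix they carry -- are silently left at the old version.
      # Review the task result if that matters for your estate.
      ansible.builtin.yum:
        name: '*'
        state: latest
        validate_certs: true
        skip_broken: true
      become: true
    # Auto-removal is broken and will nuke packages we previously selected through e.g. ansible.
    # See ansible issue #60349. Leaving commented out. -- pff
    # - name: Auto-removal of orphaned dependencies (RHEL)
    #   ansible.builtin.yum:
    #     autoremove: true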
- name: Check reboot requirement
  block:
    - name: Register requirement for reboot (RHEL)
      # needs-restarting -r exits 1 when a reboot is required and 0 when not; anything else
      # is an error (plugin missing, or the yum shim gone on major releases >= 9 -- there you
      # may want to symlink yum to dnf or call dnf directly). The standalone needs-restarting
      # command is obsolete; "yum needs-restarting" still works on RHEL 8.
      # Never fail here: the decision is taken by "Reboot if required" from nr.rc.
      ansible.builtin.command: yum needs-restarting -r
      register: nr
      become: true
      changed_when: false
      failed_when: false
      ignore_errors: true
- name: Clean packages cache (RHEL)
  # The yum module has no dedicated action for this, hence a raw command.
  # CAUTION: only works while "yum" resolves to dnf on modern derivatives (RHEL/CentOS >= 8,
  # Fedora >= 30). Ansible will warn that a yum module exists; the old "args: warn: false"
  # knob that silenced this was removed from the command module in ansible-core 2.14.
  become: true
  changed_when: true
  ansible.builtin.command: yum clean packages
- name: RKhunter properties update
  # Re-baseline rkhunter's file-properties database after the upgrade, otherwise the next
  # scan flags the updated binaries as changed. Runs only when the upgrade block found
  # rkhunter: rkhex is registered in that block, and if the block was skipped rkhex.stat is
  # absent and default(false) keeps this task skipped as well.
  # NOTE(review): anything that changed between the pre-check and this point is baked into
  # the new baseline.
  ansible.builtin.command: rkhunter --propupd --rwo --ns
  become: true
  changed_when: true
  when: rkhex.stat.executable | default(false)
- name: Reboot if required
  # nr.rc > 0 covers the documented "reboot required" (rc 1) but also any failure of the
  # needs-restarting call, and an unset nr.rc is treated the same way: when in doubt, reboot.
  # This fails safe towards a reboot rather than towards running stale kernels/libraries.
  become: true
  ansible.builtin.reboot:
    reboot_command: "/bin/systemctl reboot"
    pre_reboot_delay: 5
    reboot_timeout: 300
    test_command: uptime
  when: nr.rc is not defined or nr.rc | int > 0