From 77628b800070a825e0b7e28f0ccc647d1912f4a4 Mon Sep 17 00:00:00 2001
From: Harald Pfeiffer
Date: Sat, 18 Apr 2026 10:20:56 +0200
Subject: feat: Remove rkhunter
- SHM monitoring becomes tedious, and SSH monitoring ignores any includes. --> infeasible, better switch to other mechanisms like integrit, tripwire, ...
- http://www.catb.org/~esr/writings/unix-koans/nervous.html
---
roles/patch_redhat/tasks/main.yaml | 17 +----------------
1 file changed, 1 insertion(+), 16 deletions(-)
(limited to 'roles/patch_redhat')
diff --git a/roles/patch_redhat/tasks/main.yaml b/roles/patch_redhat/tasks/main.yaml
index 9732153..63b33be 100644
--- a/roles/patch_redhat/tasks/main.yaml
+++ b/roles/patch_redhat/tasks/main.yaml
@@ -24,16 +24,6 @@
 changed_when: false
 become: true
- block:
- - name: Check for existence of rkhunter
- ansible.builtin.stat:
- path: /usr/bin/rkhunter
- register: rkhex
- - name: RKhunter pre-check
- ansible.builtin.command: rkhunter -c --sk --rwo --ns
- become: true
- no_log: true
- changed_when: false
- when: rkhex.stat is defined and rkhex.stat.executable is defined and rkhex.stat.executable
 - name: Upgrade all installed packages (RHEL)
 ansible.builtin.yum:
 name: '*'
@@ -46,7 +36,7 @@
 # - name: Auto-removal of orphaned dependencies (RHEL)
 # ansible.builtin.yum:
 # autoremove: "yes"
- name: Updates and RKhunter checks
+ name: Updates
 # yum always tosses an arbitrary extra line at you, a simple tr -s does not eradicate it, so - well,
 # 0 and 1 are fine. As explained above, the RC is worthless when run through ansible.
 when: yue.stdout|int > 1
@@ -69,11 +59,6 @@
 ansible.builtin.command: yum clean packages
 changed_when: true
 become: true
-- name: RKhunter properties update
- ansible.builtin.command: rkhunter --propupd --rwo --ns
- become: true
- changed_when: true
- when: rkhex.stat is defined and rkhex.stat.executable is defined and rkhex.stat.executable
 - name: Reboot if required
 # ignore_errors: yes
 ansible.builtin.reboot:
--
cgit v1.2.3
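Review bot: The first hunk removes the rkhunter pre-check and the third hunk removes the post-upgrade `rkhunter --propupd` step, but nothing replaces them, so after this commit the role patches hosts with no before/after file-integrity baseline until the integrit/tripwire mechanism named in the commit message is actually wired in. The task that carries the `changed_when: false` / `become: true` context lines starts outside the first hunk, so it is worth confirming it still has a valid action once `block:` and its children are gone. I would leave a marker at the deletion point so the gap is visible in the tasks file itself, e.g. `# TODO: rkhunter pre/post checks removed in 77628b8; no file-integrity baseline is taken around the upgrade until a replacement (integrit/tripwire) is added`. Both visible consumers of the registered `rkhex` variable are deleted here, but any reference to it elsewhere in the role would now be undefined and should be searched for before merging.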