logic changed
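--- a/local.yml
+++ b/local.yml
@@ -48,11 +48,9 @@
 - name: pre-run | upgrade system (debian, ubuntu, etc.)
 apt: upgrade=dist
 #changed_when: false
-notify: Update_aide_database
 when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
 - name: pre-run | upgrade system (arch)
 pacman: upgrade=true
-notify: Update_aide_database
 when: ansible_distribution == 'Archlinux'
 
 # run roles
@@ -76,9 +74,17 @@
 
 - hosts: bastionhost
 tags: server,bastionhost
+handlers:
+- import_tasks: global_handlers/global_handlers.yml
 become: true
 roles:
 - bastionhost
+post_tasks:
+- name: Update AIDE database if changes were made
+include_role:
+name: bastionhost
+tasks_from: system_setup/aide_update.yml
+when: aide_db_needs_update is defined and aide_db_needs_update
 
 - hosts: nameserver
 tags: server,nameserver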
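Review bot: The first hunk drops `notify: Update_aide_database` from both the `apt: upgrade=dist` and `pacman: upgrade=true` tasks without registering their result or setting `aide_db_needs_update`, so a system upgrade — the change that rewrites the most monitored binaries — no longer leads to the AIDE refresh that the new `post_tasks` in the second hunk perform, and the next AIDE check will report every upgraded file. The package-hardening tasks in this commit already use the `register` plus `set_fact` pattern, so the upgrade tasks should do the same, with distinct register names because a skipped task still overwrites a shared variable. The rendered view has stripped indentation, so the excerpt below uses standard two-space Ansible layout. Whether the pre-run play and the bastionhost play target the same hosts is not visible here; `set_fact` values persist per host across plays, so the flag reaches the post_tasks only if they do.
```yaml
- name: pre-run | upgrade system (debian, ubuntu, etc.)
  apt: upgrade=dist
  # … unchanged: commented-out changed_when …
  register: deb_upgrade_result
  when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
- name: pre-run | upgrade system (arch)
  pacman: upgrade=true
  register: arch_upgrade_result
  when: ansible_distribution == 'Archlinux'
- name: pre-run | flag AIDE database refresh after a system upgrade
  set_fact:
    aide_db_needs_update: true
  when: (deb_upgrade_result is defined and deb_upgrade_result.changed) or (arch_upgrade_result is defined and arch_upgrade_result.changed)
```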
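--- a/roles/bastionhost/tasks/system_setup/aide_update.yml
+++ b/roles/bastionhost/tasks/system_setup/aide_update.yml
@@ -0,0 +1,19 @@
+---
+- name: system setup | aide | run aide --update to check for legitimate changes
+tags: aide,hardening,system
+command: aide --config /etc/aide/aide.conf --update
+register: aide_update_result
+changed_when: "'new database written to' in aide_update_result.stdout"
+async: 1800 # Allow up to 30 minutes for update
+poll: 15
+
+- name: system setup | aide | activate updated database
+tags: aide,hardening,system
+copy:
+src: /var/lib/aide/aide.db.new
+dest: /var/lib/aide/aide.db
+remote_src: true
+owner: root
+group: root
+mode: '0600'
+when: aide_update_result.changed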
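Review bot: The first task fails the play whenever AIDE actually detects differences, because AIDE reports added, removed and changed files through a non-zero exit status (a bitmask of 1, 2 and 4, so values 1–7) and `--update` still produces that report while writing the new database; as written, `aide.db.new` gets written but the activation task never runs in exactly the case it exists for. Add `failed_when: aide_update_result.rc > 7` next to `register:` so only AIDE's genuine error codes abort the task. Nothing records what changed before the new baseline is accepted, and the value of an integrity checker is that someone reviews that delta before it becomes the reference; consider persisting `aide_update_result.stdout` to a dated file under `/var/log` (or at least a `debug:` of it) before the copy task runs. The hard-coded `/etc/aide/aide.conf` and uncompressed `/var/lib/aide/aide.db.new` paths match Debian's packaging, while this commit also registers `rh_packages_removed` for RedHat-family hosts, where the packaged defaults are, as far as I recall, `/etc/aide.conf` and gzip-compressed database files, so these paths would presumably need to become per-family variables before the include runs there.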
@@ -23,7 +23,7 @@
|
|||||||
- fortune-mod
|
- fortune-mod
|
||||||
state: absent
|
state: absent
|
||||||
purge: true # Also removes configuration files
|
purge: true # Also removes configuration files
|
||||||
notify: Update_aide_database
|
register: deb_packages_removed
|
||||||
when: ansible_os_family == "Debian"
|
when: ansible_os_family == "Debian"
|
||||||
|
|
||||||
- name: system setup | package hardening | remove unnecessary packages (RedHat family)
|
- name: system setup | package hardening | remove unnecessary packages (RedHat family)
|
||||||
@@ -40,5 +40,10 @@
|
|||||||
- avahi
|
- avahi
|
||||||
- sudo
|
- sudo
|
||||||
state: absent
|
state: absent
|
||||||
notify: Update_aide_database
|
register: rh_packages_removed
|
||||||
when: ansible_os_family == "RedHat"
|
when: ansible_os_family == "RedHat"
|
||||||
|
|
||||||
|
- name: Set fact if packages were removed
|
||||||
|
set_fact:
|
||||||
|
aide_db_needs_update: true
|
||||||
|
when: (deb_packages_removed is defined and deb_packages_removed.changed) or (rh_packages_removed is defined and rh_packages_removed.changed)
|
||||||