authorMatthieu Saulnier <fantom@fedoraproject.org>2018-12-16 17:34:11 +0100
committerMatthieu Saulnier <fantom@fedoraproject.org>2018-12-16 17:34:11 +0100
commitbe726a75c5ecf59b9cca10530ff8cde6e47dff6d (patch)
tree7912515289a5825617dbf48465194a02a0ceec3b
parent34737a04588df8726a93205df2a7b3ebb156ea86 (diff)
Move HIDS database update in main playbook in diagnostics role
-rw-r--r--.gitignore1
-rw-r--r--playbooks/hids-db-update.yml15
-rwxr-xr-xreplay4
-rwxr-xr-xroles/diagnostics/files/aidereport.sh3
-rw-r--r--roles/diagnostics/tasks/aide.yml1
-rw-r--r--roles/diagnostics/tasks/hidsdb.yml16
-rw-r--r--roles/diagnostics/tasks/main.yml3
-rw-r--r--roles/diagnostics/tasks/rkhunter.yml1
8 files changed, 23 insertions, 21 deletions
diff --git a/.gitignore b/.gitignore
index 83e5a52..00f76d7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+roles/diagnostics/files/aidedb-hash
roles/dnsserver/vars/keys.yml
roles/torrelay/vars/email.yml
roles/torrelay/vars/keys.yml
diff --git a/playbooks/hids-db-update.yml b/playbooks/hids-db-update.yml
deleted file mode 100644
index 1e8c0ca..0000000
--- a/playbooks/hids-db-update.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-- hosts: all
- remote_user: root
- tasks:
- - name: rkhunter internal database update
- command: /usr/bin/rkhunter --propupd
- when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
-
- - name: aide internal database reset
- command: /usr/sbin/aide -i
- when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
-
- - name: aide internal database update
- command: /usr/bin/cp -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
- when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
diff --git a/replay b/replay
index ba41175..7afc719 100755
--- a/replay
+++ b/replay
@@ -4,13 +4,13 @@
# User variables, you may edit these variables
###
SOURCES=$HOME/park-admin/playbooks-ansible
-WORKDIR=/tmp
+WORKDIR=$SOURCES
COUNTLIMIT=10
# Availables options are: 'clearnet' or 'tornetwork'
NETWORK=clearnet
FORK=8
TIMEOUT=240
-FLAGS="--force-handlers -f $FORK -T $TIMEOUT"
+FLAGS="--force-handlers --skip-tags hidsdb -f $FORK -T $TIMEOUT"
###
# Stop editing, it is ready
###
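Review bot: `--skip-tags hidsdb` is now baked into the default FLAGS with no comment in the "User variables" section explaining it, so someone editing FLAGS can drop the skip and unknowingly re-create every host's HIDS baselines on the next run. A comment next to it would make the contract explicit: `# hidsdb tasks re-create the AIDE/rkhunter baselines; skipped by default, run them on purpose`. Separately, `WORKDIR=$SOURCES` is unquoted; `WORKDIR="$SOURCES"` avoids word splitting should $HOME ever contain a space. The rest of the script is outside the hunk.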
diff --git a/roles/diagnostics/files/aidereport.sh b/roles/diagnostics/files/aidereport.sh
index fa56fe4..abd7030 100755
--- a/roles/diagnostics/files/aidereport.sh
+++ b/roles/diagnostics/files/aidereport.sh
@@ -1,4 +1,3 @@
#!/usr/bin/bash
-aide --update --verbose=20
-cp -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz && echo "Updated database file: aide.db.gz"
+aide --check --verbose=20
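Review bot: The script's exit status is now whatever `aide --check` returns, and AIDE reports detected additions, removals and changes through a non-zero exit code, so cron will treat every finding as a failed job; the old version ended on the cp/echo and always exited 0. If that is the intended alerting path, say so in the script: `# aide --check exits non-zero when the tree differs from the baseline; cron reports that as a failure`. Nothing in this hunk routes the report anywhere other than cron's own handling of the job's output, which I cannot see from here.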
diff --git a/roles/diagnostics/tasks/aide.yml b/roles/diagnostics/tasks/aide.yml
index 17d8d51..72fc4b1 100644
--- a/roles/diagnostics/tasks/aide.yml
+++ b/roles/diagnostics/tasks/aide.yml
@@ -11,4 +11,3 @@
src: aidereport.sh
dest: /etc/cron.daily/z-aidereport.sh
mode: 0755
- notify: initialize aide
diff --git a/roles/diagnostics/tasks/hidsdb.yml b/roles/diagnostics/tasks/hidsdb.yml
new file mode 100644
index 0000000..0040976
--- /dev/null
+++ b/roles/diagnostics/tasks/hidsdb.yml
@@ -0,0 +1,16 @@
+- name: rkhunter internal database update
+ command: /usr/bin/rkhunter --propupd
+ tags: hidsdb
+
+- name: aide internal database reset
+ command: /usr/sbin/aide -i
+ register: hashinfo
+ tags: hidsdb
+
+- name: aide internal database update
+ command: /usr/bin/cp -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+ tags: hidsdb
+
+- name: store database hash informations
+ local_action: copy content={{ hashinfo.stdout }} dest=roles/diagnostics/files/aidedb-hash/aidedb-{{ inventory_hostname }}.txt
+ tags: hidsdb
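Review bot: The `when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"` guard that every task in the deleted playbooks/hids-db-update.yml carried is not carried over to these four tasks, so `rkhunter --propupd` and the `aide -i` / cp re-baseline now also run inside guests whenever the hidsdb tag is selected; if that widening is intended the commit should say so, otherwise the guard belongs on each task here. Each tagged run unconditionally replaces the intrusion-detection baseline and always reports changed, so a `changed_when` on the command tasks would make the play's output honest. The last task passes `hashinfo.stdout` through key=value shorthand, where an unquoted Jinja expression carrying multi-line command output is easy to misparse and hard to review; the block form below makes the quoting explicit. The relative dest under roles/diagnostics/files/aidedb-hash/ is gitignored by this commit, and I believe the copy module does not create a missing parent directory, so a fresh checkout may need that directory created before the task runs.
```yaml
# … unchanged: rkhunter update, aide reset and aide update tasks …
- name: store database hash informations
  local_action:
    module: copy
    content: "{{ hashinfo.stdout }}"
    dest: "roles/diagnostics/files/aidedb-hash/aidedb-{{ inventory_hostname }}.txt"
  tags: hidsdb
```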
diff --git a/roles/diagnostics/tasks/main.yml b/roles/diagnostics/tasks/main.yml
index a0cc1e9..cabf47b 100644
--- a/roles/diagnostics/tasks/main.yml
+++ b/roles/diagnostics/tasks/main.yml
@@ -13,5 +13,8 @@
- name: Installation de rkhunter
import_tasks: rkhunter.yml
+- name: Mise à jour des db des HIDS
+ import_tasks: hidsdb.yml
+
- name: Crontasks pour SELinux
import_tasks: selinux.yml
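Review bot: The gate for the imported tasks lives inside hidsdb.yml as one `tags: hidsdb` per task, while the import added here is untagged; since `import_tasks` is static, tagging the import itself (`  tags: hidsdb` under `import_tasks: hidsdb.yml`) applies the tag to every imported task and keeps the gate in one place. The per-task tags would then be redundant but harmless. The role's task list continues outside the hunk.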
diff --git a/roles/diagnostics/tasks/rkhunter.yml b/roles/diagnostics/tasks/rkhunter.yml
index 9501e6f..098ed17 100644
--- a/roles/diagnostics/tasks/rkhunter.yml
+++ b/roles/diagnostics/tasks/rkhunter.yml
@@ -2,7 +2,6 @@
package:
name: rkhunter
state: present
- notify: initialize rkhunter
- name: Login SSH en root
lineinfile: