
Improve rkhunter configuration

Emmanuel Bouthenot 10 years ago
parent
commit
24f9549f2d

+ 3 - 0
roles/common/handlers/security.yml

@@ -1,5 +1,8 @@
 - name: Reconfigure unattended-upgrades
   raw: rm -f /etc/apt/apt.conf.d/20auto-upgrades* ; UCF_FORCE_CONFFMISS=1 UCF_FORCE_CONFFNEW=1 dpkg-reconfigure --frontend noninteractive unattended-upgrades
 
+- name: Reconfigure rkhunter
+  raw: rm -f /etc/default/rkhunter* ; UCF_FORCE_CONFFMISS=1 UCF_FORCE_CONFFNEW=1 dpkg-reconfigure --frontend noninteractive rkhunter
+
 - name: Remount /proc
   shell: mount -o remount /proc
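Review bot: The new "Reconfigure rkhunter" handler deletes every file matching `/etc/default/rkhunter*` before re-running dpkg-reconfigure, which also discards any local edits an administrator made to that file, and nothing on the line records why the delete is needed; a comment above the task such as `# Remove the ucf-managed file so dpkg-reconfigure regenerates it from the debconf answers set in tasks/security.yml` would make the intent explicit. The neighbouring "Remount /proc" handler uses `shell:`, so using `shell:` here too would keep the handlers consistent instead of mixing `raw` and `shell` for equivalent one-liners. Presumably the deletion is what lets `UCF_FORCE_CONFFMISS=1` regenerate the file from the debconf database — worth confirming against the package's postinst before relying on it.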

+ 8 - 2
roles/common/tasks/security.yml

@@ -67,8 +67,14 @@
     - rkhunter
   when: with_rkhunter
 
-- name: Update rkhunter default/init parameters
-  template: src=rkhunter/default.j2 dest=/etc/default/rkhunter owner=root group=root mode=0644
+- name: Reconfigure rkhunter package
+  debconf: name="{{item.name}}" question="{{item.question}}" value="{{item.value}}" vtype="{{item.vtype}}"
+  with_items:
+    - { name: 'rkhunter', question: 'rkhunter/apt_autogen', value: 'true', vtype: 'boolean' }
+    - { name: 'rkhunter', question: 'rkhunter/cron_daily_run', value: 'true', vtype: 'boolean' }
+    - { name: 'rkhunter', question: 'rkhunter/cron_db_update', value: 'true', vtype: 'boolean' }
+  notify:
+    - Reconfigure rkhunter
   when: with_rkhunter
 
 - name: Update rkhunter configuration
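Review bot: The new debconf task passes its module arguments as one `key="{{item.name}}" …` string and repeats `name: 'rkhunter'` in every `with_items` entry; native YAML module arguments with the package name given once read more clearly and avoid the quoting-inside-quoting on that line. The task notifies the "Reconfigure rkhunter" handler added in handlers/security.yml, which wipes `/etc/default/rkhunter*`, so it is worth a comment noting that the handler only fires when the debconf module reports a change (i.e. when an answer actually differs). The removed template also set `DB_UPDATE_EMAIL`, `REPORT_EMAIL`, `NICE` and `RUN_CHECK_ON_BATTERY`, but to the same values its own comments list as the package defaults, so dropping them appears to be behaviour-preserving — a short comment saying so would save the next reader from re-deriving it.

```yaml
- name: Reconfigure rkhunter package
  debconf:
    name: rkhunter
    question: "{{ item.question }}"
    value: "{{ item.value }}"
    vtype: "{{ item.vtype }}"
  with_items:
    - { question: 'rkhunter/apt_autogen', value: 'true', vtype: 'boolean' }
    - { question: 'rkhunter/cron_daily_run', value: 'true', vtype: 'boolean' }
    - { question: 'rkhunter/cron_db_update', value: 'true', vtype: 'boolean' }
  # … unchanged: notify / when …
```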

+ 0 - 38
roles/common/templates/rkhunter/default.j2

@@ -1,38 +0,0 @@
-{% if ansible_prolog -%}
-{% from 'templates/ansible/prolog.j2' import prolog with context %}
-{{ prolog() }}
-{% endif -%}
-# Defaults for rkhunter automatic tasks
-# sourced by /etc/cron.*/rkhunter and /etc/apt/apt.conf.d/90rkhunter
-#
-# This is a POSIX shell fragment
-#
-
-# Set this to yes to enable rkhunter daily runs
-# (default: true)
-CRON_DAILY_RUN="yes"
-
-# Set this to yes to enable rkhunter weekly database updates
-# (default: true)
-CRON_DB_UPDATE="yes"
-
-# Set this to yes to enable reports of weekly database updates
-# (default: false)
-DB_UPDATE_EMAIL="no"
-
-# Set this to the email address where reports and run output should be sent
-# (default: root)
-REPORT_EMAIL="root"
-
-# Set this to yes to enable automatic database updates
-# (default: false)
-APT_AUTOGEN="true"
-
-# Nicenesses range from -20 (most favorable scheduling) to 19 (least favorable)
-# (default: 0)
-NICE="0"
-
-# Should daily check be run when running on battery
-# powermgmt-base is required to detect if running on battery or on AC power
-# (default: false)
-RUN_CHECK_ON_BATTERY="false"