diff --git a/CHANGELOG.md b/CHANGELOG.md index 6971816..2be0c8e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,4 +2,4 @@ ### Features * Install debsecan -* Debsecan: Configuration +* Debsecan: Configuration and cron job diff --git a/README.md b/README.md index c09b362..fbd7eba 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,11 @@ A role that provide some security tools for Debian. * **deb_sec__debsecan_suite** : Suite name used to produce more informative output [default : `{{ ansible_distribution_release }}`]. * **deb_sec__debsecan_mailto** : Mail address to which reports are sent [default : `root`]. * **deb_sec__debsecan_source** : The URL from which vulnerability data is downloaded [default : `''`]. -* +* **deb_sec__debsecan_cron_disabled** : If the Debsecan job should be disabled [default : `false`]. +* **deb_sec__debsecan_cron_job** : The command to execute for Debsecan cron [default : `test -x /usr/bin/debsecan && /usr/bin/debsecan --cron`]. +* **deb_sec__debsecan_cron_special_time** : Periodicity of the cron job for Debsecan [default : `daily`]. +* **deb_sec__debsecan_cron_user** : User whose run the job [default : `daemon`]. + ## Example Playbook * Default behaviour : @@ -36,7 +40,7 @@ A role that provide some security tools for Debian. This role will : * Install some security tools (eg. Debsecan,…). -* Configure Debsecan. +* Configure and set a cron job for Debsecan. ## Development diff --git a/defaults/main.yml b/defaults/main.yml index 21dca39..07399e1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -64,10 +64,49 @@ deb_sec__debsecan_mailto: 'root' # .. envvar:: deb_sec__debsecan_source [[[ # # The URL from which vulnerability data is downloaded. - +# # ``''`` # Default. Empty for the built-in default. # deb_sec__debsecan_source: '' # ]]] +# .. envvar:: deb_sec__debsecan_cron_disabled [[[ +# +# If the Debsecan job should be disabled. Possible options : +# +# ``false`` +# Default. According to Debsecan package. +# +# ``true`` +# Comment the job in the cron file. +# +deb_sec__debsecan_cron_disabled: false + # ]]] +# .. envvar:: deb_sec__debsecan_cron_job [[[ +# +# The command to execute for Debsecan cron. +# +# ``test -x /usr/bin/debsecan && /usr/bin/debsecan --cron`` +# Default. According to Debsecan package. +# +deb_sec__debsecan_cron_job: 'test -x /usr/bin/debsecan && /usr/bin/debsecan --cron' + # ]]] +# .. envvar:: deb_sec__debsecan_cron_special_time [[[ +# +# Periodicity of the cron job for Debsecan. +# +# ``daily`` +# Default. Run the job everyday. +# +deb_sec__debsecan_cron_special_time: 'daily' + # ]]] +# .. envvar:: deb_sec__debsecan_cron_user [[[ +# +# User whose run the job. +# +# ``daemon`` +# Default. According to Debsecan package. +# +deb_sec__debsecan_cron_user: 'daemon' + # ]]] # ]]] diff --git a/tasks/main.yml b/tasks/main.yml index 3b2e368..774f13a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -13,6 +13,7 @@ with_flattened: - '{{ deb_sec__required_packages }}' # Debsecan [[[1 +# Configuration [[[ - name: Debsecan configuration template: src: 'etc/default/debsecan.j2' 
@@ -21,3 +22,26 @@ group: 'root' mode: '0644' when: (deb_sec__deploy_state == "present") + # ]]] +# Cron job [[[ +- name: Debsecan disable default cron file + file: + path: '/etc/cron.d/debsecan' + state: absent + +- name: Debsecan manage cron job + cron: + cron_file: '/etc/cron.d/debsecan_ansible' + name: 'debsecan_ansible' + job: '{{ deb_sec__debsecan_cron_job }}' + disabled: '{{ deb_sec__debsecan_cron_disabled }}' + special_time: '{{ deb_sec__debsecan_cron_special_time }}' + user: '{{ deb_sec__debsecan_cron_user }}' + when: (deb_sec__deploy_state == "present") + +- name: Debsecan purge cron job + file: + path: '/etc/cron.d/debsecan_ansible' + state: absent + when: (deb_sec__deploy_state == "absent") + # ]]]
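Review bot: In the README.md variable list, the four new entries never say that the role deletes the package's own `/etc/cron.d/debsecan` and writes `/etc/cron.d/debsecan_ansible` in its place, which is what the tasks/main.yml change in this same patch does. Someone auditing cron on a managed host needs that stated next to these variables, or under "This role will". Separately, "User whose run the job" should read "User that runs the job".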
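Review bot: In the defaults/main.yml hunk, the comments for `deb_sec__debsecan_cron_job` and `deb_sec__debsecan_cron_user` describe only the default value and not the consequence of overriding it. The job string is handed unchanged to the cron task and run as `deb_sec__debsecan_cron_user`, so the comment should say that the value is an arbitrary shell command and that the user should stay unprivileged (the default is `daemon`) unless there is a reason to change it. The `deb_sec__debsecan_cron_special_time` comment lists `daily` as the only value; either list the other values the cron module accepts for `special_time` or point to the module documentation. "User whose run the job" has the same wording problem as in the README.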
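Review bot: The `Debsecan disable default cron file` task in the last tasks/main.yml hunk has no `when`, unlike the two tasks that follow it, so `/etc/cron.d/debsecan` is removed whatever `deb_sec__deploy_state` is. With the state set to "absent", that task and `Debsecan purge cron job` both run, and the host ends up with neither the package's cron file nor `/etc/cron.d/debsecan_ansible`, meaning no scheduled debsecan report at all. If that is intended, say so in a comment; otherwise add `when: (deb_sec__deploy_state == "present")` to the first task so the package default is left in place when the role's job is purged.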