diff --git a/CHANGELOG.md b/CHANGELOG.md index 678aea2..6971816 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,3 +2,4 @@ ### Features * Install debsecan +* Debsecan: Configuration diff --git a/README.md b/README.md index c856495..c09b362 100644 --- a/README.md +++ b/README.md @@ -15,9 +15,13 @@ A role that provide some security tools for Debian. ## Role Variables -* **deb_sec__required_packages** : List of required packages [default : `debsecan`] -* **deb_sec__deploy_state** : The desired state this role should achieve. [default : `present`]. - +* **deb_sec__required_packages** : List of required packages [default : `debsecan`]. +* **deb_sec__deploy_state** : The desired state this role should achieve [default : `present`]. +* **deb_sec__debsecan_report** : If daily reports should be enable [default : `true`]. +* **deb_sec__debsecan_suite** : Suite name used to produce more informative output [default : `{{ ansible_distribution_release }}`]. +* **deb_sec__debsecan_mailto** : Mail address to which reports are sent [default : `root`]. +* **deb_sec__debsecan_source** : The URL from which vulnerability data is downloaded [default : `''`]. +* ## Example Playbook * Default behaviour : @@ -32,6 +36,7 @@ A role that provide some security tools for Debian. This role will : * Install some security tools (eg. Debsecan,…). +* Configure Debsecan. ## Development diff --git a/defaults/main.yml b/defaults/main.yml index d58d06c..21dca39 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -27,3 +27,47 @@ deb_sec__required_packages: deb_sec__deploy_state: 'present' # ]]] # ]]] +# Debsecan [[[ +# ------------ + +# .. envvar:: deb_sec__debsecan_report [[[ +# +# If daily reports should be enable. Possible options : +# +# ``true`` +# Default. +# +# ``false`` +# +deb_sec__debsecan_report: true + # ]]] +# .. envvar:: deb_sec__debsecan_suite [[[ +# +# The suite name used to produce more informative output. Possible options are +# all Debian (and derivative) codename (eg. stretch) not the temporal +# name (eg. stable,…). +# +# ``ansible_distribution_release`` +# Default. Use ansible variable to determine the current codename. +# +deb_sec__debsecan_suite: '{{ ansible_distribution_release }}' + # ]]] +# .. envvar:: deb_sec__debsecan_mailto [[[ +# +# Mail address to which reports are sent. +# +# ``root`` +# Default. +# +deb_sec__debsecan_mailto: 'root' + # ]]] +# .. envvar:: deb_sec__debsecan_source [[[ +# +# The URL from which vulnerability data is downloaded. + +# ``''`` +# Default. Empty for the built-in default. +# +deb_sec__debsecan_source: '' + # ]]] + # ]]] diff --git a/tasks/main.yml b/tasks/main.yml index 8a84514..3b2e368 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -12,3 +12,12 @@ install_recommends: False with_flattened: - '{{ deb_sec__required_packages }}' +# Debsecan [[[1 +- name: Debsecan configuration + template: + src: 'etc/default/debsecan.j2' + dest: '/etc/default/debsecan' + owner: 'root' + group: 'root' + mode: '0644' + when: (deb_sec__deploy_state == "present") diff --git a/templates/etc/default/debsecan.j2 b/templates/etc/default/debsecan.j2 new file mode 100644 index 0000000..326e705 --- /dev/null +++ b/templates/etc/default/debsecan.j2 
@@ -0,0 +1,19 @@ +# {{ ansible_managed }} +# +# Configuration file for debsecan. Contents of this file should +# adhere to the KEY=VALUE shell syntax. This file may be edited by +# debsecan's scripts, but your modifications are preserved. + +# If true, enable daily reports, sent by email. +REPORT={{ deb_sec__debsecan_report }} + +# For better reporting, specify the correct suite here, using the code +# name (that is, "sid" instead of "unstable"). +SUITE={{ deb_sec__debsecan_suite }} + +# Mail address to which reports are sent. +MAILTO={{ deb_sec__debsecan_mailto }} + +# The URL from which vulnerability data is downloaded. Empty for the +# built-in default. +SOURCE={{ deb_sec__debsecan_source }}
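Review bot: the README hunk leaves a stray empty bullet (`+* `) right before `## Example Playbook`, which renders as an empty list item; drop that line. In the same hunk, `deb_sec__debsecan_report` is described as "If daily reports should be enable", which should read "should be enabled", and the same wording is repeated in the defaults/main.yml hunk.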
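Review bot: in the defaults/main.yml hunk the documentation block for `deb_sec__debsecan_source` breaks its own comment convention: the line after `# The URL from which vulnerability data is downloaded.` is a bare blank line rather than `#`, unlike the other three envvar blocks, so the folded comment region is no longer contiguous. Also "all Debian (and derivative) codename (eg. stretch)" should be "codenames", and the trailing `# ]]]` closers are indented by one space while the openers are not.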
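Review bot: the tasks/main.yml hunk opens a fold marker `# Debsecan [[[1` but never closes it with a matching `# ]]]`, unlike the sections in defaults/main.yml. The `when:` clause also mixes quoting styles (`"present"` where the rest of the role uses single quotes); consider `deb_sec__deploy_state == 'present'` for consistency.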
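Review bot: in the template hunk, `REPORT={{ deb_sec__debsecan_report }}` will render the YAML boolean default `true` as `REPORT=True`, since Jinja stringifies a Python boolean with a capital letter; the template's own comment and the defaults documentation expect the lowercase `true`/`false` shell-style value. Render it as `REPORT={{ deb_sec__debsecan_report | lower }}` (or `| to_json`), or document the variable as a string. The header comment copied from the upstream file, "This file may be edited by debsecan's scripts, but your modifications are preserved", is also misleading once the file is managed by this template: every role run rewrites it from the role variables, so edits made on the host do not survive; consider removing or rewording that sentence.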