From e52f87a448f45a65ea9010bcfa760e1580e6f6cc Mon Sep 17 00:00:00 2001
From: NaeiKinDus
Date: Thu, 11 Jul 2024 00:00:00 +0000
Subject: [PATCH] feat(security): update / install clamav only if desired version and installed version differs
---
 .../infrastructure/roles/security/defaults/main.yml | 2 +-
 .../infrastructure/roles/security/tasks/main.yml | 9 ++++++++-
 inventory/group_vars/all/vars.yml | 3 +++
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
index 5fcace9..8392685 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
 security_apt_force_https: true
 security_apt_https_ignore_list: []
-security_clamav_version: 1.2.1
+security_clamav_version: 1.3.1
 security_firewall_enabled: true
 security_firewall_filter_policy_forward: drop
 security_firewall_filter_policy_input: drop
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
index d6d156b..0ece0ca 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
@@ -88,14 +88,21 @@
 job: "/usr/bin/rkhunter -c 2>&1"
 state: present
 
+- name: get current clamav version
+ ansible.builtin.shell: >
+ dpkg -l | awk '$2=="clamav"{ print $3 }' | cut -d '-' -f 1
+ register: clamav_version_cmd
+ changed_when: false
+ failed_when: false
+
 - name: '[system] clamav'
 become: true
 block:
 - name: '[clamav] retrieve and install clamav package'
 ansible.builtin.apt:
 deb: https://www.clamav.net/downloads/production/clamav-{{ security_clamav_version }}.linux.x86_64.deb
- force_apt_get: true
 state: present
+ when: clamav_version_cmd.get("stdout", "") != security_clamav_version
 - name: '[clamav] add clamav group'
 ansible.builtin.group:
 name: clamav
diff --git a/inventory/group_vars/all/vars.yml b/inventory/group_vars/all/vars.yml
index 93de873..c874a0e 100644
--- a/inventory/group_vars/all/vars.yml
+++ b/inventory/group_vars/all/vars.yml
@@ -3,6 +3,9 @@
 custom_base_user_account: "{{ vault_custom_base_user_account }}"
 custom_github_token: "{{ vault_custom_github_token | default('') }}"
 
+# security parameters
+security_clamav_version: 1.3.1
+
 # global (hosts' system parameters)
 ## TODO: move to a CMDB
 global_dns_type: "dot"
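Review bot: The new `get current clamav version` task reads `dpkg -l` without checking the status column, so a package that was removed but not purged (status `rc`) still reports a version and the `when:` guard on the install task skips the download; restrict the match to installed packages, `dpkg -l | awk '$1=="ii" && $2=="clamav"{ print $3 }' | cut -d '-' -f 1`, or replace the shell pipeline with `ansible.builtin.package_facts` and compare against `ansible_facts.packages`, which only lists installed packages. The comparison is a plain string inequality, so `security_clamav_version` must stay a string: `1.3.1` is safe as a bare scalar, but a two-component value such as `1.10` would be parsed as a float and never equal the `dpkg` output, so quote it in `defaults/main.yml` and `inventory/group_vars/all/vars.yml` (`security_clamav_version: "1.3.1"`). The guard only decides whether the `.deb` is fetched; the download from clamav.net is still installed without an integrity check (pre-existing, not introduced here), which could be closed by fetching it with `ansible.builtin.get_url` and its `checksum` parameter before installing the local file. The `when:` sits on the first task of a block that continues outside the hunk.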