🎉 add mondoo update task for linux and windows (#55)

* 🎉 add mondoo update task for linux and windows Signed-off-by: Patrick Münch <patrick.muench1111@gmail.com> * ⭐️ add support for cron on photon --------- Signed-off-by: Patrick Münch <patrick.muench1111@gmail.com> Co-authored-by: Christoph Hartmann <chris@lollyrock.com>
mondoohq · Nov 12, 2023 · 344617a · 344617a
1 parent 6aa7d2c
commit 344617a
Show file tree

Hide file tree

Showing 9 changed files with 247 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -64,12 +64,19 @@ This playbook demonstrates how to use the Mondoo Package role to install `cnquer
 
 In addition we support the following variables:
 
-| variable                      | description                                                               |
-|-------------------------------|---------------------------------------------------------------------------|
-| `force_registration: true`    | set to true if you want to re-register `cnquery` and `cnspec`             |
-| `ensure_managed_client: true` | ensures the configured clients are configured as managed Client in Mondoo |
-| `proxy_env['https_proxy']`    | set the proxy for the `cnspec` client                                     |
-| `annotations`                 | set annotations/ tags for the node                                        |
+| variable                      | description                                                                            |
+|-------------------------------|----------------------------------------------------------------------------------------|
+| `force_registration: true`    | set to true if you want to re-register `cnquery` and `cnspec`                          |
+| `ensure_managed_client: true` | ensures the configured clients are configured as managed Client in Mondoo              |
+| `proxy_env['https_proxy']`    | set the proxy for the `cnspec` client                                                  |
+| `annotations`                 | set annotations/ tags for the node                                                     |
+| `update_linux_enabled`        | set to true if you want to enable the update task for linux via cron job               |
+| `update_linux_cron_day`       | define the update interval in days for the cnspec update, example */3 for every 3 days |
+| `update_linux_cron_hour`      | define the hour at which the task is to be carried out                                 |
+| `update_linux_cron_minute`    | define the minute at which the task is to be carried out                               |
+| `update_windows_enabled`      | set to true if you want to enable the update task for windows via scheduled task       |
+| `update_windows_interval`     | define the update interval in days for the cnspec update                               |
+| `update_windows_time`         | define the time at which the task is to be carried out                                 |
 
 ```yaml
 ---
@@ -104,6 +111,43 @@ If you want to use cnspec behind a proxy
       environment: "{{proxy_env}}"
 ```
 
+If you want to use the Windows update task
+
+```yaml
+---
+- hosts: windows_hosts
+  become: yes
+
+  roles:
+    - role: ansible-mondoo # if used from galaxy: mondoo.client
+      vars:
+        registration_token: "changeme"
+        force_registration: true
+        ensure_managed_client: true
+        update_windows_enabled: true
+        update_windows_interval: "1"
+        update_windows_time: "15:04"
+```
+
+If you want to use the Linux update task
+
+```yaml
+---
+- hosts: linux_hosts
+  become: yes
+
+  roles:
+    - role: ansible-mondoo # if used from galaxy: mondoo.client
+      vars:
+        registration_token: "changeme"
+        force_registration: true
+        ensure_managed_client: true
+        update_linux_enabled: true
+        update_linux_cron_day: "*"
+        update_linux_cron_hour: "11"
+        update_linux_cron_minute: "40"
+```
+
 1. Run the playbook with the local hosts file
 
 ```bash

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -17,6 +17,17 @@ registration_token_retrieval: "manual"
 # annotation/ tags for the node
 annotations: ""
 
+# Update Task for cnspec (Linux)
+update_linux_enabled: false
+update_linux_cron_day: "*/3"
+update_linux_cron_hour: "12"
+update_linux_cron_minute: "00"
+
+# Update Task for cnspec (Windows)
+update_windows_enabled: false
+update_windows_interval: "3"
+update_windows_time: "12:00:00"
+
 # gpg key id
 mondoo_gpg_keyid: 4CE909E26AE7439C39CE7647AC69C65100E1C42B
 

diff --git a/tasks/linux.yml b/tasks/linux.yml
@@ -20,6 +20,10 @@
   ansible.builtin.include_tasks: pkg_suse.yml
   when: ansible_os_family == "Suse"
 
+- name: Create update Task
+  ansible.builtin.include_tasks: linux_update.yml
+  when: update_linux_enabled
+
 - name: Login to Mondoo Platform
   ansible.builtin.include_tasks: linux_login.yml
   when: registration_token != ""
diff --git a/tasks/linux_update.yml b/tasks/linux_update.yml
@@ -0,0 +1,48 @@
+# Copyright (c) Mondoo, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+---
+
+- name: Create cron update task for cnspec update (Debian-based)
+  ansible.builtin.cron:
+    name: "mondoo-update"
+    day: "{{ update_linux_cron_day }}"
+    hour: "{{ update_linux_cron_hour }}"
+    minute: "{{ update_linux_cron_minute }}"
+    user: root
+    job: "apt update && apt --only-upgrade install -y mondoo > /var/log/mondoo_update"
+    cron_file: mondoo_update
+  when: ansible_os_family == "Debian"
+
+- name: Create cron update task for cnspec update (RedHat-based)
+  ansible.builtin.cron:
+    name: "mondoo-update"
+    day: "{{ update_linux_cron_day }}"
+    hour: "{{ update_linux_cron_hour }}"
+    minute: "{{ update_linux_cron_minute }}"
+    user: root
+    job: "yum update -y mondoo > /var/log/mondoo_update"
+    cron_file: mondoo_update
+  when: ansible_os_family == "RedHat"
+
+- name: Create cron update task for cnspec update (Photon-based)
+  ansible.builtin.cron:
+    name: "mondoo-update"
+    day: "{{ update_linux_cron_day }}"
+    hour: "{{ update_linux_cron_hour }}"
+    minute: "{{ update_linux_cron_minute }}"
+    user: root
+    job: "tdnf update -y mondoo > /var/log/mondoo_update"
+    cron_file: mondoo_update
+  when: ansible_os_family == "VMware Photon OS"
+
+- name: Create cron update task for cnspec update (Suse-based)
+  ansible.builtin.cron:
+    name: "mondoo-update"
+    day: "{{ update_linux_cron_day }}"
+    hour: "{{ update_linux_cron_hour }}"
+    minute: "{{ update_linux_cron_minute }}"
+    user: root
+    job: "zypper -n update mondoo > /var/log/mondoo_update"
+    cron_file: mondoo_update
+  when: ansible_os_family == "Suse"
diff --git a/tasks/pkg_debian.yml b/tasks/pkg_debian.yml
@@ -3,6 +3,14 @@
 
 ---
 
+- name: Install gpg
+  ansible.builtin.apt:
+    name: gpg
+    state: present
+    update_cache: yes
+  become: true
+  when: not ansible_check_mode
+
 - name: Add Mondoo apt repository key.
   ansible.builtin.get_url:
     url: "{{ mondoo_deb_gpgkey }}"
@@ -42,3 +50,24 @@
     update_cache: yes
   become: "{{ use_become }}"
   when: not ansible_check_mode
+
+- name: Ensure cron is installed
+  ansible.builtin.apt:
+    name: cron
+    state: latest
+    update_cache: yes
+  become: "{{ use_become }}"
+  when: not ansible_check_mode and update_linux_enabled
+
+- name: Ensuring unmasked cron.service
+  ansible.builtin.systemd:
+    name: cron.service
+    masked: no
+  when: update_linux_enabled
+
+- name: Configuring cron.service
+  ansible.builtin.service:
+    name: cron.service
+    state: started
+    enabled: yes
+  when: update_linux_enabled
diff --git a/tasks/pkg_photon.yml b/tasks/pkg_photon.yml
@@ -14,7 +14,30 @@
   become: "{{ use_become }}"
   when: not ansible_check_mode
 
+- name: Update the repository cache
+  ansible.builtin.command: tdnf makecache
+  become: "{{ use_become }}"
+  when: not ansible_check_mode
+
 - name: Ensure Mondoo package is installed
   ansible.builtin.command: tdnf install -y mondoo
   become: "{{ use_become }}"
   when: not ansible_check_mode
+
+- name: Ensure cron is installed
+  ansible.builtin.command: tdnf install -y cronie
+  become: "{{ use_become }}"
+  when: not ansible_check_mode and update_linux_enabled
+
+- name: Ensuring unmasked crond.service
+  ansible.builtin.systemd:
+    name: crond.service
+    masked: no
+  when: update_linux_enabled
+
+- name: Configuring crond.service
+  ansible.builtin.service:
+    name: crond.service
+    state: started
+    enabled: yes
+  when: update_linux_enabled
diff --git a/tasks/pkg_rhel.yml b/tasks/pkg_rhel.yml
@@ -21,3 +21,24 @@
     state: latest
   become: "{{ use_become }}"
   when: not ansible_check_mode
+
+- name: Ensure cron is installed
+  ansible.builtin.yum:
+    name: cronie
+    update_cache: yes
+    state: latest
+  become: "{{ use_become }}"
+  when: not ansible_check_mode and update_linux_enabled
+
+- name: Ensuring unmasked crond.service
+  ansible.builtin.systemd:
+    name: crond.service
+    masked: no
+  when: update_linux_enabled
+
+- name: Configuring crond.service
+  ansible.builtin.service:
+    name: crond.service
+    state: started
+    enabled: yes
+  when: update_linux_enabled
diff --git a/tasks/pkg_suse.yml b/tasks/pkg_suse.yml
@@ -34,3 +34,24 @@
     state: latest
   become: "{{ use_become }}"
   when: not ansible_check_mode
+
+- name: Ensure cron is installed
+  community.general.zypper:
+    name: cron
+    update_cache: yes
+    state: latest
+  become: "{{ use_become }}"
+  when: not ansible_check_mode and update_linux_enabled
+
+- name: Ensuring unmasked cron.service
+  ansible.builtin.systemd:
+    name: cron.service
+    masked: no
+  when: update_linux_enabled
+
+- name: Configuring cron.service
+  ansible.builtin.service:
+    name: cron.service
+    state: started
+    enabled: yes
+  when: update_linux_enabled
diff --git a/tasks/windows.yml b/tasks/windows.yml
@@ -86,3 +86,43 @@
   args:
     chdir: "C:\\Program Files\\Mondoo"
   when: (ensure_managed_client is not undefined and ensure_managed_client) and not ansible_check_mode
+
+- name: Store update command as string (Scheduled Task)
+  ansible.builtin.set_fact:
+    task_cmd: "-NoProfile -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $wc = New-Object Net.Webclient; "
+  when: update_windows_enabled
+
+- name: Add Proxy to Scheduled Task command
+  ansible.builtin.set_fact:
+    task_cmd: "{{ '$wc.proxy = New-Object System.Net.WebProxy(\"' + proxy_env['https_proxy'] + '\"); ' }}"
+  when: proxy_env['https_proxy'] is defined and update_windows_enabled
+
+- name: Add Install Powershell Script to Scheduled Task Command
+  ansible.builtin.set_fact:
+    task_cmd: "{{ task_cmd + 'iex ($wc.DownloadString(\\\"https://install.mondoo.com/ps1\\\")); Install-Mondoo -Service enable' }}"
+  when: update_windows_enabled
+
+- name: Add Proxy to Install command wihin Scheduled Task command
+  ansible.builtin.set_fact:
+    task_cmd: "{{ task_cmd + ' -Proxy \"' + proxy_env['https_proxy'] + '\"' }}"
+  when: proxy_env['https_proxy'] is defined and update_windows_enabled
+
+- name: Create the Windows Update Task for cnspec
+  community.windows.win_scheduled_task:
+    name: MondooUpdater
+    description: Mondoo Updater Task
+    actions:
+      - path: Powershell.exe
+        arguments: "{{ task_cmd + ';}' }}"
+    triggers:
+      - type: daily
+        days_interval: "{{ update_windows_interval }}"
+        start_boundary: "{{ update_windows_time }}"
+        enabled: yes
+    username: NT AUTHORITY\SYSTEM
+    run_level: Highest
+    compatibility: 4
+    path: Mondoo
+    state: present
+    enabled: yes
+  when: update_windows_enabled