diff --git a/home/.chezmoidata.yaml b/home/.chezmoidata.yaml
index dc5816a5..b2b13728 100644
--- a/home/.chezmoidata.yaml
+++ b/home/.chezmoidata.yaml
@@ -718,6 +718,7 @@ softwareGroups:
 Security: &Security
 - bitwarden-cli
 - boringtun
+ - debsecan
 - envchain
 - envconsul
 - pony
diff --git a/home/.chezmoiexternal.toml.tmpl b/home/.chezmoiexternal.toml.tmpl
index fa202ddd..7dd0f358 100644
--- a/home/.chezmoiexternal.toml.tmpl
+++ b/home/.chezmoiexternal.toml.tmpl
@@ -131,6 +131,16 @@ pull.args = ["--ff-only"]
 {{- end }}
 
+{{- if (and (lookPath "apt") (lookPath "debsecan")) }}
+### Netdata Debsecan
+[".local/share/netdata-debsecan"]
+ type = "git-repo"
+ url = "https://gitlab.com/nodiscc/netdata-debsecan.git"
+ refreshPeriod = "{{ $refreshPeriod }}"
+ clone.args = ["--depth", "1"]
+ pull.args = ["--ff-only"]
+{{- end }}
+
 ### Git Template
 # [".config/git/template/_/husky.sh"]
 # type = "file"
diff --git a/home/.chezmoiscripts/universal/run_onchange_after_57-netdata.sh.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_57-netdata.sh.tmpl
index 34787721..390d4812 100644
--- a/home/.chezmoiscripts/universal/run_onchange_after_57-netdata.sh.tmpl
+++ b/home/.chezmoiscripts/universal/run_onchange_after_57-netdata.sh.tmpl
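Review bot: The new external pins nothing: `url` tracks the default branch of a third-party repository and `pull.args = ["--ff-only"]` fast-forwards it every `refreshPeriod`, while the netdata hunk later in this diff copies files out of that checkout into /usr/local/bin, /etc/apt/apt.conf.d and /etc/cron.d as root (and its last two `sudo "$DEBSECAN_GIT/debsecan.chart.py"` / `sudo "$DEBSECAN_GIT/debsecan.conf"` lines appear to execute the checked-out files rather than `cp` them). A force-push or account compromise upstream therefore becomes root-run code on the next refresh with nothing to review; pin a release tag or commit here, or, if chezmoi's git-repo type cannot hold a revision, switch to an `archive` external with a `checksum.sha256` so the content is verified before the script trusts it. Worth confirming too that gitlab.com is the canonical home of nodiscc/netdata-debsecan, since the curl URLs this diff removes fetched the same files from github.com. Separately, `lookPath "debsecan"` is evaluated when chezmoi renders the source state, i.e. before any run_ script installs the Security group, so on a fresh machine the clone is presumably skipped on the first apply while the netdata script already finds `debsecan` and copies from a missing `$DEBSECAN_GIT`; confirm the apply order.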
@@ -68,26 +68,28 @@ if command -v netdata-claim.sh > /dev/null; then
 if command -v apt > /dev/null; then
 ### Configure Netdata to gather information about CVEs in the installed packages
 if command -v debsecan > /dev/null; then
+ DEBSECAN_GIT="${XDG_DATA_HOME:-$HOME/.local/share}/netdata-debsecan"
+
 # Installing the script to generate report on CVEs in installed packages
 logg info 'Installing script to generate on CVEs in installed packages'
- sudo curl -sSL https://raw.githubusercontent.com/nodiscc/netdata-debsecan/master/usr_local_bin_debsecan-by-type -o /usr/local/bin/debsecan-by-type
+ sudo cp -f "$DEBSECAN_GIT/usr_local_bin_debsecan-by-type" /usr/local/bin/debsecan-by-type
 # Generate initial debsecan reports in /var/log/debsecan/
 logg info 'Generating initial debsecan reports in /var/log/debsecan/'
- /usr/local/bin/debsecan-by-type
+ debsecan-by-type
 # Configure dpkg to refresh the file after each run
 logg info 'Configuring dpkg to refresh the file after each run'
- sudo curl -sSL https://github.com/nodiscc/netdata-debsecan/raw/master/etc_apt_apt.conf.d_99debsecan -o /etc/apt/apt.conf.d/99debsecan
+ sudo cp -f "$DEBSECAN_GIT/etc_apt_apt.conf.d_99debsecan" /etc/apt/apt.conf.d/99-debsecan
 # Add a cron job to refresh the file every hour
 logg info 'Adding a cron job to refresh the file every hour'
- sudo curl -sSL https://github.com/nodiscc/netdata-debsecan/raw/master/etc_cron.d_debsecan -o /etc/cron.d/debsecan
+ sudo cp -f "$DEBSECAN_GIT/etc_cron.d_debsecan" /etc/cron.d/debsecan
 # Install the module/configuration file
 logg info 'Installing the module and configuration file
- sudo curl -sSL https://github.com/nodiscc/netdata-debsecan/raw/master/debsecan.chart.py -o /usr/libexec/netdata/python.d/
- sudo curl -sSL https://github.com/nodiscc/netdata-debsecan/raw/master/debsecan.conf -o /etc/netdata/python.d/
+ sudo "$DEBSECAN_GIT/debsecan.chart.py" /usr/libexec/netdata/python.d/debsecan.chart.py
+ sudo "$DEBSECAN_GIT/debsecan.conf" /etc/netdata/python.d/debsecan.conf
 # Restart Netdata service
 logg info 'Restarting netdata service'
diff --git a/software.yml b/software.yml
index 6df1eb45..9a0925aa 100644
--- a/software.yml
+++ b/software.yml
@@ -1750,7 +1750,7 @@ softwarePackages:
 ansible: professormanhattan.debloat
 _type: cli
 debsecan:
- _bin: null
+ _bin: debsecan-by-type
 _desc: `debsecan` analyzes the list of installed packages on the current host and reports vulnerabilities found on the system.
 _docs: null
 _github: null
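Review bot: `_bin: debsecan-by-type` names the wrapper that the netdata script in this diff copies into /usr/local/bin, not the `debsecan` executable the apt package itself provides, so whatever consumes `_bin` (presumably an is-it-installed probe) will not find it until that script has run — and the script only performs the copy once `command -v debsecan` already succeeds, which leaves the two checks pointing at each other. Suggest `_bin: debsecan` here, which is also what the `.chezmoiexternal.toml.tmpl` gate (`lookPath "debsecan"`) and the script (`command -v debsecan`) test for; if `_bin` has a different meaning in this schema, a one-line comment above the key saying so would stop the next reader from making the same assumption.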