sgratias/semaphore
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[refacto with right name file]

Browse Source
This commit is contained in:
sgratias
2024-08-18 11:37:54 +02:00
parent 830882ee15
commit 9a8ff1f04e
5 changed files with 296 additions and 377 deletions
Download Patch File Download Diff File Expand all files Collapse all files

140
ivre.yml
View File

@@ -1,31 +1,19 @@
---
- name: Install tools
hosts: ovh01
- name: IVRE NETWORK SCAN
hosts: scaleway
become: true
gather_facts: true
vars:
fqdn: orbital23.com
vars:
ansible_user: stephane
user: staffadmin
token: !vault |
$ANSIBLE_VAULT;1.2;AES256;prod
35343365393734313034383961616333633265623037303436653739613935366666373237366562
3663316563663439363333396530376139663731346637390a366335333732303134316364363130
30313631343534643866383336623837363433303032376264373139306464313866313034663636
3961303030373531380a343061326437343066663665613833623533376437326630326432363566
37653135666331633532653436656461396131623736353962643632316135633562346631313036
6137356332636431643830666461333862613835336631333037
#TODO target in list
# 163.172.0.0/24
# 163.172.80.0/28
target_network: 163.172.16.0/20
target_network: 163.172.16.0/24
# 163.172.0.0/20
# 163.172.16.0/20
# 163.172.31.0/20
# 163.172.48.0/20
# 163.172.63.254/20
ansible_password: stephane
ansible_become_password: stephane
username: jingohalert
password: !vault |
$ANSIBLE_VAULT;1.2;AES256;prod
@@ -35,122 +23,38 @@
3863613961373430340a303866363962353262623030373061616134303366336237346631383539
3130
tasks:
- community.docker.docker_image_pull:
name: "{{ item }}"
loop:
- projectdiscovery/subfinder
- projectdiscovery/httpx
- projectdiscovery/nuclei
- ansible.builtin.git:
repo: https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/scan.git
dest: "$HOME/scan"
single_branch: yes
force: true
become_user: root
- name: Run SCAN
community.docker.docker_container_exec:
container: ivreclient
argv:
- ivre
- runscans
- --network
- "{{ target_network }}"
- --output=XMLFork
- --processes 10
- name: PREPARE SCAN {{ fqdn }}
shell: "{{ item }}"
become_user: root
ignore_errors: true
loop:
- mkdir $HOME/scan/{{ fqdn }}
- touch $HOME/scan/{{ fqdn }}/{{ fqdn }}__nuclei.json
- name: RUN HTTPX SCAN {{ fqdn }}
shell: "{{ item }}"
become_user: root
ignore_errors: true
loop:
- docker run --rm projectdiscovery/subfinder -d {{ fqdn }} -silent > $HOME/scan/{{ fqdn }}/{{ fqdn }}__subfinder.txt
- docker run -v --rm $HOME/scan/{{ fqdn }}/{{ fqdn }}__subfinder.txt:/{{ fqdn }}__subfinder.txt projectdiscovery/httpx -silent -l {{ fqdn }}__subfinder.txt > $HOME/scan/{{ fqdn }}/{{ fqdn }}__httpx.txt
- docker run -v --rm $HOME/scan/{{ fqdn }}/{{ fqdn }}__subfinder.txt:/{{ fqdn }}__subfinder.txt projectdiscovery/httpx -silent -sc -title -td -method -bp -server -ip -location -cname -asn -probe -j -l {{ fqdn }}__subfinder.txt > $HOME/scan/{{ fqdn }}/{{ fqdn }}__httpx.json
- name: RUN NUCLEI SCAN {{ fqdn }}
shell: "{{ item }}"
become_user: root
ignore_errors: true
loop:
- docker run -v --rm $HOME/scan/{{ fqdn }}/{{ fqdn }}__httpx.txt:/{{ fqdn }}__httpx.txt -v $HOME/scan/{{ fqdn }}/{{ fqdn }}__nuclei.json:/{{ fqdn }}__nuclei.json projectdiscovery/nuclei -l {{ fqdn }}__httpx.txt -j -o {{ fqdn }}__nuclei.json
- ansible.builtin.shell: |
git config user.email "stephane.gratiasquiquandon@gmail.com"
git config user.name "staffadmin"
git add .
git commit -m "Push scan {{ fqdn }} with access token"
git push https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/scan.git
args:
chdir: "$HOME/scan"
run_once: true
become_user: root
register: push_git
# - debug:
# msg: "{{ push_git.changed }}"
# - debug:
# msg: "{{ push_git.changed }}"
# when: push_git.changed is true
- ansible.builtin.git:
repo: https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/scan.git
dest: "$HOME/scan"
single_branch: yes
force: true
delegate_to: scaleway
become_user: stephane
when: push_git.changed is true
- copy:
src: "{{ item }}"
dest: /opt/dockerapps/appdata/ivre/ivre-share/{{ item.split('/')[-1] }}
remote_src: true
loop:
- /home/{{ ansible_user }}/scan/{{ fqdn }}/{{ fqdn }}__nuclei.json
- /home/{{ ansible_user }}/scan/{{ fqdn }}/{{ fqdn }}__httpx.json
delegate_to: scaleway
when: push_git.changed is true
- name: Run a simple command (argv)
- name: Run SCAN2DB
community.docker.docker_container_exec:
container: ivreclient
argv:
- ivre
- scan2db
- "-c"
- "{{ fqdn }}"
- "{{ category }}"
- "-s"
- "{{ ansible_play_hosts }}"
- "{{ source }}"
- "-r"
- /ivre-share/{{ fqdn }}__nuclei.json
delegate_to: scaleway
when: push_git.changed is true
- "scans/{{ category }}/up"
- name: Run a simple command (argv)
community.docker.docker_container_exec:
container: ivreclient
argv:
- ivre
- scan2db
- "-c"
- "{{ fqdn }}"
- "-s"
- "{{ ansible_play_hosts }}"
- "-r"
- "/ivre-share/{{ fqdn }}__httpx.json"
delegate_to: scaleway
when: push_git.changed is true
- name: Run a simple command (argv)
- name: Run DB2VIEW
community.docker.docker_container_exec:
container: ivreclient
argv:
- ivre
- db2view
- all
delegate_to: scaleway
when: push_git.changed is true
- nmap
- name: NTFY when docker compose changed
uri:
@@ -159,10 +63,8 @@
user: "{{ username }}"
password: "{{ password }}"
headers:
Title: "SCAN {{ fqdn }}"
Title: "SCAN NETWORK {{ target_network }}"
ta: "globe_with_meridians"
body: "scan finished !"
status_code: 200
tags: test1
delegate_to: localhost
when: push_git.changed is true

39
portainer-agent-stack.yml
View File

@@ -1,39 +0,0 @@
version: '3.2'
services:
agent:
image: portainer/agent:2.19.5
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /var/lib/docker/volumes:/var/lib/docker/volumes
networks:
- agent_network
deploy:
mode: global
placement:
constraints: [node.platform.os == linux]
portainer:
image: portainer/portainer-ce:2.19.5
command: -H tcp://tasks.agent:9001 --tlsskipverify
ports:
- "9443:9443"
- "9000:9000"
- "8000:8000"
volumes:
- portainer_data:/data
networks:
- agent_network
deploy:
mode: replicated
replicas: 1
placement:
constraints: [node.role == manager]
networks:
agent_network:
driver: overlay
attachable: true
volumes:
portainer_data:

112
portainer-traefik-agent.yml
View File

@@ -1,112 +0,0 @@
version: '3.2'
services:
traefik:
image: "traefik:latest"
command:
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --providers.docker=true
- --providers.swarm=true
- --providers.docker.exposedbydefault=false
- --providers.docker.network=public
- --api=true
- --api.dashboard=true
- --api.insecure=true
- --log.level=DEBUG
deploy:
mode: replicated
replicas: 1
placement:
constraints: [node.role == manager]
labels:
- "traefik.http.routers.dashboard.rule=Host(`traefik.test.com`)"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.services.dashboard.loadbalancer.server.port=8080"
tls:
certificates:
- certFile: /certificates/jingoh.private.crt
keyFile: /certificates/jingoh.private.key
ports:
- target: 80
published: 80
mode: host
- target: 443
published: 443
mode: host
networks:
- public
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- traefik-public-certificates:/certificates
agent:
image: portainer/agent:latest
environment:
# REQUIRED: Should be equal to the service name prefixed by "tasks." when
# deployed inside an overlay network
AGENT_CLUSTER_ADDR: tasks.agent
# AGENT_PORT: 9001
# LOG_LEVEL: debug
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /var/lib/docker/volumes:/var/lib/docker/volumes
networks:
- agent_network
deploy:
mode: global
placement:
constraints: [node.platform.os == linux]
portainer:
image: portainer/portainer-ce:latest
command: -H tcp://tasks.agent:9001 --tlsskipverify --http-enabled
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- data:/data
- /etc/localtime:/etc/localtime
networks:
- public
- agent_network
deploy:
mode: replicated
replicas: 1
placement:
constraints: [node.role == manager]
labels:
- "traefik.enable=true"
- "traefik.http.routers.portainer.rule=Host(`portainer.jingoh.private.com`)"
- "traefik.http.routers.portainer.entrypoints=websecure"
- "traefik.http.routers.portainer.service=portainer"
- "traefik.http.services.portainer.loadbalancer.server.port=9443"
- "traefik.http.routers.portainer.tls=true"
# Edge
- "traefik.http.routers.edge.rule=Host(`edge.private.com`)"
- "traefik.http.routers.edge.entrypoints=websecure"
- "traefik.http.services.edge.loadbalancer.server.port=8000"
- "traefik.http.routers.edge.service=edge"
- "traefik.http.routers.edge.tls=true"
whoami:
image: "traefik/whoami"
deploy:
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.rule=Host(`whoamitest.jingoh.private`)"
- "traefik.http.routers.whoami.entrypoints=web"
- "traefik.http.services.whoami.loadbalancer.server.port=80"
- "traefik.http.routers.whoami-secured.rule=Host(`whoamitest.jingoh.private`)"
- "traefik.http.routers.whoami-secured.entrypoints=websecure"
- traefik.docker.network=public
networks:
- public
networks:
public:
external: true
agent_network:
external: true
attachable: true
volumes:
data:
traefik-public-certificates:

222
scan.yml
View File

@@ -1,10 +1,11 @@
---
- name: Scan
hosts: scale01
- name: Install tools
hosts: ovh01
become: true
gather_facts: false
gather_facts: true
vars:
fqdn: orbital23.com
ansible_user: stephane
user: staffadmin
token: !vault |
$ANSIBLE_VAULT;1.2;AES256;prod
@@ -23,7 +24,6 @@
# 163.172.31.0/20
# 163.172.48.0/20
# 163.172.63.254/20
ansible_user: stephane
ansible_password: stephane
ansible_become_password: stephane
username: jingohalert
@@ -34,127 +34,135 @@
65366439343135636634393832636436353764303066653530346232323164376265313039373630
3863613961373430340a303866363962353262623030373061616134303366336237346631383539
3130
# apt-get install sshpass
# #
# # @author Stéphane Gratias (2021).
#
# roles:
# - { role: geerlingguy.pip, tags: pip }
tasks:
- ansible.builtin.apt:
name: masscan
update_cache: true
- community.docker.docker_image_pull:
name: "{{ item }}"
loop:
- projectdiscovery/subfinder
- projectdiscovery/httpx
- projectdiscovery/nuclei
- ansible.builtin.git:
repo: https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/scan.git
dest: "{{ playbook_dir }}/scan"
dest: "$HOME/scan"
single_branch: yes
force: true
delegate_to: localhost
become_user: root
# apt install masscan
- ansible.builtin.command:
cmd: "masscan {{ target_network }} -p443"
become: true
register: scan_output
# pause
# - debug:
# msg: "{{ item }}"
# loop: "{{ scan_output.stdout_lines }}"
# # - "{{ cert.not_after }}"
# # - "{{ ansible_date_time.iso8601_basic }}"
# tags: test
# delegate_to: localhost
- name: Get a cert from an https port
community.crypto.get_certificate:
host: "{{ item.split('on')[-1].strip() }}"
port: 443
delegate_to: localhost
run_once: true
loop: "{{ scan_output.stdout_lines }}"
- name: PREPARE SCAN {{ fqdn }}
shell: "{{ item }}"
become_user: root
ignore_errors: true
register: cert
tags: test
loop:
- mkdir $HOME/scan/{{ fqdn }}
- touch $HOME/scan/{{ fqdn }}/{{ fqdn }}__nuclei.json
- name: RUN HTTPX SCAN {{ fqdn }}
shell: "{{ item }}"
become_user: root
ignore_errors: true
loop:
- docker run --rm projectdiscovery/subfinder -d {{ fqdn }} -silent > $HOME/scan/{{ fqdn }}/{{ fqdn }}__subfinder.txt
- docker run -v --rm $HOME/scan/{{ fqdn }}/{{ fqdn }}__subfinder.txt:/{{ fqdn }}__subfinder.txt projectdiscovery/httpx -silent -l {{ fqdn }}__subfinder.txt > $HOME/scan/{{ fqdn }}/{{ fqdn }}__httpx.txt
- docker run -v --rm $HOME/scan/{{ fqdn }}/{{ fqdn }}__subfinder.txt:/{{ fqdn }}__subfinder.txt projectdiscovery/httpx -silent -sc -title -td -method -bp -server -ip -location -cname -asn -probe -j -l {{ fqdn }}__subfinder.txt > $HOME/scan/{{ fqdn }}/{{ fqdn }}__httpx.json
# item.subject.CN
- debug:
# msg: "{{ item.subject.CN }}"
msg: "{{ item.invocation.module_args.host}}"
loop: "{{ cert.results }}"
# - "{{ cert.not_after }}"
# - "{{ ansible_date_time.iso8601_basic }}"
tags: test
delegate_to: localhost
- name: Change file ownership, group and permissions
ansible.builtin.file:
path: "{{ playbook_dir }}/scan/https/{{ item.invocation.module_args.host.split('.')[0] }}/{{ item.invocation.module_args.host.split('.')[1] }}/"
state: directory
loop: "{{ cert.results }}"
- name: Add a line to a file if the file does not exist, without passing regexp
ansible.builtin.lineinfile:
path: "{{ playbook_dir }}/scan/https/{{ item.invocation.module_args.host.split('.')[0] }}/{{ item.invocation.module_args.host.split('.')[1] }}/{{ item.invocation.module_args.host.split('.')[2] }}"
line: "{{ item.invocation.module_args.host }} ---- {{ item.subject.CN | default('---') }} ---- {{ item.issuer| default('---')}}"
create: yes
loop: "{{ cert.results }}"
delegate_to: localhost
# - name: Copy file with owner and permissions
# ansible.builtin.copy:
# dest: "{{ playbook_dir }}/scan/scan_https_{{ target_network.split('/')[0] }}_{{ target_network.split('/')[-1] }}"
# content: |
# "{{ item.invocation.module_args.host }} ---- {{ item.subject.CN }} ---- {{ item.issuer}}"
# loop: "{{ cert.results }}"
# delegate_to: localhost
# # item.subject.CN
# - debug:
# msg: "{{ item.item.split('on')[-1].strip() }}"
# loop: "{{ cert.results }}"
# # - "{{ cert.not_after }}"
# # - "{{ ansible_date_time.iso8601_basic }}"
# tags: test
# delegate_to: localhost
- name: RUN NUCLEI SCAN {{ fqdn }}
shell: "{{ item }}"
become_user: root
ignore_errors: true
loop:
- docker run -v --rm $HOME/scan/{{ fqdn }}/{{ fqdn }}__httpx.txt:/{{ fqdn }}__httpx.txt -v $HOME/scan/{{ fqdn }}/{{ fqdn }}__nuclei.json:/{{ fqdn }}__nuclei.json projectdiscovery/nuclei -l {{ fqdn }}__httpx.txt -j -o {{ fqdn }}__nuclei.json
- ansible.builtin.shell: |
git config user.email "stephane.gratiasquiquandon@gmail.com"
git config user.name "staffadmin"
git add .
git commit -m "Push scan with access token"
git commit -m "Push scan {{ fqdn }} with access token"
git push https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/scan.git
args:
chdir: "{{ playbook_dir }}/scan/"
chdir: "$HOME/scan"
run_once: true
delegate_to: localhost
become_user: root
register: push_git
# - debug:
# msg: "{{ host_interfaces }}"
# msg: "{{ push_git.changed }}"
# - debug:
# msg: "{{ push_git.changed }}"
# when: push_git.changed is true
# - name: NTFY when docker compose changed
# uri:
# url: "https://alert.jingoh.fr/scaleway"
# method: POST
# user: "{{ username }}"
# password: "{{ password }}"
# headers:
# Title: "SCAN HTTPS "
# ta: "file_folder"
# body: "{{ target_network }}"
# status_code: 200
# tags: test1
# delegate_to: localhost
# when: fetch_files_backup.changed is true
- ansible.builtin.git:
repo: https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/scan.git
dest: "$HOME/scan"
single_branch: yes
force: true
delegate_to: scaleway
become_user: stephane
when: push_git.changed is true
- copy:
src: "{{ item }}"
dest: /opt/dockerapps/appdata/ivre/ivre-share/{{ item.split('/')[-1] }}
remote_src: true
loop:
- /home/{{ ansible_user }}/scan/{{ fqdn }}/{{ fqdn }}__nuclei.json
- /home/{{ ansible_user }}/scan/{{ fqdn }}/{{ fqdn }}__httpx.json
delegate_to: scaleway
when: push_git.changed is true
- name: Run a simple command (argv)
community.docker.docker_container_exec:
container: ivreclient
argv:
- ivre
- scan2db
- "-c"
- "{{ fqdn }}"
- "-s"
- "{{ ansible_play_hosts }}"
- "-r"
- /ivre-share/{{ fqdn }}__nuclei.json
delegate_to: scaleway
when: push_git.changed is true
- name: Run a simple command (argv)
community.docker.docker_container_exec:
container: ivreclient
argv:
- ivre
- scan2db
- "-c"
- "{{ fqdn }}"
- "-s"
- "{{ ansible_play_hosts }}"
- "-r"
- "/ivre-share/{{ fqdn }}__httpx.json"
delegate_to: scaleway
when: push_git.changed is true
- name: Run a simple command (argv)
community.docker.docker_container_exec:
container: ivreclient
argv:
- ivre
- db2view
- all
delegate_to: scaleway
when: push_git.changed is true
- name: NTFY when docker compose changed
uri:
url: "https://alert.jingoh.fr/scaleway"
method: POST
user: "{{ username }}"
password: "{{ password }}"
headers:
Title: "SCAN {{ fqdn }}"
ta: "globe_with_meridians"
body: "scan finished !"
status_code: 200
tags: test1
delegate_to: localhost
when: push_git.changed is true

160
scan_old.yml Normal file
View File

@@ -0,0 +1,160 @@
---
- name: Scan
hosts: scale01
become: true
gather_facts: false
vars:
user: staffadmin
token: !vault |
$ANSIBLE_VAULT;1.2;AES256;prod
35343365393734313034383961616333633265623037303436653739613935366666373237366562
3663316563663439363333396530376139663731346637390a366335333732303134316364363130
30313631343534643866383336623837363433303032376264373139306464313866313034663636
3961303030373531380a343061326437343066663665613833623533376437326630326432363566
37653135666331633532653436656461396131623736353962643632316135633562346631313036
6137356332636431643830666461333862613835336631333037
#TODO target in list
# 163.172.0.0/24
# 163.172.80.0/28
target_network: 163.172.16.0/20
# 163.172.0.0/20
# 163.172.16.0/20
# 163.172.31.0/20
# 163.172.48.0/20
# 163.172.63.254/20
ansible_user: stephane
ansible_password: stephane
ansible_become_password: stephane
username: jingohalert
password: !vault |
$ANSIBLE_VAULT;1.2;AES256;prod
66346630333538386564396632636161316239326530653037666465616165393135666532643264
3037363865363531636635306535663736353734333733340a363639636638396662616538343335
65366439343135636634393832636436353764303066653530346232323164376265313039373630
3863613961373430340a303866363962353262623030373061616134303366336237346631383539
3130
# apt-get install sshpass
# #
# # @author Stéphane Gratias (2021).
#
# roles:
# - { role: geerlingguy.pip, tags: pip }
tasks:
- ansible.builtin.apt:
name: masscan
update_cache: true
- ansible.builtin.git:
repo: https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/scan.git
dest: "{{ playbook_dir }}/scan"
single_branch: yes
force: true
delegate_to: localhost
# apt install masscan
- ansible.builtin.command:
cmd: "masscan {{ target_network }} -p443"
become: true
register: scan_output
# pause
# - debug:
# msg: "{{ item }}"
# loop: "{{ scan_output.stdout_lines }}"
# # - "{{ cert.not_after }}"
# # - "{{ ansible_date_time.iso8601_basic }}"
# tags: test
# delegate_to: localhost
- name: Get a cert from an https port
community.crypto.get_certificate:
host: "{{ item.split('on')[-1].strip() }}"
port: 443
delegate_to: localhost
run_once: true
loop: "{{ scan_output.stdout_lines }}"
ignore_errors: true
register: cert
tags: test
# item.subject.CN
- debug:
# msg: "{{ item.subject.CN }}"
msg: "{{ item.invocation.module_args.host}}"
loop: "{{ cert.results }}"
# - "{{ cert.not_after }}"
# - "{{ ansible_date_time.iso8601_basic }}"
tags: test
delegate_to: localhost
- name: Change file ownership, group and permissions
ansible.builtin.file:
path: "{{ playbook_dir }}/scan/https/{{ item.invocation.module_args.host.split('.')[0] }}/{{ item.invocation.module_args.host.split('.')[1] }}/"
state: directory
loop: "{{ cert.results }}"
- name: Add a line to a file if the file does not exist, without passing regexp
ansible.builtin.lineinfile:
path: "{{ playbook_dir }}/scan/https/{{ item.invocation.module_args.host.split('.')[0] }}/{{ item.invocation.module_args.host.split('.')[1] }}/{{ item.invocation.module_args.host.split('.')[2] }}"
line: "{{ item.invocation.module_args.host }} ---- {{ item.subject.CN | default('---') }} ---- {{ item.issuer| default('---')}}"
create: yes
loop: "{{ cert.results }}"
delegate_to: localhost
# - name: Copy file with owner and permissions
# ansible.builtin.copy:
# dest: "{{ playbook_dir }}/scan/scan_https_{{ target_network.split('/')[0] }}_{{ target_network.split('/')[-1] }}"
# content: |
# "{{ item.invocation.module_args.host }} ---- {{ item.subject.CN }} ---- {{ item.issuer}}"
# loop: "{{ cert.results }}"
# delegate_to: localhost
# # item.subject.CN
# - debug:
# msg: "{{ item.item.split('on')[-1].strip() }}"
# loop: "{{ cert.results }}"
# # - "{{ cert.not_after }}"
# # - "{{ ansible_date_time.iso8601_basic }}"
# tags: test
# delegate_to: localhost
- ansible.builtin.shell: |
git config user.email "stephane.gratiasquiquandon@gmail.com"
git config user.name "staffadmin"
git add .
git commit -m "Push scan with access token"
git push https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/scan.git
args:
chdir: "{{ playbook_dir }}/scan/"
run_once: true
delegate_to: localhost
# - debug:
# msg: "{{ host_interfaces }}"
# - name: NTFY when docker compose changed
# uri:
# url: "https://alert.jingoh.fr/scaleway"
# method: POST
# user: "{{ username }}"
# password: "{{ password }}"
# headers:
# Title: "SCAN HTTPS "
# ta: "file_folder"
# body: "{{ target_network }}"
# status_code: 200
# tags: test1
# delegate_to: localhost
# when: fetch_files_backup.changed is true