Ansible tasks for auditd and logrotate

Auditd does not play nicely with logrotate on CentOS7.

Here is my solution, in ansible format:


# the intention with auditd is to minimize the disk usage of the logs

# modify auditd.conf which notifies the handler
- name: auditd does not keep logs
    path: "{{ auditd_conf }}"
    regexp: "{{ item.r }}"
    backrefs: yes
    line: "{{ item.l }}"
    create: no
    state: present
  notify: auditd handler
  - { r: '^max_log_file_action.*$', l: 'max_log_file_action      =  ignore' }
  - { r: '^max_log_file.*$', l: 'max_log_file             =  0' }

# tarball and cleanup any existing audit.log.1 files
- name: list all old auditd logs which need to be compressed and cleaned up
  shell: warn=no find /var/log/audit -regex {{ auditd_log_cleanup_regex }}
  register: cleanup_list
  ignore_errors: yes

- name: touch archive file
    path: "{{ auditd_log_dir }}/old-audit.log.tgz"
    state: touch
    owner: root
    group: root
    mode: 0600

- name: archive and cleanup existing audit.log.1 files
    dest: "{{ auditd_log_dir }}/old-audit.log.tgz"
    #path: "{{ auditd_log_dir }}/audit.log.*"
    path: "{{ cleanup_list.stdout_lines }}"
    format: gz
    owner: root
    group: root
    remove: yes
  ignore_errors: yes
  #check_mode: yes

- name: apply logrotate script for audit
    src: etc/logrotate.d/audit
    dest: "{{ auditd_logrotate_conf }}"
    owner: root
    group: root
    mode: 0644
    backup: yes

- name: run logrotate
  shell: warn=no /sbin/logrotate -f "{{ auditd_logrotate_conf }}"
  register: run_logrotate

- debug:
    msg: "{{run_logrotate}}"

vars or defaults

auditd_conf: /etc/audit/auditd.conf
auditd_log_dir: /var/log/audit
auditd_log_cleanup_regex: '.*audit\.log\.[0-9]+'
auditd_service: auditd
auditd_logrotate_conf: /etc/logrotate.d/audit

xfe spec Fedora 26 with proper build dependencies

See the spec file at

The wonderful X File Explorer does not properly describe what is needed to compile it. So here is my research to help anyone else trying to compile it on Fedora 26.

dnf install rpm-build intltool fox-devel glib-devel libpng-devel libXft-devel freetype-devel gcc-c++

Debug the values passed to a function in python

Tested on python 2.

import inspect

def caller_args():
   frame = inspect.currentframe()
   outer_frames = inspect.getouterframes(frame)
   caller_frame = outer_frames[1][0]
   return inspect.getargvalues(caller_frame)

def updateval(infile,regex,result,verbose=False,apply=False,debug=0,stanza="",stanzaregex="",atbeginning=False):
   print caller_args()

It’s that simple!




Check if network port is open

On the local system, check if something is listening to the port:

netstat -tlpn

On a remote system, you can use telnet or ncat to check to see if you can actually get to the port:

echo '' | telnet myserver 1054

If successful, telnet returns ‘Connected to myserver’ before closing out.

echo '' | nc -v myserver 1054
$ echo '' | nc -v myserver 1054
Ncat: Version 6.40 ( )
Ncat: Connected to
$ echo '' | nc -v myserver 1055
Ncat: Version 6.40 ( )
Ncat: No route to host.

Ansible delegate_to a Windows host

If you use Ansible, and Windows, and you need to perform a few tasks out of a play on a Windows host, you use delegate_to.

However, using a regular delegate_to doesn’t work, because of a certificate validation error.

TASK [certreq : win_shell] *****************************************************************************************
fatal: [linux_host]: UNREACHABLE! => {"changed": false, "msg": "ssl: HTTPSConnectionPool(host='win_host', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),))", "unreachable": true}

What you need to do is set a host fact in the play:

- set_fact:
    ansible_winrm_server_cert_validation: ignore

- win_shell: Write-Host 'Hello World!'
  delegate_to: "{{ winhost_hostname }}"
    ansible_user: "{{ winhost_user }}"
    ansible_port: 5986

I have tried placing the variable in the vars on the win_shell command, but it didn’t work. You have to set it as a host fact of the regular host(s) running the play.
And that’s it! You’ll still get the warning, but the connection will work!

TASK [certreq : win_shell] *****************************************************************************************
/usr/lib/python2.7/site-packages/urllib3/ InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See:
changed: [linux_host -> win_host] => {"changed": true, "cmd": "Write-Host 'Hello World!'", "delta": "0:00:00.265626", "end": "2017-11-14 03:36:10.390993", "rc": 0, "start": "2017-11-14 03:36:10.125366", "stderr": "", "stderr_lines": [], "stdout": "Hello World!\n", "stdout_lines": ["Hello World!"]}



  1. My original research based on info from another github user, jborean93

Ansible playbook that changes root password

I wrote a playbook that updates the root password on EL6 and EL7 hosts.

Because I was not able to get the user: name=root password={{password}} directive working, I had to be creative.

Coincidentally, I learned that pasting in a link into the editor automatically shows the contents of the gist. That is nifty! See below. For the link:

Pretty print json in python

For python2

I wanted to show what variables are in use in a function, and I wanted to see it in a nicer format than a really long, single line.

import inspect, json
def function():
print json.dumps(locals(),indent=3,separators=(',',': '))


To view what parameters were passed in to a function, add these.

def caller_args():
   frame = inspect.currentframe()
   outer_frames = inspect.getouterframes(frame)
   caller_frame = outer_frames[1][0]
   return inspect.getargvalues(caller_frame)

def function():
print caller_args()


  2. compact encoding