Ansible tasks for auditd and logrotate

Auditd does not play nicely with logrotate on CentOS7.

Here is my solution, in ansible format:

tasks

---
# the intention with auditd is to minimize the disk usage of the logs

# modify auditd.conf which notifies the handler
- name: auditd does not keep logs
  lineinfile:
    path: "{{ auditd_conf }}"
    regexp: "{{ item.r }}"
    backrefs: yes
    line: "{{ item.l }}"
    create: no
    state: present
  notify: auditd handler
  with_items:
  - { r: '^max_log_file_action.*$', l: 'max_log_file_action      =  ignore' }
  - { r: '^max_log_file.*$', l: 'max_log_file             =  0' }

# tarball and cleanup any existing audit.log.1 files
- name: list all old auditd logs which need to be compressed and cleaned up
  shell: warn=no find /var/log/audit -regex {{ auditd_log_cleanup_regex }}
  register: cleanup_list
  ignore_errors: yes

- name: touch archive file
  file:
    path: "{{ auditd_log_dir }}/old-audit.log.tgz"
    state: touch
    owner: root
    group: root
    mode: 0600

- name: archive and cleanup existing audit.log.1 files
  archive:
    dest: "{{ auditd_log_dir }}/old-audit.log.tgz"
    #path: "{{ auditd_log_dir }}/audit.log.*"
    path: "{{ cleanup_list.stdout_lines }}"
    format: gz
    owner: root
    group: root
    remove: yes
  ignore_errors: yes
  #check_mode: yes

- name: apply logrotate script for audit
  copy:
    src: etc/logrotate.d/audit
    dest: "{{ auditd_logrotate_conf }}"
    owner: root
    group: root
    mode: 0644
    backup: yes

- name: run logrotate
  shell: warn=no /sbin/logrotate -f "{{ auditd_logrotate_conf }}"
  register: run_logrotate

- debug:
    msg: "{{run_logrotate}}"

vars or defaults

auditd_conf: /etc/audit/auditd.conf
auditd_log_dir: /var/log/audit
auditd_log_cleanup_regex: '.*audit\.log\.[0-9]+'
auditd_service: auditd
auditd_logrotate_conf: /etc/logrotate.d/audit
Advertisements

Ansible delegate_to a Windows host

If you use Ansible, and Windows, and you need to perform a few tasks out of a play on a Windows host, you use delegate_to.

However, using a regular delegate_to doesn’t work, because of a certificate validation error.

TASK [certreq : win_shell] *****************************************************************************************
fatal: [linux_host]: UNREACHABLE! => {"changed": false, "msg": "ssl: HTTPSConnectionPool(host='win_host', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),))", "unreachable": true}

What you need to do is set a host fact in the play:

- set_fact:
    ansible_winrm_server_cert_validation: ignore

- win_shell: Write-Host 'Hello World!'
  delegate_to: "{{ winhost_hostname }}"
  vars:
    ansible_user: "{{ winhost_user }}"
    ansible_port: 5986

I have tried placing the variable in the vars on the win_shell command, but it didn’t work. You have to set it as a host fact of the regular host(s) running the play.
And that’s it! You’ll still get the warning, but the connection will work!

TASK [certreq : win_shell] *****************************************************************************************
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
changed: [linux_host -> win_host] => {"changed": true, "cmd": "Write-Host 'Hello World!'", "delta": "0:00:00.265626", "end": "2017-11-14 03:36:10.390993", "rc": 0, "start": "2017-11-14 03:36:10.125366", "stderr": "", "stderr_lines": [], "stdout": "Hello World!\n", "stdout_lines": ["Hello World!"]}

References

Weblinks

  1. My original research based on info from another github user, jborean93 https://github.com/ansible/ansible/issues/32673#issuecomment-344291429

Ansible playbook that changes root password

I wrote a playbook that updates the root password on EL6 and EL7 hosts.

Because I was not able to get the user: name=root password={{password}} directive working, I had to be creative.

Coincidentally, I learned that pasting in a gist.github.com link into the WordPress.com editor automatically shows the contents of the gist. That is nifty! See below. For the link: https://gist.github.com/bgstack15/d565880badb92599536b751a15dc7189

Ansible use ssh tunnel for http proxy

Overview

If you need to use a web proxy on an ansible node to get to the Internet, you can use the ansible role I hacked together. I had a need for using an ad-hoc ssh tunnel to a proxy server.

So your node will need an ssh key for automatic authentication to the proxy server over ssh. The role just executes a “ssh -N -p 22 username@proxy.example.com -L 1234/localhost/1234” and sets up the environment hash which includes http_proxy and https_proxy.

Check out the role at my github page.

Code walkthrough

My roles always have incredibly basic main.ymls because I always use a subdirectory architecture.
---
- hosts: all
tasks:
- include: tasks/main.yml
handlers:
- handlers/main.yml
vars_files:
- vars/main.yml

Now the tasks/main.yml file is where half of the work occurs.
---
# File: /etc/ansible/roles/use-proxy/tasks/main.yml
- name: clear any ssh tunnel
shell: ps -ef | grep -iE -- "ss[h].*{{local_proxy_port}}" | awk '{print $2}' | xargs kill -9
ignore_errors: yes
- name: start ssh tunnel
shell: nohup ssh -N -p {{proxy_server_ssh_port}} {{proxy_server}} -L {{local_proxy_port}}/localhost/{{proxy_port}} &
notify: stop ssh tunnel

It’s pretty clear what each task is doing. The start ssh tunnel opens up an ssh connection. If it is successful, it notifies the stop ssh tunnel handler which will execute at the end of the play.

- name: stop ssh tunnel
shell: ps -ef | grep -iE -- "ss[h].*{{local_proxy_port}}" | awk '{print $2}' | xargs kill -9

The handler searches for and kills the ssh connection that is using the specified port.

The vars/main.yml file is important because you must customize it to your environment.
---
proxy_port: 3128
local_proxy_port: "{{proxy_port}}"
proxy_server: tunnel@demo.example.com
proxy_server_ssh_port: 22
proxy_env:
http_proxy: "http://localhost:{{local_proxy_port}}"
https_proxy: "http://localhost:{{local_proxy_port}}"

How you use this role in a playbook is at the beginning of the list of roles. You also need to define the environment as seen below.
---
- name: Playbook that uses an ssh tunnel for http_proxy
hosts: test
remote_user: root
environment: "{{ proxy_env | default(omit) }}"
roles:
- { role: use-proxy, when: usehttpproxy is defined and usehttpproxy|bool == true }
- example

You can run this playbook with the use-proxy role and environment as is against any hosts that need the http proxy. To minimize traffic back and forth, just comment out the use-proxy role, and run the play against the regular hosts.

References

Weblinks

  1. https://ansiblemaster.wordpress.com/2016/04/29/run-ansible-tasks-to-a-remote-server-using-a-ssh-tunnel/
  2. https://www.engadget.com/2006/03/21/how-to-ssh-tunnels-for-secure-network-access/