Ansible tasks for auditd and logrotate

Auditd does not play nicely with logrotate on CentOS 7: it does its own size-based rotation according to auditd.conf, and it keeps its log file open, so a plain logrotate rename leaves it writing into the renamed file unless the logrotate config tells it to reopen the log (or uses copytruncate).

Here is my solution, in ansible format: auditd is told to never rotate on its own, and logrotate takes over.


# the intention with auditd is to minimize the disk usage of the logs

# modify auditd.conf, which notifies the handler (the "auditd handler" that
# restarts auditd lives in handlers/main.yml and is not shown here)
- name: auditd does not keep logs
  lineinfile:
    path: "{{ auditd_conf }}"
    regexp: "{{ item.r }}"
    backrefs: yes
    line: "{{ item.l }}"
    create: no
    state: present
  notify: auditd handler
  with_items:
    - { r: '^max_log_file_action.*$', l: 'max_log_file_action      =  ignore' }
    # anchor on the "=": a bare '^max_log_file.*$' also matches the
    # max_log_file_action line, and lineinfile replaces the LAST match, which
    # would overwrite the line the previous item just set
    - { r: '^max_log_file\s*=.*$', l: 'max_log_file             =  0' }

# tarball and clean up any existing audit.log.N files
- name: list all old auditd logs which need to be compressed and cleaned up
  # the regex is quoted so the shell does not strip its backslashes or glob it
  shell: warn=no find "{{ auditd_log_dir }}" -regex "{{ auditd_log_cleanup_regex }}"
  register: cleanup_list
  ignore_errors: yes

- name: touch archive file
  file:
    path: "{{ auditd_log_dir }}/old-audit.log.tgz"
    state: touch
    owner: root
    group: root
    mode: 0600

# archive does not append: dest is written fresh from the current file list,
# so pull the previous tarball off-host before re-running if you need to keep it
- name: archive and cleanup existing audit.log.1 files
  archive:
    dest: "{{ auditd_log_dir }}/old-audit.log.tgz"
    #path: "{{ auditd_log_dir }}/audit.log.*"
    path: "{{ cleanup_list.stdout_lines }}"
    format: gz
    owner: root
    group: root
    remove: yes
  ignore_errors: yes
  #check_mode: yes

- name: apply logrotate script for audit
  copy:
    src: etc/logrotate.d/audit
    dest: "{{ auditd_logrotate_conf }}"
    owner: root
    group: root
    mode: 0644
    backup: yes

# -f forces a rotation now, even if audit.log is below the size/age in the config
- name: run logrotate
  shell: warn=no /sbin/logrotate -f "{{ auditd_logrotate_conf }}"
  register: run_logrotate

- debug:
    var: run_logrotate

vars or defaults

auditd_conf: /etc/audit/auditd.conf
auditd_log_dir: /var/log/audit
auditd_log_cleanup_regex: '.*audit\.log\.[0-9]+'
auditd_service: auditd
auditd_logrotate_conf: /etc/logrotate.d/audit
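A check I run after the play, as an added example that is not part of the tasks above: it reads the settings back out of auditd.conf (matching the key as a whole word, the same trap a loose lineinfile regexp falls into), and on a live host confirms that the running auditd is still writing to the current audit.log after logrotate ran, rather than to the renamed audit.log.1. The sample config inside the block is constructed for the demonstration, not copied from a host; the live check assumes Linux /proc, pidof and root.

```shell
#!/bin/sh
# Added example, not part of the original playbook: verify that rotation was
# really handed from auditd to logrotate, and that auditd kept writing to the
# live log afterwards.

# auditd_setting FILE KEY: print KEY's value from an auditd.conf, lowercased.
# The key is matched as a whole word so "max_log_file" does not also pick up
# the "max_log_file_action" line.
auditd_setting() {
  awk -F'=' -v key="$2" '
    $1 ~ ("^[ \t]*" key "[ \t]*$") { v = $2; gsub(/[ \t]/, "", v); print tolower(v); exit }
  ' "$1"
}

# check_auditd_conf FILE: succeed only if auditd will neither rotate nor
# suspend on its own when the file grows, i.e. logrotate owns rotation.
check_auditd_conf() {
  action=$(auditd_setting "$1" max_log_file_action)
  if [ "$action" != "ignore" ]; then
    echo "max_log_file_action is '${action:-unset}', expected ignore" >&2
    return 1
  fi
  return 0
}

# auditd_writes_to PATH: succeed if the running auditd holds PATH open.
# Run as root right after logrotate: if the open path is the rotated name
# (audit.log.1) instead of audit.log, auditd never reopened its log and the
# new audit.log will stay empty while the "old" file keeps growing.
auditd_writes_to() {
  pid=$(pidof auditd 2>/dev/null) || return 2
  for fd in /proc/"$pid"/fd/*; do
    [ "$(readlink "$fd" 2>/dev/null)" = "$1" ] && return 0
  done
  return 1
}

# constructed sample config (not a real host's file) showing the two lines the
# lineinfile task writes, in the order they appear in the stock auditd.conf
sample_conf() {
  printf 'log_file = /var/log/audit/audit.log\n'
  printf 'max_log_file = 0\n'
  printf 'num_logs = 5\n'
  printf 'max_log_file_action      =  ignore\n'
}

# usage on a live CentOS 7 host, after the play and as root:
#   check_auditd_conf /etc/audit/auditd.conf && \
#     auditd_writes_to /var/log/audit/audit.log && echo "auditd still logs to the live file"
```

If the live check fails right after logrotate, the logrotate.d/audit file needs a postrotate step that makes auditd reopen its log (or copytruncate); the auditd.conf change alone only stops auditd from rotating on its own.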

Ansible delegate_to a Windows host

If you use Ansible and Windows, and you need to perform a few tasks of a play on a Windows host, you use delegate_to.

However, a regular delegate_to doesn't work, because of a certificate validation error:

TASK [certreq : win_shell] *****************************************************************************************
fatal: [linux_host]: UNREACHABLE! => {"changed": false, "msg": "ssl: HTTPSConnectionPool(host='win_host', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),))", "unreachable": true}

What you need to do is set a host fact in the play:

# set on the host running the play; the delegated win_shell picks it up
- set_fact:
    ansible_winrm_server_cert_validation: ignore

- win_shell: Write-Host 'Hello World!'
  delegate_to: "{{ winhost_hostname }}"
  vars:
    ansible_user: "{{ winhost_user }}"
    ansible_port: 5986

I have tried placing the variable in the vars on the win_shell command, but it didn’t work. You have to set it as a host fact of the regular host(s) running the play.
And that's it! You'll still get the warning, but the connection will work. Keep in mind what ignore means: the WinRM server's TLS certificate is no longer checked, so the delegated connection is open to a spoofed win_host. For anything beyond a lab, install the host's certificate (or its CA) on the node making the WinRM connection and point ansible_winrm_ca_trust_path at it instead.

TASK [certreq : win_shell] *****************************************************************************************
/usr/lib/python2.7/site-packages/urllib3/ InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See:
changed: [linux_host -> win_host] => {"changed": true, "cmd": "Write-Host 'Hello World!'", "delta": "0:00:00.265626", "end": "2017-11-14 03:36:10.390993", "rc": 0, "start": "2017-11-14 03:36:10.125366", "stderr": "", "stderr_lines": [], "stdout": "Hello World!\n", "stdout_lines": ["Hello World!"]}



  1. My original research was based on info from another GitHub user, jborean93.

Ansible playbook that changes root password

I wrote a playbook that updates the root password on EL6 and EL7 hosts.

Because I was not able to get the user: name=root password={{password}} directive working, I had to be creative.

Coincidentally, I learned that pasting a link into the editor automatically shows the contents of the gist. That is nifty! See below. For the link:

Ansible use ssh tunnel for http proxy


If you need to use a web proxy on an Ansible node to get to the Internet, you can use the Ansible role I hacked together. I needed an ad-hoc ssh tunnel to a proxy server.

So your node will need an ssh key for automatic authentication to the proxy server over ssh. The role just executes an "ssh -N -p 22 -L 1234/localhost/1234" and sets up the environment hash that includes http_proxy and https_proxy.

Check out the role at my github page.

Code walkthrough

My roles always have incredibly basic main.ymls because I always use a subdirectory architecture.
- hosts: all
- include: tasks/main.yml
- handlers/main.yml
- vars/main.yml

Now the tasks/main.yml file is where half of the work occurs.
# File: /etc/ansible/roles/use-proxy/tasks/main.yml
- name: clear any ssh tunnel
  # kills every ssh whose command line contains the port number, so keep
  # local_proxy_port unusual enough not to appear in unrelated ssh sessions
  shell: ps -ef | grep -iE -- "ss[h].*{{local_proxy_port}}" | awk '{print $2}' | xargs kill -9
  ignore_errors: yes

- name: start ssh tunnel
  # stdout/stderr are redirected so the backgrounded ssh does not hold the
  # task's pipe open, which would make the shell module wait on it
  shell: nohup ssh -N -p {{proxy_server_ssh_port}} {{proxy_server}} -L {{local_proxy_port}}/localhost/{{proxy_port}} >/dev/null 2>&1 &
  notify: stop ssh tunnel

It’s pretty clear what each task is doing. The start ssh tunnel opens up an ssh connection. If it is successful, it notifies the stop ssh tunnel handler which will execute at the end of the play.

- name: stop ssh tunnel
  shell: ps -ef | grep -iE -- "ss[h].*{{local_proxy_port}}" | awk '{print $2}' | xargs kill -9

The handler searches for and kills the ssh connection that is using the specified port.

The vars/main.yml file is important because you must customize it to your environment.
proxy_server: proxy.example.com   # placeholder: the ssh host that can reach the web proxy
proxy_port: 3128
local_proxy_port: "{{proxy_port}}"
proxy_server_ssh_port: 22
# the hash the playbook passes to environment: so later tasks go through the tunnel
proxy_env:
  http_proxy: "http://localhost:{{local_proxy_port}}"
  https_proxy: "http://localhost:{{local_proxy_port}}"

You use this role at the beginning of the list of roles in a playbook, and you also need to define the environment from the role's proxy_env hash, as seen below.
- name: Playbook that uses an ssh tunnel for http_proxy
  hosts: test
  remote_user: root
  environment: "{{ proxy_env | default(omit) }}"
  roles:
    - { role: use-proxy, when: usehttpproxy is defined and usehttpproxy|bool == true }
    - example

You can run this playbook with the use-proxy role and environment as is against any hosts that need the http proxy. To minimize traffic back and forth, just comment out the use-proxy role, and run the play against the regular hosts.
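The start/stop pair in the role finds the tunnel by grepping ps for the port number and sends kill -9 to whatever matches. Here is the same ad-hoc tunnel managed by a pidfile instead, as an added example written for this page (not the use-proxy role from my github page): the proxy host, ports and pidfile path are arguments here, where the role would take them from vars/main.yml, and proxy.example.com in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not the use-proxy role itself: manage the tunnel by pidfile
# instead of "grep the port number in ps | xargs kill -9", which also kills
# any other ssh whose command line happens to contain that number.
# Assumed interface: HOST SSHPORT LOCALPORT REMOTEPORT PIDFILE as arguments.

# tunnel_running PIDFILE: succeed only if PIDFILE names a process that is alive
tunnel_running() {
  [ -r "$1" ] || return 1
  pid=$(cat "$1")
  [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# start_tunnel HOST SSHPORT LOCALPORT REMOTEPORT PIDFILE
#   -N: no remote command, just the forward
#   BatchMode=yes: fail instead of prompting (the node must have a key)
#   ExitOnForwardFailure=yes: exit non-zero if LOCALPORT is already bound,
#     instead of leaving whatever already listens there to receive the
#     proxy traffic; the listener is bound to 127.0.0.1 only
start_tunnel() {
  host=$1 sshport=$2 lport=$3 rport=$4 pidfile=$5
  if tunnel_running "$pidfile"; then
    echo "tunnel already up, pid $(cat "$pidfile")"
    return 0
  fi
  # stdout/stderr are redirected so the backgrounded ssh does not hold the
  # caller's pipe open (with Ansible's shell module that hangs the task)
  ssh -N -p "$sshport" -o BatchMode=yes -o ExitOnForwardFailure=yes \
      -L "127.0.0.1:${lport}:localhost:${rport}" "$host" >/dev/null 2>&1 &
  echo $! > "$pidfile"
  sleep 2   # long enough for an auth or forward failure to have killed ssh
  if ! tunnel_running "$pidfile"; then
    rm -f "$pidfile"
    echo "tunnel to $host failed to start" >&2
    return 1
  fi
  return 0
}

# stop_tunnel PIDFILE: TERM the one recorded pid (not every ssh on the box)
stop_tunnel() {
  if tunnel_running "$1"; then
    pid=$(cat "$1")
    kill "$pid"
    wait "$pid" 2>/dev/null || true   # reaps it when it is our child
  fi
  rm -f "$1"
}

# proxy_env LOCALPORT: the environment the role hands to the rest of the play
proxy_env() {
  printf 'http_proxy=http://localhost:%s\nhttps_proxy=http://localhost:%s\n' "$1" "$1"
}

# usage, on a node that has a key for the proxy host (placeholder name):
#   start_tunnel proxy.example.com 22 3128 3128 /run/use-proxy.pid && \
#     env $(proxy_env 3128) curl -sI https://example.org >/dev/null
#   stop_tunnel /run/use-proxy.pid
```

In the role, start_tunnel would replace the "start ssh tunnel" task and stop_tunnel the handler; because ssh exits non-zero when the forward cannot be set up, a port already taken on the node stops the play instead of silently routing the proxy traffic through something else.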