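# tags defined: [check], fix, services, updates, restart, fileverify, iptables, selinux
# For the fix part, it is probably better to include the role(s) for a particular host that
# bring the system to the desired state in terms of: services, updates, file verification,
# iptables, and selinux.
#
# This play is an audit: every task is read-only (changed_when: false, or cleanup of a
# temp file this play created) and findings are reported through debug. The discovery
# tasks also carry the "fix" tag so a remediation role can reuse the registered facts.
---
- hosts: "{{ target }}"
  remote_user: root
  tasks:
    # --- services: systemd hosts (EL7+) ------------------------------------------------
    - name: Get list of active loaded services with systemctl
      shell: '/bin/systemctl -t service --no-legend | egrep "loaded active" | tr -s " " | cut -d " " -f1'
      changed_when: false
      when: ansible_distribution_major_version|int > 6
      register: loaded_active_services_systemctl
      ignore_errors: true
      tags:
        - check
        - fix
        - services

    - name: Get list of inactive loaded services with systemctl
      shell: '/bin/systemctl -t service --no-legend | egrep -v "loaded active" | tr -s " " | cut -d " " -f1'
      changed_when: false
      when: ansible_distribution_major_version|int > 6
      register: loaded_inactive_services_systemctl
      ignore_errors: true
      # notify: restart httpd
      tags:
        - check
        - fix
        - services

    # --- services: SysV hosts (EL6 and older) ------------------------------------------
    # These two are deliberately not ignore_errors: chkconfig/runlevel missing on an EL6
    # host is a real problem worth failing on.
    - name: Get list of enabled services with chkconfig at current runlevel
      shell: "chkconfig | grep \"`runlevel | cut -d ' ' -f 2`:on\" | awk '{print $1}'"
      changed_when: false
      when: ansible_distribution_major_version|int <= 6
      register: enabled_services_chkconfig
      ignore_errors: false
      tags:
        - check
        - fix
        - services

    - name: Get list of disabled services with chkconfig at current runlevel
      shell: "chkconfig | grep \"`runlevel | cut -d ' ' -f 2`:off\" | awk '{print $1}'"
      changed_when: false
      when: ansible_distribution_major_version|int <= 6
      register: disabled_services_chkconfig
      ignore_errors: false
      tags:
        - check
        - services

    # Skipped tasks register a result without rc/stdout, so every report guards on
    # "is defined" (and rc is defined) BEFORE touching rc/stdout; "and" short-circuits.
    - name: output enabled service list chkconfig
      debug:
        var: enabled_services_chkconfig.stdout_lines
      when: enabled_services_chkconfig is defined and enabled_services_chkconfig.rc is defined and enabled_services_chkconfig.rc == 0
      tags:
        - check
        - services

    - name: output disabled loaded service list chkconfig
      debug:
        var: disabled_services_chkconfig.stdout_lines
      when: disabled_services_chkconfig is defined and disabled_services_chkconfig.rc is defined and disabled_services_chkconfig.rc == 0
      tags:
        - check
        - services

    - name: output loaded active service list systemctl
      debug:
        var: loaded_active_services_systemctl.stdout_lines
      when: loaded_active_services_systemctl is defined and loaded_active_services_systemctl.rc is defined and loaded_active_services_systemctl.rc == 0
      tags:
        - check
        - services

    - name: output loaded inactive service list systemctl
      debug:
        var: loaded_inactive_services_systemctl.stdout_lines
      when: loaded_inactive_services_systemctl is defined and loaded_inactive_services_systemctl.rc is defined and loaded_inactive_services_systemctl.rc == 0
      tags:
        - check
        - services

    # --- updates (disabled; depends on an external needs-updates script) ---------------
    # - name: Check for pending updates
    #   script: {{ scripts }}/needs-updates --host {{ ansible_hostname }} -l
    #   script: needs-updates --host {{ ansible_hostname }} -l
    #   register: list_update
    #   delegate_to: 127.0.0.1
    #   ignore_errors: True
    #   changed_when: False
    #   tags:
    #     - check
    #     - updates
    #
    # - name: Show pending updates
    #   debug: var=list_update.stdout_lines
    #   when: list_update.stdout != ""
    #   tags:
    #     - check
    #     - updates

    # --- restart: processes running outdated libraries/binaries ------------------------
    - name: Get processes that need restarting
      command: "/bin/needs-restarting"
      register: needs_restarting
      ignore_errors: true
      changed_when: false
      tags:
        - check
        - restart

    - name: Show processes that need restarting
      debug:
        var: needs_restarting.stdout_lines
      # "is defined" checks come first so a missing binary does not blow up on .stdout
      when: needs_restarting is defined and needs_restarting.stdout is defined and needs_restarting.stdout != ""
      tags:
        - check
        - restart

    # --- fileverify: rpm -Va ------------------------------------------------------------
    # rpm -Va exits non-zero when files differ from the package database, so the "!"
    # inverts it: the chain succeeds (and prints the temp file path) only when there IS
    # something to report. With no differences the chain fails, ignore_errors swallows
    # it and localchanges.stdout is empty. [[ ... ]] is bash syntax, hence executable.
    - name: Get locally changed files from the rpm package
      # shell: rpm -Va > {{rpm_va_file}} warn=no
      shell: >-
        rpm_tmp_var=`mktemp` && ! rpm -Va 2>/dev/null > $rpm_tmp_var &&
        [[ -s $rpm_tmp_var ]] && echo $rpm_tmp_var
      args:
        executable: /bin/bash
        # warn: false silences the "use the yum/rpm module" hint on older Ansible; newer
        # ansible-core no longer accepts this argument, so drop it if it errors there.
        warn: false
      ignore_errors: true
      register: localchanges
      changed_when: false
      tags:
        - check
        - fileverify

    # The temp path is interpolated into a command line; "quote" keeps it a single
    # argument even if mktemp ever returns something with shell-special characters.
    - name: Get locally changed files (excluding config files)
      command: "egrep -v ' c /' {{ localchanges.stdout | quote }}"
      register: rpm_va_nc
      changed_when: false
      when: localchanges is defined and localchanges.stdout != ""
      tags:
        - check
        - fileverify

    - name: Show locally changed files (excluding config files)
      debug:
        var: rpm_va_nc.stdout_lines
      # rpm_va_nc is a skipped result (no .stdout) when nothing changed, hence the guard
      when: rpm_va_nc is defined and rpm_va_nc.stdout is defined and rpm_va_nc.stdout != ""
      tags:
        - check
        - fileverify

    - name: 'Whitelist - Get locally changed files (config files)'
      command: "egrep ' c /' {{ localchanges.stdout | quote }}"
      register: rpm_va_c
      when: localchanges is defined and localchanges.stdout != ""
      changed_when: false
      tags:
        - check
        - fileverify

    - name: 'Whitelist - Show locally changed files (config files)'
      debug:
        var: rpm_va_c.stdout_lines
      changed_when: false
      when: rpm_va_c is defined and rpm_va_c.stdout is defined and rpm_va_c.stdout != ""
      tags:
        - check
        - fileverify

    # The mktemp file above was never removed; a modified-file listing should not be
    # left lying around in /tmp after the audit.
    - name: Remove temporary rpm -Va output file
      file:
        path: "{{ localchanges.stdout }}"
        state: absent
      changed_when: false
      when: localchanges is defined and localchanges.stdout != ""
      tags:
        - check
        - fileverify

    # --- iptables ----------------------------------------------------------------------
    - name: Check if using iptables
      shell: /sbin/iptables -S
      register: iptablesn
      changed_when: false
      # Read-only check: a host without iptables installed should not fail the play.
      ignore_errors: true
      tags:
        - check
        - iptables

    - name: Show iptables rules
      debug:
        var: iptablesn.stdout_lines
      # "-S" always prints the three built-in chain policies, so > 3 lines means rules exist
      when: iptablesn is defined and iptablesn.rc is defined and iptablesn.rc == 0 and iptablesn.stdout.count('\n') > 3
      tags:
        - check
        - iptables

    # --- selinux (from gathered facts) -------------------------------------------------
    - name: Show current SELinux status
      debug:
        msg: "SELinux is {{ ansible_selinux.status }} for this System"
      tags:
        - check
        - selinux

    - name: Show Boot SELinux mode
      debug:
        msg: "SELinux boots to {{ ansible_selinux.config_mode }} mode "
      when: ansible_selinux.status != "disabled"
      tags:
        - check
        - selinux

    - name: Show Current SELinux mode
      debug:
        msg: "SELinux currently is in {{ ansible_selinux.mode }} mode"
      when: ansible_selinux.status != "disabled"
      tags:
        - check
        - selinux

    - name: Match current SELinux status with boot status
      debug:
        msg: "SElinux Current and Boot modes are in sync"
      when: ansible_selinux.status != "disabled" and ansible_selinux.config_mode == ansible_selinux.mode
      tags:
        - check
        - selinux

    - name: misMatch current SELinux status with boot status
      debug:
        msg: "SElinux Current and Boot modes are NOT in sync"
      when: ansible_selinux.status != "disabled" and ansible_selinux.config_mode != ansible_selinux.mode
      tags:
        - check
        - selinux

  # handlers:
  #   - include: "{{ handlers }}/restart_services.yml"
  #   - include: "restart_services.yml"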