ansible/playbooks/check-host.yml

# tags defined: [check], services, updates, restart, fileverify, iptables, selinux
# for the fix part, I guess its better to include the role(s) for particular host that brings the system
# to the desired state in terms of: services, updates, file verification, iptables, nftables, and selinux
---
- hosts: "{{ target }}"
  user: root
  vars:
  - datadir_prfx_path: "/var/tmp/ansible-chk-host/"

  tasks:

  - name: Create temp dir for collecting info
    ansible.builtin.shell: mktemp -d
    register: temp_dir
    changed_when: false

  - name: Get list of active loaded services with systemctl
    ansible.builtin.shell: '/bin/systemctl -t service --no-legend | egrep "loaded active" | tr -s " " | cut -d " " -f1'
    changed_when: false
    when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora'
    register: loaded_active_services_systemctl
    tags:
      - check
      - services

  - name: Get list of active loaded services with systemctl
    ansible.builtin.shell: '/bin/systemctl -t service --no-legend | egrep "loaded active" | tr -s " " | cut -d " " -f1'
    changed_when: false
    when: ansible_distribution_major_version|int > 6 and ansible_distribution == 'RedHat'
    register: loaded_active_services_systemctl
    tags:
      - check
      - services

  - name: Get list of inactive loaded services with systemctl
    ansible.builtin.shell: '/bin/systemctl -t service --no-legend | egrep -v "loaded active" | tr -s " " | cut -d " " -f1'
    changed_when: false
    when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora'
    register: loaded_inactive_services_systemctl
    tags:
      - check
      - services

  - name: Get list of inactive loaded services with systemctl
    ansible.builtin.shell: '/bin/systemctl -t service --no-legend | egrep -v "loaded active" | tr -s " " | cut -d " " -f1'
    changed_when: false
    when: ansible_distribution_major_version|int > 6 and ansible_distribution == 'RedHat'
    register: loaded_inactive_services_systemctl
    tags:
      - check
      - services


  - name: Get list of enabled services with chkconfig at current runlevel
    ansible.builtin.shell: "chkconfig | grep \"`runlevel | cut -d ' ' -f 2`:on\" | awk '{print $1}'"
    changed_when: false
    when: ansible_distribution_major_version|int <= 6 and ansible_distribution == 'RedHat'
    register: enabled_services_chkconfig
    tags:
      - check
      - services

  - name: Get list of disabled services with chkconfig at current runlevel
    ansible.builtin.shell: "chkconfig | grep \"`runlevel | cut -d ' ' -f 2`:off\" | awk '{print $1}'"
    changed_when: false
    when: ansible_distribution_major_version|int <= 6 and ansible_distribution == 'RedHat'
    register: disabled_services_chkconfig
    tags:
      - check
      - services


  - name: Output enabled service list chkconfig
    ansible.builtin.shell: echo {{enabled_services_chkconfig.stdout_lines}} >> {{temp_dir.stdout}}/eservices
    when: enabled_services_chkconfig is defined and enabled_services_chkconfig.rc == 0
    changed_when: false
    tags:
      - check
      - services

  - name: Output disabled loaded service list chkconfig
    ansible.builtin.shell: echo {{disabled_services_chkconfig.stdout_lines}} >> {{temp_dir.stdout}}/dservices
    when: disabled_services_chkconfig is defined and disabled_services_chkconfig.rc == 0
    changed_when: false
    tags:
      - check
      - services


  - name: Output loaded active service list systemctl
    ansible.builtin.shell: echo {{loaded_active_services_systemctl.stdout_lines}} >> {{temp_dir.stdout}}/laservices
    when: loaded_active_services_systemctl is defined and loaded_active_services_systemctl.rc == 0
    changed_when: false
    tags:
      - check
      - services

  - name: Output loaded inactive service list systemctl
    ansible.builtin.shell: echo {{loaded_inactive_services_systemctl.stdout_lines}} >> {{temp_dir.stdout}}/liservices
    when: loaded_inactive_services_systemctl is defined and loaded_inactive_services_systemctl.rc == 0
    changed_when: false
    tags:
      - check
      - services

  - name: Check for pending updates
#    script: {{ scripts }}/needs-updates --host {{ inventory_hostname  }}
    script: needs-updates --host {{ inventory_hostname }}
    register: list_update
    delegate_to: 127.0.0.1
    changed_when: false
    tags:
      - check
      - updates

  - name: Show pending updates
    ansible.builtin.shell: echo {{list_update.stdout_lines}} >> {{temp_dir.stdout}}/pending_updates
    changed_when: false
    tags:
      - check
      - updates

  - name: Get processes that need restarting
    ansible.builtin.shell: needs-restarting
    register: needs_restarting
    changed_when: false
    tags:
      - check
      - restart

  - name: Show processes that need restarting
    ansible.builtin.shell: echo {{needs_restarting.stdout_lines}} >> {{temp_dir.stdout}}/needing_restart
    changed_when: false
    tags:
      - check
      - restart

  - name: Get locally changed files from the rpm package
    ansible.builtin.shell: rpm_tmp_var=`mktemp` && ! rpm -Va 2>/dev/null > $rpm_tmp_var && [[ -s $rpm_tmp_var ]] && echo $rpm_tmp_var warn=no
    register: localchanges
    changed_when: false
    tags:
      - check
      - fileverify

  - name: Get locally changed files (excluding config files)
    ansible.builtin.command: "egrep -v '  c /' {{ localchanges.stdout }}"
    register: rpm_va_nc
    changed_when: false
    when: localchanges is defined and localchanges.stdout != ""
    tags:
      - check
      - fileverify

  - name: Show locally changed files (excluding config files)
    ansible.builtin.shell: echo {{rpm_va_nc.stdout_lines}} >> {{temp_dir.stdout}}/local_changed
    when: rpm_va_nc.stdout != ""
    changed_when: false
    tags:
      - check
      - fileverify

  - name: 'Whitelist - Get locally changed files (config files)'
    ansible.builtin.command: "egrep '  c /' {{ localchanges.stdout }}"
    register: rpm_va_c
    when: localchanges is defined and localchanges.stdout != ""
    changed_when: false
    tags:
      - check
      - fileverify

  - name: 'Whitelist - Show locally changed files (config files)'
    ansible.builtin.shell: echo {{rpm_va_c.stdout_lines}} >> {{temp_dir.stdout}}/local_config_changed
    changed_when: false
    when: rpm_va_c.stdout != ""
    tags:
      - check
      - fileverify

  - name: Check if using iptables
    ansible.builtin.shell: /sbin/iptables -S
    register: iptablesn
    changed_when: false
    tags:
      - check
      - iptables

  - name: Check if using nftables
    ansible.builtin.shell: /sbin/nft list ruleset
    register: nftablesn
    changed_when: false
    tags:
      - check
      - iptables

  - name: Show iptables rules
    ansible.builtin.shell: echo "{{iptablesn.stdout_lines}}" >> {{ temp_dir.stdout }}/iptables
    changed_when: false
    tags:
      - check
      - iptables

  - name: Show nftables rules
    ansible.builtin.shell: echo "{{nftablesn.stdout_lines}}" >> {{ temp_dir.stdout }}/nftables
    changed_when: false
    tags:
      - check
      - iptables

  - name: Show current SELinux status
    ansible.builtin.shell: echo "SELinux is {{ ansible_selinux.status }} for this System" >> {{temp_dir.stdout}}/selinux
    changed_when: false
    tags:
      - check
      - selinux

  - name: Show Boot SELinux mode
    ansible.builtin.shell: echo "SELinux boots to {{ ansible_selinux.config_mode }} mode " >> {{temp_dir.stdout}}/selinux
    when: ansible_selinux.status != "disabled"
    changed_when: false
    tags:
      - check
      - selinux

  - name: Show Current SELinux mode
    ansible.builtin.shell: echo "SELinux currently is in {{ ansible_selinux.mode }} mode" >> {{temp_dir.stdout}}/selinux
    when: ansible_selinux.status != "disabled"
    changed_when: false
    tags:
      - check
      - selinux

  - name: Match current SELinux status with boot status
    ansible.builtin.shell: echo "SElinux Current and Boot modes are in sync" >> {{temp_dir.stdout}}/selinux
    when: ansible_selinux.status != "disabled" and ansible_selinux.config_mode == ansible_selinux.mode
    changed_when: false
    tags:
      - check
      - selinux


  - name: MisMatch current SELinux status with boot status
    ansible.builtin.shell: echo "SElinux Current and Boot modes are NOT in sync" >> {{temp_dir.stdout}}/selinux
    when: ansible_selinux.status != "disabled" and ansible_selinux.config_mode != ansible_selinux.mode
    changed_when: false
    tags:
      - check
      - selinux

  - name: Resolve last persisted dir - if one is present
    local_action: shell ls -d -1 {{datadir_prfx_path}}/{{inventory_hostname}}-* 2>/dev/null | sort -r | head -1
    register: last_dir
    changed_when: false
    ignore_errors: true

  - name: Get file list
    ansible.builtin.shell: ls -1 {{temp_dir.stdout}}/*
    register: file_list
    changed_when: false

  - name: Get timestamp
    ansible.builtin.shell: "date +%Y-%m-%d-%H-%M-%S"
    register: timestamp
    changed_when: false

  - name: Create persisting-state directory
    local_action: file path=/{{datadir_prfx_path}}/{{inventory_hostname}}-{{timestamp.stdout}} state=directory
    changed_when: false

  - name: Fetch file list
    fetch: src={{item}} dest=/{{datadir_prfx_path}}/{{inventory_hostname}}-{{timestamp.stdout}}/ flat=true
    with_items: "{{file_list.stdout_lines}}"
    changed_when: false


  - name: Diff the new files with last ones presisted
    local_action: shell for file in {{datadir_prfx_path}}/{{inventory_hostname}}-{{timestamp.stdout}}/*; do filename=$(basename $file); diff {{datadir_prfx_path}}/{{inventory_hostname}}-{{timestamp.stdout}}/$filename {{last_dir.stdout.strip(':')}}/$filename; done
    ignore_errors: true
    changed_when: false
    register: file_diff
    when: last_dir is defined and last_dir.stdout != ""

  - name: Display diff
    debug: var=file_diff.stdout_lines
    ignore_errors: true
    changed_when: false
    when: file_diff is defined

# clean up: can also be put as handlers

  - name: Clean remote temp dir
    ansible.builtin.file: path={{temp_dir.stdout}} state=absent
    changed_when: false

  - name: Clean rpm temp file
    ansible.builtin.file: path={{localchanges.stdout}} state=absent
    changed_when: false


#  handlers:
#  - import_tasks: "{{ handlers_path }}/restart_services.yml"
#  - import_tasks: "restart_services.yml"