
What's the best way to use the registered variable 'audit_tools' to check if all items are owned by root? Do I need to use a Jinja2 filter or something?

Thanks

- name: Verify audit tools are owned by the root user.
  block:
    - name: Check if audit tools are owned by the root user.
      become: true
      stat:
        path: "/sbin/{{ audit_loop }}"
      loop:
        - auditctl
        - aureport
        - ausearch
        - autrace
        - auditd
        - audispd
        - augenrules
      loop_control:
        loop_var: audit_loop
      register: audit_tools
    - debug:
        msg: "one or more tools are not own by root."
      when: .....
  rescue: ......

sudoi

1 Answer


Q: "Check if all items are own by root."

A: Put the list of the tools into the variable audit_tools. Compare the lengths of the lists. For example:

- hosts: localhost
  vars:
    audit_tools:
      - auditctl
      - aureport
      - ausearch
      - autrace
      - auditd
      - audispd
      - augenrules
  tasks:
    - block:
        - stat:
            path: "/sbin/{{ item }}"
          loop: "{{ audit_tools }}"
          register: result
        - assert:
            that: no_audit_tools == no_owner_root
            fail_msg: "One or more tools are not own by root."
          vars:
            no_audit_tools: "{{ audit_tools|length }}"
            no_owner_root: "{{ result.results|
                               json_query('[?stat.pw_name==`root`]')|
                               length }}"
      rescue:
        - debug:
            msg: "Rescue: audit tools not owned by root."

If not all items are owned by root, assert will fail and the block will proceed to the rescue section:

TASK [assert] ****
fatal: [localhost]: FAILED! => changed=false 
  assertion: no_audit_tools == no_owner_root
  evaluated_to: false
  msg: One or more tools are not own by root.

TASK [debug] ****
ok: [localhost] => msg: 'Rescue: audit tools not owned by root.'


Q: "This solution requires JMESPath to be installed. Is there an alternative solution?"

A: Yes, there is. Use the Jinja filter selectattr:

            no_owner_root: "{{ result.results|
                               selectattr('stat.pw_name', 'eq', 'root')|
                               list|length }}"
Vladimir Botka
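An added example, not the answer's own code, assuming the same audit_tools list and the stat results registered as result: instead of only comparing counts, it builds the list of tools that fail the check (a missing binary is a failure too, which the count comparison above also treats as one, since a missing file has no stat.pw_name) and uses that list both in the when the question left blank and in an assert.

```yaml
- hosts: localhost
  vars:
    audit_tools:
      - auditctl
      - aureport
      - ausearch
      - autrace
      - auditd
      - audispd
      - augenrules
  tasks:
    - stat:
        path: "/sbin/{{ item }}"
      loop: "{{ audit_tools }}"
      register: result

    # Offenders are tools that are missing entirely, plus tools that exist
    # but are not owned by root. Filtering on stat.exists first matters,
    # because a result for a missing file carries no stat.pw_name at all.
    - set_fact:
        audit_not_root: >-
          {{ (result.results | rejectattr('stat.exists')
              | map(attribute='item') | list)
             + (result.results | selectattr('stat.exists')
                | rejectattr('stat.pw_name', 'eq', 'root')
                | map(attribute='item') | list) }}

    # This is the condition the question left as "when: .....".
    - debug:
        msg: "Not owned by root or missing: {{ audit_not_root | join(', ') }}"
      when: audit_not_root | length > 0

    # The same check as a hard failure, so a block/rescue can react to it.
    - assert:
        that: audit_not_root | length == 0
        fail_msg: "Not owned by root or missing: {{ audit_not_root | join(', ') }}"
```

Listing the offenders by name makes the failure actionable, whereas the count comparison only reports that something is wrong.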