From e8018dff303db388bac272a019d236a0a07999df Mon Sep 17 00:00:00 2001
From: observable-it
Date: Mon, 9 Jun 2025 09:55:28 -0400
Subject: [PATCH 1/5] Adding a task to peform restorecon on SELinux enabled systems before Splunk is launched. This should solve issues when Splunk is Running on RHEL systems

---
 roles/splunk/tasks/download_and_unarchive.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/roles/splunk/tasks/download_and_unarchive.yml b/roles/splunk/tasks/download_and_unarchive.yml
index 56fce9c..5ec76b7 100644
--- a/roles/splunk/tasks/download_and_unarchive.yml
+++ b/roles/splunk/tasks/download_and_unarchive.yml
@@ -31,6 +31,14 @@
     notify:
       - start splunk
 
+- name: "Restore SELinux contexts on Splunk directory"
+  become: true
+  command: "restorecon -Rv {{ splunk_home }}"
+  when:
+    - ansible_facts['os_family'] == "RedHat"
+    - ansible_facts['selinux']['status'] == "enabled"
+    - ansible_facts['selinux']['mode'] == "enforcing"
+
 - name: "Remove {{ splunk_package_path }}/{{ splunk_file }} package"
   become: true
   ansible.builtin.file:

From 50bcbc66585a995c0c2c66107cd6f67588dc59b8 Mon Sep 17 00:00:00 2001
From: observable-it
Date: Mon, 9 Jun 2025 09:56:53 -0400
Subject: [PATCH 2/5] fix(vars): prioritize major version over full version in include_vars fallback

The variable include logic was checking for RedHat10.0.yml before RedHat10.yml, which caused the more general RedHat.yml to be included instead of the correct major version-specific file. This commit reorders the fallback list to check RedHat10.yml (using ansible_distribution_major_version) before RedHat.yml, ensuring correct variable precedence on systems like RHEL 10. Also improves compatibility with other distros that may report minor versions (e.g., 10.0) not matching existing variable files.

---
 roles/splunk/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/splunk/tasks/main.yml b/roles/splunk/tasks/main.yml
index 213e1f3..fe7c099 100644
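Review bot: The new restorecon task reports `changed` on every run and hands the path over as one shell-style string, so a `splunk_home` containing whitespace is split into several arguments; use the `argv` form of `ansible.builtin.command`, register the result, and derive `changed_when` from whether `restorecon -v` printed any relabeled paths. The `mode == "enforcing"` condition also means permissive hosts are never relabeled, so their Splunk files stay mislabeled and only surface as denials once the host is later switched to enforcing; gating on `status == "enabled"` alone avoids that. The bare `command` is the only non-FQCN module in this hunk (the neighbouring task uses `ansible.builtin.file`). The enclosing task list continues outside the hunk.

```yaml
- name: "Restore SELinux contexts on Splunk directory"
  become: true
  ansible.builtin.command:
    argv:
      - restorecon
      - "-Rv"
      - "{{ splunk_home }}"
  register: splunk_restorecon
  # restorecon -v prints one line per relabeled file; no output means nothing changed
  changed_when: splunk_restorecon.stdout | length > 0
  when:
    - ansible_facts['os_family'] == "RedHat"
    - ansible_facts['selinux']['status'] == "enabled"
```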
--- a/roles/splunk/tasks/main.yml
+++ b/roles/splunk/tasks/main.yml
@@ -3,8 +3,8 @@
   ansible.builtin.include_vars: "{{ item }}"
   with_first_found:
     - "{{ ansible_distribution }}{{ ansible_distribution_version }}.yml"
-    - "{{ ansible_distribution }}.yml"
     - "{{ ansible_os_family }}{{ ansible_distribution_major_version }}.yml"
+    - "{{ ansible_distribution }}.yml"
     - "{{ ansible_os_family }}.yml"
 
 - name: Include prerequisites

From 38f31c54e2cb2cbc0ba38df50487f856e6857c11 Mon Sep 17 00:00:00 2001
From: observable-it
Date: Mon, 9 Jun 2025 10:06:58 -0400
Subject: [PATCH 3/5] fixed logrotate_file for RHEL 10 distributions

---
 roles/splunk/vars/RedHat10.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 roles/splunk/vars/RedHat10.yml

diff --git a/roles/splunk/vars/RedHat10.yml b/roles/splunk/vars/RedHat10.yml
new file mode 100644
index 0000000..9053435
--- /dev/null
+++ b/roles/splunk/vars/RedHat10.yml
@@ -0,0 +1,21 @@
+---
+global_bashrc: /etc/bashrc
+chk_config_cmd: chkconfig --add disable-thp
+linux_packages:
+  - nload
+  - iotop
+  - iftop
+  - sysstat
+  - telnet
+  - tcpdump
+  - htop
+  - atop
+  - lsof
+  - policycoreutils-python-utils
+  - policycoreutils
+  - setroubleshoot
+  - nethogs
+  - gdb
+  - bind-utils
+firewall_service: firewalld
+logrotate_file: /etc/logrotate.d/rsyslog

From 8b8c7eac8b0c1b7860921898a11bb4cb01de8886 Mon Sep 17 00:00:00 2001
From: observable-it
Date: Mon, 9 Jun 2025 10:14:06 -0400
Subject: [PATCH 4/5] Not all required ansible and python modules are installed by default on RHEL 10 systems. Adding requirements.yml for Ansible and requirements.txt for Python

---
 requirements.txt | 3 +++
 requirements.yml | 12 ++++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 requirements.txt
 create mode 100644 requirements.yml

diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..f5fae3a
--- /dev/null
+++ b/requirements.txt
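Review bot: Moving the `{{ ansible_distribution }}.yml` entry below the `ansible_os_family` + major-version entry also changes precedence on derivatives where the two facts differ (a Rocky or Alma host reports `ansible_os_family == "RedHat"`): `RedHat10.yml` now wins over `Rocky.yml`, which may or may not be intended and is not mentioned in the commit message. A narrower fix that leaves the distro-specific ordering alone is to add `- "{{ ansible_distribution }}{{ ansible_distribution_major_version }}.yml"` directly after the `ansible_distribution_version` entry, so `RedHat10.yml` still matches on RHEL 10 through the distribution name without reordering the rest of the list. The task's `- name:` line is outside the hunk.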
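Review bot: Several entries in `linux_packages` (as far as I know nload, iftop, atop and nethogs) come from EPEL rather than the base RHEL repositories, so the package task will fail on a RHEL 10 host unless EPEL is enabled first; either document that prerequisite in a comment above the list or drop those entries. `telnet` is a plaintext client that plays no part in running Splunk and only widens what an attacker finds already installed on a log server, so I would remove it from this new file. `chk_config_cmd: chkconfig --add disable-thp` relies on the SysV `chkconfig` tool; please confirm it is still shipped on RHEL 10 before depending on it, since a systemd unit for the THP setting would not need it.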
@@ -0,0 +1,3 @@
+# Core dependency for Paramiko connection type in Ansible
+# Install using: pip install -r requirements.txt
+paramiko>=2.11.0

diff --git a/requirements.yml b/requirements.yml
new file mode 100644
index 0000000..eaa4652
--- /dev/null
+++ b/requirements.yml
@@ -0,0 +1,12 @@
+---
+# Install using: ansible-galaxy collection install -r requirements.yml
+collections:
+  # For the sefcontext module (used for SELinux context management)
+  - name: ansible.posix
+    version: ">=2.0.0"
+  # For ini_file and slack modules
+  - name: community.general
+    version: ">=3.0.0"
+  # Most other modules (stat, command, include_tasks, debug, file, unarchive, template, git, etc.)
+  # are part of ansible-core and require no additional collection.
+

From ed911f98c66b4faf4e734e221df01a3a64ad67d5 Mon Sep 17 00:00:00 2001
From: observable-it <142211654+observable-it@users.noreply.github.com>
Date: Mon, 9 Jun 2025 17:14:19 +0200
Subject: [PATCH 5/5] Update RedHat10.yml Added newline
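Review bot: `paramiko>=2.11.0` has no upper bound and no hash, so a fresh install pulls whatever the index serves at that moment, which makes the control-node environment non-reproducible and leaves it exposed to a bad or compromised future release; pin to the version you tested (`paramiko==<tested version>`) or generate a hash-pinned file and install with `pip install --require-hashes -r requirements.txt`. The header comment could also state when this dependency actually matters, since the default `ssh` connection plugin uses the OpenSSH client and does not need it: `# Only required when ansible_connection=paramiko is used; the default ssh connection does not need it`.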
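Review bot: The collection ranges `">=2.0.0"` and `">=3.0.0"` are open-ended, so `ansible-galaxy collection install -r requirements.yml` resolves to whatever is newest on Galaxy at install time; pinning exact versions, or at least adding a `,<N.0.0` upper bound, keeps installs reproducible and makes a collection update a reviewable change. The comment says `ansible.posix` is needed for `sefcontext`, but the SELinux task added in PATCH 1/5 relabels with a bare `restorecon` command and no `sefcontext` call is visible in this series; if the role uses `sefcontext` elsewhere the comment is fine, otherwise it should name the module that is actually used or the collection should be dropped. The file also ends with an empty added line, which yamllint will report as a trailing blank.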