how to control 100% of the state of a server


Ioannis Cherouvim

Feb 6, 2017, 9:41:47 AM2/6/17
to Ansible Project
Hello

I provision my servers using ansible, but sometimes developers will log into a server and do ad hoc things.
Changes that happen on things that have been provisioned by ansible (e.g. templated files, changes to configs using ini_file, etc.) can quickly be spotted by running the playbook with --diff --check.
But what about all other "ansible untracked" changes?

For example:
- someone adds a crontab entry
- someone alters something in /etc/hosts which is not provisioned by ansible
- someone installs a package which does not appear at all in my playbooks

I understand that ansible cannot easily solve this unless I write a million rules to catch all such cases.

So, what would a sensible approach to solving this be (apart from denying server access to those people)?

thanks

Brian Coca

Feb 6, 2017, 9:52:49 AM2/6/17
to Ansible Project
You can use a file alteration monitor (tripwire, aide, osiris) to keep track of these things. If you don't want to go through all that, you can use gam and/or inotify to create a poor man's version.


----------
Brian Coca
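A minimal form of the "poor man's version" Brian describes, added here as an example and not code from the thread: take a content/mode/ownership baseline of a watch list right after a clean provisioning run, then diff a fresh snapshot against it. The demo scenario (a hosts file and a cron.d directory in a temp dir, with a constructed ad hoc edit, addition and deletion) is an assumption standing in for /etc/hosts and /etc/cron.d.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(paths):
    """Map each regular file under `paths` to 'sha256:mode:uid:gid'.
    Mode and ownership are recorded so a chmod/chown shows up as a change too."""
    manifest = {}
    for root in map(Path, paths):
        if not root.exists():
            continue  # absent now; if it appears later it is reported as 'added'
        files = [root] if root.is_file() else [p for p in root.rglob("*") if p.is_file()]
        for f in files:
            st = f.stat()
            manifest[str(f)] = f"{file_digest(f)}:{st.st_mode & 0o7777:04o}:{st.st_uid}:{st.st_gid}"
    return manifest

def diff(baseline, current):
    """Added / removed / modified paths between two manifests (persist the
    baseline as JSON after a clean provisioning run and compare on each later run)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }

def demo():
    """Constructed scenario in a temp dir: hosts edited, one cron file added, one removed."""
    with tempfile.TemporaryDirectory() as d:
        hosts, crond = Path(d, "hosts"), Path(d, "cron.d")
        crond.mkdir()
        hosts.write_text("127.0.0.1 localhost\n")
        Path(crond, "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")
        baseline = snapshot([hosts, crond])  # taken right after provisioning
        hosts.write_text("127.0.0.1 localhost\n10.0.0.5 staging-db\n")  # ad hoc edit
        Path(crond, "adhoc").write_text("*/5 * * * * dev /home/dev/sync.sh\n")  # ad hoc crontab
        Path(crond, "backup").unlink()
        changes = diff(baseline, snapshot([hosts, crond]))
        return {k: [Path(p).name for p in v] for k, v in changes.items()}

if __name__ == "__main__":
    print(demo())
```

Run as root over /etc, /var/spool/cron and the package manager's database directory to cover the three cases in the question; a real tool such as aide also signs the baseline so a change to the baseline itself is detected.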

Ioannis Cherouvim

Feb 6, 2017, 2:22:55 PM2/6/17
to Ansible Project
Wow, that was an eye opener. Thanks!