Need help


Sathya Narayanan

Oct 27, 2018, 1:44:49 PM
to ansible...@googlegroups.com
Hi All, 

I am new to ansible and I would like to understand or get some ideas about how to use ansible to maintain standard operating system environment.

For example: I would like ansible to check all my existing OS installs (Amazon Linux) to see if there are any additional packages installed.

The idea is to have a list of rpm names as standard packages, and ansible should monitor whether all my systems have only the list of approved rpms. In case of any extra rpms installed by any of the engineers, ansible should automatically remove them.

Not sure if I have explained my ask clearly, but the idea is to have ansible maintain a software inventory (approved software), and if any unauthorized software is installed, it should notify via email and remove that software.

Regards,
Sathya.R

Sathya Narayanan

Oct 28, 2018, 9:46:58 AM
to ansible...@googlegroups.com
Any suggestions/ideas on the below ask?


Michael Mullay

Oct 28, 2018, 11:37:37 AM
to ansible...@googlegroups.com
Hi Sathya,

You could get a list of current packages via 'yum list' or whatever package manager, then use that as the list of packages as the variable, and do something like the following. Maintaining and parsing that 'master' list however might be quite cumbersome.

- name: remove unwanted packages
  package:
    name: "{{ item }}"
    state: absent
  loop: "{{ installed_packages }}"   # the current package list you built from 'yum list'
  when: item not in good_packages

Of course the simpler and saner way would be to just restrict people from installing packages in the first place. ;)


--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CACqv84jQ%2BpHqRtk4fAoCvyhey-o6cRgugv0uOWnNn4Odf%2BgEDA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Jonathan Lozada De La Matta

Oct 28, 2018, 12:34:53 PM
to ansible...@googlegroups.com
I 2nd Michael's comment.




--

Jonathan lozada de la matta

AUTOMATION PRACTICE


Frank Thommen

Oct 28, 2018, 1:16:28 PM
to ansible...@googlegroups.com
Consider that with this mechanism you will not detect packages which have been installed directly, either by a custom installer, the standard configure / make / make install, or by directly copying binaries or scripts into some central location.

Also keep in mind that if you omit (or someone removes) an essential package (let's say "python" :-) from good_packages, you risk completely screwing up your systems. I am normally extremely careful when it comes to /removing/ stuff through ansible.

Also because of that you should absolutely consider Michael's comment. Additionally you might consider implementing some inventory/monitoring which allows you to monitor software changes.

Cheers
frank
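As an added example (not code from the thread, nor from Ansible itself), here is a playbook that puts Michael's good_packages approach together with the safeguards Frank describes: it reports drift by email, keeps a protected list so an essential package can never be removed, and only removes anything when an explicit variable is set. The inventory group, the vars file and the mail address are assumptions.

```yaml
---
# Added example, not code from the thread. Builds on Michael's
# 'good_packages' idea and adds the safeguards Frank raised.
# The group name, the vars file and the mail address are assumptions.
- name: Report (and optionally remove) RPMs outside the approved baseline
  hosts: amazon_linux          # assumed inventory group
  become: true
  vars:
    remove_unapproved: false   # report-only by default; -e remove_unapproved=true to enforce
    report_to: ops@example.invalid   # placeholder address
    # never removed, even if someone drops them from good_packages
    protected_packages: [kernel, systemd, rpm, yum, sudo, openssh-server, python, python3]
  tasks:
    - name: Load the approved list (defines good_packages)
      ansible.builtin.include_vars:
        file: good_packages.yml   # assumed file, e.g. "good_packages: [bash, curl, ...]"

    - name: Refuse to run if the approved list has lost an essential package
      ansible.builtin.assert:
        that: protected_packages | difference(good_packages) | length == 0
        fail_msg: "good_packages is missing {{ protected_packages | difference(good_packages) }}"

    - name: Gather installed packages from the rpm database
      ansible.builtin.package_facts:
        manager: auto

    - name: Work out what is installed but not approved
      ansible.builtin.set_fact:
        unapproved: "{{ ansible_facts.packages.keys() | list
                        | difference(good_packages) | difference(protected_packages) }}"

    - name: Show drift per host
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }}: {{ unapproved | length }} unapproved package(s): {{ unapproved }}"

    - name: Mail the report (the mail module defaults to an MTA on localhost:25)
      community.general.mail:
        to: "{{ report_to }}"
        subject: "Unapproved packages on {{ inventory_hostname }}"
        body: "{{ unapproved | join('\n') }}"
      delegate_to: localhost
      when: unapproved | length > 0

    - name: Remove unapproved packages, only when enforcement is switched on
      ansible.builtin.package:
        name: "{{ unapproved }}"
        state: absent
      when: remove_unapproved | bool and unapproved | length > 0
```

Run it first with remove_unapproved left at false and review the mailed reports for a while; only once good_packages is known to be complete is it safe to switch enforcement on.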

Sathya Narayanan

Oct 28, 2018, 2:11:52 PM
to ansible...@googlegroups.com
Thanks Frank and Michael for your useful suggestions.


The point is, the entire production system is handed over to a third-party developer team with sudo privileges (it is a mistake by the architecture team), and the client is very dependent on the development team.

The developers are such that they install lots of packages which are vulnerable in the environment.

We manage the infrastructure and our CVE scores are getting hit because of those unwanted packages which the development team installs.

Even after informing the team multiple times, they still run that software on the server, which is not even upgraded.

I know that this is something to do: restrict or educate the team not to use the system for such installations.

As of now there is no mechanism to stop it, and I was thinking about doing something with ansible.

I am not sure if this is possible, but is there any way I can make ansible report back to us when a new installation is done on the system?


Jonathan Lozada De La Matta

Oct 28, 2018, 2:16:35 PM
to ansible...@googlegroups.com
A quick solution might be to upgrade those packages that are vulnerable, but that varies by OS flavor and the applications being installed.

