Is there a way in Ansible to create a host level interceptor which does ‘something’ in case the ansible-playbook command is invoked?
What I am trying to do here is to get informed periodically about ‘ansible-playbook’ command invocations anywhere on my host. There are a large number of users and playbooks on my host now, and as any of them are capable of changing my target machines, I need to know/track all ansible-playbook triggers. Parsing the logs can get tedious. I was thinking maybe there is a way in Ansible to record all commands invoked in a file that I can then read and know only what playbooks are executed.
Hi,
Is there a way in Ansible to create a host level interceptor which does
'something' in case the ansible-playbook command is invoked?
What I am trying to do here is to get informed periodically about
'ansible-playbook' command invocations anywhere on my host. There are a
large number of users and playbooks on my host now and as any of them
are capable of changing my target machines,
Sorry but that approach sounds dubious.
Solution: don't let everybody, anytime change your "target machines".
(Welcome to the world of change management.)
I need to know/track all
ansible-playbook triggers. Parsing the logs can get tedious. I was
thinking maybe there is a way in Ansible to record all commands invoked
in a file that I can then read and know only what playbooks are executed.
If you want audits and RBAC:
Primary choice, obviously: look at Ansible Tower -- if you have only 10
hosts or less; or enough money.
Secondary choices, if your budget is restricted but you have enough time
to fiddle yourself: have a look at OpenStack ARA and/or Rundeck and/or
Jenkins.
Regards,
Benjamin
Thanks for suggesting ARA. It looks interesting. I am now trying it.
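
A minimal audit callback of the kind the question asks about, as an added example that is not part of the original thread or of Ansible itself: it appends one JSON line per playbook start, recording who ran which playbook and from where. The plugin name `playbook_audit` and the log path are assumptions; the file has to sit in a callback plugin directory and be listed under `callbacks_enabled` in `ansible.cfg`.

```python
"""Constructed example: audit callback that logs each playbook start as a JSON line."""
import json
import os
import sys
import time

try:
    from ansible.plugins.callback import CallbackBase
except ImportError:  # lets the logging logic be exercised without Ansible installed
    CallbackBase = object

# Assumed path; pick one that invoking users can append to but not rewrite.
AUDIT_LOG = "/var/log/ansible-playbook-audit.jsonl"


def build_record(playbook_file, argv=None):
    """Return who ran which playbook, from where, and with what command line."""
    return {
        "time": time.strftime("%Y-%m-%dT%H:%M:%S%z"),
        "uid": os.getuid(),                          # real uid, not an env variable
        "sudo_user": os.environ.get("SUDO_USER"),    # original user when run via sudo
        "cwd": os.getcwd(),
        "playbook": os.path.abspath(playbook_file),
        # argv can contain secrets passed with -e, so keep the log unreadable to others
        "argv": list(sys.argv if argv is None else argv),
    }


def append_record(record, path=None):
    """Append one JSON line; O_APPEND keeps concurrent writers from interleaving."""
    fd = os.open(path or AUDIT_LOG, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o640)
    with os.fdopen(fd, "a") as handle:
        handle.write(json.dumps(record, sort_keys=True) + "\n")


class CallbackModule(CallbackBase):
    CALLBACK_VERSION = 2.0
    CALLBACK_TYPE = "notification"
    CALLBACK_NAME = "playbook_audit"  # hypothetical plugin name
    CALLBACK_NEEDS_ENABLED = True     # only runs when listed in callbacks_enabled

    def v2_playbook_on_start(self, playbook):
        try:
            append_record(build_record(playbook._file_name))
        except OSError as exc:
            # Do not abort the run if the log is unwritable; surface it instead.
            sys.stderr.write("playbook_audit: cannot write audit log: %s\n" % exc)
```

Any user can point Ansible at a different `ansible.cfg`, so this records cooperative use only and does not replace the access control recommended above.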