Can ansible be used to control/change management on files

I am relatively new and just starting to use ansible in my company. One of the tasks I am looking to accomplish is to control files such as different Linux config files to ensure they are the correct version. For example, I am looking to control the /etc/sysctl.conf file on my Suse servers, which holds some specific parameters that we set. I know I can push that config file to all my servers with ansible, but is there a way to manage it as well? For example, can ansible monitor the file, say compare it to a correct version to ensure it is identical? Then also, if someone makes an unauthorized change to the file, can ansible be used to detect that a file has been changed and then take action to replace the file back to the original? I was just looking to see if ansible has these capabilities built in, or would I need to just create a playbook that compares the files and then set up another script or cron job that will continuously run the playbook to check.

The first thing that comes to mind would be to use the copy or template module in dry-run mode, and configure a handler that takes the appropriate action (notifications).

It all depends on what you are trying to do.

There are existing and well-tested products that do things like check for changes (tripwire), prevent changes (SELinux, apparmor) and so on.

If a file changes and you didn’t expect or can’t explain the change, especially if the file is something that only root can alter, then your system has been fatally compromised. Trying to repair it is futile. I would suggest looking into a mechanism for completely rebuilding the system if you detect an unexpected change - e.g. network boot the system and reload it from scratch.

If the systems are virtuals, just wipe them regardless and spin up new ones. Don’t bother testing or checking them, just blow them away.

Regards, K.

See the response by Karl Auer on what to do if you suspect a system has been compromised. Ansible is not a “defense” program, nor is it a good tool to watch for and report changes to any system file. See “TripWire” and the other tools mentioned.

But, I assume you’re looking for the ability to ensure that your 500 servers have the proper configuration settings - such as ensure they are using the proper configuration files (e.g. sssd.conf settings for LDAP, or sshd.conf for SSH, etc).

You have some choices: the copy: or template: modules, or the lineinfile: module

Since most configuration files need to have a few lines changed, my preference is to use Ansible to push down the entire configuration file so you know exactly what is in there.

If you truly only have one line to change in the file, the lineinfile: module would work but it won’t catch changes to other lines in the file. This might be a benefit to you if you’re not the only one maintaining the file but it leaves you open to problems if the teams that are maintaining it don’t communicate or test their changes well.

The template: module is my preferred method. You keep a copy of the file alongside the playbook, and when Ansible runs it compares the file on the destination with the copy in the playbook and only copies it over if there is a difference. (I believe it uses a sha1sum of the file to save comparing long files, but I can’t find that in the code to verify.)

The nice thing with templates is you can put in plain text files that are identical on all machines, or you can put Ansible variables into the template files and use Jinja2 scripting to expand sections based on other Ansible variables.

For example, we use this heavily when we’re configuring our RedHat systems to connect into our LDAP infrastructure. The sssd.conf file is a template, but within the template are configurations to use the correct LDAP servers (primary and secondary) for the machine to use. Each of our datacenters has a primary and secondary LDAP server, so even if I run the same playbook on a server in each datacenter, the variables that Ansible pulls in are unique to each datacenter (machine), and the file is consistent each run for that machine but is maintained in one location company-wide.

You wrote:

or would I need to just create a playbook that compares the files and then set up another script or cron job that will continuously run the playbook to check.

You could, though if you’re that concerned then you’d want to set up TripWire to alert you when things change. Ansible can reset them if you determine it was a novice admin or an honest mistake, but Ansible can’t protect you from someone who’s got in and set up a backdoor on the system.

Though Ansible can help you recover by rebuilding a new system once you’ve found the back door and updated your hardening playbook to close it.

Hope that helps!
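A playbook that puts the template approach from this reply and the dry-run-plus-handler idea from the first reply into practice for the original poster's /etc/sysctl.conf case. This is an added example, not code from the thread; it assumes a hypothetical inventory group `suse_servers` and a Jinja2 file `sysctl.conf.j2` kept beside the playbook.

```yaml
# Added example (not from the thread). Assumes inventory group "suse_servers"
# and a template file sysctl.conf.j2 next to this playbook, containing e.g.:
#   # Managed by Ansible; local edits are overwritten on the next run
#   {% for key, value in sysctl_settings.items() %}
#   {{ key }} = {{ value }}
#   {% endfor %}
- name: Enforce /etc/sysctl.conf from a single template
  hosts: suse_servers
  become: true
  vars:
    # Constructed sample values; real ones belong in group_vars/host_vars
    # so the same template yields the right file for each datacenter.
    sysctl_settings:
      net.ipv4.ip_forward: 0
      kernel.randomize_va_space: 2
  tasks:
    - name: Render sysctl.conf and record whether it differed from the template
      ansible.builtin.template:
        src: sysctl.conf.j2
        dest: /etc/sysctl.conf
        owner: root
        group: root
        mode: "0644"
        backup: true      # keep the overwritten version for later review
      register: sysctl_file
      notify: Reload sysctl

    # "changed" is true only when the file on the host did not match the
    # rendered template, i.e. someone edited it since the last run.
    - name: Report hosts where the file had drifted
      ansible.builtin.debug:
        msg: "/etc/sysctl.conf on {{ inventory_hostname }} did not match the template"
      when: sysctl_file.changed

  handlers:
    - name: Reload sysctl
      ansible.builtin.command: sysctl -p /etc/sysctl.conf
```

Run it with `--check --diff` to only report which hosts differ and what changed, and without `--check` to put the template version back and reload the kernel parameters.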

Thanks for your inputs, I will definitely look into the template module a bit more and see if that can get the job done. I don’t have any systems that are compromised, nor do I really worry about that happening. A few other groups outside our Sys Admin team have access to these servers, so I just wanted to try to prevent, or be aware of, someone making a change to one of these config files without us knowing. So that’s why I was just wondering if Ansible could be “aware” of these files and run checks against them on its own to see if there are any differences and then, if there are, change the file back to the original, say from the template. However, I guess I would need other software to accomplish this or have to manually/script a playbook to run and check the conf files on the servers.