how to control 100% of the state of a server

Ioannis_Cherouvim · February 4, 2017, 6:33am

Hello

I provision my servers using ansible, but sometimes developers will log into a server and do adhoc things.
Changes that happen on things that have been provisioned by ansible (e.g templated files, changes on configs using ini_file etc) can quickly be spotted by running the playbook using --diff --check
But what about all other “ansible untracked” changes?

For example:

someone adds a crontab entry
someone alters something in /etc/hosts which is not provisioned by ansible
someone installs a package which does not appear at all in my playbooks

I understand that ansible cannot easily solve this unless I write a million rules to catch all such cases.

So, what would a sensible approach to solving this be (apart from denying server access to those people)?

thanks

Brian_Coca · February 6, 2017, 2:52pm

You can use a file alteration monitor (tripwire, aide, osiris) to keep
track of these things. If you don't want to go through all that, you
can use gam and/or inotify to create a poor man's version.

Ioannis_Cherouvim · February 6, 2017, 7:22pm

Wow, that was an eye opener. Thanks!

Topic		Replies	Views
Configuration Management - How to Ensure Server Configuration is not changed and if changed revert back? Ansible Project	2	1	July 16, 2018
Can ansible be used to control/change management on files Ansible Project	4	0	July 26, 2018
How to enhance the --check mode Ansible Project	2	0	January 17, 2018
--check shows changes that won't actually happen Ansible Project	7	0	September 9, 2014
New in 1.1 -- Diff mode for templates! Works with and without --check, but prefers --limit Ansible Project	9	0	February 9, 2013

how to control 100% of the state of a server

Related topics