include uid with ansible entries in messages log

Steve_Zimmerman · June 21, 2017, 2:56pm

Hello,
I have an audit/security request to include the user id in the messages log for commands issued against a linux server. To illustrate, the commands are issued with as sudo:

sudo ansible —

results in /var/log/messages:

Jun 19 00:01:13 usildng-ps-03 ansible-command: Invoked with creates=None executable=None chdir=None args=lsof removes=No

ne NO_LOG=None shell=True warn=True

Our audit folks would like to see something like :

Jun 19 00:01:13 usildng-ps-03 ansible-command**-by-**: Invoked with creates=None executable=None chdir=None args=lsof removes=No

ne NO_LOG=None shell=True warn=True

If this is possible via ansible, what steps would be needed to capture the uid of the user calling the command and then pass with the command(s) to the server?

Any and all assistance would be greatly appreciated.

Thanks in advance,

Steve Zimmerman

Systems and Network Administrator

TreeHouse Private Brands

Dick_Davies · June 21, 2017, 7:09pm

Sudoing to run Ansible on the control machine won't show up in the
target server logs.

If ansible sudos on the targets (i.e. you have become: yes in the
plays) that should show up.

Dick_Davies · June 21, 2017, 7:22pm

Just checked; if you're SSHing in as a non-root user
(vagrant here)
and running the plays via become: then you'll see the sudo messages
in /var/log/secure (on CentOS6; YMMV for other distros) and the
task messages in /var/log/messages.

(the playbook just checks the mysqld service is running, essentially:

- hosts: jiras
  become: yes
  become_user: root
  tasks:
    - name: start mysql
      service: mysql
      state: started
      enabled: yes

)

==> /var/log/secure <==
Jun 21 19:18:56 jira1 sshd[3536]: subsystem request for sftp
Jun 21 19:18:56 jira1 sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ;
USER=root ; COMMAND=/bin/sh -c echo
BECOME-SUCCESS-hfjuiqroxdvdnofysfvehhgezbyanxfq; /usr/bin/python
/home/vagrant/.ansible/tmp/ansible-tmp-1498072737.75-49306779549726/service.py;
rm -rf "/home/vagrant/.ansible/tmp/ansible-tmp-1498072737.75-49306779549726/"

/dev/null 2>&1

==> /var/log/messages <==
Jun 21 19:18:57 jira1 ansible-service: Invoked with name=mysqld
pattern=None enabled=True state=started sleep=None arguments=
runlevel=default

Shame its not in one log, but it does tick the audit box for privilege
escalation...

Topic		Replies	Views
Running commands as a user without a login shell Get Help playbook , ansible-core	8	1837	January 6, 2024
Sudo: /etc/sudo.conf is owned by uid 65534, should be 0\nsudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set Get Help playbook , rhel , ansible	12	659	March 28, 2024
logging actual user instead of effective user in ansible logging Ansible Developer	0	0	March 17, 2017
[Ansible 2.*] Problem with variables Ansible Project	5	1	January 19, 2016
ansible command on messages Ansible Project	5	0	August 10, 2018

include uid with ansible entries in messages log

sudo ansible —

Related topics