Hi All,
I am new to Ansible and I would like to understand, or get some ideas about, how to use Ansible to maintain a standard operating system environment.
For example: I would like Ansible to check all my existing OS (Amazon Linux) systems to see if there are any additional packages installed.
The idea is to have a list of rpm names as the standard packages, and Ansible should monitor whether all my systems have only the list of approved rpms. In case of any extra rpms installed by any of the engineers, Ansible should automatically remove them.
Not sure if I have explained my ask clearly, but the idea is to have Ansible maintain the software inventory (approved software), and if any unauthorized software is installed, it should notify via email and remove that software.
Regards,
Sathya.R
Any suggestions/ideas on the below ask?
Hi Sathya,
You could get a list of current packages via 'yum list' or whatever package manager, then use that as the package list variable, and do something like the following. Maintaining and parsing that 'master' list however might be quite cumbersome.

    - name: Remove unwanted packages
      package:
        name: "{{ item }}"
        state: absent
      # installed_packages: list of currently installed package names (e.g. parsed from 'yum list installed')
      loop: "{{ installed_packages }}"
      when: item not in good_packages
Of course the simpler and saner way would be to just restrict people from installing packages in the first place.
Consider that with this mechanism you will not detect packages which have been installed directly, either by a custom installer, the standard configure-make-make install, or by directly copying binaries or scripts into some central location.
Also keep in mind that if you omit (or someone removes) an essential package (let's say "python") from good_packages, you risk completely screwing up your systems. I am normally extremely careful when it comes to /remove/ stuff through Ansible.
Also because of that you should absolutely consider Michael's comment. Additionally, you might consider implementing some inventory/monitoring which allows you to monitor software changes.
Cheers
frank
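A playbook sketch, added here as an example (it is not from Michael's or Frank's posts), that combines the approved-list check above with Frank's caveat about essential packages: it gathers installed RPMs, reports anything outside the approved list, and only removes packages when removal is explicitly enabled. The package names, the protected list and the mail address are assumptions; the mail task needs the community.general collection and a working MTA on the controller.

```yaml
# Added example: audit installed RPMs against an approved baseline.
- name: Audit installed RPMs against an approved baseline
  hosts: all
  become: true
  vars:
    # Approved packages: constructed sample list (assumption for this example)
    good_packages:
      - bash
      - coreutils
      - openssh-server
      - python
    # Never removed, even if missing from good_packages (guards against
    # the "someone dropped python from the list" failure mode)
    protected_packages:
      - kernel
      - systemd
      - rpm
      - yum
      - python
      - sudo
    enforce_removal: false               # report only by default
    report_mail_to: ops@example.invalid  # placeholder address
  tasks:
    - name: Gather installed packages from the rpm database
      ansible.builtin.package_facts:
        manager: rpm
    - name: Compute packages that are installed but neither approved nor protected
      ansible.builtin.set_fact:
        unapproved_packages: >-
          {{ ansible_facts.packages.keys() | list
             | difference(good_packages)
             | difference(protected_packages) | sort }}
    - name: Report unapproved packages in the play output
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }} has unapproved packages: {{ unapproved_packages }}"
      when: unapproved_packages | length > 0
    - name: Email the report (runs on the controller, assumes a local MTA)
      community.general.mail:
        to: "{{ report_mail_to }}"
        subject: "Unapproved packages on {{ inventory_hostname }}"
        body: "{{ unapproved_packages | join(', ') }}"
      delegate_to: localhost
      when: unapproved_packages | length > 0
    - name: Remove unapproved packages (only when enforce_removal is true)
      ansible.builtin.package:
        name: "{{ unapproved_packages }}"
        state: absent
      when:
        - enforce_removal | bool
        - unapproved_packages | length > 0
```

Run it on a schedule in report-only mode first (the default here), review what it flags, and switch enforce_removal to true only for hosts where the approved and protected lists are known to be complete.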
Thanks Frank and Michael for your useful suggestions.
The point is, the entire production system is handed over to a third-party developer team with sudo privileges (it is a mistake by the architecture team), and the client is so dependent on the development team.
The developers are such that they install a lot of packages which are vulnerable in the environment.
We manage the infrastructure and our CVE scores are getting hit because of those unwanted packages which the development team installs.
Even after informing the team multiple times, they still run that software on the servers, which is not even upgraded.
I know that this is something to do with restricting or educating the team not to use the system for such installations.
As of now there is no mechanism to stop it and I was thinking about doing something with Ansible.
I am not sure if this is possible: is there any way I can make Ansible report back to us when a new installation is done on the system?
A quick solution might be to upgrade those packages that are vulnerable, but that varies by OS flavor and the applications being installed.