On Thursday, March 27, 2014 11:07:02 AM UTC-7, Michael DeHaan wrote:
>
> So you're probably going to have problems above because one thing wants to
> return a basic list and the other list you're trying to use is structured.
>
> I've seen this pattern held by others in the past where they keep a list
> of users to remove, such as people who have left a company, and this may be
> a better approach -- this way you wouldn't remove some user account set
> down by an application or something (though I think that's what your UID
> range is going for).
>

I think a much better option would be to manage those user accounts that you know about and use another tool to warn you about changes... AIDE (http://aide.sourceforge.net/) could easily be set up and automated to run on a periodic basis; this would let you know whether certain files had changed, and you could decide whether those were acceptable changes. If you are just concerned about the addition of accounts then you can monitor the password file. On some of our systems we have Zabbix monitoring the password file and it tells us whenever there is a change (including when someone changes their password). That means that if we are concerned we can go in and check the password file for changes immediately and decide what action to take.
I think my biggest concern about using Ansible to manage unknown accounts (rather than known ones) is that you could remove an account that was deliberately added, for a very good reason, but not added to your list... If you are dealing with a uniform system build (same version, same users) then you might want to push the password file from Ansible instead... But that seems pretty dangerous to me for the reasons that I gave above. Do remember that the passwords themselves will not usually be stored in /etc/passwd, so you're not going to be changing people's passwords this way.

If you HAVE to do this programmatically I would consider writing a shell script to create a local facts file consisting of a list of users NOT in your "should exist" list. Then gather facts again and remove the ones in the "remove list", if any are in there... To ensure that you have the right "should exist" list, push that out from Ansible. In other words you would have something like this pseudocode:

Initial Play
  - name: create list of users that should exist
  - name: run a shell script that creates a file in /etc/ansible/facts.d with a list of users to remove

Next Play (so we can gather facts again)
  - name: Group the hosts based on a variable we set in the /etc/ansible/facts.d/remove file based on whether we had any users to remove
  - name: Remove the users that are in the remove list

The hardest part will be writing the shell script, but even that shouldn't be too hard (look at the comm command)

Adam
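The shell-script half of the procedure above, as an added example that is not part of Adam's post and not Ansible project code. It computes the "remove list" with comm (accounts inside a UID range that are missing from the "should exist" list) and writes it as a JSON local fact, which is what a later play would read back as ansible_local.remove after re-gathering facts. Everything here is assumed for illustration: the sample passwd lines and should-exist list are constructed, the UID range 1000-1999 is arbitrary, the fact file name remove.fact and its has_users/users keys are my choice, and usernames are taken to be plain POSIX names that need no JSON escaping.

```shell
#!/bin/sh
# Added example (not from the original post or from the Ansible project).
# Builds the "remove list": local accounts inside a UID range that are NOT on
# the "should exist" list Ansible pushed out, written as an Ansible local fact
# so a later play can read it as ansible_local.remove.
set -eu

# Constructed sample /etc/passwd (not taken from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
mallory:x:1003:1003:Mallory:/home/mallory:/bin/bash
appsvc:x:2001:2001:App service:/srv/app:/usr/sbin/nologin'

# Constructed "should exist" list, as Ansible would push it out
# (assumed format: one username per line).
SHOULD_EXIST='alice
bob'

# compute_remove_list PASSWD_TEXT SHOULD_EXIST MIN_UID MAX_UID
# Prints, sorted and one per line, the accounts whose UID is in [MIN_UID, MAX_UID]
# but which are absent from SHOULD_EXIST. Accounts outside the range (system
# and application users) are never reported; that is the safety net against
# deleting an account some package or application created.
compute_remove_list() {
    passwd_text=$1; should=$2; min_uid=$3; max_uid=$4
    have_f=$(mktemp); want_f=$(mktemp)
    # comm requires both inputs sorted identically; pin the C locale so that
    # sort and comm agree on the collation order.
    printf '%s\n' "$passwd_text" \
        | awk -F: -v lo="$min_uid" -v hi="$max_uid" '$3 >= lo && $3 <= hi { print $1 }' \
        | LC_ALL=C sort -u > "$have_f"
    printf '%s\n' "$should" | sed '/^$/d' | LC_ALL=C sort -u > "$want_f"
    # -23 drops lines only in the second file and lines in both, leaving
    # exactly the accounts that exist but are not wanted.
    LC_ALL=C comm -23 "$have_f" "$want_f"
    rm -f "$have_f" "$want_f"
}

# write_remove_fact OUTFILE USERS
# Writes a JSON local fact. Ansible loads /etc/ansible/facts.d/remove.fact as
# ansible_local.remove, so the next play can test ansible_local.remove.has_users
# (to group hosts) and loop over ansible_local.remove.users. Assumes usernames
# are plain POSIX names (no quotes or backslashes), so no JSON escaping is needed.
write_remove_fact() {
    outfile=$1; users=$2
    json_users=""
    for u in $users; do
        json_users="${json_users:+$json_users, }\"$u\""
    done
    if [ -n "$json_users" ]; then has_users=true; else has_users=false; fi
    printf '{"has_users": %s, "users": [%s]}\n' "$has_users" "$json_users" > "$outfile"
}

# Demo on the constructed data. On a real host you would pass "$(getent passwd)"
# and the contents of the pushed should-exist file, and write to
# /etc/ansible/facts.d/remove.fact (creating the directory first). Set FACT_FILE
# to choose the output path; by default the demo writes to a temporary file so
# running it has no side effects.
demo() {
    users=$(compute_remove_list "$SAMPLE_PASSWD" "$SHOULD_EXIST" 1000 1999)
    out=${FACT_FILE:-$(mktemp)}
    write_remove_fact "$out" "$users"
    echo "remove list written to $out:"
    cat "$out"
}
demo
```

Run as-is it reports only mallory: alice and bob are on the should-exist list, and appsvc (UID 2001) is outside the range, so the application account is left alone even though Ansible knows nothing about it. The second play would then use the has_users fact to build a group and run the user module with state=absent over the users list; anything that lands in that list is still worth a human look before the removal play runs, for the reasons given above.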
