"It’s not so much OCD as it is DISA STIG. The RHEL6 STIG rules explicitly
state for specific services that if it’s not needed on a host it must be
disabled/uninstalled."
I did a small amount of consulting around STIG for a previous systems
management app company -- so I know what you are talking about.
Ultimately, those tools are not *great* at describing something that isn't
there, and this still holds for Ansible, though having a list of services
to remove and doing the following is not heinous evil:
- yum: name={{ item }} state=absent
  with_items: "{{ packages_to_remove }}"
Etc.
(Of course if someone installs "banned_package" in
/usr/local/you-are-not-going-to-find-it, that's not a complete solution)
Thanks for clarifying the use case!
On Tue, May 6, 2014 at 9:42 AM, Snyder, Chris <[email protected]> wrote:
> It’s not so much OCD as it is DISA STIG. The RHEL6 STIG rules
> explicitly state for specific services that if it’s not needed on a host it
> must be disabled/uninstalled. Granted I don’t need to do that for every
> possible service, but I do have to do it for specific services. What I
> may end up doing is have a general ‘base’ OS playbook for when I’m setting
> up a host that only turns on stuff. And then have a separate STIG playbook
> that I run occasionally to ensure that only those needed services on a
> given host are actually enabled and other STIG-identified services are not.
>
> Thx, all.
>
> Chris.
>
> *From:* [email protected] [mailto:[email protected]]
> *On Behalf Of *Michael DeHaan
> *Sent:* Thursday, May 01, 2014 5:31 PM
> *To:* [email protected]
> *Subject:* Re: [ansible-project] Re: Need help organizing tasks/playbooks
> for multiple operating systems
>
> I think this comes from some sort of OCD and you may wish to give this up
> :)
>
> State what should be on the machines, not what should not.
>
> It would be impossible to define all the things a server could not be.
>
> On Thu, May 1, 2014 at 1:59 PM, Adam Morris <[email protected]> wrote:
>
> On Thursday, May 1, 2014 10:12:58 AM UTC-7, Snyder, Chris wrote:
>
> I’m stuck. I’m sure this can all be done a better way, but right now, I’m
> just not seeing it. Can anyone offer suggestions of what else to try here?
>
> I'm sure that there are many better ways...
>
> First, you can detect your OS programmatically and add it to the
> appropriate group... I start with a playbook that has this...
>
> ---
> # file: group.yml
> - hosts: all
>   gather_facts: true
>   tasks:
>     - group_by: key={{ ansible_os_family }}
>     - group_by: key={{ ansible_product_name.split()[0] }}
>
> This creates a group for each OS family (RedHat/Debian/AIX) but you can be
> more specific if you want, and one that lets me detect HP Proliant hardware
> (I have some tasks specifically for that...)
>
> Then I run some playbooks with generic tasks some of which have
> alternatives for different OSes. Equally I could split these into four
> roles, one for Generic tasks, and one for each of the OS variants...
>
> If the only difference between two tasks is some parameters (This file
> should be owned by group "sys" on this OS but "root" on that...) then I use
> variables for those differences and set variables for different groups in
> the group_vars directory.
>
> And I did this for *EVERY SERVICE* (xinetd, vsftpd, httpd, etc….) on my
> hosts. In short, if it didn’t have to be on, it had to be explicitly
> disabled. [If there’s a better form for these types of patterns, PLEASE let
> me know – it’s so verbose and ugly, especially duplicated for every service
> I have on my boxes.]
>
> Much better would be to have a list of services to disable and use
> with_items...
>
> - name: Ensure servers removed
>   yum: name={{ item }} state=absent
>   with_items: "{{ remove_server_list }}"
>
> You can get fancier still, but this should be enough to get you moving
> along cleaner lines...
>
> I hope that this helps,
>
> Adam
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/2a1392bc-17c6-42b8-8991-748e9ae24cc8%40googlegroups.com
>
>
> For more options, visit https://groups.google.com/d/optout.