Thanks Frank and Michael for your useful suggestions.

The point is, the entire production system is handed over to a third-party developer team with sudo privileges (it is a mistake from the architecture team) and the client is so dependent on the development team. The developers are such that they install a lot of packages which are vulnerable to the environment. We manage the infrastructure and our CVE scores are getting hit because of those unwanted packages which the development team installs. Even after informing the team multiple times, they still run that software on the server, which is not even upgraded. I know that this is something to do with restricting or educating the team not to use the system for such installations. As of now there is no mechanism to stop it and I was thinking about doing something with Ansible. I am not sure if this is possible; is there any way I can make Ansible report back to us when a new installation is done on the system?

On Sun, 28 Oct 2018, 10:46 pm Frank Thommen, <[email protected]> wrote:

> Consider that with this mechanism you will not detect packages which have
> been installed directly, either by a custom installer, the standard
> configure-make-make install, or by directly copying binaries or scripts
> into some central location.
>
> Also keep in mind that if you omit (or someone removes) an essential
> package (let's say "python" :-) from good_packages, you risk completely
> screwing up your systems. I am normally extremely careful when it comes
> to /remove/ stuff through ansible.
>
> Also because of that you should absolutely consider Michael's comment.
> Additionally you might consider implementing some inventory/monitoring
> which allows you to monitor software changes.
>
> Cheers
> frank
>
> On 28/10/18 17:34, Jonathan Lozada De La Matta wrote:
> > I 2nd Michael's comment.
> >
> > On Sun, Oct 28, 2018 at 11:37 AM Michael Mullay <[email protected]> wrote:
> > > Hi Sathya,
> > >
> > > You could get a list of current packages via 'yum list' or whatever
> > > package manager, then use that as the list of packages as the
> > > variable, and do something like the following. Maintaining and
> > > parsing that 'master' list however might be quite cumbersome.
> > >
> > >     - name: remove unwanted packages
> > >       package:
> > >         name: "{{ item }}"
> > >         state: absent
> > >       # loop over the currently installed package names (assumed to be
> > >       # gathered beforehand, e.g. from package_facts)
> > >       loop: "{{ installed_packages }}"
> > >       when: item not in good_packages
> > >
> > > Of course the simpler and saner way would be to just restrict people
> > > from installing packages in the first place. ;)
> > >
> > > On Sat, Oct 27, 2018 at 10:44 AM Sathya Narayanan <[email protected]> wrote:
> > > > Hi All,
> > > >
> > > > I am new to ansible and I would like to understand or get some
> > > > ideas about how to use ansible to maintain a standard operating
> > > > system environment.
> > > >
> > > > For example: I would like to have ansible check all my existing
> > > > OS (Amazon Linux) to see if there are any additional packages
> > > > installed.
> > > >
> > > > The idea is to have a list of rpm names as standard packages,
> > > > and ansible should monitor whether all my systems have only the
> > > > list of approved rpms. In case of any extra rpms installed by
> > > > any of the engineers, ansible should automatically remove them.
> > > >
> > > > Not sure if I have explained my ask clearly, but the idea is to
> > > > have ansible maintain a software inventory (approved software) and,
> > > > if any unauthorized software is installed, it should notify via
> > > > email and remove that software.
> > > >
> > > > Regards,
> > > > Sathya.R
> > > >
> > > > --
> > > > You received this message because you are subscribed to the
> > > > Google Groups "Ansible Project" group.
> > > > To unsubscribe from this group and stop receiving emails from
> > > > it, send an email to [email protected].
> > > > To post to this group, send email to [email protected].
> > > > To view this discussion on the web visit
> > > > https://groups.google.com/d/msgid/ansible-project/CACqv84jQ%2BpHqRtk4fAoCvyhey-o6cRgugv0uOWnNn4Odf%2BgEDA%40mail.gmail.com.
> > > > For more options, visit https://groups.google.com/d/optout.
> >
> > --
> > Jonathan lozada de la matta
> > AUTOMATION PRACTICE
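The "report back when something new is installed" that the top message asks for, as an added example playbook that is not code from this thread or from the Ansible project. It assumes an approved-package baseline file files/approved_packages.txt on the control node (one package name per line), a report directory /tmp/package-audit on the control node, and an SMTP relay; the mail address and SMTP host are placeholders, and the protected_packages list is a constructed safety net. Following Frank's caveats, removal is opt-in (remove_unapproved defaults to false) and never touches the protected list, and the rpm -qf task covers his other point: software dropped in by make install or hand-copied binaries does not appear in package facts, so the play also lists files under /usr/local and /opt that no RPM owns (only those directories are searched).

```yaml
---
# Added example for this thread; not code from the thread or from the Ansible
# project. Assumptions and placeholders are marked in the comments below.
- name: Audit installed packages against an approved baseline and report drift
  hosts: all
  become: true
  vars:
    # assumed: one package name per line, '#' comments allowed, on the control node
    approved_packages_file: files/approved_packages.txt
    # assumed path on the control node where per-host reports are written
    report_dir: /tmp/package-audit
    # placeholders for the notification; replace with real values
    report_mail_to: [email protected]
    smtp_host: smtp.example.internal
    # removal is opt-in: review the report first (Frank's caveat)
    remove_unapproved: false
    # constructed safety list: never removed even if missing from the baseline
    protected_packages: [python3, sudo, rpm, yum, glibc, systemd, openssh-server]

  tasks:
    - name: Gather the installed package list from the package manager
      ansible.builtin.package_facts:
        manager: auto

    - name: Load the approved baseline from the control node
      ansible.builtin.set_fact:
        approved_packages: >-
          {{ lookup('ansible.builtin.file', approved_packages_file).splitlines()
             | map('trim') | reject('match', '^(#|$)') | list }}

    - name: Compute installed-but-unapproved and approved-but-missing packages
      ansible.builtin.set_fact:
        unapproved_packages: "{{ ansible_facts.packages.keys() | list | difference(approved_packages) | sort }}"
        missing_packages: "{{ approved_packages | difference(ansible_facts.packages.keys() | list) | sort }}"

    # Package facts miss 'make install' and hand-copied binaries; check the usual
    # drop directories for files no RPM owns (only these directories are covered).
    - name: List files under /usr/local and /opt that no RPM owns
      ansible.builtin.shell: |
        set -o pipefail
        find /usr/local/bin /usr/local/sbin /opt -maxdepth 2 -type f 2>/dev/null \
          | xargs -r rpm -qf 2>&1 | grep 'not owned' || true
      args:
        executable: /bin/bash
      register: unowned_files
      changed_when: false
      check_mode: false

    - name: Ensure the report directory exists on the control node
      ansible.builtin.file:
        path: "{{ report_dir }}"
        state: directory
        mode: "0750"
      delegate_to: localhost
      become: false
      run_once: true

    - name: Write a per-host drift report on the control node
      ansible.builtin.copy:
        dest: "{{ report_dir }}/{{ inventory_hostname }}.txt"
        content: |
          host: {{ inventory_hostname }}
          unapproved packages ({{ unapproved_packages | length }}): {{ unapproved_packages | join(' ') }}
          missing packages ({{ missing_packages | length }}): {{ missing_packages | join(' ') }}
          files not owned by any package ({{ unowned_files.stdout_lines | length }}):
          {% for line in unowned_files.stdout_lines %}
            {{ line }}
          {% endfor %}
      delegate_to: localhost
      become: false
      # report 'changed' only when there is drift, so the mail handler fires only then
      changed_when: (unapproved_packages | length > 0) or (unowned_files.stdout_lines | length > 0)
      notify: mail drift report

    - name: Remove unapproved packages (only when remove_unapproved is true)
      ansible.builtin.package:
        name: "{{ unapproved_packages | difference(protected_packages) }}"
        state: absent
      when:
        - remove_unapproved | bool
        - unapproved_packages | difference(protected_packages) | length > 0

  handlers:
    - name: mail drift report
      community.general.mail:
        host: "{{ smtp_host }}"
        port: 25
        to: "{{ report_mail_to }}"
        subject: "Package drift detected on {{ inventory_hostname }}"
        body: "{{ lookup('ansible.builtin.file', report_dir ~ '/' ~ inventory_hostname ~ '.txt') }}"
      delegate_to: localhost
      become: false
```

Run it on a schedule (cron or AWX/Tower) in its default detect-and-notify mode; a host only produces mail when its report differs from the baseline, and the per-host report files give you a record of what appeared and when. Pass -e remove_unapproved=true only after a report has been reviewed, and keep the baseline generated from a known-good host rather than hand-edited, since a baseline that omits an essential package would otherwise flag it for removal.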
