A quick solution might be to upgrade those packages that are vulnerable, but that varies by OS flavor and the applications being installed.

On Sun, Oct 28, 2018 at 2:11 PM Sathya Narayanan <[email protected]> wrote:
> Thanks Frank and Michael for your useful suggestions.
>
> The point is, the entire production system is handed over to some third party developers team with sudo privileges (it is a mistake from the architecture team) and the client is so dependent on the developing team.
>
> The developers are such that they install a lot of packages which are vulnerable to the environment.
>
> We manage the infrastructure and our CVE scores are getting hit because of those unwanted packages which the development team installs.
>
> Even after informing the team multiple times, they still run that software on the server, which is not even upgraded.
>
> I know that this is something to do: restrict or educate the team not to use the system for such installations.
>
> As of now there is no mechanism to stop it and I was thinking about doing something with Ansible.
>
> I am not sure if this is possible, but is there any way I can make Ansible report back to us when there is a new installation done on the system?
>
> On Sun, 28 Oct 2018, 10:46 pm Frank Thommen, <[email protected]> wrote:
> > Consider that with this mechanism you will not detect packages which have been installed directly, either by a custom installer, the standard configure / make / make install, or by directly copying binaries or scripts into some central location.
> >
> > Also keep in mind that if you omit (or someone removes) an essential package (let's say "python" :-) from good_packages, you risk completely screwing up your systems. I am normally extremely careful when it comes to /remove/ stuff through Ansible.
> >
> > Also because of that, you should absolutely consider Michael's comment. Additionally, you might consider implementing some inventory/monitoring which allows you to monitor software changes.
> >
> > Cheers
> > frank
> >
> > On 28/10/18 17:34, Jonathan Lozada De La Matta wrote:
> > > I 2nd Michael's comment.
> > >
> > > On Sun, Oct 28, 2018 at 11:37 AM Michael Mullay <[email protected]> wrote:
> > > > Hi Sathya,
> > > >
> > > > You could get a list of current packages via 'yum list' or whatever package manager, then use that as the list of packages as the variable, and do something like the following. Maintaining and parsing that 'master' list however might be quite cumbersome.
> > > >
> > > >     # installed_packages: the list gathered from 'yum list' (or your package manager)
> > > >     # good_packages: the approved 'master' list
> > > >     - name: remove unwanted packages
> > > >       package:
> > > >         name: "{{ item }}"
> > > >         state: absent
> > > >       loop: "{{ installed_packages }}"
> > > >       when: item not in good_packages
> > > >
> > > > Of course the simpler and saner way would be to just restrict people from installing packages in the first place. ;)
> > > >
> > > > On Sat, Oct 27, 2018 at 10:44 AM Sathya Narayanan <[email protected]> wrote:
> > > > > Hi All,
> > > > >
> > > > > I am new to Ansible and I would like to understand or get some ideas about how to use Ansible to maintain a standard operating system environment.
> > > > >
> > > > > For example: I would like to have Ansible check all my existing OS (Amazon Linux) to see if there are any additional packages installed.
> > > > >
> > > > > The idea is to have a list of rpm names as standard packages, and Ansible should monitor whether all my systems have only the list of approved rpms. In case of any extra rpms installed by any of the engineers, Ansible should automatically remove them.
> > > > >
> > > > > Not sure if I have explained my ask clearly, but the idea is to have Ansible maintain a software inventory (approved software), and if any unauthorized software is installed, it should notify via email and remove that software.
> > > > >
> > > > > Regards,
> > > > > Sathya.R

--
Jonathan lozada de la matta
AUTOMATION PRACTICE

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAFYJA%2BLr82dUPf7RZTxfs3Qk%3DhEMW%2BgOJN5uju9PbjZ%3DkFup6g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
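The thread asks for two things: a report of packages that are not on the approved list (Sathya's original question) and a notice whenever something new gets installed (his follow-up), with Frank's warning that a baseline missing an essential package like "python" must never turn into a removal. The script below is an added example written for this editorial pass; it is not code posted by any participant and not an Ansible module. It assumes each host's package list is gathered by an Ansible task as one name per line (for instance the output of `rpm -qa --qf '%{NAME}\n'`) and handed to this script on the control node; the function names (`audit`, `safe_removal_candidates`), the baseline sets (`APPROVED`, `ESSENTIAL`) and the package lists are this example's own constructed values.

```python
"""Package-drift audit for hosts managed by Ansible (added example, not from the thread)."""
from dataclasses import dataclass
from typing import List, Optional, Set


def parse_package_names(text: str) -> Set[str]:
    """Turn one-name-per-line output (e.g. rpm -qa --qf '%{NAME}\\n') into a set.

    Blank lines and surrounding whitespace are dropped; a package installed for
    two architectures appears once.
    """
    return {line.strip() for line in text.splitlines() if line.strip()}


@dataclass
class DriftReport:
    host: str
    unapproved: List[str]         # installed but not in the approved baseline
    newly_installed: List[str]    # present now, absent in the previous snapshot
    removed_since_last: List[str]  # present before, absent now
    baseline_errors: List[str]    # essential packages missing from the baseline

    def is_clean(self) -> bool:
        return not (self.unapproved or self.newly_installed
                    or self.removed_since_last or self.baseline_errors)

    def render(self) -> str:
        """Plain-text body for the notification e-mail."""
        lines = [f"Package drift report for {self.host}"]
        if self.baseline_errors:
            lines.append("BASELINE ERROR - essential packages missing from the "
                         "approved list: " + ", ".join(self.baseline_errors))
        lines.append("Unapproved packages: " + (", ".join(self.unapproved) or "none"))
        lines.append("Newly installed since last run: "
                     + (", ".join(self.newly_installed) or "none"))
        lines.append("Removed since last run: "
                     + (", ".join(self.removed_since_last) or "none"))
        return "\n".join(lines)


def audit(host: str, installed: Set[str], approved: Set[str], essential: Set[str],
          previous: Optional[Set[str]] = None) -> DriftReport:
    """Compare a host's installed packages with the approved baseline.

    `previous` is the snapshot saved by the last run; when given, the report
    also lists what changed between runs, which answers the "tell us when a new
    installation happens" question without removing anything.
    """
    baseline_errors = sorted(essential - approved)
    unapproved = sorted(installed - approved)
    newly_installed = sorted(installed - previous) if previous is not None else []
    removed = sorted(previous - installed) if previous is not None else []
    return DriftReport(host, unapproved, newly_installed, removed, baseline_errors)


def safe_removal_candidates(report: DriftReport, essential: Set[str]) -> List[str]:
    """Unapproved packages a remediation play could be allowed to remove.

    Returns an empty list when the baseline itself is broken (an essential
    package fell out of the approved list), so an edited inventory file can
    never become "state: absent" for python or glibc.
    """
    if report.baseline_errors:
        return []
    return [name for name in report.unapproved if name not in essential]


# --- constructed sample data, not collected from any real host ---------------
APPROVED = {"bash", "glibc", "python", "rpm", "yum", "openssl", "nginx"}
ESSENTIAL = {"bash", "glibc", "python", "rpm", "yum"}
PREVIOUS_RUN = parse_package_names("bash\nglibc\npython\nrpm\nyum\nopenssl\nnginx\n")
CURRENT_RUN = parse_package_names(
    "bash\nglibc\npython\nrpm\nyum\nopenssl\nnginx\nnodejs\ntelnet\n"
)

if __name__ == "__main__":
    report = audit("web01", CURRENT_RUN, APPROVED, ESSENTIAL, PREVIOUS_RUN)
    print(report.render())
    print("Removal candidates:", safe_removal_candidates(report, ESSENTIAL))
```

Run from a playbook, the natural split is: a task collects the package names per host, this script (or its functions, called from a local action) produces the report and the previous snapshot is stored alongside the inventory, and only `safe_removal_candidates` is ever fed to a `state: absent` task, if removal is wanted at all. As Frank notes, this still only sees what the package manager knows about; software dropped into /usr/local or built from source needs a separate file-integrity or inventory check.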
