Re: [ansible-project] Configuration Drift

2023-06-28 Thread 'Rowe, Walter P. (Fed)' via Ansible Project
Good point. I should add that all our Linux servers also have aide installed 
and configured for performing file integrity checking.

Walter
--
Walter Rowe, Division Chief
Infrastructure Services, OISM
Mobile: 202.355.4123

On Jun 28, 2023, at 11:45 AM, Brian Coca  wrote:

Ansible CAN do many things, does not mean it should, see this old
presentation where I show an example of 'file alteration monitoring'
https://www.slideshare.net/bcoca/ansible-tips- tricks  slide 15
(cowsay kitty mentions aide/osiris/tripwire).


--
--
Brian Coca


-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/8CFB4E06-3A9D-482D-8618-794E53FDF806%40nist.gov.


Re: [ansible-project] Configuration Drift

2023-06-28 Thread Brian Coca
Ansible CAN do many things, does not mean it should, see this old
presentation where I show an example of 'file alteration monitoring'
https://www.slideshare.net/bcoca/ansible-tips- tricks  slide 15
(cowsay kitty mentions aide/osiris/tripwire).


-- 
--
Brian Coca



Re: [ansible-project] Configuration Drift

2023-06-28 Thread John Petro
Oh, thanks, that is really helpful.  In parallel, we have been kicking the
tires on Insights for our RHEL servers too.  We have a few Ubuntu servers,
so obviously that won't work for them, but I do like the idea of using a
Tripwire/AIDE type tool and then passing it off to Ansible if needed.  You
have definitely given me some things to ponder.

--John

On Tue, Jun 27, 2023 at 5:18 PM Brian Coca  wrote:

> For drift control I've found most CM systems to be lacking. I've
> always used something like tripwire/aide to detect file changes and
> correlate that with the proper configuration updates. Puppet and other
> 'resident' systems seem good for this but they run every N minutes
> doing a lot of work to verify things, instead of using something like
> inotify to trigger immediate response from a passive kernel hook (via
> fam daemon or something as simple as incron). This ends up being a LOT
> more efficient and avoids a lot of useless processing.
>
> --
> --
> Brian Coca
>

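The tripwire/aide approach Brian describes, and John's idea of handing the result to Ansible, as an added example that is not code from the thread or from any of the tools named: a stdlib-only Python sketch of an AIDE-style integrity baseline and comparison. The file names and contents are constructed for the demo and live in a temporary directory; the JSON report is the shape a periodic job or an inotify-triggered hook could pass to a remediation playbook.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Digest plus the metadata AIDE-style tools typically track per file."""
    st = path.lstat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "mode": oct(st.st_mode & 0o7777),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }

def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root, keyed by path relative to root."""
    return {
        str(p.relative_to(root)): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }

def compare(baseline: dict, current: dict) -> dict:
    """Classify drift as added / removed / changed, naming the attributes that differ."""
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if diffs:
                report["changed"][rel] = diffs
    return report

def drifted(report: dict) -> bool:
    """True when the report carries anything a remediation playbook should act on."""
    return bool(report["added"] or report["removed"] or report["changed"])

def demo() -> dict:
    """Constructed scenario in a temporary directory: baseline, tamper, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (root / "sudoers").chmod(0o440)
        (root / "ntp.conf").write_text("server time.example.org\n")
        baseline = build_baseline(root)
        # Three kinds of drift: content edited, permissions loosened, file removed,
        # plus one unmanaged file appearing.
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "sudoers").chmod(0o644)
        (root / "ntp.conf").unlink()
        (root / "local.conf").write_text("# unmanaged\n")
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    # JSON is what you would hand to Ansible, e.g. as extra vars for a remediation play.
    print(json.dumps(demo(), indent=2))
```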


Re: [ansible-project] Configuration Drift

2023-06-27 Thread Andrew Latham
And yes there is an inotify tool for Ansible a la
https://github.com/gantsign/ansible-role-inotify

Or you can set an attribute
```
chattr +i myconf.conf
```

or do it via
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/file_module.html

On Tue, Jun 27, 2023 at 3:18 PM Brian Coca  wrote:

> For drift control I've found most CM systems to be lacking. I've
> always used something like tripwire/aide to detect file changes and
> correlate that with the proper configuration updates. Puppet and other
> 'resident' systems seem good for this but they run every N minutes
> doing a lot of work to verify things, instead of using something like
> inotify to trigger immediate response from a passive kernel hook (via
> fam daemon or something as simple as incron). This ends up being a LOT
> more efficient and avoids a lot of useless processing.
>
> --
> --
> Brian Coca
>


-- 
- Andrew "lathama" Latham -



Re: [ansible-project] Configuration Drift

2023-06-27 Thread Brian Coca
For drift control I've found most CM systems to be lacking. I've
always used something like tripwire/aide to detect file changes and
correlate that with the proper configuration updates. Puppet and other
'resident' systems seem good for this but they run every N minutes
doing a lot of work to verify things, instead of using something like
inotify to trigger immediate response from a passive kernel hook (via
fam daemon or something as simple as incron). This ends up being a LOT
more efficient and avoids a lot of useless processing.

-- 
--
Brian Coca



Re: [ansible-project] Configuration Drift

2023-06-27 Thread Evan Hisey
Right, this is why I liked Puppet for drift control on critical things. And
something I also transferred to Ansible. To avoid hard drift correction, I
find you need at least a daily config reset. On developer-facing systems, I
have found going as often as an hour to as little as 30 min is important
to catch changes and provide predictable "soft" intervals for doing things
that require temporary deviation on systems. The longer between forced
true-ups, the harsher the drift reset becomes and the harder to diagnose what
caused the drift and failure when correction of a drift causes a break.

On Tue, Jun 27, 2023 at 3:16 PM Todd Lewis  wrote:

> I think the idea was carried over when we migrated from Puppet to Ansible,
> but all our middleware projects include a "daily" playbook. Ideally they
> don't do anything unless something has drifted, although a few feed into
> reporting. This is separate from our patch-n-reboot process, which is more
> a systems level thing. We try to keep a separation between OS config and
> middleware configs, but the OS group's playbook, which follows the
> mono-repo pattern, also runs on each host daily.
>
> On 6/27/23 3:11 PM, John Petro wrote:
>
> Good Afternoon,
>   I was wondering what you all are doing to manage configuration drift.
> Are you having Ansible fix the drift, are you having it notify you of the
> drift, or are you doing something else?  At work, we are preparing to start
> having some conversations about what we want to do, and I thought this
> information from you all might be helpful in our journey.
>
> Thanks for your time!!
>
> ---john
>
>



Re: [ansible-project] Configuration Drift

2023-06-27 Thread Todd Lewis
I think the idea was carried over when we migrated from Puppet to 
Ansible, but all our middleware projects include a "daily" playbook. 
Ideally they don't do anything unless something has drifted, although a 
few feed into reporting. This is separate from our patch-n-reboot 
process, which is more a systems level thing. We try to keep a 
separation between OS config and middleware configs, but the OS group's 
playbook, which follows the mono-repo pattern, also runs on each host daily.


On 6/27/23 3:11 PM, John Petro wrote:

Good Afternoon,
  I was wondering what you all are doing to manage configuration 
drift.  Are you having Ansible fix the drift, are you having it 
notify you of the drift, or are you doing something else?  At work, we 
are preparing to start having some conversations about what we want to 
do, and I thought this information from you all might be helpful in 
our journey.


Thanks for your time!!

---john




Re: [ansible-project] Configuration Drift

2023-06-27 Thread John Petro
Yeah, we are going to do it through AAP/AWX.  Where my interest is, besides
the method (reporting vs clobbering), is the intervals people are using,
which you answered.  We are currently migrating away from Puppet in favor
of Ansible, and in the process, we are reviewing decisions that were made
when Puppet was installed, to see if those are still valid.  Many have been
changed, because technology has changed.  Thanks for the info, it's really
helpful.

On Tue, Jun 27, 2023 at 4:09 PM Evan Hisey  wrote:

> For drift control I don't find Ansible the best tool when compared to
> something like Puppet in this role. However, if drift control is important,
> that is where Tower/AWX or Satellite (if pure RHEL based) start to shine.
> You can set up a scheduled application of playbooks to always ensure the
> configurations are current and up to date. I used Satellite and Ansible to
> maintain STIG and FISMA MED security configs across multiple federal sites
> with a scheduled nightly push of core configs to all systems.
>
> On Tue, Jun 27, 2023 at 2:11 PM John Petro  wrote:
>
>> Good Afternoon,
>>   I was wondering what you all are doing to manage configuration drift.
>> Are you having Ansible fix the drift, are you having it notify you of the
>> drift, or are you doing something else?  At work, we are preparing to start
>> having some conversations about what we want to do, and I thought this
>> information from you all might be helpful in our journey.
>>
>> Thanks for your time!!
>>
>> ---john
>>



Re: [ansible-project] Configuration Drift

2023-06-27 Thread Evan Hisey
For drift control I don't find Ansible the best tool when compared to
something like Puppet in this role. However, if drift control is important,
that is where Tower/AWX or Satellite (if pure RHEL based) start to shine.
You can set up a scheduled application of playbooks to always ensure the
configurations are current and up to date. I used Satellite and Ansible to
maintain STIG and FISMA MED security configs across multiple federal sites
with a scheduled nightly push of core configs to all systems.

On Tue, Jun 27, 2023 at 2:11 PM John Petro  wrote:

> Good Afternoon,
>   I was wondering what you all are doing to manage configuration drift.
> Are you having Ansible fix the drift, are you having it notify you of the
> drift, or are you doing something else?  At work, we are preparing to start
> having some conversations about what we want to do, and I thought this
> information from you all might be helpful in our journey.
>
> Thanks for your time!!
>
> ---john
>



Re: [ansible-project] Configuration Drift

2023-06-27 Thread John Petro
That is very interesting, and helpful.  Thanks..

On Tue, Jun 27, 2023 at 3:21 PM 'Rowe, Walter P. (Fed)' via Ansible Project
 wrote:

> We have an ansible role that applies the CIS Distro Independent Linux 2
> baseline when we launch new machines. We also have an ansible tower
> workflow for regularly scheduled patching. At the end of the patching
> workflow we again run the CIS baseline role to ensure we are maintaining
> compliance with our secure configuration baseline.
>
> stop machine -> snapshot -> start machine -> patch -> reboot -> test ->
> snapshot -> secure config -> reboot
>
> If patching fails, we revert to the starting snapshot.
> If secure config fails, we revert to the post-test snapshot.
>
> All of this is done via ansible automation platform.
>
> Walter
> --
> Walter Rowe, Division Chief
> Infrastructure Services, OISM
> Mobile: 202.355.4123
>
> On Jun 27, 2023, at 3:11 PM, John Petro  wrote:
>
> Good Afternoon,
>   I was wondering what you all are doing to manage configuration drift.
> Are you having Ansible fix the drift, are you having it notify you of the
> drift, or are you doing something else?  At work, we are preparing to start
> having some conversations about what we want to do, and I thought this
> information from you all might be helpful in our journey.
>
> Thanks for your time!!
>
> ---john
>



Re: [ansible-project] Configuration Drift

2023-06-27 Thread 'Rowe, Walter P. (Fed)' via Ansible Project
We have an ansible role that applies the CIS Distro Independent Linux 2 
baseline when we launch new machines. We also have an ansible tower workflow 
for regularly scheduled patching. At the end of the patching workflow we again 
run the CIS baseline role to ensure we are maintaining compliance with our 
secure configuration baseline.

stop machine -> snapshot -> start machine -> patch -> reboot -> test -> 
snapshot -> secure config -> reboot

If patching fails, we revert to the starting snapshot.
If secure config fails, we revert to the post-test snapshot.

All of this is done via ansible automation platform.

Walter
--
Walter Rowe, Division Chief
Infrastructure Services, OISM
Mobile: 202.355.4123

On Jun 27, 2023, at 3:11 PM, John Petro  wrote:

Good Afternoon,
  I was wondering what you all are doing to manage configuration drift.  Are 
you having Ansible fix the drift, are you having it notify you of the drift, 
or are you doing something else?  At work, we are preparing to start having 
some conversations about what we want to do, and I thought this information 
from you all might be helpful in our journey.

Thanks for your time!!

---john



[ansible-project] Configuration Drift

2023-06-27 Thread John Petro
Good Afternoon,
  I was wondering what you all are doing to manage configuration drift.
Are you having Ansible fix the drift, are you having it notify you of the
drift, or are you doing something else?  At work, we are preparing to start
having some conversations about what we want to do, and I thought this
information from you all might be helpful in our journey.

Thanks for your time!!

---john
