"It’s not so much OCD as it is DISA STIG.  The RHEL6 STIG rules explicitly
state for specific services that if it’s not needed on a host it must be
disabled/uninstalled."

I did a small amount of consulting around STIG for a previous systems
management app company -- so I know what you are talking about.
Ultimately, those tools are not *great* at describing something that isn't
there, and this still holds for Ansible, though having a list of services
to remove and doing the following is not heinous evil:

   - yum: name={{ item }} state=absent
     with_items: packages_to_remove

Etc.

(Of course if someone installs "banned_package" in
/usr/local/you-are-not-going-to-find-it, that's not a complete solution)

Thanks for clarifying the use case!

On Tue, May 6, 2014 at 9:42 AM, Snyder, Chris <chris_sny...@sra.com> wrote:

>  It’s not so much OCD as it is DISA STIG.  The RHEL6 STIG rules
> explicitly state for specific services that if it’s not needed on a host it
> must be disabled/uninstalled.  Granted I don’t need to do that for every
> possible service, but I do have to do it for specific services.   What I
> may end up doing is have a general ‘base’ OS playbook for when I’m setting
> up host that only turns on stuff.  And then have a separate STIG playbook
> that I run occasionally to ensure that only those needed services on a
> given host are actually enabled and other STIG-identified services are not.
>
> Thx, all.
>
> Chris.
>
> *From:* ansible-project@googlegroups.com [
> mailto:ansible-project@googlegroups.com <ansible-project@googlegroups.com>]
> *On Behalf Of *Michael DeHaan
> *Sent:* Thursday, May 01, 2014 5:31 PM
> *To:* ansible-project@googlegroups.com
> *Subject:* Re: [ansible-project] Re: Need help organizing tasks/playbooks
> for multiple operating systems
>
> I think this comes from some sort of OCD and you may wish to give this up
> :)
>
> State what should be on the machines, not what should not.
>
> It would be impossible to define all the things a server could not be.
>
> On Thu, May 1, 2014 at 1:59 PM, Adam Morris <zwack...@gmail.com> wrote:
>
> On Thursday, May 1, 2014 10:12:58 AM UTC-7, Snyder, Chris wrote:
>
> I’m stuck.  I’m sure this can all be done a better way, but right now, I’m
> just not seeing it. Can anyone offer suggestions of what else to try here?
>
> I'm sure that there are many better ways...
>
> First, you can detect your OS programmatically and add it to the
> appropriate group...  I start with a playbook that has this...
>
> ---
> # file: group.yml
> - hosts: all
>   gather_facts: true
>   tasks:
>     - group_by: key={{ ansible_os_family }}
>     - group_by: key={{ ansible_product_name.split()[0] }}
>
> This creates a group for each OS family (RedHat/Debian/AIX) but you can be
> more specific if you want, and one that lets me detect HP Proliant hardware
> (I have some tasks specifically for that...)
>
> Then I run some playbooks with generic tasks some of which have
> alternatives for different OSes.  Equally I could split these into four
> roles, one for Generic tasks, and one for each of the OS variants...
>
> If the only difference between two tasks is some parameters (This file
> should be owned by group "sys" on this OS but "root" on that...) then I use
> variables for those differences and set variables for different groups in
> the group_vars directory.
>
>  And I did this for *EVERY SERVICE* (xinetd, vsftpd, httpd, etc….) on my
> hosts. In short, if it didn’t have to be on, it had to be explicitly
> disabled. [If there’s a better form for these types of patterns, PLEASE let
> me know – it’s so verbose and ugly, especially duplicated for every service
> I have on my boxes.]
>
>  Much better would be to have a list of services to disable and use
> with_items...
>
>   - name: Ensure servers removed
>     yum: name={{ item }} state=absent
>     with_items: remove_server_list
>
> You can get fancier still, but this should be enough to get you moving
> along cleaner lines...
>
> I hope that this helps,
>
>     Adam
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com.
> To post to this group, send email to ansible-project@googlegroups.com.
>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/2a1392bc-17c6-42b8-8991-748e9ae24cc8%40googlegroups.com<https://groups.google.com/d/msgid/ansible-project/2a1392bc-17c6-42b8-8991-748e9ae24cc8%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
>
> For more options, visit https://groups.google.com/d/optout.
>
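The two ideas in this thread (Adam's group_by play that sorts hosts by OS family, and the "list of packages to remove, loop with with_items" pattern from Adam's and Michael's replies) fit naturally into one STIG-style playbook. The following is an added example written for this page, not code posted by anyone in the thread; the variable names (stig_packages_to_remove, stig_services_to_disable), the package and service names in the lists, and the use of the find module (Ansible 2.0 or later) are assumptions to be replaced by the items your own STIG checklist names. It also picks up Michael's caveat that package state says nothing about a binary dropped into /usr/local, by adding an audit task that only reports such files.

```yaml
---
# Added example, not from the original thread. A deny-list playbook that
# removes STIG-flagged packages, stops and disables STIG-flagged services, and
# reports matching binaries living outside package management.
# All list contents and variable names below are illustrative assumptions.

# Play 1: classify hosts by OS family (Adam's group_by pattern) so later plays
# can target "RedHat" or "Debian" without hard-coding inventory groups.
- hosts: all
  gather_facts: true
  tasks:
    - group_by: key={{ ansible_os_family }}

# Play 2: enforce the "must not be present / must not be running" rules on
# RedHat-family hosts. Run this as the occasional STIG play, separate from
# the "base" play that only turns things on.
- hosts: RedHat
  vars:
    # Assumed lists; substitute the packages and services your STIG rules name.
    stig_packages_to_remove:
      - telnet-server
      - rsh-server
      - ypserv
    stig_services_to_disable:
      - vsftpd
      - httpd
      - xinetd
  tasks:
    - name: Remove packages the STIG says must not be installed
      yum: name={{ item }} state=absent
      with_items: "{{ stig_packages_to_remove }}"

    # Kept separate from package removal: a service may be legitimately
    # installed on some hosts and still must not run on this one.
    - name: Stop and disable services not needed on this host
      service: name={{ item }} state=stopped enabled=no
      with_items: "{{ stig_services_to_disable }}"
      # The init script is absent on hosts that never had the package;
      # treat that as "already compliant" rather than a play failure.
      ignore_errors: yes

    # Michael's caveat: yum state=absent cannot see a binary copied into
    # /usr/local. This task only reports; it deletes nothing.
    # (find module is assumed: available from Ansible 2.0.)
    - name: Look for banned service binaries outside package management
      find:
        paths: /usr/local/bin,/usr/local/sbin
        patterns: "{{ stig_services_to_disable }}"
      register: stray_binaries

    - name: Fail the STIG run if unmanaged binaries were found
      fail: msg="Unmanaged binaries found: {{ stray_binaries.files | map(attribute='path') | list }}"
      when: stray_binaries.matched > 0
```

Run it with `ansible-playbook stig.yml` after the base playbook; because the second play targets the `RedHat` group that the first play creates from gathered facts, both plays need to live in the same playbook file (or the group_by play must be included first). The `find` task is what turns "state what should be there" into something closer to a complete check: it does not make the deny list exhaustive, but it does surface the one gap the thread explicitly names.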
