Ansible bigip - confirm only two local user accounts

RiverFish
Altostratus

Greetings. For security compliance purposes I'm trying to confirm that only two local user accounts exist on each F5, but I'm not having any luck. Below are the two methods I've tried and the error messages. Any help would be greatly appreciated.

Ansible 2.9.1

---
- name: check security compliance on F5s
  hosts: testGroup
  connection: local
  gather_facts: no
  vars:
    providerA:
      password: "{{ password }}"
      server: "{{ ansible_host }}"
      user: "{{ user }}"
      validate_certs: False

  tasks:
    - name: local users
      bigip_command:
        commands: list auth user
        provider: "{{ providerA }}"
      register: local_users

    - name: confirm only two user accounts exist
      debug:
        msg: "only two user accounts exist"
      when: local_users.stdout.find('auth user') == 2

{
  "msg": "The conditional check 'local_users.stdout.find('auth user') == 2' failed. The error was: error while evaluating conditional (local_users.stdout.find('auth user') == 2): 'list object' has no attribute 'find'\n\nThe error appears to be in '/tmp/bwrap_1407122_vqhuv58l/awx_1407122_2ajau8cz/project/ansible-f5-security-compliance/playbooks/main.yml': line 20, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: confirm only two user accounts exist\n   ^ here\n",
  "_ansible_no_log": false
}

---
- name: check security compliance on F5s
  hosts: testGroup
  connection: local
  gather_facts: no
  vars:
    providerA:
      password: "{{ password }}"
      server: "{{ ansible_host }}"
      user: "{{ user }}"
      validate_certs: False

  tasks:
    - name: local users
      bigip_device_info:
        gather_subset:
          - users
        provider: "{{ providerA }}"
      register: local_users

    - name: confirm only two user accounts exist
      debug:
        msg: "only two user accounts exist"
      when: local_users.stdout.find('full_path') == 2

{
  "msg": "The conditional check 'local_users.stdout.find('full_path') == 2' failed. The error was: error while evaluating conditional (local_users.stdout.find('full_path') == 2): 'dict object' has no attribute 'stdout'\n\nThe error appears to be in '/tmp/bwrap_1407131_x5we4dg9/awx_1407131_pmwj_q1j/project/ansible-f5-security-compliance/playbooks/main.yml': line 21, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: confirm only two user accounts exist\n   ^ here\n",
  "_ansible_no_log": false
}

1 reply

RiverFish
Altostratus

Well, I found one way to do it. Instead of counting the occurrence of a specific string/word in the output, you can just count the length of the output. The length of two local user accounts is 6. So if someone tried to secretly create another user account, the length would be greater than 6.

    - name: local users
      bigip_device_info:
        gather_subset:
          - users
        provider: "{{ providerA }}"
      register: user_output

    # user_output.users is a list, so its length is the number of local accounts
    - name: count the length of user_output.users
      debug:
        msg: "user_output.users length is: {{ user_output.users | length }}"
      failed_when: user_output.users | length > 2
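A count alone cannot tell an approved account from an unexpected one that replaced it, so a stricter form of the same check compares the full paths returned by bigip_device_info against an explicit allowlist. This is an added example, not part of RiverFish's post; the two entries in expected_users are placeholders for whichever accounts policy permits on your devices.

```yaml
---
- name: check that only the approved local users exist on F5s
  hosts: testGroup
  connection: local
  gather_facts: no
  vars:
    providerA:
      password: "{{ password }}"
      server: "{{ ansible_host }}"
      user: "{{ user }}"
      validate_certs: False
    # Assumption: placeholders for the two accounts allowed by policy.
    expected_users:
      - /Common/admin
      - /Common/EXAMPLE_SERVICE_ACCOUNT

  tasks:
    - name: gather local users
      bigip_device_info:
        gather_subset:
          - users
        provider: "{{ providerA }}"
      register: user_output

    # Reduce the list of user dicts to their full_path values.
    - name: build the list of local user full paths actually present
      set_fact:
        actual_users: "{{ user_output.users | map(attribute='full_path') | list }}"

    # Fail if anything is present that is not approved, or if an
    # approved account is missing (a swapped account keeps the count at 2).
    - name: fail unless the local users match the approved list exactly
      assert:
        that:
          - actual_users | difference(expected_users) | length == 0
          - expected_users | difference(actual_users) | length == 0
        fail_msg: >-
          unexpected accounts: {{ actual_users | difference(expected_users) }};
          missing accounts: {{ expected_users | difference(actual_users) }}
        success_msg: "only the approved local user accounts exist"
```

The assert task reports both directions of drift in one message, which is easier to act on from AWX output than a bare length check.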