Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Ansible bigip - confirm only two local user accounts

RiverFish
Altostratus
Altostratus

‎07-Jan-2022 07:34 - last edited on ‎04-Jun-2023 19:14 by Fog

Greetings. For security compliance purposes I'm trying to confirm that only two local user accounts exist on each F5 but not having any luck. Below are the two methods I've tried and the error messages. Any help would be greatly appreciated.

Ansible 2.9.1

---
- name: check security compliance on F5s
  hosts: testGroup
  connection: local
  gather_facts: no
  vars:
    providerA:
      password: "{{ password }}"
      server: "{{ ansible_host }}"
      user: "{{ user }}"      
      validate_certs: False  
  
  tasks:
    - name: local users
      bigip_command:
        commands: list auth user
        provider: "{{ providerA }}"
      register: local_users
  
    - name: confirm only two user accounts exist
      debug:
        msg: "only two user accounts exist"
      when: local_users.stdout.find('auth user') == 2

{

  "msg": "The conditional check 'local_users.stdout.find('auth user') == 2' failed. The error was: error while evaluating conditional (local_users.stdout.find('auth user') == 2): 'list object' has no attribute 'find'\n\nThe error appears to be in '/tmp/bwrap_1407122_vqhuv58l/awx_1407122_2ajau8cz/project/ansible-f5-security-compliance/playbooks/main.yml': line 20, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: confirm only two user accounts exist\n   ^ here\n",

  "_ansible_no_log": false

}

---
- name: check security compliance on F5s
  hosts: testGroup
  connection: local
  gather_facts: no
  vars:
    providerA:
      password: "{{ password }}"
      server: "{{ ansible_host }}"
      user: "{{ user }}"      
      validate_certs: False
  
  tasks:
    - name: local users
      bigip_device_info:
        gather_subset:
          - users
        provider: "{{ providerA }}"
      register: local_users
  
    - name: confirm only two user accounts exist
      debug:
        msg: "only two user accounts exist"
      when: local_users.stdout.find('full_path') == 2

{

  "msg": "The conditional check 'local_users.stdout.find('full_path') == 2' failed. The error was: error while evaluating conditional (local_users.stdout.find('full_path') == 2): 'dict object' has no attribute 'stdout'\n\nThe error appears to be in '/tmp/bwrap_1407131_x5we4dg9/awx_1407131_pmwj_q1j/project/ansible-f5-security-compliance/playbooks/main.yml': line 21, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: confirm only two user accounts exist\n   ^ here\n",

  "_ansible_no_log": false

}

Labels:
0 Kudos
1 REPLY 1

RiverFish
Altostratus
Altostratus

‎10-Jan-2022 19:44 - last edited on ‎04-Jun-2023 19:13 by Fog

Well I found one way to do it. Instead of counting the occurrence of a specific string/word in the output, you can just count the length of the output. The length of two local user accounts is 6. So if someone tried to secretly create another user account the length would be greater than 6.

- name: local users
      bigip_device_info:
        gather_subset:
          - users
        provider: "{{ providerA }}"
      register: user_output
 
    - name: count the length of user_output.users
      debug:
        msg: "User-ouput.users length is: {{ user_output.users | length }}"
      failed_when: user_output.users|length > 2
0 Kudos
Copyright © 2023 Khoros, LLC