Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Ansible bigip - confirm only two local user accounts

RiverFish
Altostratus
Altostratus

‎07-Jan-2022 07:34

Greetings. For security compliance purposes I'm trying to confirm that only two local user accounts exist on each F5 but not having any luck. Below are the two methods I've tried and the error messages. Any help would be greatly appreciated.

 

Ansible 2.9.1

 

--- - name: check security compliance on F5s   hosts: testGroup   connection: local   gather_facts: no   vars:     providerA:       password: "{{ password }}"       server: "{{ ansible_host }}"       user: "{{ user }}"             validate_certs: False     tasks:     - name: local users       bigip_command:         commands: list auth user         provider: "{{ providerA }}"       register: local_users     - name: confirm only two user accounts exist       debug:         msg: "only two user accounts exist"       when: local_users.stdout.find('auth user') == 2

 

{

  "msg": "The conditional check 'local_users.stdout.find('auth user') == 2' failed. The error was: error while evaluating conditional (local_users.stdout.find('auth user') == 2): 'list object' has no attribute 'find'\n\nThe error appears to be in '/tmp/bwrap_1407122_vqhuv58l/awx_1407122_2ajau8cz/project/ansible-f5-security-compliance/playbooks/main.yml': line 20, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: confirm only two user accounts exist\n   ^ here\n",

  "_ansible_no_log": false

}

 

--- - name: check security compliance on F5s   hosts: testGroup   connection: local   gather_facts: no   vars:     providerA:       password: "{{ password }}"       server: "{{ ansible_host }}"       user: "{{ user }}"             validate_certs: False   tasks:     - name: local users       bigip_device_info:         gather_subset:           - users         provider: "{{ providerA }}"       register: local_users     - name: confirm only two user accounts exist       debug:         msg: "only two user accounts exist"       when: local_users.stdout.find('full_path') == 2

 

{

  "msg": "The conditional check 'local_users.stdout.find('full_path') == 2' failed. The error was: error while evaluating conditional (local_users.stdout.find('full_path') == 2): 'dict object' has no attribute 'stdout'\n\nThe error appears to be in '/tmp/bwrap_1407131_x5we4dg9/awx_1407131_pmwj_q1j/project/ansible-f5-security-compliance/playbooks/main.yml': line 21, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: confirm only two user accounts exist\n   ^ here\n",

  "_ansible_no_log": false

}

Labels:
0 Kudos
1 REPLY 1

RiverFish
Altostratus
Altostratus

‎10-Jan-2022 19:44

Well I found one way to do it. Instead of counting the occurrence of a specific string/word in the output, you can just count the length of the output. The length of two local user accounts is 6. So if someone tried to secretly create another user account the length would be greater than 6.

- name: local users bigip_device_info: gather_subset: - users provider: "{{ providerA }}" register: user_output   - name: count the length of user_output.users debug: msg: "User-ouput.users length is: {{ user_output.users | length }}" failed_when: user_output.users|length > 2

 

0 Kudos
Copyright © 2023 Khoros, LLC