cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

Ansible bigip - confirm only two local user accounts

RiverFish
Altostratus
Altostratus

Greetings. For security compliance purposes I'm trying to confirm that only two local user accounts exist on each F5 but not having any luck. Below are the two methods I've tried and the error messages. Any help would be greatly appreciated.

 

Ansible 2.9.1

 

--- - name: check security compliance on F5s   hosts: testGroup   connection: local   gather_facts: no   vars:     providerA:       password: "{{ password }}"       server: "{{ ansible_host }}"       user: "{{ user }}"             validate_certs: False     tasks:     - name: local users       bigip_command:         commands: list auth user         provider: "{{ providerA }}"       register: local_users     - name: confirm only two user accounts exist       debug:         msg: "only two user accounts exist"       when: local_users.stdout.find('auth user') == 2

 

{

  "msg": "The conditional check 'local_users.stdout.find('auth user') == 2' failed. The error was: error while evaluating conditional (local_users.stdout.find('auth user') == 2): 'list object' has no attribute 'find'\n\nThe error appears to be in '/tmp/bwrap_1407122_vqhuv58l/awx_1407122_2ajau8cz/project/ansible-f5-security-compliance/playbooks/main.yml': line 20, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: confirm only two user accounts exist\n   ^ here\n",

  "_ansible_no_log": false

}

 

--- - name: check security compliance on F5s   hosts: testGroup   connection: local   gather_facts: no   vars:     providerA:       password: "{{ password }}"       server: "{{ ansible_host }}"       user: "{{ user }}"             validate_certs: False   tasks:     - name: local users       bigip_device_info:         gather_subset:           - users         provider: "{{ providerA }}"       register: local_users     - name: confirm only two user accounts exist       debug:         msg: "only two user accounts exist"       when: local_users.stdout.find('full_path') == 2

 

{

  "msg": "The conditional check 'local_users.stdout.find('full_path') == 2' failed. The error was: error while evaluating conditional (local_users.stdout.find('full_path') == 2): 'dict object' has no attribute 'stdout'\n\nThe error appears to be in '/tmp/bwrap_1407131_x5we4dg9/awx_1407131_pmwj_q1j/project/ansible-f5-security-compliance/playbooks/main.yml': line 21, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: confirm only two user accounts exist\n   ^ here\n",

  "_ansible_no_log": false

}

1 REPLY 1

RiverFish
Altostratus
Altostratus

Well I found one way to do it. Instead of counting the occurrence of a specific string/word in the output, you can just count the length of the output. The length of two local user accounts is 6. So if someone tried to secretly create another user account the length would be greater than 6.

- name: local users bigip_device_info: gather_subset: - users provider: "{{ providerA }}" register: user_output   - name: count the length of user_output.users debug: msg: "User-ouput.users length is: {{ user_output.users | length }}" failed_when: user_output.users|length > 2