ebarrere's questions

I have a server configured with AIDE and I'm trying to tune out false positives. I received an alert this morning that a file had been added to a folder that I believe should only alert on ACL changes, unless I'm misunderstanding something.

Here are the relevant parts of the config file:

...
# Access control only.
PERMS = p+u+g+acl+selinux+xattrs
...
/var/run/faillock/ PERMS

And the alert generated when I run aide --check:

AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2020-01-30 09:37:22

Summary:
  Total number of files:    69687
  Added files:          1
  Removed files:        0
  Changed files:        0


---------------------------------------------------
Added files:
---------------------------------------------------

added: /var/run/faillock/testfile

OS is CentOS 7, if that's relevant.

I am looking for a way to securely handle passwords in ansible. Basically I'd like to avoid typing my password every time root or administrator access is required on a remote machine, but maintain some semblance of security (I know any solution will reduce security slightly, but that's an okay tradeoff when doing lots of development work).

Something akin to ssh-agent would be perfect, where I can type my password once (when beginning dev work or at login) and then it will not prompt again while I remain logged in. Ideally the solution would support both Linux & Windows.

I know I can set ansible_password in a configuration file, or set NOPASSWD on Linux machines, but neither of those options are very secure, and the latter doesn't work for Windows.

Maybe some kind of encrypted vault that can be decrypted once and stored in a secure(ish) place in memory that ansible can access?

I am trying to restart the vsftpd service using a handler, based on changes to the config file. I have the following code in tasks/main.yaml:

- name: copy vsftpd.conf
  template: src=vsftpd.conf.j2 dest={{vsftpd_config_file}} backup=yes
  become: yes
  notify: restart vsftpd
  tags: [ 'configuration', 'package', 'vsftpd' ]

and this in handlers/main.yaml:

---
- name: restart vsftpd
  service: name={{ vsftpd_service_name }} state=restarted

the variables are defined as such, in defaults/main.yaml:

vsftpd_config_file: '/etc/vsftpd/vsftpd.conf'
vsftpd_service_name: 'vsftpd'

The handler gets called when I run the playbook:

...
TASK [linux-vsftpd : copy vsftpd.conf] **********************************************************************************************************************
changed: [ftp_host]
...
RUNNING HANDLER [linux-vsftpd : restart vsftpd] *************************************************************************************************************
changed: [ftp_host]

but the service doesn't get restarted:

[elliott.barrere@ftp_host ~]$ ps aux | grep vsftpd
248003150 10437 0.0  0.0 103304   896 pts/0    S+   14:23   0:00 grep vsftpd
root     51182  0.0  0.0  52120   852 ?        Ss   12:25   0:01 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

I can restart the service manually using the service script and the timestamp updates like I would expect:

[elliott.barrere@ftp_host ~]$ sudo service vsftpd restart
[sudo] password for elliott.barrere: 
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[elliott.barrere@ftp_host ~]$ ps aux | grep vsftpd
root     38995  0.0  0.0  52120   852 ?        Ss   14:23   0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
248003150 46878 0.0  0.0 103300   884 pts/0    S+   14:23   0:00 grep vsftpd
[elliott.barrere@ftp_host ~]$ 

Any ideas why Ansible isn't restarting the service, or worse, why it isn't reporting a failure?

I'm trying to create a set of users in Ansible using with_dict. The problem is sometimes the user already exists and I don't have the password. In that case I'd like to simply skip setting the password, but manage the rest of the user attributes. Here is an ugly workaround, but there must be a better way to do this:

- name: create FTP users (password known)
  user:
    name: "{{ item.key }}"
    comment: "{{ item.value.comment | default('') }}"
    password: "{{ item.value.password }}"
    shell: "{{ item.value.shell | default('/sbin/nologin') }}"
    home: "{{ item.value.home | default('/var/ftp/' + item.key) }}"
    createhome: "{{ item.value.createhome | default('no') }}"
  with_dict: "{{ ftp_users }}"
  when: item.value and item.value.password is defined

- name: create FTP users (password unknown)
  user:
    name: "{{ item.key }}"
    comment: "{{ item.value.comment | default('') }}"
    shell: "{{ item.value.shell | default('/sbin/nologin') }}"
    home: "{{ item.value.home | default('/var/ftp/' + item.key) }}"
    createhome: "{{ item.value.createhome | default('no') }}"
  with_dict: "{{ ftp_users }}"
  when: item.value.password is not defined

I've also found I can just pull the password for every user in to ansible from /etc/shadow, but that is kind of ugly as well. Is there a way to simply not try to manage the password attribute if the dict value is unset?

I'm looking at implementing Office365 Message Encryption for our organization. My question is this: is it actually more secure than regular (unencrypted) email for messages sent to users outside the organization?

According to this page, external users can receive a one-time passcode in order to view encrypted messages. However, this one-time passcode is also sent via email, so assuming a MITM attack, couldn't the attacker simply intercept the one-time passcode and decrypt the message?

Let me know if I'm missing something or if this is just more marketing hype from MS...

I'd like to download a large OS install ISO directly to my datastore. I used to be able to SSH to the ESXi terminal and use wget to download large files directly to the datastore, but it seems that wget can't handle https links anymore (wget: not an http or ftp url).

I'm wondering how others handle this. I know I can download the file to my laptop and use the datastore browser to upload it, but that's a two-step process (not to mention horribly inefficient when I'm offsite and accessing ESX through a VPN).

Thanks in advance for any suggestions!