Forum Discussion

RiverFish's avatar
RiverFish
Icon for Altostratus rankAltostratus
Jan 07, 2022

Ansible bigip - confirm only two local user accounts

Greetings. For security compliance purposes I'm trying to confirm that only two local user accounts exist on each F5 but not having any luck. Below are the two methods I've tried and the error messages. Any help would be greatly appreciated.

Ansible 2.9.1

---
- name: check security compliance on F5s
  hosts: testGroup
  connection: local
  gather_facts: no
  vars:
    providerA:
      password: "{{ password }}"
      server: "{{ ansible_host }}"
      user: "{{ user }}"      
      validate_certs: False  
  
  tasks:
    - name: local users
      bigip_command:
        commands: list auth user
        provider: "{{ providerA }}"
      register: local_users
  
    - name: confirm only two user accounts exist
      debug:
        msg: "only two user accounts exist"
      when: local_users.stdout.find('auth user') == 2

{

  "msg": "The conditional check 'local_users.stdout.find('auth user') == 2' failed. The error was: error while evaluating conditional (local_users.stdout.find('auth user') == 2): 'list object' has no attribute 'find'\n\nThe error appears to be in '/tmp/bwrap_1407122_vqhuv58l/awx_1407122_2ajau8cz/project/ansible-f5-security-compliance/playbooks/main.yml': line 20, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: confirm only two user accounts exist\n   ^ here\n",

  "_ansible_no_log": false

}

---
- name: check security compliance on F5s
  hosts: testGroup
  connection: local
  gather_facts: no
  vars:
    providerA:
      password: "{{ password }}"
      server: "{{ ansible_host }}"
      user: "{{ user }}"      
      validate_certs: False
  
  tasks:
    - name: local users
      bigip_device_info:
        gather_subset:
          - users
        provider: "{{ providerA }}"
      register: local_users
  
    - name: confirm only two user accounts exist
      debug:
        msg: "only two user accounts exist"
      when: local_users.stdout.find('full_path') == 2

{

  "msg": "The conditional check 'local_users.stdout.find('full_path') == 2' failed. The error was: error while evaluating conditional (local_users.stdout.find('full_path') == 2): 'dict object' has no attribute 'stdout'\n\nThe error appears to be in '/tmp/bwrap_1407131_x5we4dg9/awx_1407131_pmwj_q1j/project/ansible-f5-security-compliance/playbooks/main.yml': line 21, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: confirm only two user accounts exist\n   ^ here\n",

  "_ansible_no_log": false

}

  • Well I found one way to do it. Instead of counting the occurrence of a specific string/word in the output, you can just count the length of the output. The length of two local user accounts is 6. So if someone tried to secretly create another user account the length would be greater than 6.

    - name: local users
          bigip_device_info:
            gather_subset:
              - users
            provider: "{{ providerA }}"
          register: user_output
     
        - name: count the length of user_output.users
          debug:
            msg: "User-ouput.users length is: {{ user_output.users | length }}"
          failed_when: user_output.users|length > 2