├── README.md
├── library
    ├── scan_cron.py
    ├── scan_processes.py
    ├── scan_sudoers.py
    └── scan_user_group.py
└── test
    ├── library
    ├── scan_cron.yml
    ├── scan_processes.yml
    ├── scan_sudoers.yml
    └── scan_user_group.yml


/README.md:
--------------------------------------------------------------------------------
 1 | # ansible-fact
 2 | ## Table of Contents
 3 | <!-- TOC depthFrom:2 depthTo:6 withLinks:1 updateOnSave:1 orderedList:1 -->
 4 | 
 5 | 1. [Table of Contents](#table-of-contents)
 6 | 2. [About](#about)
 7 | 3. [Available Modules](#available-modules)
 8 | 4. [Module Documentation](#module-documentation)
 9 | 5. [Contributions](#contributions)
10 | 	1. [Guidelines](#guidelines)
11 | 6. [Author(s)](#authors)
12 | 
13 | <!-- /TOC -->
14 | 
15 | ## About
16 | The concept of this project is to perform Infrastructure-as-Code in Reverse (i.e. iacir - pronounced: aya sir).  
17 | 
18 | `ansible-fact` consists of a collection of Ansible fact collectors to be able to generate structured data and harvest system configurations.  The goal is to be able to automatically collect all aspects of a system's configuration through modules.
19 | 
20 | ## Available Modules
21 | | Module Name | Description | Test Playbook |
22 | | --- | --- | --- |
23 | | [scan_cron](library/scan_cron.py) | Collects all cron data from a system and converts to structured data | [scan_cron.yml](test/scan_cron.yml) |
24 | | [scan_processes](library/scan_processes.py) | Collects currently running processes from a system and converts to structured data | [scan_processes.yml](test/scan_processes.yml) |
25 | | [scan_sudoers](library/scan_sudoers.py) | Collects all sudoers configurations and converts to structured data | [scan_sudoers.yml](test/scan_sudoers.yml) |
26 | | [scan_user_group](library/scan_user_group.py) | Collects all local user and group data from `/etc/shadow`, `/etc/gshadow`, `/etc/passwd`, and `/etc/group`, and merges into structured data. | [scan_user_group.yml](test/scan_user_group.yml)
27 | 
28 | ## Module Documentation
29 | All module documentation can be found in each respective module, as with any Ansible module.
30 | 
31 | ## Contributions
32 | Please feel free to openly contribute to this project.  All code will be reviewed prior to merging.
33 | 
34 | ### Guidelines
35 | * Please perform all development and pull requests against the `dev` branch of this repository.
36 | * If a particular fact collector can apply to many different Operating Systems, please try and accommodate all Operating System implementations in an attempt to keep this project platform agnostic.
37 | * Please include a test playbook in the [test](test) directory.
38 | * Please place your modules in the [library](library) directory.
39 | * Please document your code and modules thoroughly via comments and by following [Ansible's Module Development Documentation](https://docs.ansible.com/ansible/latest/dev_guide/developing_modules_general.html#starting-a-new-module).
40 | 
41 | ## Author(s)
42 | [Andrew J. Huffman](https://github.com/ahuffman)
43 | 


--------------------------------------------------------------------------------
/library/scan_cron.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | 
  3 | # Copyright: (c) 2019, Andrew J. Huffman <ahuffman@redhat.com>
  4 | # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
  5 | 
  6 | ANSIBLE_METADATA = {'metadata_version': '1.1',
  7 |                     'status': ['preview'],
  8 |                     'supported_by': 'community'}
  9 | 
 10 | DOCUMENTATION = '''
 11 | ---
 12 | module: scan_cron
 13 | short_description: Collects cron job facts
 14 | version_added: "2.8"
 15 | description:
 16 |     - "Collects cron job facts from a system."
 17 |     - "The module can display both parsed and raw cron configurations which is useful when some cron jobs are scripts and others are true schedules."
 18 |     - "The display of either raw configurations or parsed configurations can be limited via the module parameters."
 19 | options:
 20 |     output_raw_configs:
 21 |         description:
 22 |             - Whether or not to output raw configuration lines (excluding comments) from the scanned cron files
 23 |         default: True
 24 |         required: False
 25 |     output_parsed_configs:
 26 |         description:
 27 |             - Whether or not to output parsed data from the scanned cron files
 28 |         default: True
 29 |         required: False
 30 | author:
 31 |     - Andrew J. Huffman (@ahuffman)
 32 | '''
 33 | 
 34 | EXAMPLES = '''
 35 | # Collect all cron data (defaults)
 36 | - name: "Collect all cron data"
 37 |   scan_cron:
 38 | 
 39 | # Collect only raw configurations (minus comments)
 40 | - name: "Collect raw cron configs"
 41 |   scan_cron:
 42 |     output_parsed_configs: False
 43 | 
 44 | # Collect only parsed configuration data
 45 | #     This is only useful if you have no scripting logic in the cron files (i.e. if's, do untils, etc.)
 46 | - name: "Collect parsed cron data"
 47 |   scan_cron:
 48 |     output_raw_configs: False
 49 | '''
 50 | 
 51 | RETURN = '''
 52 | # From a default Fedora configuration
 53 | cron:
 54 |   all_scanned_files:
 55 |     - /etc/crontab
 56 |     - /etc/cron.hourly/0anacron
 57 |     - /etc/cron.weekly/98-zfs-fuse-scrub
 58 |     - /var/spool/cron/root
 59 |     - /etc/cron.d/0hourly
 60 |     - /etc/cron.d/raid-check
 61 |   allow:
 62 |     path: /etc/cron.allow
 63 |     users: []
 64 |   deny:
 65 |     path: /etc/cron.deny
 66 |     users: []
 67 |   files:
 68 |     - configuration:
 69 |         - SHELL=/bin/bash
 70 |         - PATH=/sbin:/bin:/usr/sbin:/usr/bin
 71 |         - MAILTO=root
 72 |       data:
 73 |         schedules: []
 74 |         variables:
 75 |           - name: SHELL
 76 |             value: /bin/bash
 77 |           - name: PATH
 78 |             value: /sbin:/bin:/usr/sbin:/usr/bin
 79 |           - name: MAILTO
 80 |             value: root
 81 |       path: /etc/crontab
 82 |     - configuration:
 83 |         - '#!/usr/bin/sh'
 84 |         - if test -r /var/spool/anacron/cron.daily; then
 85 |         - '    day=`cat /var/spool/anacron/cron.daily`'
 86 |         - fi
 87 |         - if [ `date +%Y%m%d` = "$day" ]; then
 88 |         - '    exit 0'
 89 |         - fi
 90 |         - online=1
 91 |         - for psupply in AC ADP0 ; do
 92 |         - '    sysfile="/sys/class/power_supply/$psupply/online"'
 93 |         - '    if [ -f $sysfile ] ; then'
 94 |         - '        if [ `cat $sysfile 2>/dev/null`x = 1x ]; then'
 95 |         - '            online=1'
 96 |         - '            break'
 97 |         - '        else'
 98 |         - '            online=0'
 99 |         - '        fi'
100 |         - '    fi'
101 |         - done
102 |         - if [ $online = 0 ]; then
103 |         - '    exit 0'
104 |         - fi
105 |         - /usr/sbin/anacron -s
106 |       data:
107 |         schedules: []
108 |         shell: /usr/bin/sh
109 |         variables:
110 |           - name: online
111 |             value: '1'
112 |       path: /etc/cron.hourly/0anacron
113 |     - configuration:
114 |         - '#!/usr/bin/bash'
115 |         - '[ -f /etc/sysconfig/zfs-fuse ] || exit 0'
116 |         - . /etc/sysconfig/zfs-fuse
117 |         - '[ "$ZFS_WEEKLY_SCRUB" != "yes" ] && exit 0'
118 |         - zpool=/usr/sbin/zpool
119 |         - pools=`$zpool list -H | cut -f1`
120 |         - if [ "$pools" != "" ] ; then
121 |         - '    echo Found these pools: $pools'
122 |         - '    for pool in $pools; do'
123 |         - '    echo "Starting scrub of pool $pool"'
124 |         - '    $zpool scrub $pool'
125 |         - '    done'
126 |         - '    echo "ZFS Fuse automatic scrub start done.  Use ''$zpool status'' to see progress."'
127 |         - fi
128 |       data:
129 |         schedules: []
130 |         shell: /usr/bin/bash
131 |         variables:
132 |           - name: zpool
133 |             value: /usr/sbin/zpool
134 |           - name: pools
135 |             value: '`$zpool list -H | cut -f1`'
136 |       path: /etc/cron.weekly/98-zfs-fuse-scrub
137 |     - configuration: []
138 |       data:
139 |         schedules: []
140 |         variables: []
141 |       path: /var/spool/cron/root
142 |     - configuration:
143 |         - SHELL=/bin/bash
144 |         - PATH=/sbin:/bin:/usr/sbin:/usr/bin
145 |         - MAILTO=root
146 |         - 01 * * * * root run-parts /etc/cron.hourly
147 |       data:
148 |         schedules:
149 |           - command: run-parts /etc/cron.hourly
150 |             day_of_month: '*'
151 |             day_of_week: '*'
152 |             hour: '*'
153 |             minute: '01'
154 |             month: '*'
155 |             user: root
156 |         variables:
157 |           - name: SHELL
158 |             value: /bin/bash
159 |           - name: PATH
160 |             value: /sbin:/bin:/usr/sbin:/usr/bin
161 |           - name: MAILTO
162 |             value: root
163 |       path: /etc/cron.d/0hourly
164 |     - configuration:
165 |         - 0 1 * * Sun root /usr/sbin/raid-check
166 |       data:
167 |         schedules:
168 |           - command: /usr/sbin/raid-check
169 |             day_of_month: '*'
170 |             day_of_week: Sun
171 |             hour: '1'
172 |             minute: '0'
173 |             month: '*'
174 |             user: root
175 |         variables: []
176 |       path: /etc/cron.d/raid-check
177 | '''
178 | 
179 | from ansible.module_utils.basic import AnsibleModule
180 | import os
181 | from os.path import isfile, isdir, join
182 | import re
183 | 
184 | def main():
185 |     module_args = dict(
186 |         output_raw_configs=dict(
187 |             type='bool',
188 |             default=True,
189 |             required=False
190 |         ),
191 |         output_parsed_configs=dict(
192 |             type='bool',
193 |             default=True,
194 |             required=False
195 |         )
196 |     )
197 | 
198 |     result = dict(
199 |         changed=False,
200 |         original_message='',
201 |         message=''
202 |     )
203 | 
204 |     module = AnsibleModule(
205 |         argument_spec=module_args,
206 |         supports_check_mode=True
207 |     )
208 | 
209 |     params = module.params
210 | 
211 |     def get_cron_allow():
212 |         allow = dict()
213 |         allow['path'] = '/etc/cron.allow'
214 |         allow['users'] = list()
215 |         try:
216 |             cron_allow = open('/etc/cron.allow', 'r')
217 |             for line in cron_allow:
218 |                 user = line.replace('\n', '')
219 |                 allow['users'].append(user)
220 |             cron_allow.close()
221 |         except:
222 |             pass
223 |         return allow
224 | 
225 |     def get_cron_deny():
226 |         deny = dict()
227 |         deny['path'] = '/etc/cron.deny'
228 |         deny['users'] = list()
229 |         try:
230 |             cron_deny = open('/etc/cron.deny', 'r')
231 |             for line in cron_deny:
232 |                 user = line.replace('\n', '')
233 |                 deny['users'].append(user)
234 |             cron_deny.close()
235 |         except:
236 |             pass
237 |         return deny
238 | 
239 |     def get_cron_files():
240 |         # standard cron locations for cron file discovery
241 |         cron_paths = [
242 |             "/etc/crontab"
243 |         ]
244 |         cron_dirs = [
245 |             "/etc/cron.hourly",
246 |             "/etc/cron.daily",
247 |             "/etc/cron.weekly",
248 |             "/etc/cron.monthly",
249 |             "/var/spool/cron",
250 |             "/etc/cron.d"
251 |         ]
252 | 
253 |         # Look for files in cron directories and append to cron_paths
254 |         for dir in cron_dirs:
255 |             try:
256 |                 cron_paths += [join(dir, filename) for filename in os.listdir(dir) if isfile(join(dir, filename))]
257 |                 # keep digging
258 |                 cron_dirs += [join(dir, filename) for filename in os.listdir(dir) if isdir(join(dir, filename))]
259 |             except:
260 |                 pass
261 |         return cron_paths
262 | 
263 |     def get_cron_data(cron_paths):
264 |         # Output data
265 |         cron_data = list()
266 |         # Regex for parsing data
267 |         variable_re = re.compile(r'^([a-zA-Z0-9_-]*)[ \t]*=[ \t]*(.*)$')
268 |         comment_re = re.compile(r'^#+')
269 |         shebang_re = re.compile(r'^(#!){1}(.*)$')
270 |         schedule_re = re.compile(r'^([0-9a-zA-Z\*\-\,\/]+)[ \t]+([0-9a-zA-Z\*\-\,\/]+)[ \t]+([0-9a-zA-Z\*\-\,\/]+)[ \t]+([0-9a-zA-Z\*\-\,\/]+)[ \t]+([0-9a-zA-Z\*\-\,\/]+)[ \t]+([A-Za-z0-9\-\_]*)[ \t]*(.*)$')
271 | 
272 |         # work on each file that was found
273 |         for cron in cron_paths:
274 |             job = dict()
275 |             job['path'] = cron
276 | 
277 |             if params['output_raw_configs']:
278 |                 job['configuration'] = list()
279 | 
280 |             if params['output_parsed_configs']:
281 |                 job['data'] = dict()
282 |                 job['data']['variables'] = list()
283 |                 job['data']['schedules'] = list()
284 |                 job['data']['shell'] = ''
285 | 
286 |             # make sure we have permission to open the files
287 |             try:
288 |                 config = open(cron, 'r')
289 |                 for l in config:
290 |                     line = l.replace('\n', '').replace('\t', '    ')
291 |                     # raw configuration output
292 |                     if params['output_raw_configs']:
293 |                         # Not a comment line
294 |                         if comment_re.search(line) is None and line != '' and line != None:
295 |                             job['configuration'].append(line)
296 | 
297 |                         # Shebang line
298 |                         elif shebang_re.search(line) and line != '' and line != None:
299 |                             job['configuration'].append(line)
300 | 
301 |                     # parsed data output
302 |                     if params['output_parsed_configs']:
303 |                         variable = dict()
304 |                         sched = dict()
305 | 
306 |                         # Capture script variables
307 |                         if variable_re.search(line) and line != '' and line != None:
308 |                             variable['name'] = variable_re.search(line).group(1)
309 |                             variable['value'] = variable_re.search(line).group(2)
310 |                             job['data']['variables'].append(variable)
311 | 
312 |                         # Capture script shell type
313 |                         if shebang_re.search(line) and line != '' and line != None:
314 |                             job['data']['shell'] = shebang_re.search(line).group(2)
315 | 
316 |                         # Capture cron schedules:
317 |                         ##  don't try if a shell is set on the file, because it's a script at that point
318 |                         if schedule_re.search(line) and line != '' and line != None and job['data']['shell'] == '':
319 |                             sched['minute'] = schedule_re.search(line).group(1)
320 |                             sched['hour'] = schedule_re.search(line).group(2)
321 |                             sched['day_of_month'] = schedule_re.search(line).group(3)
322 |                             sched['month'] = schedule_re.search(line).group(4)
323 |                             sched['day_of_week'] = schedule_re.search(line).group(5)
324 |                             # optional user field in some implementations
325 |                             if schedule_re.search(line).group(6):
326 |                                 sched['user'] = schedule_re.search(line).group(6)
327 |                             sched['command'] = schedule_re.search(line).group(7)
328 |                             job['data']['schedules'].append(sched)
329 |                 config.close()
330 | 
331 |             except:
332 |                 pass
333 | 
334 |             # append each parsed file
335 |             cron_data.append(job)
336 |         return cron_data
337 | 
338 |     # Do work
339 |     cron_allow = get_cron_allow()
340 |     cron_deny = get_cron_deny()
341 |     cron_paths = get_cron_files()
342 |     cron_data = get_cron_data(cron_paths)
343 | 
344 |     # Build output
345 |     cron = dict()
346 |     cron['allow'] = cron_allow
347 |     cron['deny'] = cron_deny
348 |     cron['all_scanned_files'] = cron_paths
349 |     cron['files'] = cron_data
350 |     result = {'ansible_facts': {'cron': cron}}
351 | 
352 |     module.exit_json(**result)
353 | 
354 | 
355 | if __name__ == '__main__':
356 |     main()
357 | 


--------------------------------------------------------------------------------
/library/scan_processes.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | 
  3 | # Copyright: (c) 2019, Andrew J. Huffman <ahuffman@redhat.com>
  4 | # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
  5 | 
  6 | ANSIBLE_METADATA = {'metadata_version': '1.1',
  7 |                     'status': ['preview'],
  8 |                     'supported_by': 'community'}
  9 | 
 10 | DOCUMENTATION = '''
 11 | ---
 12 | module: scan_processes
 13 | short_description: Collects currently running processes on a system
 14 | version_added: "2.8"
 15 | description:
 16 |     - "Collects the currently running processes on a system at the time the module is run."
 17 |     - "This module presents the currently running proceses as ansible_facts"
 18 | output_ps_stdout_lines:
 19 |     description:
 20 |         - Whether or not to output the collected standard out lines from the 'ps auxww' command
 21 |     default: False
 22 |     required: False
 23 | output_parsed_processes:
 24 |     description:
 25 |         - Whether or not to output parsed data from the 'ps auxww' command.
 26 |     default: True
 27 |     required: False
 28 | author:
 29 |     - Andrew J. Huffman (@ahuffman)
 30 | '''
 31 | 
 32 | EXAMPLES = '''
 33 | # Collect running processes and output parsed data
 34 | - name: "Collect current running processes"
 35 |   scan_processes:
 36 | 
 37 | # Collect only standard out lines from the ps auxww command
 38 | - name: "Collect process command output"
 39 |   scan_processes:
 40 |     output_ps_stdout_lines: True
 41 |     output_parsed_processes: False
 42 | 
 43 | # Collect both parsed process data and 'ps auxww' command standard out
 44 | - name: "Collect all process data"
 45 |   scan_processes:
 46 |     output_ps_stdout_lines: True
 47 | '''
 48 | 
 49 | RETURN = '''
 50 | running_processes:
 51 |     processes:
 52 |       - command: /usr/lib/systemd/systemd --switched-root --system --deserialize 33
 53 |         cpu_percentage: '0.0'
 54 |         memory_percentage: '0.0'
 55 |         pid: '1'
 56 |         resident_size: '5036'
 57 |         start: Jul08
 58 |         stat: Ss
 59 |         teletype: '?'
 60 |         time: '3:32'
 61 |         user: root
 62 |       ...
 63 |     ps_stdout_lines:
 64 |       - root         1  0.0  0.0 171628  5056 ?        Ss   Jul08   3:32 /usr/lib/systemd/systemd --switched-root --system --deserialize 33
 65 |       ...
 66 |     total_running_processes: 359
 67 | '''
 68 | 
 69 | from ansible.module_utils.basic import AnsibleModule
 70 | import os, re, subprocess
 71 | from os.path import isfile, isdir, join
 72 | 
 73 | def main():
 74 |     module_args = dict(
 75 |         output_ps_stdout_lines=dict(
 76 |             type='bool',
 77 |             default=False,
 78 |             required=False
 79 |         ),
 80 |         output_parsed_processes=dict(
 81 |             type='bool',
 82 |             default=True,
 83 |             required=False
 84 |         )
 85 |     )
 86 | 
 87 |     result = dict(
 88 |         changed=False,
 89 |         original_message='',
 90 |         message=''
 91 |     )
 92 | 
 93 |     module = AnsibleModule(
 94 |         argument_spec=module_args,
 95 |         supports_check_mode=True
 96 |     )
 97 | 
 98 |     params = module.params
 99 | 
100 |     def get_processes():
101 |         re_header = re.compile(r'^USER+.*')
102 |         proc_stats = dict()
103 |         procs = list()
104 |         count = 0
105 |         running = subprocess.check_output(["ps auxww"], universal_newlines=True, shell=True)
106 |         for l in running.split('\n'):
107 |             if len(l) > 0 and re_header.search(l) is None:
108 |                 procs.append(l.replace('\n', '').replace('\t', '    '))
109 |                 count += 1
110 |         proc_stats['stdout'] = procs
111 |         proc_stats['total_running_processes'] = count
112 |         return proc_stats
113 | 
114 |     def parse_process_data(procs):
115 |         re_ps = re.compile(r'^(?P<user>[\w\+\-\_\$]+)\s+(?P<pid>[0-9]+)\s+(?P<cpu>[0-9\.]+)\s+(?P<mem>[0-9\.]+)\s+(?P<vsz>[0-9]+)\s+(?P<rss>[0-9]+)\s+(?P<tty>[a-zA-Z0-9\?\/]+)\s+(?P<stat>[DIRSTtWXZ\<NLsl\+]+)\s+(?P<start>[A-Za-z0-9\:]+)\s+(?P<time>[0-9\:]+)\s+(?P<command>.*)$')
116 |         processes = list()
117 | 
118 |         for proc in procs:
119 |             process = dict()
120 |             if re_ps.search(proc):
121 |                 process['user'] = re_ps.search(proc).group('user')
122 |                 process['pid'] = re_ps.search(proc).group('pid')
123 |                 process['cpu_percentage'] = re_ps.search(proc).group('cpu')
124 |                 process['memory_percentage'] = re_ps.search(proc).group('mem')
125 |                 process['virtual_memory_size'] = re_ps.search(proc).group('vsz')
126 |                 process['resident_size'] = re_ps.search(proc).group('rss')
127 |                 process['teletype'] = re_ps.search(proc).group('tty')
128 |                 process['stat'] = re_ps.search(proc).group('stat')
129 |                 process['start'] = re_ps.search(proc).group('start')
130 |                 process['time'] = re_ps.search(proc).group('time')
131 |                 process['command'] = re_ps.search(proc).group('command')
132 |                 processes.append(process)
133 |         return processes
134 | 
135 |     # Do work
136 |     raw_procs = get_processes()
137 |     if params['output_parsed_processes']:
138 |         proc_data = parse_process_data(raw_procs['stdout'])
139 | 
140 |     # Build output
141 |     processes = dict()
142 |     if params['output_ps_stdout_lines']:
143 |         processes['ps_stdout_lines'] = raw_procs['stdout']
144 |     if params['output_parsed_processes']:
145 |         processes['total_running_processes'] = raw_procs['total_running_processes']
146 |         processes['processes'] = proc_data
147 |     result = {'ansible_facts': {'running_processes': processes}}
148 | 
149 |     module.exit_json(**result)
150 | 
151 | 
152 | if __name__ == '__main__':
153 |     main()
154 | 


--------------------------------------------------------------------------------
/library/scan_sudoers.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | 
  3 | # Copyright: (c) 2019, Andrew J. Huffman <ahuffman@redhat.com>
  4 | # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
  5 | 
  6 | ANSIBLE_METADATA = {'metadata_version': '1.1',
  7 |                     'status': ['preview'],
  8 |                     'supported_by': 'community'}
  9 | 
 10 | DOCUMENTATION = '''
 11 | ---
 12 | module: "scan_sudoers"
 13 | short_description: "Parses the /etc/sudoers and /etc/sudoers.d/* files."
 14 | version_added: "2.7"
 15 | author:
 16 |     - "Andrew J. Huffman (@ahuffman)"
 17 | description:
 18 |     - "This module is designed to collect information from C(/etc/sudoers).  The #include (files) and #includedir (directories) will be dynamically calculated and all included files will be parsed."
 19 |     - "This module is compatible with Linux and Unix systems."
 20 |     - "You will need to run the playbook as a privileged user or a user with appropriate privilege escalation"
 21 | options:
 22 |     output_raw_configs:
 23 |         description:
 24 |             - Whether or not to output raw configuration lines (excluding comments) from the scanned sudoers files
 25 |         default: True
 26 |         required: False
 27 |     output_parsed_configs:
 28 |         description:
 29 |             - Whether or not to output parsed data from the scanned sudoers files
 30 |         default: True
 31 |         required: False
 32 | '''
 33 | 
 34 | EXAMPLES = '''
 35 | - name: "Scan sudoers files - output everything"
 36 |   scan_sudoers:
 37 | 
 38 | - name: "Scan sudoers files - output raw configuration lines only"
 39 |   scan_sudoers:
 40 |     output_parsed_configs: False
 41 | 
 42 | - name: "Scan sudoers files - output parsed configurations only"
 43 |   scan_sudoers:
 44 |     output_raw_configs: False
 45 | 
 46 | - name: "Scan sudoers files - output only included files and paths (minimal output)"
 47 |   scan_sudoers:
 48 |     output_raw_configs: False
 49 |     output_parsed_configs: False
 50 | '''
 51 | 
 52 | RETURN = '''
 53 | sudoers:
 54 |     description: "List of parsed sudoers data and included sudoers data"
 55 |     returned: "success"
 56 |     type: "list"
 57 |     sample:
 58 |       ansible_facts:
 59 |         sudoers:
 60 |           all_scanned_files:
 61 |             - /etc/sudoers.d/group1
 62 |             - /etc/sudoers.d/group2
 63 |             - /etc/sudoers
 64 |           sudoers_files:
 65 |             - aliases:
 66 |                 cmnd_alias:
 67 |                 host_alias:
 68 |                 runas_alias:
 69 |                 user_alias:
 70 |               configuration:
 71 |                 - 'Host_Alias        SOMEHOSTS = server1, server2'
 72 |                 - ...
 73 |                 - '#includedir /etc/sudoers.d'
 74 |               defaults:
 75 |                 - '!visiblepw'
 76 |                 - env_reset
 77 |                 - secure_path:
 78 |                     - /usr/local/sbin
 79 |                     - /usr/local/bin
 80 |                     - /usr/sbin
 81 |                     - /usr/bin
 82 |                     - /sbin
 83 |                     - /bin
 84 |                 - env_keep:
 85 |                     - COLORS
 86 |                     - DISPLAY
 87 |                     - ...
 88 |                 - ...
 89 |               include_directories:
 90 |                 - /etc/sudoers.d
 91 |               include_files:
 92 |                 - /etc/sudoers.d/file1
 93 |                 - /etc/sudoers.d/file2
 94 |                 - /tmp/some/file
 95 |                 - ...
 96 |               path: /etc/sudoers
 97 |               user_specifications:
 98 |                 - commands:
 99 |                     - ALL
100 |                   hosts:
101 |                     - ALL
102 |                   operators:
103 |                     - ALL
104 |                   tags:
105 |                     - NOPASSWD
106 |                   users:
107 |                     - '%wheel'
108 |                 - defaults:
109 |                     - '!requiretty'
110 |                   type: user
111 |                   users:
112 |                     - STAFF
113 |                     - INTERNS
114 |             - aliases:
115 |                 ...
116 | '''
117 | 
118 | from ansible.module_utils.basic import AnsibleModule
119 | import os
120 | from os.path import isfile, join
121 | import re
122 | 
123 | def main():
124 |     module_args = dict(
125 |         output_raw_configs=dict(
126 |             type='bool',
127 |             default=True,
128 |             required=False
129 |         ),
130 |         output_parsed_configs=dict(
131 |             type='bool',
132 |             default=True,
133 |             required=False
134 |         )
135 |     )
136 | 
137 |     result = dict(
138 |         changed=False,
139 |         original_message='',
140 |         message=''
141 |     )
142 | 
143 |     module = AnsibleModule(
144 |         argument_spec=module_args,
145 |         supports_check_mode=True
146 |     )
147 |     params = module.params
148 | 
149 |     def get_includes(path):
150 |         ## Get includes
151 |         sudoers_file = open(path, 'r')
152 |         includes = dict()
153 |         includes['include_files'] = list()
154 |         include_dir = ""
155 |         includes['include_directories'] = list()
156 | 
157 |         # Regex for "#includedir" and "#include" sudoers options
158 |         includedir_re = re.compile(r'(^#includedir)+\s+(.*$)')
159 |         include_re = re.compile(r'(^#include)+\s+(.*$)')
160 | 
161 |         for l in sudoers_file:
162 |             line = l.replace('\n', '').replace('\t', '    ')
163 |             # Search for '#includedir'
164 |             if includedir_re.search(line):
165 |                 include_dir = includedir_re.search(line).group(2)
166 |             # Search for '#include'
167 |             if include_re.search(line):
168 |                 includes['include_files'].append(include_re.search(line).group(2))
169 | 
170 |         if include_dir:
171 |             # build multi-file output
172 |             includes['include_directories'].append(include_dir)
173 |             # Get list of all included sudoers files
174 |             includes['include_files'] += [join(include_dir, filename) for filename in os.listdir(include_dir) if isfile(join(include_dir, filename))]
175 |         elif not includes['include_files']:
176 |             includes.pop('include_files')
177 | 
178 |         if not includes['include_directories']:
179 |             includes.pop('include_directories')
180 | 
181 |         sudoers_file.close()
182 |         return includes
183 | 
184 |     def get_user_specs(line, path):
185 |         user_spec = dict()
186 |         user_spec_re =  re.compile(r'(^\S+,{1}\s*\S+|^\S+)\s*(\S+,{1}\s*|\S+){1}\s*={1}\s*(\({1}(.*)\){1})*\s*(ROLE\s*=\s*(\S+)|TYPE\s*=\s*(\S+))*\s*(ROLE\s*=\s*(\S+)|TYPE\s*=\s*(\S+))*\s*(PRIVS\s*=\s*(\S+)|LIMITPRIVS\s*=\s*(\S+))*\s*(PRIVS\s*=\s*(\S+)|LIMITPRIVS\s*=\s*(\S+))*\s*(\S+:{1})*\s*(.*$)')
187 |         default_override_re = re.compile(r'(Defaults){1}([@:!>]){1}((\s*\S+,{1})+\s*\S+|\S+)\s*(.*$)')
188 |         spec_fields = user_spec_re.search(line)
189 |         if user_spec_re.search(line):
190 |             user_spec['users'] = list()
191 |             user_spec['hosts'] = list()
192 |             user_spec['operators'] = list()
193 |             user_spec['selinux_role'] = ""
194 |             user_spec['selinux_type'] = ""
195 |             user_spec['solaris_privs'] = ""
196 |             user_spec['solaris_limitprivs'] = ""
197 |             user_spec['tags'] = list()
198 |             user_spec['commands'] = list()
199 |             # users
200 |             users = spec_fields.group(1).split(',')
201 |             for user in users:
202 |                 if user != '' and user != None:
203 |                     user_spec['users'].append(user.lstrip())
204 |             # hosts
205 |             hosts = spec_fields.group(2).split(',')
206 |             for host in hosts:
207 |                 if host != '' and host != None:
208 |                     user_spec['hosts'].append(host.lstrip())
209 |             # operators - optional
210 |             if spec_fields.group(4):
211 |                 operators = spec_fields.group(4).split(',')
212 |                 for op in operators:
213 |                     if op != '' and op != None:
214 |                         user_spec['operators'].append(op.lstrip())
215 |             # SELinux - optional
216 |             if spec_fields.group(5) or spec_fields.group(8):
217 |               ## TYPE
218 |                 type_re = re.compile(r'(^TYPE){1}\s*={1}\s*')
219 |                 if spec_fields.group(5):
220 |                     if type_re.search(spec_fields.group(5)):
221 |                         if type_re.search(spec_fields.group(5)).group(1) == 'TYPE':
222 |                             user_spec['selinux_type'] = spec_fields.group(7)
223 |                 if spec_fields.group(8):
224 |                     if type_re.search(spec_fields.group(8)):
225 |                         if type_re.search(spec_fields.group(8)).group(1) == 'TYPE':
226 |                             user_spec['selinux_type'] = spec_fields.group(10)
227 |               ## ROLE
228 |                 role_re = re.compile(r'(^ROLE){1}\s*={1}\s*')
229 |                 if spec_fields.group(5):
230 |                     if role_re.search(spec_fields.group(5)):
231 |                         if role_re.search(spec_fields.group(5)).group(1) == 'ROLE':
232 |                             user_spec['selinux_role'] = spec_fields.group(6)
233 |                 if spec_fields.group(8):
234 |                     if role_re.search(spec_fields.group(8)):
235 |                         if role_re.search(spec_fields.group(8)).group(1) == 'ROLE':
236 |                             user_spec['selinux_role'] = spec_fields.group(9)
237 |             # Solaris - optional
238 |             if spec_fields.group(11) or spec_fields.group(14):
239 |               ## PRIVS
240 |                 privs_re = re.compile(r'(^PRIVS){1}\s*={1}\s*')
241 |                 if spec_fields.group(11):
242 |                     if privs_re.search(spec_fields.group(11)):
243 |                         if privs_re.search(spec_fields.group(11)).group(1) == 'PRIVS':
244 |                             user_spec['solaris_privs'] = spec_fields.group(12)
245 |                 if spec_fields.group(14):
246 |                     if privs_re.search(spec_fields.group(14)):
247 |                         if privs_re.search(spec_fields.group(14)).group(1) == 'PRIVS':
248 |                             user_spec['solaris_privs'] = spec_fields.group(17)
249 |               ## LIMITPRIVS
250 |                 limitprivs_re = re.compile(r'(^LIMITPRIVS){1}\s*={1}\s*')
251 |                 if spec_fields.group(11):
252 |                     if limitprivs_re.search(spec_fields.group(11)):
253 |                         if limitprivs_re.search(spec_fields.group(11)).group(1) == 'LIMITPRIVS':
254 |                             user_spec['solaris_limitprivs'] = spec_fields.group(13)
255 |                 if spec_fields.group(14):
256 |                     if limitprivs_re.search(spec_fields.group(14)):
257 |                         if limitprivs_re.search(spec_fields.group(14)).group(1) == 'LIMITPRIVS':
258 |                             user_spec['solaris_limitprivs'] = spec_fields.group(16)
259 |             # tags - optional
260 |             if spec_fields.group(17):
261 |                 tags = spec_fields.group(17).split(':')
262 |                 for tag in tags:
263 |                     if tag != '' and tag != None:
264 |                         user_spec['tags'].append(tag)
265 |             # commands
266 |             commands = spec_fields.group(18).split(',')
267 |             for command in commands:
268 |                 if command != '' and command != None:
269 |                     user_spec['commands'].append(command.lstrip())
270 |             # Cleanup unused output
271 |             if user_spec['selinux_role'] == '':
272 |                 user_spec.pop('selinux_role')
273 |             if user_spec['selinux_type'] == '':
274 |                 user_spec.pop('selinux_type')
275 |             if user_spec['solaris_privs'] == '':
276 |                 user_spec.pop('solaris_privs')
277 |             if user_spec['solaris_limitprivs'] == '':
278 |                 user_spec.pop('solaris_limitprivs')
279 |             if not user_spec['users']:
280 |                 user_spec.pop('users')
281 |             if not user_spec['hosts']:
282 |                 user_spec.pop('hosts')
283 |             if not user_spec['operators']:
284 |                 user_spec.pop('operators')
285 |             if not user_spec['tags']:
286 |                 user_spec.pop('tags')
287 |             if not user_spec['commands']:
288 |                 user_spec.pop('commands')
289 |         else:
290 |             if default_override_re.search(line):
291 |                 default_override = default_override_re.search(line)
292 |                 # type
293 |                 if default_override.group(2) == '@':
294 |                     user_spec['type'] = 'host'
295 |                     user_spec['hosts'] = list()
296 |                     hosts = default_override.group(3).split(',')
297 |                     for host in hosts:
298 |                         if host != '' and host != None:
299 |                             user_spec['hosts'].append(host.lstrip())
300 |                 elif default_override.group(2) == ':':
301 |                     user_spec['type'] = 'user'
302 |                     user_spec['users'] = list()
303 |                     users = default_override.group(3).split(',')
304 |                     for user in users:
305 |                         if user != '' and user != None:
306 |                             user_spec['users'].append(user.lstrip())
307 |                 elif default_override.group(2) == '!':
308 |                     user_spec['type'] = 'command'
309 |                     user_spec['commands'] = list()
310 |                     commands = default_override.group(3).split(',')
311 |                     for command in commands:
312 |                         if command != '' and command != None:
313 |                             user_spec['commands'].append(command.lstrip(optionals))
314 |                 elif default_override.group(2) == '>':
315 |                     user_spec['type'] = 'runas'
316 |                     user_spec['operators'] = list()
317 |                     operators = default_override.group(3).split(',')
318 |                     for op in operators:
319 |                         if op != '' and op != None:
320 |                             user_spec['operators'].append(op.lstrip())
321 |                 user_spec['defaults'] = list()
322 |                 defaults = default_override.group(5).split(',')
323 |                 for default in defaults:
324 |                     if default != '' and default != None:
325 |                         user_spec['defaults'].append(default.lstrip())
326 |         return user_spec
327 | 
328 |     def get_config_lines(path):
329 |         # Read sudoers file
330 |         all_lines = open(path, 'r')
331 |         # Initialize empty return dict
332 |         sudoer_file = dict()
333 |         # Initialize aliases vars
334 |         sudoer_aliases = dict()
335 |         user_aliases = list()
336 |         runas_aliases = list()
337 |         host_aliases = list()
338 |         command_aliases = list()
339 |         user_specifications = list()
340 |         # Raw config lines output
341 |         config_lines = list()
342 | 
343 |         # Regex for Parsers
344 |         comment_re = re.compile(r'^#+')
345 |         include_re = re.compile(r'^#include')
346 |         defaults_re = re.compile(r'^(Defaults)+\s+(.*$)')
347 |         cmnd_alias_re = re.compile(r'(^Cmnd_Alias)+\s+(\S+)+\s*\={1}\s*((\S+,{1}\s*)+\S+|\S+)\s*(\:)*(.*)*$')
348 |         host_alias_re = re.compile(r'(^Host_Alias)+\s+(\S+)+\s*\={1}\s*((\S+,{1}\s*)+\S+|\S+)\s*(\:)*(.*)*$')
349 |         runas_alias_re = re.compile(r'(^Runas_Alias)+\s+(\S+)+\s*\={1}\s*((\S+,{1}\s*)+\S+|\S+)\s*(\:)*(.*)*$')
350 |         user_alias_re = re.compile(r'(^User_Alias)+\s+(\S+)+\s*\={1}\s*((\S+,{1}\s*)+\S+|\S+)\s*(\:)*(.*)*$')
351 | 
352 |         # Defaults Parsing vars
353 |         config_defaults = list()
354 |         env_keep_opts = list()
355 | 
356 |         # Get includes from file
357 |         includes = get_includes(path)
358 |         # if we have included files add them to the list
359 |         try:
360 |             sudoer_file['include_files'] = includes['include_files']
361 |         except:
362 |             pass
363 |         try:
364 |             sudoer_file['include_directories'] = includes['include_directories']
365 |         except:
366 |             pass
367 |         # Work on each line of sudoers file
368 |         for l in all_lines:
369 |             line = l.replace('\n', '').replace('\t', '    ') #cleaning up chars we don't want
370 |             # only output raw config lines if we ask for them
371 |             if params['output_raw_configs']:
372 |                 # All raw (non-comment) config lines out
373 |                 if comment_re.search(line) is None and line != '' and line != None:
374 |                     config_lines.append(line)
375 |                 if include_re.search(line):
376 |                     config_lines.append(line)
377 | 
378 |             # only output parsed configs if we ask for them
379 |             if params['output_parsed_configs']:
380 |                 # Parser for defaults
381 |                 if defaults_re.search(line):
382 |                     defaults_config_line = defaults_re.search(line).group(2)
383 |                     defaults_env_keep_re = re.compile(r'^(env_keep)+((\s\=)|(\s\+\=))+(\s)+(.*$)')
384 |                     defaults_sec_path_re = re.compile(r'^(secure_path)+(\s)+(\=)+(\s)+(.*$)')
385 |                     # Break up multi-line defaults config lines into single config options
386 |                     if defaults_env_keep_re.search(defaults_config_line):
387 |                         defaults_multi = defaults_env_keep_re.search(defaults_config_line).group(6).split()
388 |                         # env_keep default options
389 |                         for i in defaults_multi:
390 |                             env_keep_opts.append(i.replace('"', ''))
391 |                     # build secure path dict and append to defaults list
392 |                     elif defaults_sec_path_re.search(defaults_config_line):
393 |                         secure_paths = defaults_sec_path_re.search(defaults_config_line).group(5).split(':')
394 |                         config_defaults.append({'secure_path': secure_paths})
395 |                     # single defaults option case
396 |                     else:
397 |                         config_defaults.append(defaults_config_line)
398 |                 # Aliases:
399 |                 # Parser for Command Alias
400 |                 if cmnd_alias_re.search(line):
401 |                     if cmnd_alias_re.search(line).group(5) == ':':
402 |                         # We have a multi line alias
403 |                         cmnd_multi_line_aliases = line.split(':')
404 |                         # Process each alias
405 |                         ca_multi_re = re.compile(r'(^Cmnd_Alias)*\s*(\S+)+\s*\={1}\s*((\S+,{1}\s*)+\S+|\S+).*$')
406 |                         for ca in cmnd_multi_line_aliases:
407 |                             ca_fields = ca_multi_re.search(ca)
408 |                             cmnds_name = ca_fields.group(2)
409 |                             ca_cmnds = list()
410 |                             ca_cmnds_split = ca_fields.group(3).split(',')
411 |                             for cmnd in ca_cmnds_split:
412 |                                 ca_cmnds.append(cmnd.lstrip())
413 |                             cmnd_alias_formatted = {'name': cmnds_name, 'commands': ca_cmnds}
414 |                             command_aliases.append(cmnd_alias_formatted)
415 |                     else:
416 |                         command_name = cmnd_alias_re.search(line).group(2)
417 |                         commands = list()
418 |                         for i in cmnd_alias_re.search(line).group(3).split(','):
419 |                             # Append a space free item to the list
420 |                             commands.append(i.replace(' ', ''))
421 |                         # Build command alias dict
422 |                         cmnd_alias_formatted = {'name': command_name, 'commands': commands}
423 |                         command_aliases.append(cmnd_alias_formatted)
424 | 
425 |                 # Parser for Host Alias
426 |                 if host_alias_re.search(line):
427 |                     if host_alias_re.search(line).group(5) == ':':
428 |                         # We have a multi line alias
429 |                         host_multi_line_aliases = line.split(':')
430 |                         # Process each alias
431 |                         ha_multi_re = re.compile(r'(^Host_Alias)*\s*(\S+)+\s*\={1}\s*((\S+,{1}\s*)+\S+|\S+).*$')
432 |                         for ha in host_multi_line_aliases:
433 |                             ha_fields = ha_multi_re.search(ha)
434 |                             hosts_name = ha_fields.group(2)
435 |                             ha_hosts = list()
436 |                             ha_hosts_split = ha_fields.group(3).split(',')
437 |                             for host in ha_hosts_split:
438 |                                 ha_hosts.append(host.lstrip())
439 |                             host_alias_formatted = {'name': hosts_name, 'hosts': ha_hosts}
440 |                             host_aliases.append(host_alias_formatted)
441 |                     else:
442 |                         host_name = host_alias_re.search(line).group(2)
443 |                         hosts = list()
444 |                         for i in host_alias_re.search(line).group(3).split(','):
445 |                             # Append a space free item to the list
446 |                             hosts.append(i.replace(' ', ''))
447 |                         # Build command alias dict
448 |                         host_alias_formatted = {'name': host_name, 'hosts': hosts}
449 |                         host_aliases.append(host_alias_formatted)
450 | 
451 |                 # Parser for RunAs Alias
452 |                 if runas_alias_re.search(line):
453 |                     if runas_alias_re.search(line).group(5) == ':':
454 |                         # We have a multi line alias
455 |                         runas_multi_line_aliases = line.split(':')
456 |                         # Process each alias
457 |                         ra_multi_re = re.compile(r'(^Runas_Alias)*\s*(\S+)+\s*\={1}\s*((\S+,{1}\s*)+\S+|\S+).*$')
458 |                         for ra in user_multi_line_aliases:
459 |                             ra_fields = ra_multi_re.search(ra)
460 |                             runas_name = ra_fields.group(2)
461 |                             ra_users = list()
462 |                             ra_users_split = ra_fields.group(3).split(',')
463 |                             for user in ra_users_split:
464 |                                 ra_users.append(user.lstrip())
465 |                             runas_alias_formatted = {'name': runas_name, 'users': ra_users}
466 |                             runas_aliases.append(runas_alias_formatted)
467 |                     else:
468 |                         runas_name = runas_alias_re.search(line).group(2)
469 |                         ra_users = list()
470 |                         for i in runas_alias_re.search(line).group(3).split(','):
471 |                             # Append a space free item to the list
472 |                             ra_users.append(i.replace(' ', ''))
473 |                         # Build command alias dict
474 |                         runas_alias_formatted = {'name': runas_name, 'users': ra_users}
475 |                         runas_aliases.append(runas_alias_formatted)
476 | 
477 |                 # Parser for User Alias
478 |                 if user_alias_re.search(line):
479 |                     if user_alias_re.search(line).group(5) == ':':
480 |                         # We have a multi line alias
481 |                         user_multi_line_aliases = line.split(':')
482 |                         # Process each alias
483 |                         ua_multi_re = re.compile(r'(^User_Alias)*\s*(\S+)+\s*\={1}\s*((\S+,{1}\s*)+\S+|\S+).*$')
484 |                         for ua in user_multi_line_aliases:
485 |                             ua_fields = ua_multi_re.search(ua)
486 |                             users_name = ua_fields.group(2)
487 |                             ua_users = list()
488 |                             ua_users_split = ua_fields.group(3).split(',')
489 |                             for user in ua_users_split:
490 |                                 ua_users.append(user.lstrip())
491 |                             user_alias_formatted = {'name': users_name, 'users': ua_users}
492 |                             user_aliases.append(user_alias_formatted)
493 |                     else:
494 |                         users_name = user_alias_re.search(line).group(2)
495 |                         ua_users = list()
496 |                         for i in user_alias_re.search(line).group(3).split(','):
497 |                             # Append a space free item to the list
498 |                             ua_users.append(i.lstrip())
499 |                         # Build command alias dict
500 |                         user_alias_formatted = {'name': users_name, 'users': ua_users}
501 |                         user_aliases.append(user_alias_formatted)
502 | 
503 |                 # Parser for user_specs
504 |                 if not user_alias_re.search(line) and not runas_alias_re.search(line) and \
505 |                    not host_alias_re.search(line) and not cmnd_alias_re.search(line) and \
506 |                    not include_re.search(line) and not comment_re.search(line) and \
507 |                    not defaults_re.search(line) and line != '' and \
508 |                    line != None:
509 |                     user_spec = get_user_specs(line, path)
510 |                     user_specifications.append(user_spec)
511 |         # Build the sudoer file's dict output
512 |         sudoer_file['path'] = path
513 | 
514 |         # only output raw configs if we ask for it
515 |         if params['output_raw_configs']:
516 |             sudoer_file['configuration'] = config_lines
517 | 
518 |         if params['output_parsed_configs']:
519 |             # Build defaults env_keep dict and append to the rest of the config_defaults list
520 |             if env_keep_opts:
521 |                 config_defaults.append({'env_keep': env_keep_opts})
522 |             if config_defaults:
523 |                 sudoer_file['defaults'] = config_defaults
524 |             # Build aliases output dictionary
525 |             sudoer_aliases = {'user_alias': user_aliases, 'runas_alias': runas_aliases, 'cmnd_alias': command_aliases, 'host_alias': host_aliases}
526 |             # cleanup unused outputs
527 |             if not sudoer_aliases['user_alias']:
528 |                 sudoer_aliases.pop('user_alias')
529 |             if not sudoer_aliases['runas_alias']:
530 |                 sudoer_aliases.pop('runas_alias')
531 |             if not sudoer_aliases['cmnd_alias']:
532 |                 sudoer_aliases.pop('cmnd_alias')
533 |             if not sudoer_aliases['host_alias']:
534 |                 sudoer_aliases.pop('host_alias')
535 |             if sudoer_aliases:
536 |                 sudoer_file['aliases'] = sudoer_aliases
537 |             sudoer_file['user_specifications'] = user_specifications
538 |         # done working on the file
539 |         all_lines.close()
540 |         return sudoer_file
541 | 
542 |     def get_sudoers_configs(path):
543 |         sudoers = dict()
544 |         include_files = list()
545 | 
546 |         # Get parsed values from default sudoers file
547 |         sudoers['sudoers_files'] = list()
548 |         default = get_config_lines(path)
549 |         if default:
550 |             sudoers['sudoers_files'].append(default)
551 |             try:
552 |                 include_files += default['include_files']
553 |             except:
554 |                 pass
555 |         # Capture each included sudoer file
556 |         for file in include_files:
557 |             include_file = get_config_lines(file)
558 |             if include_file:
559 |                 sudoers['sudoers_files'].append(include_file)
560 |             # append even more included files as we parse deeper
561 |             try:
562 |                 include_files += include_file['include_files']
563 |             except:
564 |                 pass
565 |         # return back everything that was included off of the default sudoers file
566 |         include_files.append(default_sudoers)
567 |         sudoers['all_scanned_files'] = include_files
568 |         return sudoers
569 | 
570 | 
571 |     default_sudoers = '/etc/sudoers'
572 |     sudoers = get_sudoers_configs(default_sudoers)
573 |     result = {'ansible_facts': {'sudoers': sudoers}}
574 | 
575 |     module.exit_json(**result)
576 | 
577 | 
578 | if __name__ == '__main__':
579 |     main()
580 | 


--------------------------------------------------------------------------------
/library/scan_user_group.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | 
  3 | # Copyright: (c) 2019, Andrew J. Huffman <ahuffman@redhat.com>
  4 | # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
  5 | 
  6 | ANSIBLE_METADATA = {'metadata_version': '1.1',
  7 |                     'status': ['preview'],
  8 |                     'supported_by': 'community'}
  9 | 
 10 | DOCUMENTATION = '''
 11 | ---
 12 | module: scan_user_group
 13 | short_description: "Parses the local users and groups on a system"
 14 | version_added: "2.7"
 15 | author:
 16 |     - "Andrew J. Huffman (@ahuffman)"
 17 | description:
 18 |     - "This module is designed to collect information from C(/etc/passwd), C(/etc/shadow), C(/etc/group), and C(/etc/gshadow) files and returns a set of Ansible facts based on the collected data."
 19 |     - "This module is compatible with Linux and Unix systems."
 20 | options:
 21 |     passwd_path:
 22 |         description:
 23 |             - "To override where this module collects its C(/etc/passwd) data from on a system"
 24 |         default: "/etc/passwd"
 25 |         required: false
 26 |         version_added: "2.7"
 27 |     shadow_path:
 28 |         description:
 29 |             - "To override where this module collects its C(/etc/shadow) data from on a system"
 30 |         default: "/etc/shadow"
 31 |         required: false
 32 |         version_added: "2.7"
 33 |     group_path:
 34 |         description:
 35 |             - "To override where this module collects its C(/etc/group) data from on a system"
 36 |         default: "/etc/group"
 37 |         required: false
 38 |         version_added: "2.7"
 39 |     gshadow_path:
 40 |         description:
 41 |             - "To override where this module collects its C(/etc/gshadow) data from on a system"
 42 |         default: "/etc/gshadow"
 43 |         required: false
 44 |         version_added: "2.7"
 45 | '''
 46 | 
 47 | EXAMPLES = '''
 48 | - name: "Scan Users and Groups with defaults"
 49 |   scan_user_group:
 50 | 
 51 | - name: "Scan Users and Groups with path overrides"
 52 |   scan_user_group:
 53 |     passwd_path: "/etc/passwd2"
 54 |     shadow_path: "/etc/shadow-"
 55 |     group_path: "/etc/group2"
 56 |     gshadow_path: "/etc/gshadow2"
 57 | 
 58 | - name: "Parse backed up shadow file"
 59 |   scan_user_group:
 60 |     shadow_path: "/etc/shadow-"
 61 | '''
 62 | 
 63 | RETURN = '''
 64 | local_users:
 65 |     description: "List of parsed local user data.  This is a merged list of data from /etc/passwd and /etc/shadow by default."
 66 |     returned: "success"
 67 |     type: "list"
 68 |     sample: "[{'account_expiration': '', 'comment': 'Account comment', 'encrypted_password': '$AdfaRdak/.serSrA', 'gid': '24', 'home': '/home/myuser', 'last_pw_change': '17621', 'max_pw_age': '', 'min_pw_age': '', 'pw_inactive_days': '', 'pw_warning_days': '', 'reserved': '', 'shadow': True, 'shell': '/sbin/nologin', 'uid': '24', 'user': 'ahuffman'}]"
 69 | local_groups:
 70 |     description: "List of parsed local group data.  This is a merged list of data from /etc/group and /etc/gshadow by default."
 71 |     returned: "success"
 72 |     type: "list"
 73 |     sample: "[{'administrators': [], 'encrypted_password': '', 'gid': '0', 'group': 'root', 'gshadow': True, 'members': []}]"
 74 | '''
 75 | 
 76 | from ansible.module_utils.basic import AnsibleModule
 77 | import os
 78 | 
 79 | def main():
 80 |     module_args = dict(
 81 |         passwd_path=dict(type='str', required=False, default='/etc/passwd'),
 82 |         shadow_path=dict(type='str', required=False, default='/etc/shadow'),
 83 |         group_path=dict(type='str', required=False, default='/etc/group'),
 84 |         gshadow_path=dict(type='str', required=False, default='/etc/gshadow')
 85 |     )
 86 | 
 87 |     result = dict(
 88 |         changed=False,
 89 |         original_message='',
 90 |         message=''
 91 |     )
 92 | 
 93 |     module = AnsibleModule(
 94 |         argument_spec=module_args,
 95 |         supports_check_mode=True
 96 |     )
 97 | 
 98 |     def get_passwd(path):
 99 |         # conditional for OS type and set path if diverges from Linux
100 |         passwd_file = open(path, 'rt')
101 |         users = list()
102 |         for u in passwd_file:
103 |             user = dict()
104 |             field = u.replace('\n', '').split(':')
105 |             if len(field) > 0:
106 |                 user['user'] = field[0]
107 |                 if field[1] == 'x':
108 |                     user['shadow'] = True
109 |                 else:
110 |                     user['shadow'] = False
111 |                     user['encrypted_password'] = field[1]
112 |                 user['uid'] = field[2]
113 |                 user['gid'] = field[3]
114 |                 user['comment'] = field[4]
115 |                 user['home'] = field[5]
116 |                 user['shell'] = field[6]
117 |             users.append(user)
118 |         passwd_file.close()
119 |         return users
120 | 
121 |     def get_shadow(path):
122 |         # conditional for OS type and set path if diverges from Linux
123 |         shadow_file = open(path, 'rt')
124 |         susers = list()
125 |         for u in shadow_file:
126 |             user = dict()
127 |             field = u.replace('\n', '').split(':')
128 |             if len(field) > 0:
129 |                 user['user'] = field[0]
130 |                 user['encrypted_password'] = field[1]
131 |                 user['last_pw_change'] = field[2]
132 |                 user['min_pw_age'] = field[3]
133 |                 user['max_pw_age'] = field[4]
134 |                 user['pw_warning_days'] = field[5]
135 |                 user['pw_inactive_days'] = field[6]
136 |                 user['account_expiration'] = field[7]
137 |                 user['reserved'] = field[8]
138 |             susers.append(user)
139 |         shadow_file.close()
140 |         return susers
141 | 
142 |     def get_group(path):
143 |         # conditional for OS type and set path if diverges from Linux
144 |         group_file = open(path, 'rt')
145 |         groups = list()
146 |         for g in group_file:
147 |             group = dict()
148 |             field = g.replace('\n', '').split(':')
149 |             if len(field) > 0:
150 |                 group['group'] = field[0]
151 |                 if field[1] == 'x' or field[1] == '!':
152 |                     group['gshadow'] = True
153 |                 else:
154 |                     group['encrypted_password'] = field[1]
155 |                     group['gshadow'] = False
156 |                 group['gid'] = field[2]
157 |                 if field[3] != '':
158 |                     members = field[3].split(',')
159 |                 else:
160 |                     members = list()
161 |                 group['members'] = members
162 |             groups.append(group)
163 |         group_file.close()
164 |         return groups
165 | 
166 |     def get_gshadow(path):
167 |         # conditional for OS type and set path if diverges from Linux
168 |         gshadow_file = open(path, 'rt')
169 |         sgroups = list()
170 |         for g in gshadow_file:
171 |             sgroup = dict()
172 |             field = g.replace('\n', '').split(':')
173 |             if len(field) > 0:
174 |                 sgroup['group'] = field[0]
175 |                 sgroup['encrypted_password'] = field[1]
176 |                 if field[2] != '':
177 |                     administrators = field[2].split(',')
178 |                 else:
179 |                     administrators = list()
180 |                 sgroup['administrators'] = administrators
181 |                 if field[3] != '':
182 |                     members = field[3].split(',')
183 |                 else:
184 |                     members = list()
185 |                 sgroup['members'] = members
186 |             sgroups.append(sgroup)
187 |         gshadow_file.close()
188 |         return sgroups
189 | 
190 |     def merge_group_data(groups, gshadow):
191 |         # takes list of group dictionaries (groups) and
192 |         #   list of shadow group dictionaries (gshadow)
193 |         groups_merged = list()
194 |         for g in groups:
195 |             key = g['group']
196 |             for s in gshadow:
197 |                 if s['group'] == key:
198 |                     s.update(g)
199 |                     groups_merged.append(s)
200 |         return groups_merged
201 | 
202 |     def merge_user_data(users, shadow):
203 |         # takes list of user dictionaries (users) and
204 |         #   list of shadow user dictionaries (shadow)
205 |         users_merged = list()
206 |         for u in users:
207 |             key = u['user']
208 |             for s in shadow:
209 |                 if s['user'] == key:
210 |                     s.update(u)
211 |                     users_merged.append(s)
212 |         return users_merged
213 | 
214 |     groups = merge_group_data(get_group(module.params['group_path']), get_gshadow(module.params['gshadow_path']))
215 |     users = merge_user_data(get_passwd(module.params['passwd_path']),get_shadow(module.params['shadow_path']))
216 | 
217 |     output = {'local_users': users, 'local_groups': groups}
218 |     result = {'ansible_facts': output}
219 | 
220 |     module.exit_json(**result)
221 | 
222 | 
223 | if __name__ == '__main__':
224 |     main()
225 | 


--------------------------------------------------------------------------------
/test/library:
--------------------------------------------------------------------------------
1 | ../library


--------------------------------------------------------------------------------
/test/scan_cron.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: "Test scan_cron - Python 2.7"
 3 |   hosts: "localhost"
 4 |   gather_facts: False
 5 |   vars:
 6 |     ansible_python_interpreter: "/usr/bin/python2.7"
 7 |   tasks:
 8 |     - name: "Scan Cron - all data"
 9 |       scan_cron:
10 |       become: True
11 | 
12 |     - name: "Display all cron data"
13 |       debug:
14 |         var: "cron"
15 | 
16 |     - name: "Scan Cron - no parsed data"
17 |       scan_cron:
18 |         output_parsed_configs: False
19 |       become: True
20 | 
21 |     - name: "Display only cron raw configs"
22 |       debug:
23 |         var: "cron"
24 | 
25 |     - name: "Scan Cron - no raw configuration data"
26 |       scan_cron:
27 |         output_raw_configs: False
28 |       become: True
29 | 
30 |     - name: "Display only cron parsed data"
31 |       debug:
32 |         var: "cron"
33 | 
34 | - name: "Test scan_cron - Python 3.7"
35 |   hosts: "localhost"
36 |   gather_facts: False
37 |   vars:
38 |     ansible_python_interpreter: "/usr/bin/python3.7"
39 |   tasks:
40 |     - name: "Scan Cron - all data"
41 |       scan_cron:
42 |       become: True
43 | 
44 |     - name: "Display all cron data"
45 |       debug:
46 |         var: "cron"
47 | 
48 |     - name: "Scan Cron - no parsed data"
49 |       scan_cron:
50 |         output_parsed_configs: False
51 |       become: True
52 | 
53 |     - name: "Display only cron raw configs"
54 |       debug:
55 |         var: "cron"
56 | 
57 |     - name: "Scan Cron - no raw configuration data"
58 |       scan_cron:
59 |         output_raw_configs: False
60 |       become: True
61 | 
62 |     - name: "Display only cron parsed data"
63 |       debug:
64 |         var: "cron"
65 | 


--------------------------------------------------------------------------------
/test/scan_processes.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: "Test scan_processes - Python 2.7"
 3 |   hosts: "localhost"
 4 |   gather_facts: False
 5 |   vars:
 6 |     ansible_python_interpreter: "/usr/bin/python2.7"
 7 |   tasks:
 8 |     - name: "Scan Processes - Show Everything"
 9 |       scan_processes:
10 |         output_ps_stdout_lines: True
11 |       become: True
12 | 
13 |     - name: "Display Processes"
14 |       debug:
15 |         var: "running_processes"
16 | 
17 |     - name: "Collect only process standard out lines"
18 |       scan_processes:
19 |         output_ps_stdout_lines: True
20 |         output_parsed_processes: False
21 |       become: True
22 | 
23 |     - name: "Display Processes - only stdout lines"
24 |       debug:
25 |         var: "running_processes"
26 | 
27 |     - name: "Collect only parsed process data"
28 |       scan_processes:
29 |       become: True
30 | 
31 |     - name: "Display Parsed Processes only"
32 |       debug:
33 |         var: "running_processes"
34 | 
35 | - name: "Test scan_processes - Python 3.7"
36 |   hosts: "localhost"
37 |   gather_facts: False
38 |   vars:
39 |     ansible_python_interpreter: "/usr/bin/python3.7"
40 |   tasks:
41 |     - name: "Scan Processes - Show Everything"
42 |       scan_processes:
43 |         output_ps_stdout_lines: True
44 |       become: True
45 | 
46 |     - name: "Display Processes"
47 |       debug:
48 |         var: "running_processes"
49 | 
50 |     - name: "Collect only process standard out lines"
51 |       scan_processes:
52 |         output_ps_stdout_lines: True
53 |         output_parsed_processes: False
54 |       become: True
55 | 
56 |     - name: "Display Processes - only stdout lines"
57 |       debug:
58 |         var: "running_processes"
59 | 
60 |     - name: "Collect only parsed process data"
61 |       scan_processes:
62 |       become: True
63 | 
64 |     - name: "Display Parsed Processes only"
65 |       debug:
66 |         var: "running_processes"
67 | 


--------------------------------------------------------------------------------
/test/scan_sudoers.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: "Test scan_sudoers - Python 2.7"
 3 |   hosts: "localhost"
 4 |   gather_facts: False
 5 |   vars:
 6 |     ansible_python_interpreter: "/usr/bin/python2.7"
 7 |   tasks:
 8 |     - name: "Scan Sudoers"
 9 |       scan_sudoers:
10 |       become: True
11 | 
12 |     - name: "Display all sudoers data"
13 |       debug:
14 |         var: "sudoers"
15 | 
16 |     - name: "Scan Sudoers - no parsed data"
17 |       scan_sudoers:
18 |         output_parsed_configs: False
19 |       become: True
20 | 
21 |     - name: "Display only sudoers raw configs"
22 |       debug:
23 |         var: "sudoers"
24 | 
25 |     - name: "Scan Sudoers - no raw configuration data"
26 |       scan_sudoers:
27 |         output_raw_configs: False
28 |       become: True
29 | 
30 |     - name: "Display only sudoers parsed configs"
31 |       debug:
32 |         var: "sudoers"
33 | 
34 | - name: "Test scan_sudoers - Python 3.7"
35 |   hosts: "localhost"
36 |   gather_facts: False
37 |   vars:
38 |     ansible_python_interpreter: "/usr/bin/python3.7"
39 |   tasks:
40 |     - name: "Scan Sudoers - all data"
41 |       scan_sudoers:
42 |       become: True
43 | 
44 |     - name: "Display all sudoers data"
45 |       debug:
46 |         var: "sudoers"
47 | 
48 |     - name: "Scan Sudoers - no parsed data"
49 |       scan_sudoers:
50 |         output_parsed_configs: False
51 |       become: True
52 | 
53 |     - name: "Display only sudoers raw configs"
54 |       debug:
55 |         var: "sudoers"
56 | 
57 |     - name: "Scan Sudoers - no raw configuration data"
58 |       scan_sudoers:
59 |         output_raw_configs: False
60 |       become: True
61 | 
62 |     - name: "Display only sudoers parsed configs"
63 |       debug:
64 |         var: "sudoers"
65 | 


--------------------------------------------------------------------------------
/test/scan_user_group.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: "Test scan_user_group - Python 2.7"
 3 |   hosts: "localhost"
 4 |   gather_facts: False
 5 |   vars:3
 6 |     ansible_python_interpreter: "/usr/bin/python2.7"
 7 |   tasks:
 8 |     - name: "Scan users and groups"
 9 |       scan_user_group:
10 |       become: True
11 | 
12 |     - name: "Display local user facts"
13 |       debug:
14 |         var: "local_users"
15 | 
16 |     - name: "Display local group facts"
17 |       debug:
18 |         var: "local_groups"
19 | 
20 | 
21 | - name: "Test scan_user_group - Python 3.7"
22 |   hosts: "localhost"
23 |   gather_facts: False
24 |   vars:
25 |     ansible_python_interpreter: "/usr/bin/python3.7"
26 |   tasks:
27 |     - name: "Scan users and groups"
28 |       scan_user_group:
29 |       become: True
30 | 
31 |     - name: "Display local user facts"
32 |       debug:
33 |         var: "local_users"
34 | 
35 |     - name: "Display local group facts"
36 |       debug:
37 |         var: "local_groups"
38 | 


--------------------------------------------------------------------------------