hosts
# Static inventory; the group name is what the playbook's `hosts: centos` selects.
# Per-host SSH/sudo credentials are not kept here but in the vault-encrypted passwords.yml.
[centos]
192.168.174.129 ansible_ssh_port=22
192.168.174.130 ansible_ssh_port=22
192.168.174.131 ansible_ssh_port=22
Ansible Vault 文件
创建 Ansible Vault 文件
# ansible-vault create passwords.yml
New Vault password: # 12345678
Confirm New Vault password:
编辑 Ansible Vault 文件
# ansible-vault edit passwords.yml
Vault password:
passwords.yml
# Encrypted at rest with ansible-vault (created/edited via `ansible-vault create|edit passwords.yml`).
# Keyed by inventory hostname so the playbook can resolve
# hosts_passwords[inventory_hostname].yunwei_password for both ansible_ssh_pass and ansible_become_pass.
hosts_passwords:
  192.168.174.129:
    yunwei_password: "5'_9R*aS6^8Q&&3o"
  192.168.174.130:
    yunwei_password: "yunwei_130"
  192.168.174.131:
    yunwei_password: "yunwei_131"
check_expir_user-playbook.yaml
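# Remove local accounts whose password has expired.
# Flow: lift the immutable bit from the account files, list interactive users
# (login shell /bin/bash) that are not on the exclusion list, ask chage for each
# one's password expiry, delete the expired ones, then restore the immutable bit.
# The restore sits in `always`, so a failure mid-play cannot leave the files writable.
- hosts: centos
  remote_user: yunwei
  become: true
  become_method: sudo
  gather_facts: false
  vars_files:
    # Vault-encrypted; supplies hosts_passwords.<inventory_hostname>.yunwei_password
    - passwords.yml
  vars:
    # Per-host SSH and sudo password, looked up by inventory hostname
    ansible_ssh_pass: "{{ hosts_passwords[inventory_hostname].yunwei_password }}"
    ansible_become_pass: "{{ hosts_passwords[inventory_hostname].yunwei_password }}"
    # Accounts that are never considered for deletion, written as an awk ERE alternation
    excluded_users: "root|yunwei|sreuser|wgs|autodevops"
  tasks:
    - name: Audit and remove expired users while the account files are writable
      block:
        - name: chattr -i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile
          ansible.builtin.command:
            cmd: chattr -i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile

        - name: Get users with /bin/bash shell excluding specified users
          # `cmd:` is a parameter of the shell module; nesting it inside a
          # `shell: |` block scalar would hand the literal text "cmd: |" to the shell.
          ansible.builtin.shell:
            cmd: |
              awk -F: -v excluded="{{ excluded_users }}" '$7 == "/bin/bash" && !($1 ~ "^("excluded")$") {print $1}' /etc/passwd
          register: bash_users
          changed_when: false

        - name: Check if user passwords are expired and compile list of expired users
          # Prints the user name on stdout only when the password is expired; otherwise prints nothing.
          ansible.builtin.shell:
            # the [[ ]] tests below are bash syntax, so do not rely on /bin/sh being bash
            executable: /bin/bash
            cmd: |
              CURRENT_DATE=$(date +%Y-%m-%d)
              # LC_ALL=C keeps chage's labels in English so the grep matches under any locale
              EXPIRY_DATE_STR=$(LC_ALL=C chage -l {{ item | quote }} | grep 'Password expires' | cut -d: -f2 | xargs)
              if [[ "$EXPIRY_DATE_STR" == "password must be changed" ]]; then
                echo "{{ item }}"
              elif [[ -z "$EXPIRY_DATE_STR" || "$EXPIRY_DATE_STR" == "never" ]]; then
                # No expiry set, or chage gave no answer: never treat as expired.
                # Passing "never" to date -d fails and leaves an empty date, which an
                # unguarded string comparison would count as "before today".
                :
              elif EXPIRY_DATE=$(date -d "$EXPIRY_DATE_STR" +%Y-%m-%d 2>/dev/null) && [[ "$EXPIRY_DATE" < "$CURRENT_DATE" ]]; then
                echo "{{ item }}"
              fi
          loop: "{{ bash_users.stdout_lines }}"
          register: expired_users
          changed_when: false

        - name: Delete expired users
          # Home directory and mail spool are kept (no `remove: true`).
          ansible.builtin.user:
            name: "{{ item }}"
            state: absent
          # Every loop iteration registers a result and only expired users printed a name,
          # so drop the empty stdouts; otherwise `user` would be invoked with name "".
          loop: "{{ expired_users.results | default([]) | selectattr('stdout', 'defined') | map(attribute='stdout') | reject('equalto', '') | list }}"
          register: delete_users

        - name: Display removed users
          ansible.builtin.debug:
            msg: "Removed expired users: {{ delete_users.results | default([]) | map(attribute='item') | list }}"
          when:
            - delete_users.results | default([]) | length > 0

      always:
        # Runs whether the block succeeded or failed, so the files are never left mutable
        - name: chattr +i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile
          ansible.builtin.command:
            cmd: chattr +i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile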
测试 playbook
# ansible-playbook -i hosts check_expir_user-playbook.yaml --ask-vault-pass
Vault password:
PLAY [centos] ******************************************************************************************************************************************************************
TASK [chattr -i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile] *****************************************************************************
changed: [192.168.174.130]
changed: [192.168.174.131]
changed: [192.168.174.129]
TASK [Get users with /bin/bash shell excluding specified users] ****************************************************************************************************************
ok: [192.168.174.131]
ok: [192.168.174.129]
ok: [192.168.174.130]
TASK [Check if user passwords are expired and compile list of expired users] ***************************************************************************************************
ok: [192.168.174.130] => (item=user1)
ok: [192.168.174.131] => (item=user1)
ok: [192.168.174.129] => (item=user1)
ok: [192.168.174.131] => (item=user2)
ok: [192.168.174.130] => (item=user2)
ok: [192.168.174.129] => (item=user2)
ok: [192.168.174.131] => (item=user3)
ok: [192.168.174.130] => (item=user3)
ok: [192.168.174.129] => (item=user3)
ok: [192.168.174.131] => (item=user4)
ok: [192.168.174.129] => (item=user4)
ok: [192.168.174.130] => (item=user4)
TASK [Delete expired users] ****************************************************************************************************************************************************
changed: [192.168.174.130] => (item=user1)
changed: [192.168.174.129] => (item=user1)
changed: [192.168.174.131] => (item=user1)
changed: [192.168.174.129] => (item=user2)
changed: [192.168.174.130] => (item=user2)
changed: [192.168.174.131] => (item=user2)
changed: [192.168.174.129] => (item=user3)
changed: [192.168.174.131] => (item=user3)
changed: [192.168.174.130] => (item=user3)
changed: [192.168.174.131] => (item=user4)
changed: [192.168.174.129] => (item=user4)
changed: [192.168.174.130] => (item=user4)
TASK [Display removed users] ***************************************************************************************************************************************************
ok: [192.168.174.129] => {
"msg": "Removed expired users: [u'user1', u'user2', u'user3', u'user4']"
}
ok: [192.168.174.130] => {
"msg": "Removed expired users: [u'user1', u'user2', u'user3', u'user4']"
}
ok: [192.168.174.131] => {
"msg": "Removed expired users: [u'user1', u'user2', u'user3', u'user4']"
}
TASK [chattr +i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile] *****************************************************************************
changed: [192.168.174.129]
changed: [192.168.174.131]
changed: [192.168.174.130]
PLAY RECAP *********************************************************************************************************************************************************************
192.168.174.129 : ok=6 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.174.130 : ok=6 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.174.131 : ok=6 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0