Tuesday, February 25, 2025

Lock Linux users who have not logged in for 30 days

Hello Guys,

A few days back a somewhat unusual requirement came to me: lock a local user if he/she has not logged into the system for more than 30 days. That means:

  1. He/She should not be able to log in to the system
  2. He/She should not be able to SSH into the system
  3. His/Her account should be locked
---
- name: Lock users who have not logged in the last 30 days (excluding system users)
  hosts: linux_servers
  become: yes
  tasks:

    # lastlog -b 30 prints only records older than 30 days; that includes accounts
    # that have never logged in, which show "**Never logged in**" instead of a date,
    # so match on that text rather than on a single column
    - name: Get list of users who have not logged in within 30 days
      ansible.builtin.shell: "lastlog -b 30 | awk 'NR>1 && !/Never logged in/ {print $1}'"
      register: inactive_users
      changed_when: false

    - name: Get list of system users (UID < 1000)
      ansible.builtin.shell: "awk -F: '$3 < 1000 {print $1}' /etc/passwd"
      register: system_users
      changed_when: false

    - name: Display inactive users
      ansible.builtin.debug:
        var: inactive_users.stdout_lines

    - name: Display system users (excluded)
      ansible.builtin.debug:
        var: system_users.stdout_lines

    # usermod --lock prefixes the password hash with "!"; sshd on Linux treats such
    # an account as locked too, so SSH logins are refused whatever the auth method
    - name: Lock inactive users (excluding system users)
      ansible.builtin.command: "usermod --lock {{ item }}"
      loop: "{{ inactive_users.stdout_lines }}"
      when:
        - item not in system_users.stdout_lines
        - item not in ["root", "nrathi", "nobody", "other_imp_user"]
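As an added example (not from the post), here is the same selection logic as a POSIX shell script run over constructed `lastlog -b 30` and `/etc/passwd` samples, so the filter can be dry-run before any account is touched; the PROTECTED list is a placeholder mirroring the playbook's exclusions.

```shell
#!/bin/sh
# Constructed samples (not real captures); on a host pass "$(lastlog -b 30)"
# and "$(cat /etc/passwd)" instead.
SAMPLE_LASTLOG='Username         Port     From             Latest
root             tty1                      Mon Jan  6 09:12:01 +0000 2025
nrathi           pts/0    10.0.0.5         Tue Jan  7 18:40:12 +0000 2025
svc_backup                                 **Never logged in**
alice            pts/1    10.0.0.9         Wed Jan  8 11:02:33 +0000 2025
bob                                        **Never logged in**
daemon                                     **Never logged in**'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nrathi:x:1000:1000::/home/nrathi:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
svc_backup:x:1003:1003::/var/backups:/bin/bash'
# Accounts never to lock (placeholder list mirroring the playbook's "when" clause)
PROTECTED="root nrathi nobody other_imp_user"

# Users whose last login is older than the threshold. The header and the
# "**Never logged in**" rows are skipped: those rows carry no date in $3, so a
# test like $3!="Never" lets them through and would lock them as well.
stale_users() {
  printf '%s\n' "$1" | awk 'NR > 1 && !/Never logged in/ { print $1 }'
}

# Human accounts (UID >= 1000) from passwd-formatted input
human_users() {
  printf '%s\n' "$1" | awk -F: '$3 >= 1000 { print $1 }'
}

# Stale users that are human accounts and not on the protected list
lock_candidates() {
  humans=$(human_users "$2")
  for u in $(stale_users "$1"); do
    case " $PROTECTED " in *" $u "*) continue ;; esac
    printf '%s\n' "$humans" | grep -qx -- "$u" && printf '%s\n' "$u"
  done
  return 0
}

# Lock the candidates; DRY_RUN=1 (the default) only prints what would run
apply_locks() {
  for u in $(lock_candidates "$1" "$2"); do
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "would run: usermod --lock $u"
    else usermod --lock "$u"; fi
  done
}
apply_locks "$SAMPLE_LASTLOG" "$SAMPLE_PASSWD"
```

Run it once with the default dry run and review the list before running with DRY_RUN=0 as root.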


Enjoy...guys

Tuesday, February 18, 2025

Enable/Disable USB support on Windows machines using Ansible

Hello Guys,

A couple of months ago I was working on a project where I needed to write an Ansible playbook that can enable or disable USB storage support: Windows should not detect USB storage devices when they are plugged into a computer, and the setting has to be enforced. A Google search turned up the registry key for it, and I converted that into a playbook, which looks like this

---
- name: Disable_Enable USB ports on Windows Operating system
  hosts: all
  gather_facts: true
  tasks:
    - name: Check if servers are reachable
      ansible.windows.win_ping:
      register: ping_result

    # Start=4 disables the USBSTOR (USB mass storage) driver,
    # Start=3 restores the default "load on demand"
    - name: Disable USB storage devices
      ansible.windows.win_regedit:
        path: HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR
        name: Start
        data: 4
        type: dword
        state: present
      register: usb_dis
      when: usb_disable | default(true) | bool

    - name: Enable USB storage devices
      ansible.windows.win_regedit:
        path: HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR
        name: Start
        data: 3
        type: dword
        state: present
      register: usb_en
      when: not (usb_disable | default(true) | bool)

    - name: Reboot system after changing the USB storage setting (if required)
      ansible.windows.win_reboot:
        reboot_timeout: 120
      ignore_errors: true
      when: usb_en is changed or usb_dis is changed

By default it disables USB storage on the Windows computer.

To disable USB storage:

ansible-playbook -i inventory usb.yml

To enable USB storage:

ansible-playbook -i inventory usb.yml -e usb_disable=false

Tuesday, February 11, 2025

Ansible: lock user after 3 unsuccessful login attempts

Hello Guys,

How do you lock a user after 3 unsuccessful login attempts, and have the account reactivated after a cooldown of 10 minutes? Well, there is a well-established Windows command for it, but when you have to do it at scale, or enforce it so that it never gets overwritten, we need automation. So I wrote a playbook for that which makes sure of it.

---
- hosts: windows
  tasks:
    # each `net accounts` call runs once; the marker file records that it was applied
    - name: Set user lockout after 3 attempts
      ansible.windows.win_command: net accounts /lockoutthreshold:3
      register: userLockout
      args:
        creates: C:\userLockout.lock

    - name: Create userLockout.lock
      ansible.windows.win_copy:
        dest: C:\userLockout.lock
        content: ""
        force: no
      when: userLockout is changed

    - name: Set lockout duration to 10 min
      ansible.windows.win_command: net accounts /lockoutduration:10
      register: lockduration
      args:
        creates: C:\lockduration.lock

    - name: Create lockduration.lock
      ansible.windows.win_copy:
        dest: C:\lockduration.lock
        content: ""
        force: no
      when: lockduration is changed

    - name: Reset the failed-attempt counter after 10 min
      ansible.windows.win_command: net accounts /lockoutwindow:10
      register: lockoutwindow
      args:
        creates: C:\lockoutwindow.lock

    - name: Create lockoutwindow.lock
      ansible.windows.win_copy:
        dest: C:\lockoutwindow.lock
        content: ""
        force: no
      when: lockoutwindow is changed

Time sync Windows machines using Ansible

Hello Guys,

I know you have been waiting for an automation that can help sync the time of Windows servers/desktops to a local NTP server using Ansible.

In the previous blog I shared a playbook to set up an NTP server on a RHEL or CentOS box; in this one we will use a playbook that connects to the Windows clients and syncs them with that local NTP server.

So here is the playbook


---
- name: Configure NTP server on Windows and synchronize time
  hosts: all
  force_handlers: true
  gather_facts: false
  tasks:

    # Not strictly necessary; added so the peer shows as an FQDN rather than an IP.
    # lineinfile adds just this entry instead of replacing the whole hosts file.
    - name: Add the NTP server to the hosts file on the Windows host
      ansible.windows.win_lineinfile:
        path: C:\Windows\System32\drivers\etc\hosts
        line: "{{ ntp_server }} rhel.ntpserver.local"
        state: present

    # /update pushes the new peer list into the running w32time service
    # so the /resync that follows already uses it
    - name: Synchronize time with NTP server
      ansible.windows.win_powershell:
        script: |
          w32tm /config /manualpeerlist:"rhel.ntpserver.local" /syncfromflags:manual /reliable:YES /update
          w32tm /resync
      notify:
        - restart w32time
      ignore_errors: true

  handlers:
    - name: restart w32time
      ansible.windows.win_service:
        name: w32time
        state: restarted


To run the Ansible playbook (no spaces around the = in the extra var):

ansible-playbook -i inventory_file ntp_client.yml -e ntp_server="ip address of ntpserver"


Enjoy and let me know what automation you want to work on...

Tuesday, November 19, 2024

Set up an NTP server to sync the Windows machines locally

Hello Guys,

I have been working on a problem where I need to sync the Windows machines in an isolated network. So I suggested that we need a local NTP server and keep syncing to it periodically. I wrote an Ansible playbook to set up the NTP/chrony server, but it can be done manually as well.

For syncing the Windows machines we can also do it locally, but I have set up a playbook which logs in on the Windows machines and syncs the time using the time server we have set up.

---
- name: Set up NTP server on RHEL 9 using Chrony
  hosts: all
  become: yes
  tasks:
    - name: Check if chrony is installed
      ansible.builtin.shell: rpm -qa | grep chrony
      register: chrony_installed
      ignore_errors: true
      check_mode: false
      changed_when: false

    - name: Report that chrony is already installed
      ansible.builtin.debug:
        msg: "chrony is installed"
      when: chrony_installed.rc == 0

    - name: Install chrony package
      ansible.builtin.yum:
        name: chrony
        state: present
      when: chrony_installed.rc != 0

    - name: Configure chrony as an NTP server
      ansible.builtin.copy:
        dest: /etc/chrony.conf
        content: |
          # Use the default CentOS pool servers
          pool 2.centos.pool.ntp.org iburst

          # Allow NTP client access from the local network
          allow 192.168.1.0/24

          # Allow NTP client access from the host-only network
          allow 192.168.56.0/24

          # Serve time even if not synchronized to any NTP server
          local stratum 10

          # Specify log directory
          logdir /var/log/chrony

          # Dump measurements when chronyd exits
          dumpdir /var/lib/chrony

          # Save drift file
          driftfile /var/lib/chrony/drift
      notify:
        - restart chronyd

    - name: Enable and start chronyd service
      ansible.builtin.systemd:
        name: chronyd
        enabled: yes
        state: started

    - name: Ensure firewalld is running
      ansible.builtin.service:
        name: firewalld
        state: started
        enabled: yes

    # 123/udp is NTP itself. 323/udp is chronyd's command port, which binds to
    # localhost only by default, so opening it in firewalld has no effect unless
    # bindcmdaddress is changed in chrony.conf
    - name: Open UDP ports for NTP (Chrony) on the server
      ansible.posix.firewalld:
        port: "{{ item }}/udp"
        permanent: true
        state: enabled
        immediate: true
      loop:
        - 123
        - 323
      notify:
        - Reload firewalld

  handlers:
    - name: restart chronyd
      ansible.builtin.systemd:
        name: chronyd
        state: restarted

    - name: Reload firewalld
      ansible.builtin.service:
        name: firewalld
        state: reloaded


For syncing, go to the Time and Date settings, enter the IP address of the NTP server in the Internet Time section and click Sync now. Alternatively we can also write a playbook if we want to do it in bulk, which I will cover in the next article. Cheers and enjoy...!

Friday, October 25, 2024

Check validity of SSL certificate and notify if expiring in 30 days

Hello Guys,

I was working on a use case where I needed to write a playbook that checks whether the SSL cert is expiring in the next 30 days. I should get an email alert that the SSL cert for the site will expire, reminding me to renew it.

So I wrote a playbook and scheduled it to execute every week, so I keep getting reminders that I need to renew the SSL cert. The playbook looks like this

---
- name: check the certs for site
  hosts: localhost
  vars:
    worn: 30
    user_email: vijay9867206455@gmail.com
    site_url: www.google.com
    # days until expiry; get_certificate returns not_after as %Y%m%d%H%M%SZ and
    # ansible_date_time.iso8601 (from gathered facts) is the "now" side.
    # Defined once here and evaluated lazily, after cert is registered.
    expire_days: "{{ (( cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - (ansible_date_time.iso8601 | to_datetime('%Y-%m-%dT%H:%M:%SZ')) ).days }}"
  tasks:
    - name: Get a cert from an https port
      community.crypto.get_certificate:
        host: "{{ site_url }}"
        port: 443
      delegate_to: localhost
      register: cert

    - name: How many days until cert expires
      ansible.builtin.debug:
        msg: "cert expires in: {{ expire_days }} days."
      when: expire_days | int <= worn | int

    - name: Render the Jinja template for the email body
      ansible.builtin.template:
        src: alert_email.html.j2
        dest: /tmp/alert_email.html
      when: expire_days | int <= worn | int

    - name: Send email alert
      community.general.mail:
        host: smtp.gmail.com
        port: 587
        subtype: html
        to:
          - "{{ user_email }}"
        subject: "Alert: cert for {{ site_url }} is expiring in {{ expire_days }} days"
        body: "{{ lookup('file', '/tmp/alert_email.html') }}"
        username:   # fill in the SMTP account
        password:   # fill in the SMTP password (keep it in ansible-vault)
      when: expire_days | int <= worn | int
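As an added example (not part of the post), the playbook's expire_days arithmetic done in POSIX shell: it converts the %Y%m%d%H%M%SZ string that get_certificate returns in not_after to epoch seconds and floors the difference the way Python's timedelta.days does, so the alert condition can be checked against fixed, constructed timestamps instead of a live site.

```shell
#!/bin/sh
# Convert a %Y%m%d%H%M%SZ timestamp (the not_after format from
# community.crypto.get_certificate) to Unix epoch seconds using the
# days-from-civil algorithm, so no GNU `date -d` is needed.
ts_to_epoch() {
  printf '%s\n' "$1" | awk '{
    y = substr($1,1,4) + 0; m = substr($1,5,2) + 0; d = substr($1,7,2) + 0
    H = substr($1,9,2) + 0; M = substr($1,11,2) + 0; S = substr($1,13,2) + 0
    if (m <= 2) y -= 1
    era = int((y >= 0 ? y : y - 399) / 400)
    yoe = y - era * 400
    doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    days = era * 146097 + doe - 719468
    printf "%d\n", days * 86400 + H * 3600 + M * 60 + S
  }'
}

# Whole days from NOW ($2) until NOT_AFTER ($1), floored like timedelta.days,
# so an already-expired certificate yields a negative count as in the playbook.
days_until_expiry() {
  not_after=$(ts_to_epoch "$1"); now=$(ts_to_epoch "$2")
  awk -v a="$not_after" -v b="$now" 'BEGIN {
    d = (a - b) / 86400; f = int(d); if (f > d) f -= 1; print f }'
}

# Exit 0 when a renewal alert should fire (days remaining <= warn threshold $3),
# the same test as the playbook's `expire_days | int <= worn | int`.
should_alert() {
  [ "$(days_until_expiry "$1" "$2")" -le "$3" ]
}

# Constructed sample values (not taken from a real certificate)
SAMPLE_NOT_AFTER="20241120101500Z"   # certificate notAfter
SAMPLE_NOW="20241025120000Z"         # fixed "current" time for a reproducible run

days_until_expiry "$SAMPLE_NOT_AFTER" "$SAMPLE_NOW"
should_alert "$SAMPLE_NOT_AFTER" "$SAMPLE_NOW" 30 && echo "renewal alert would be sent"
```

On a real host, feed the function the output of openssl x509 -enddate converted to the same compact format, or the not_after value from the registered cert variable.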

Replace the email id with your own, update the username and password for the email account, write a nice email template for it, and that should be it.


Monday, September 30, 2024

Ansible lockout user in Windows

Hello Guys,

As I have already told you, I am recently working extensively with Windows systems. I have come across one more use case where I need to lock users after 3 unsuccessful login attempts, and the users are local, not connected to an AD environment.

I have written a playbook which works without AD

---
- hosts: windows
  tasks:
    - name: Set user lockout after 3 attempts
      ansible.windows.win_command: net accounts /lockoutthreshold:3
      register: userLockout
      args:
        creates: C:\userLockout.lock

    - name: Create userLockout.lock
      ansible.windows.win_copy:
        dest: C:\userLockout.lock
        content: ""
        force: no
      when: userLockout is changed

    - name: Set lockout duration to 10 min
      ansible.windows.win_command: net accounts /lockoutduration:10
      register: lockduration
      args:
        creates: C:\lockduration.lock

    - name: Create lockduration.lock
      ansible.windows.win_copy:
        dest: C:\lockduration.lock
        content: ""
        force: no
      when: lockduration is changed

    - name: Reset the failed-attempt counter after 10 min
      ansible.windows.win_command: net accounts /lockoutwindow:10
      register: lockoutwindow
      args:
        creates: C:\lockoutwindow.lock

    - name: Create lockoutwindow.lock
      ansible.windows.win_copy:
        dest: C:\lockoutwindow.lock
        content: ""
        force: no
      when: lockoutwindow is changed

Enjoy ..! Let me know if you get stuck with automation with Ansible

Ansible to set up a banner on Windows hosts

Hello Guys,

I am recently working on a project where I work mostly on Windows systems. I got a requirement to set up a login banner on Windows machines. I did some googling for the manual steps, as I don't have much understanding of Windows, but I was able to get the required steps.

Basically I need to make some registry entries and that should take care of it.

So I started writing a playbook. You can use this playbook and modify it as you see fit for your use case

---
- name: Set Windows Login Banner
  hosts: all
  vars:
    title: "Company Name Authorised Access Only..!"
    body: "This is a secure system of Company Name. Unauthorised access is prohibited. This system is under surveillance and any unauthorised access will be reported. Powered by Ansible Automation and written by Navneet N. Rathi."

  tasks:
    # results are registered under their own names so they do not shadow
    # the title/body vars used as registry data
    - name: Set banner caption (title) for Windows
      ansible.windows.win_regedit:
        path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
        name: LegalNoticeCaption
        data: "{{ title }}"
        type: string
      register: caption_result

    - name: Set banner text (body) for Windows
      ansible.windows.win_regedit:
        path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
        name: LegalNoticeText
        data: "{{ body }}"
        type: string
      register: text_result

    - name: Reboot the machine
      ansible.windows.win_reboot:
        reboot_timeout: 120
      when: caption_result is changed or text_result is changed
      ignore_errors: true

- hosts: all
  tasks:
    - name: check if win server is up or not
      ansible.windows.win_ping:
      register: ping_status

    - name: Display the status
      ansible.builtin.debug:
        msg: "{{ ping_status }}"


You can use this play to set it up..!

Enjoy..! Let me know if you have any automation use case for which you need help..!


Friday, August 16, 2024

Enable and Disable USB support on Linux servers without reboot

Hello Guys,

In the past couple of weeks I was working on a small project with a very specific objective: I need to enable and disable USB support on Linux-based edge devices. I have used a Raspberry Pi 4 as I don't have any other supported industrial controller with me.

I started by installing the default available OS on the Raspberry Pi, and I was able to log in on the system, which looks like

After doing that I need to enable and disable USB support on, let's say, hundreds of devices, so automation is the way; it can't be done manually. At the same time I need to make sure that the system does not require a reboot, otherwise it would defeat the purpose, so I cannot go with the conventional way of disabling USB support at the kernel level.

So after much googling I came across a Linux utility called usbguard which can be helpful. Once the approach was finalised I moved on to writing the playbook, which looks like this


---
- name: enable disable USB
  hosts: "{{ target }}"
  become: true
  vars:
    # "allow" enables USB devices, "block" disables them (usbguard policy targets)
    enable_usb: allow

  tasks:
    - name: Install usbguard on RedHat family OS
      ansible.builtin.yum:
        name: usbguard
        state: present
      when: ansible_facts['os_family'] == 'RedHat'

    - name: Install usbguard on Debian family OS
      ansible.builtin.apt:
        name: usbguard
        state: present
      when: ansible_facts['os_family'] == 'Debian'

    - name: Deploy the usbguard daemon configuration on the edge devices
      ansible.builtin.template:
        src: usbguard-daemon.conf.j2
        dest: /etc/usbguard/usbguard-daemon.conf
        owner: root
        group: root
        mode: '0600'

    # restarting the daemon applies the new policy immediately, no reboot needed
    - name: restart usbguard service to {{ enable_usb }} USB devices
      ansible.builtin.service:
        name: usbguard
        state: restarted
        enabled: true

and the template (usbguard-daemon.conf.j2) looks like

RuleFile=/etc/usbguard/rules.conf
RuleFolder=/etc/usbguard/rules.d/

# enable_usb is "allow" or "block": the implicit target applies to devices that
# match no rule, the Present* policies to devices already attached at startup
ImplicitPolicyTarget={{ enable_usb }}
PresentDevicePolicy={{ enable_usb }}
PresentControllerPolicy={{ enable_usb }}
InsertedDevicePolicy=apply-policy

RestoreControllerDeviceState=false
DeviceManagerBackend=uevent

# only root and the wheel group may talk to the daemon over IPC
IPCAllowedUsers=root
IPCAllowedGroups=wheel
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/

DeviceRulesWithPort=false
AuditBackend=FileAudit
AuditFilePath=/var/log/usbguard/usbguard-audit.log



Using the above automation I can enable and disable USB support from Red Hat AAP with one click.

With this one job I can get my job done.