Day: April 16, 2024

  • Validate the Integrity of a File Backup using Ansible

    Validate the Integrity of a File Backup using Ansible

    Introduction

    Running nightly file backups is a common task for administrators. How do we know the file was copied successfully with no errors? In this post, we will set up an ansible script and it will run a file integrity check using MD5 on both the source and the destination files to verify it was not corrupted during the copy process. In this process the Ansible server is assumed to be a separate server from both the source server and the designation server.

    Specifically, we will tell Ansible to execute a bash script on the source and destination servers, gather the results and store them in a temp text file, then it will output the text file to the body of an email and send it to interested parties for review.

    Create the Ansible Script

    Add comments to the head of the script. I like to include an example of the command, so that it can be easily copied to the command line.

    # Ansible script, validate.yml
# cmd: ansible-playbook -i inventory.ini validate.yml

    Add the variables to the script. All ansible scripts start with three dashes. Also note the Ansible is very sensitive to the placement of the columns. The names, hosts, and tasks columns must be lined up exact or the script will not execute. 

    ---
- name: Verify integrity using md5 checksums 
  hosts: server1.company.com:server2.company.com
  gather_facts: False

    Add the tasks that must be executed.

      tasks:
    - name: Check file integrity
      script: /home/user1/validate.sh   
      ignore_errors: False 
      register: results
    - name: Make a header for the results txt file.
      shell: echo '<-- results -->'
      register: title
      delegate_to: localhost
      run_once: true
    - name: Create new results txt file. 
      local_action: copy content={{ title.stdout }}
      dest=/home/user1/validate.txt
    - name: Append results to txt file. 
      lineinfile:
         dest: /home/user1/validate.txt
         line: "{{ results.stdout }}"
         insertafter: EOF
      delegate_to: localhost
    - name: get the date
      shell: "date +%Y-%m-%d"
      register: tstamp
      delegate_to: localhost

    Finally we will send an email to interested parties. 

    - name: Sending email
      mail:
         host: exchange.company.com
         port: 25
         from: hostname@company.com
         to: 
         - user1@company.com
         - user2@company.com	
         subject: Copied to backup server.
         body: "Date: {{ tstamp.stdout }}\n\n
               NOTE: The below results are for yesterday's files.\n\n
               {{ lookup('file','/home/user1/validate.txt') }}"
      delegate_to: localhost
      run_once: True

    Build the Bash Script

    In Ansible, it will execute the code on all servers simultaneously. So, we don’t know what server’s results will be returned to Ansible first. That is why we need the server hostname.

    Create the headers.

    #!/bin/bash
# validate.sh

    Create the variables.

    date=`date -d yesterday +%Y-%m-%d`
host=`hostname | awk '{print tolower($0)}'`
day=`date -d yesterday +%d`
month=$(date -d yesterday +%b)
year=`date +%Y`

src_dir1="/var/ossec/logs/$year/$month"
dst_dir1="/mnt/storage/logs/$year/$month"
file="filename-$day.log"

    Execute the comamnds, to gather the needed data.

    # Get source file results
results1=$(ls -alhF "$src_dir1/$file")
md5sum1=$(md5sum "$src_dir1/$file" | awk '{ print $1 }' )
# Get destination file results
results2=$(ssh backupserver "ls -alhF $dst_dir1/$file")
md5sum2=$(ssh backupserver "md5sum $dst_dir1/$file" | awk '{ print $1 }')

    Output the results. Remember these results will be returned to Ansible.

    # output results, compare file file size and MD5 hash.
echo " $host File: $results1"
echo "Backup File: $results2"
echo ""
echo " $host MD5_Sum: $md5sum1"
echo "Backup MD5_Sum: $md5sum2"

    This is my own method for verifying files were copied correctly. I hope you find it useful.

  • Update, Reboot, & Get the Health of Remote Servers

    Update, Reboot, & Get the Health of Remote Servers

    Introduction

    Ansible was designed to remotely manage multiple Linux servers simultaneously. Scripts can be used for many common tasks like updating, rebooting, or to the check health of your Linux servers . Ansible scripts are very format sensitive, so be sure that all columns match up, as below, or it will not run.

    Notice that some scripts call sudo and you need the ‘-K’ switch in the command. You can tell if the script calls sudo by the line ‘become: yes’.

    Update & Reboot all Servers

    This will updated, upgrade, remove unnecessary files, and clear the local repository cache. Finally, it will send an email when completed. It will run against all servers, in the ini file, listed in the group called ‘all_servers’. 

    # Ansible script, update.yml
# Update all servers. 
# cmd: ansible-playbook -K -i inventory.ini update.yml

---
- name: Update Servers
  hosts: all_servers
  gather_facts: no
  become: true
  tasks:
  - name: Run apt update
    apt:
       update_cache: yes
  - name: Run apt upgrade.
    apt:
       name: "*"
       state: latest
  - name: Run apt autoremove.
    apt:
       autoremove: yes 
  - name: Run apt autoclean. Clean the /var/cache/apt/archive file
    apt:
       autoclean: yes
  - name: Reboot servers.
    reboot:
 - name: Send email that task was completed.
   hosts: localhost 
   gather_facts: false
   become: false

   tasks:
     - mail:
         host: exchange.company.com
         port: 25
         from: hostname@company.com
         to: user1@company.com
         subject: Servers have been updated
         body: All servers have been successfully updated and rebooted.
       delegate_to: localhost
       run_once: True

    Reboot Specific Servers

    # Ansible script, reboot.yml
# Use to reboot multiple specific servers.
# cmd: ansible-playbook -K -i inventory.ini reboot.yml

---
- name: Reboot specified servers
  hosts: server01.company.com:server02.company.com:server03company.com
  gather_facts: no
  become: true

  tasks:
   - name: Reboot servers.
     reboot:

    Check the Health of the Remote Servers

    The check health script gathers basic information about the remote servers. Is the hard disk drive full? Does the server need a reboot? How long has the server been up?

    The ansible script calls a bash script, that is then executed on all remote hosts. The results are returned and printed to a text file. An email copies the contents of the text file to the body of the email and results are emailed. Be sure to save the inventory.ini, bash scripts, and the ansible scripts in the same directory.

    # Ansible script, health.yml
# Get hostname, uptime, reboot state, & disc space of each server.
# cmd: ansible-playbook -i inventory.ini health.yml 
---
- name: Run health check of servers.
  hosts: all_servers
  gather_facts: false

  tasks:
    - name: Get health of security servers
      script: /home/user1/svr_health.sh 
      ignore_errors: False
      register: results      
    - name: Make a header for a txt file.
      shell: echo '<--- SERVERS DAILY REPORT --->'
      register: title
      delegate_to: localhost
      run_once: true
    - name: Create a new txt file.
      local_action: copy content={{ title.stdout }} dest=/home/user1/svr_health.txt
    - name: Append results to txt file.
      lineinfile:
        dest: /home/user1/svr_health.txt
        line: "{{ results.stdout }}" 
        insertafter: EOF
      delegate_to: localhost      
    - name: Sending email.
      mail:
         host: exchange.company.com
         port: 25
         from: hostname@company.com
         to:
         - user1@company.com
         - user2@company.com
         subject: Servers Health Status
         body: "Expected Server Cnt: 18 \nActual Total Cnt: {{ ansible_play_hosts | length }}\n\n {{ lookup('file','/home/user1/svr_health.txt') }}"
      delegate_to: localhost
      run_once: True
    #!/bin/bash

date=`date`
uptime=`uptime | grep -ohe 'up .*' | sed 's/,//g' | awk '{ print $2" "$3 }'`
hostname=`hostname`
file="/var/run/reboot-required"
# Note: Assumes all servers have a logical volume drive.
diskspace=`df -h | grep /dev/mapper/`

echo
echo "Date:     $date"
echo "Hostname: $hostname"
echo "Space:    $diskspace"
echo "Uptime:   $uptime"

if [[ -f $file ]];then
	echo "Reboot:   *** Reboot Required ***"
else
	echo "Reboot:   No Reboot Required"
fi
  • Managing User Accounts with Ansible

    Managing User Accounts with Ansible

    Introduction

    Ansible is a program designed to manage Linux servers. See blog post on setting up Ansible, creating a script, creating an inventory file, and calling a script from the command line. You can call a single server or multiple servers by separating then with a colon on the ‘hosts’ line. If a large number of hosts needs to be called, create a group in the inventory.ini file and call the group on the ‘hosts’ line.

    Create a New User’s Account on Multiple Servers

    When a new hire comes onboard, rather than log into each server directly and manually create their accounts, run this script and it will create the accounts on all servers simultaneously. 

    # Ansible script, newuser.yml
# Create a user, home directory, add user to a group, and set password.
# cmd: ansible-playbook -K -i inventory.ini newuser.yml --extra-vars newpassword=P@$$w0rd
---
- name: Create user 
  hosts: server1.company.com:server2.company.com:server3.company.com
  become: yes

  tasks:
    - name: create user
      ansible.builtin.user:
        name: User1
        password: "{{ newpassword|password_hash('sha512') }}"
        groups: sudo
        state: present
        shell: /bin/bash
        create_home: yes
        system: no
        append: yes

    Get a List of Servers that have a Specific User’s Account

    If a user leaves the company, you can never be sure what Linux servers they were given access to, so I run this to get a list of what servers they have accounts. It outputs the results to a text file, which the results can be easily be viewed. This script calls a host group called “all_servers” in the inventory.ini file.

    # Ansible script, finduser.yml
# Identify the servers that have an account and put results into a txt file.
# cmd: ansible-playbook -K -i inventory.ini finduser.yml 
---
- name: Find user accounts
  hosts: all_servers
  gather_facts: false
  become: True 

  tasks:
    - name: Make a new file
      shell:
         cmd: echo "New file results" > /home/user1/finduser.txt
      delegate_to: localhost
      run_once: True

    - name: Run finduser.sh script
      script: /home/user1/finduser.sh
      ignore_errors: True
      register: results
    
    - name: append results to file
      lineinfile:
        dest: /home/user1/finduser.txt
        line: "{{ results.stdout }}"
        insertafter: EOF
      delegate_to: localhost

    Remove A User’s Account

    Once you have identified which servers the user has an account on, add the username to the script and specify the target hosts. As before, you can list multiple servers, separated by a colon, or create a group in the *ini file and then add the group name to the ‘hosts’ line. 

    # Ansible script, deleteuser.yml
# Remove user account and remove /home folder
# cmd: ansible-playbook -K -i inventory.ini deleteuser.yml
---
- name: Remove user
  hosts: server01.company.com:server02.company.com
  become: true
  gather_facts: false

  tasks:
    - name: remove user
      ansible.builtin.user: 
        name: User1
        state: absent
        remove: yes

    Push a Key to Multiple Servers

    It is recommended that users login using public and private keys. It is easy to push a users public key to multiple servers at same time. Replace the ‘key’, with the user’s actual public key surrounded by double quotes.

    The authorized key command handles creating the directors and setting permissions on all files. 

    # Ansible script, pushpublickeys.yml
# Push a users public key to the servers. 
# cmd: ansible-playbook -K -i inventory.ini pushpublickey.yml
---
- name: Push public keys to all servers.
  hosts: all_servers
  become: true
  gather_facts: false

  tasks:
    - name: Push public key. 
      authorized_key:
        user: user1
        state: present
        key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3AZEUvLo5/plnlDsIPRNp0Zx1Is9mZ3NqfmQUj6pDV6wEPtl7jbY12SY243/O7h+rqfkRJEyHgHnmBU9PewsENSXR6asdfgh3cFDJIuZWUMovkS3PehIIvqUFDN9/G5xV1nmz2e41IX/vAqsHw6nP4WvescHIUXPhRmUK4MbLSBvGgLOQa3f+UMAIque3nVfh0ZxWzE1YyMH7lpXMbdTIBcr/LZwdZXmPQpdnaEavAuKKQZiSylcGuThXp1ciPXK7x9RRBje3MN5N5lQRNI6amZz+zPh9CTZShvP6PWNGeNkMysAYPpB90KwGg/JN+GJn6mws/I58I/C22uxFDGRoiZiwJZDZZ3SJyuenEZ6w4oYLN8c8llo5D01ecoUUZjV/3lx6Drm68sVe/rOajFtLbIoHy0lZEp1kM/Hv5nGf9ISDwLyNLD91aG747buPrPIm4yqea2+Pcv1p1VspCc= user123@xxxxxxxx"
        manage_dir: true

    Change a User’s Password

    Perhaps a user forgot their password, or they have left the company. You may need to change their password. Again, modify the ‘hosts’ line as necessary, with a single, multiple, or a group of servers. 

    # Ansible script, chpassword.yml
# Change a user's password.
# cmd: ansible-playbook -K -i inventory.ini chpassword.yml --extra-vars newpassword=P@$$w0rd

---
- hosts: all_servers
  become: yes
  tasks:
    - name: Change users password
      user:
        name: deeznuts
        update_password: always
        password: "{{ newpassword|password_hash('sha512') }}"
  • Make a Batch Script to Map Your Drives

    Make a Batch Script to Map Your Drives

    Introduction

    Although Microsoft calls it mapping a drive, in truth, you are just mapping the location of a specific local or remote folder. You are not technically mapping an entire hard drive.

    There are several reasons it is worthwhile to write a batch script that can auto connect your frequently used folders. A common reason is that enterprise users frequently get their network folders disconnected. Problems arise from VPN disconnects, power fluctuations, or other concerns.

    We can make a batch script and save it on their desktop (or in their startup folder) to quickly get their folders re-connected. The user’s just need to double click the script file and it will quickly restore their network folders.

    Map the folders (aka. drives)

    Let’s create a script called ‘mapdrives.bat’ using notepad.

    Add information to the headers. Anything with REM or :: will not be executed.

    REM mapdrives.bat
REM Place this file on your desktop, in your startup folder, or create a task.
TITLE MAP NETWORK & LOCAL FOLDERS

    Use ‘echo off’, at the top of the script. This tells the script to not display the commands or results to the screen, as they are executed. Use ‘echo.’ to print a blank line, and use just ‘echo’ to print data to the screen.

    @echo off
cls
echo ******************************************
date /t
echo.
echo Mapping folders . . .
echo.

    Comment your code using descriptors and use ‘net use’ to map the folder paths. Be sure to put quotes around the file path if there is a space somewhere in the path.

    REM Map a Network Folder.
net use S: \\server_name\folder\folder
net use H: \\website.com\folder\folder
REM Map a local folder called scripts.
net use N: "\\localhost\c$\Users\<username>\Cool Stuff\scripts"
echo.

    Let’s create a short delay and exit the program. We can add the command ‘pause’ and it will hold the command prompt open until a key is struck or use ‘ping’ and it will wait three seconds and exit automatically. 

    echo All folders are mapped - End of Task
:: This will create a 3 sec delay before exiting.
:: ping 127.0.0.1 -n 3 -w 1000 > NUL
pause
echo.
exit

    Finally, save the file with ‘.bat’ file extension and then double click the file to execute it.

    Open File Explorer and you will see your newly mapped folders.