This playbook is for installing and configuring SNMP on Ubuntu or RedHat machines.
Change the snmp_location, snmp_contact etc. variables, or define them in the inventory file, or pass them in with --extra-vars, e.g. --extra-vars="snmp_location='location address' snmpv3_user=incredigeek ...etc".
A couple of notes:
We check to see if a read-only SNMPv3 user has already been created. If so, we don't create a new one.
The snmpd service is stopped and started each time this is run.
You will still need to allow SNMP through the firewall (Ubuntu or Fedora).
---
- name: Linux SNMP Config
  hosts: all
  gather_facts: yes
  become: yes
  # Install SNMPv3 on RHEL or Debian/Ubuntu
  # Disable SNMP v1 and v2 on RHEL
  # Configure SNMPv3 user
  vars:
    # Change these!
    snmp_location: My SNMP location
    snmp_contact: My SNMP contact info
    snmpv3_pass: mypassword
    snmpv3_user: incredigeek
    # These are used to disable the default public community.
    cmnt: '#'
    # Matched as regexes at the start of a line; \s+ tolerates the runs of
    # spaces the stock RHEL snmpd.conf uses between the keyword and the name.
    cmnt_lines:
      - 'com2sec\s+notConfigUser'
      - 'group\s+notConfigGroup'
      - 'view\s+systemview'
      - 'access\s+notConfigGroup'
  tasks:
    - name: Check if SNMPv3 user exists
      # check_mode only reports whether a '^rouser' line is present; nothing is removed
      ansible.builtin.lineinfile:
        path: /etc/snmp/snmpd.conf
        regexp: '^rouser'
        state: absent
      check_mode: yes
      changed_when: false
      register: snmpv3_user_exists

    - name: Stop SNMPD Service
      ansible.builtin.service:
        name: snmpd
        state: stopped

    - name: RHEL SNMP Config
      block:
        - name: Install SNMP RHEL
          ansible.builtin.dnf:
            name:
              - net-snmp
              - net-snmp-utils
            state: present

        - name: Disable public snmp community RHEL
          # Captures the whole line and re-emits it behind the comment marker
          ansible.builtin.replace:
            path: /etc/snmp/snmpd.conf
            regexp: '^({{ item }}.*)$'
            replace: '{{ cmnt }} \1'
          loop: "{{ cmnt_lines }}"

        - name: Set SNMP Location
          ansible.builtin.lineinfile:
            path: /etc/snmp/snmpd.conf
            regexp: '^syslocation.*'
            line: "syslocation {{ snmp_location }}"

        - name: Set SNMP Contact
          ansible.builtin.lineinfile:
            path: /etc/snmp/snmpd.conf
            regexp: '^syscontact.*'
            line: "syscontact {{ snmp_contact }}"

        - name: Setup SNMPv3 user for RHEL
          # -a/-A are the auth protocol/passphrase, -x/-X the privacy protocol/passphrase.
          # snmpd must be stopped (done above). The passphrase is on the command line,
          # so the task output is hidden from the log.
          ansible.builtin.shell: net-snmp-create-v3-user -ro -a SHA -A '{{ snmpv3_pass }}' -x AES -X '{{ snmpv3_pass }}' {{ snmpv3_user }}
          no_log: true
          # found is absent when snmpd.conf does not exist yet (fresh install), hence the default
          when: not (snmpv3_user_exists.found | default(0))
      when: ansible_os_family == "RedHat"

    - name: Debian SNMP Config
      block:
        - name: Install SNMP on Debian
          ansible.builtin.apt:
            pkg:
              - snmp
              - snmpd
              - libsnmp-dev

        - name: Modify available from address
          # Older files spell it 'agentAddress udp:127.0.0.1:161', newer ones
          # 'agentaddress 127.0.0.1,[::1]'; match both so the line is replaced, not appended.
          ansible.builtin.lineinfile:
            path: /etc/snmp/snmpd.conf
            regexp: '(?i)^agentaddress\s'
            line: 'agentAddress udp:161,udp6:[::1]:161'

        - name: Set SNMP Location
          ansible.builtin.lineinfile:
            path: /etc/snmp/snmpd.conf
            regexp: '^sysLocation.*'
            line: "sysLocation {{ snmp_location }}"

        - name: Set SNMP Contact
          ansible.builtin.lineinfile:
            path: /etc/snmp/snmpd.conf
            regexp: '^sysContact.*'
            line: "sysContact {{ snmp_contact }}"

        - name: Setup SNMPv3 user for Debian
          # Same option meanings as net-snmp-create-v3-user above
          ansible.builtin.shell: net-snmp-config --create-snmpv3-user -ro -a SHA -A '{{ snmpv3_pass }}' -x AES -X '{{ snmpv3_pass }}' {{ snmpv3_user }}
          no_log: true
          when: not (snmpv3_user_exists.found | default(0))
      when: ansible_os_family == "Debian"

    - name: Enable SNMPD Service
      ansible.builtin.service:
        name: snmpd
        enabled: true

    - name: Start SNMPD Service
      ansible.builtin.service:
        name: snmpd
        state: started
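After the play has run, it is worth checking what snmpd.conf actually ended up with. The script below is an added example, not part of the original playbook: it counts SNMPv1/v2c community lines that are still active, looks for the same '^rouser' line the playbook's check task keys on, and prints the firewall rule for the OS family noted above (ufw on Ubuntu, firewalld on Fedora). The playbook's cmnt_lines only comment out the stock RHEL entries, so the community count is useful on every host family. The sample snmpd.conf fragment is constructed for the test and the poller address is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the original playbook): audit the snmpd.conf the
# play leaves behind and print the firewall rule for the host's OS family.

# Uncommented lines that grant v1/v2c community access.
COMMUNITY_RE='^[[:space:]]*(rocommunity6?|rwcommunity6?|com2sec6?)[[:space:]]'

# Print how many active v1/v2c community lines the file contains.
count_unsafe_community_lines() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    grep -Ec "$COMMUNITY_RE" "$1" || true   # grep -c exits 1 on zero matches
}

# Succeed when at least one SNMPv3 read-only user (rouser) is defined,
# which is the same test the playbook's check task performs.
has_v3_user() {
    grep -Eq '^[[:space:]]*rouser[[:space:]]' "$1"
}

# Print the firewall command for an ansible_os_family value. $2 is the
# address of the SNMP poller; restrict to it rather than opening 161/udp wide.
snmp_firewall_cmd() {
    poller="${2:-any}"
    case "$1" in
        Debian) echo "ufw allow from $poller to any port 161 proto udp" ;;
        RedHat) echo "firewall-cmd --permanent --add-service=snmp && firewall-cmd --reload" ;;
        *) echo "unknown OS family: $1" >&2; return 1 ;;
    esac
}

# Audit one file: exit 0 only when no v1/v2c community is active and a v3 user exists.
audit() {
    n=$(count_unsafe_community_lines "$1") || return 2
    if [ "$n" -ne 0 ]; then
        echo "$1: $n active SNMPv1/v2c community line(s):"
        grep -E "$COMMUNITY_RE" "$1"
    fi
    has_v3_user "$1" || echo "$1: no SNMPv3 rouser defined"
    if [ "$n" -eq 0 ] && has_v3_user "$1"; then return 0; fi
    return 1
}

# Constructed snmpd.conf fragment (modelled on distribution defaults, not
# copied from any host) written to a temp file; prints the path.
write_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# com2sec notConfigUser  default       public
com2sec notConfigUser  default       public
rocommunity public  default -V systemonly
rouser incredigeek authpriv
sysLocation Rack 4, DC1
EOF
    echo "$f"
}

# Usage: sh snmp_audit.sh /etc/snmp/snmpd.conf
if [ $# -gt 0 ]; then
    audit "$1"
fi
```

Run it on a host after the playbook, or point it at a copy of the file fetched with ansible.builtin.fetch. A non-zero exit means either a plaintext community is still reachable or no SNMPv3 user was created.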
This playbook can be used to report the Linux Distribution, OS Family, Distribution Version, and Distribution Major Version. This can be helpful for verifying all operating systems are up to date, or for working out what to use in other playbooks.
You will need to already have an inventory file.
Playbook yaml file
The playbook is very simple. Copy and paste the following contents into a file named "os_info.yaml"
---
- hosts: all
  gather_facts: yes
  become: false
  tasks:
    - name: Distribution
      debug: msg=" distribution {{ ansible_distribution }} - os_family {{ ansible_os_family }} - distribution_version {{ ansible_distribution_version }} - distribution_major_version {{ ansible_distribution_major_version }}"
If we wanted to, we could break out each Ansible variable in its own debug line. I prefer having them all on a single line.
Running the Playbook
Run the playbook like any other playbook. Change inventory.ini to your inventory file. If your inventory file is encrypted, use the --ask-vault-pass option.
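With more than a handful of hosts the single debug line per host is easier to act on as a table. The script below is an added example, not part of the original post: it parses the Distribution task output into one CSV row per host and then lists the hosts running a given distribution below a minimum major version, which is the "are all operating systems up to date" question the post mentions. The sample playbook output is constructed (hostnames and versions are made up).

```shell
#!/bin/sh
# Added example (not part of the original post): turn the debug output of
# os_info.yaml into CSV and flag hosts below a minimum major version.

# Constructed sample of what `ansible-playbook -i inventory.ini os_info.yaml`
# prints for the Distribution task (hostnames and versions are made up).
sample_output() {
    cat <<'EOF'
TASK [Distribution] ************************************************************
ok: [web01] => {
    "msg": " distribution Ubuntu - os_family Debian - distribution_version 22.04 - distribution_major_version 22"
}
ok: [db01] => {
    "msg": " distribution Ubuntu - os_family Debian - distribution_version 20.04 - distribution_major_version 20"
}
ok: [rhel01] => {
    "msg": " distribution RedHat - os_family RedHat - distribution_version 9.2 - distribution_major_version 9"
}
ok: [kali] => {
    "msg": " distribution Kali - os_family Debian - distribution_version 2024.1 - distribution_major_version 2024"
}
EOF
}

# stdin: playbook output; stdout: host,distribution,os_family,version,major
parse_os_info() {
    awk '
        /^ok: \[/ { host = $2; gsub(/\[|\]/, "", host) }
        /"msg":/ {
            line = $0
            sub(/.*"msg": "/, "", line); sub(/",?[ \t]*$/, "", line)
            split("", v)                       # reset per host
            n = split(line, part, " - ")       # "key value" pairs separated by " - "
            for (i = 1; i <= n; i++) {
                sub(/^[ \t]+/, "", part[i])
                key = part[i]; sub(/[ \t].*/, "", key)
                val = part[i]; sub(/^[^ \t]+[ \t]+/, "", val)
                v[key] = val
            }
            printf "%s,%s,%s,%s,%s\n", host, v["distribution"], v["os_family"],
                   v["distribution_version"], v["distribution_major_version"]
        }'
}

# stdin: playbook output; prints hosts running distribution $1 with major version below $2
hosts_below_major() {
    parse_os_info | awk -F, -v d="$1" -v m="$2" '$2 == d && $5 + 0 < m + 0 { print $1 }'
}

if [ $# -gt 0 ]; then
    # Usage: ansible-playbook -i inventory.ini os_info.yaml | sh os_report.sh Ubuntu 22
    hosts_below_major "$1" "$2"
fi
```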
Error Summary
-------------
Disk Requirements:
At least 28MB more space needed on the /boot filesystem.
The above error is due to the /boot partition being out of space. We can fix this issue by removing older unused Linux kernels. You could also increase the disk space, but that is a little more involved.
First we need to list which kernels we have installed.
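Deciding which of the listed kernels can go is the part that is easy to get wrong. The script below is an added example, not part of the original post: it takes the installed kernel packages in the format `rpm -q kernel` prints (one `kernel-<version>` per line, the RHEL/Fedora case this dnf error comes from), sorts them by version, and keeps both the running kernel and the newest installed one, so a host is never left with only a kernel it cannot boot. The package list used in the test is constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): pick the kernels that can be
# removed to free /boot, keeping the running kernel and the newest one.

# stdin: `rpm -q kernel` output; $1: running kernel version (uname -r)
# stdout: kernels safe to remove, oldest first
removable_kernels() {
    sort -V | awk -v keep="kernel-$1" '
        { k[NR] = $0 }
        END {
            for (i = 1; i < NR; i++)      # k[NR] is the newest: always kept
                if (k[i] != keep) print k[i]
        }'
}

# Constructed package list for the tests (versions made up).
sample_kernels() {
    printf '%s\n' \
        kernel-5.14.0-362.8.1.el9_3.x86_64 \
        kernel-5.14.0-284.30.1.el9_2.x86_64 \
        kernel-5.14.0-362.13.1.el9_3.x86_64
}

# Print (do not run) the dnf command that would free space on this host.
boot_cleanup_plan() {
    echo "running: $(uname -r)"
    df -h /boot
    old=$(rpm -q kernel | removable_kernels "$(uname -r)")
    if [ -z "$old" ]; then
        echo "nothing to remove"
    else
        echo "dnf remove $(printf '%s ' $old)"
    fi
}

# Usage: sh boot_cleanup.sh --plan
if [ "${1:-}" = "--plan" ]; then
    boot_cleanup_plan
fi
```

The script only prints the dnf command; review it and run it yourself. dnf also has `dnf remove --oldinstallonly`, which removes old install-only packages (kernels) while keeping the running one and the newest ones up to the `installonly_limit` setting in /etc/dnf/dnf.conf; lowering that limit keeps /boot from filling up again.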
The first thing we need to do is create an inventory file. This will contain a list of our servers along with the credentials.
touch hosts.txt
Now let’s encrypt the file with Ansible Vault.
ansible-vault encrypt hosts.txt
The file is now encrypted. To edit the file, we need to use `ansible-vault edit`. If you want to, you can configure the hosts.txt file and then encrypt it when you are finished.
ansible-vault edit hosts.txt
Now add some hosts. In this example we add the local Kali machine, because why not. If you have Ubuntu servers, replace debian with ubuntu.
[debian]
kali ansible_host=127.0.0.1 ansible_ssh_user=kali ansible_ssh_port=22 ansible_ssh_password='kali pass' ansible_become_pass='kali sudo pass'
Add as many hosts as you need. For sake of simplicity, we are only adding one, and it is our localhost.
Create Playbook
Create a new playbook.
vi debian_update.yml
Put the following into the playbook. Edit as desired. Change hosts to match the group defined above in the inventory/hosts file.
The 3rd line defines which group to run this playbook against, in this case debian.
This will check if a reboot is needed and reboot the machine. Reboots are usually needed when the kernel is updated.
The 5th line contains `become: yes`. This means the playbook will use sudo. You can specify the sudo password in the hosts file with `ansible_become_pass=sudopass` or with the -K (--ask-become-pass) option.
The update and reboot are natively built into Ansible, hence the ansible.builtin prefix.
Run Playbook
Now that we have our inventory and playbook, we can upgrade our machines.
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper sudo: a password is required
To work around this, you can use the -t option. -q is not needed, but makes things quieter.
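The helpers below are an added example, not part of the original posts, and cover two things from this page: the "is a reboot needed" check the update playbook performs, and the ssh -t workaround for the sudo "a terminal is required" error. needs_reboot tests Debian's /var/run/reboot-required flag (the file apt creates when a kernel or library update needs a restart) or, on RHEL-family hosts, runs needs-restarting from yum-utils/dnf-utils; run_update shows the playbook invocation with the vault and sudo prompts. The file names hosts.txt and debian_update.yml are the ones used above; REBOOT_FLAG is overridable only so the check can be tested without touching the real path.

```shell
#!/bin/sh
# Added example (not part of the original posts): reboot check, playbook
# invocation with the vault/sudo prompts, and the ssh -t sudo workaround.

REBOOT_FLAG="${REBOOT_FLAG:-/var/run/reboot-required}"   # overridable for tests

# Exit 0 when a reboot is pending. $1 is the ansible_os_family value.
needs_reboot() {
    case "$1" in
        Debian)
            [ -e "$REBOOT_FLAG" ]
            ;;
        RedHat)
            command -v needs-restarting >/dev/null 2>&1 || {
                echo "needs-restarting missing: install yum-utils/dnf-utils" >&2; return 2; }
            # needs-restarting -r exits 1 when a reboot is required, 0 when not
            needs-restarting -r >/dev/null 2>&1 && return 1
            [ $? -eq 1 ]
            ;;
        *)
            echo "unknown OS family: $1" >&2
            return 2
            ;;
    esac
}

# Run the update playbook: --ask-vault-pass decrypts hosts.txt, -K prompts for
# the sudo password when ansible_become_pass is not set in the inventory.
run_update() {
    ansible-playbook -i hosts.txt debian_update.yml --ask-vault-pass -K "$@"
}

# Run one sudo command on a host by hand. ssh -t allocates a tty so sudo can
# prompt for its password; -q only hides ssh's own messages.
remote_sudo() {
    host="$1"; shift
    ssh -t -q "$host" "sudo $*"
}

# Usage: sh update_helpers.sh Debian   -> reports whether this host needs a reboot
if [ $# -gt 0 ]; then
    if needs_reboot "$1"; then echo "reboot required"; else echo "no reboot needed"; fi
fi
```

Pass extra arguments through run_update, for example `run_update --check` for a dry run or `run_update --limit kali` to restrict to one host.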