diff --git a/src/docs.html b/src/docs.html
index 64f9943..ba13b91 100644
--- a/src/docs.html
+++ b/src/docs.html
@@ -96,7 +96,7 @@
Detect installed packages and services
Collect config that deviates from packaged defaults (where possible)
Grab relevant custom/unowned files in service dirs
- Capture non-system users & SSH public keys
+ Capture non-system users & SSH public keys, .bashrc files etc
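Review bot: The trailing "etc" in the new bullet leaves the reader guessing which dotfiles are harvested; list them as the longer docs hunk does (`.bashrc`, `.profile`, `.bash_aliases`, `.bash_logout`) so the summary and the detailed section agree. Since shell rc files routinely carry exported tokens and passwords, this bullet is also the natural place to say whether the `sensitive_content` ignore reason from the schema applies to them, so operators know what can end up in `state.json` and the artifact tree.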
@@ -136,9 +136,10 @@
For each package, it tries to detect files in /etc that have been modified from the default that get shipped with the package.
It detects running/enabled services and timers via systemd. For each of these, it looks for the unit files, any 'drop-in' files, environment variable files, etc, as well as what executable it executes, and tries to map those systemd services to the packages it's already learned about earlier (that way, those 'packages' or future Ansible roles, can also be associated with 'handlers' in Ansible, to handle restart of the services if/when the configs change)
Aside from known packages already learned, it optimistically tries to capture extra system configuration in /etc that is common for config management. This is stuff like the apt or dnf configuration, crons, logrotate configs, networking settings, hosts files, etc.
+ For applications that commonly make use of symlinks (think Apache2 or Nginx's sites-enabled or mods-enabled, it notes what symlinks exist so that it can capture those in Ansible
It also looks for other snowflake stuff in /etc not associated with packages/services or other typical system config, and will put these into an etc_custom role.
Likewise, it looks in /usr/local for stuff, on the assumption that this is an area that custom apps/configs might've been placed in. These go into a usr_local_custom role.
- It captures non-system user accounts, their group memberships and their .ssh/authorized_keys
+ It captures non-system user accounts, their group memberships and files such as their .ssh/authorized_keys, and .bashrc, .profile, .bash_aliases, .bash_logout if these files differ from the skel defaults
It takes into account anything the user set with --exclude-path or --include-path. For anything extra that is included, it will put these into an 'extra_paths' role. The location could be anywhere e.g something in /opt, /srv, whatever you want.
It writes the state.json and captures the artifacts.
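Review bot: The added symlink sentence has an unclosed parenthesis and no full stop: "(think Apache2 or Nginx's sites-enabled or mods-enabled, it notes what symlinks exist" should read "(think Apache2 or Nginx's sites-enabled or mods-enabled), it notes what symlinks exist so that it can capture those in Ansible." In the user-files line, "if these files differ from the skel defaults" should name the directory the comparison is made against, and it would help to state whether the ignore policy (binary and sensitive-content checks) runs on these dotfiles the same way it does on `/etc` content, given how often rc files embed credentials.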
@@ -146,7 +147,7 @@
Other things to be aware of:
- You can use multiple invocations of
--exclude-path to skip the bits you don't want. You also can always comment out from the playbook.yml or delete certain roles it generates once you've run the enroll manifest.
- - In terms of safety measures: it doesn't traverse symlinks, and it has an 'IgnorePolicy' that makes it ignore most binary files (except GPG binary keys used with apt) - though if you specify certain paths with
--include-path and use --dangerous, it will skip some policy statements such as what types of content to ignore.
+ - In terms of safety measures: it doesn't traverse into symlinks, and it has an 'IgnorePolicy' that makes it ignore most binary files (except GPG binary keys used with apt) - though if you specify certain paths with
--include-path and use --dangerous, it will skip some policy statements such as what types of content to ignore.
- It will skip files that are too large, and it also currently has a hardcoded cap of the number of files that it will harvest (4000 for
/etc, /usr/local/etc and /usr/local/bin, and 500 files per 'role'), to avoid unintentional 'runaway' situations.
- If you are using the 'remote' mode to harvest, and your remote user requires a password for sudo, you can pass in
--ask-become-pass (or -K) and it will prompt for the password. If you forget, and remote requires password for sudo, it'll still fall back to prompting for a password, but will be a bit slower to do so.
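Review bot: Changing "doesn't traverse symlinks" to "doesn't traverse into symlinks" is now ambiguous, because the same change starts recording symlinks for `sites-enabled`-style directories. Say explicitly that the tool records a symlink's path and target without following it, and that a symlink target is never read or copied, so the safety statement still holds for links that point outside the service directory.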
diff --git a/src/schema/state.schema.json b/src/schema/state.schema.json
index bdca824..083f90f 100644
--- a/src/schema/state.schema.json
+++ b/src/schema/state.schema.json
@@ -60,10 +60,12 @@
"enum": [
"user_excluded",
"unreadable",
+ "backup_file",
"log_file",
"denied_path",
"too_large",
"not_regular_file",
+ "not_symlink",
"binary_like",
"sensitive_content"
],
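Review bot: The new ignore reasons `backup_file` and `not_symlink` are undocumented; neither the enum nor the docs hunk says what counts as a backup file or when a path is rejected for not being a symlink (presumably a regular file found where an enabled-symlink is expected). Add a `description` to this enum, or a line in docs.html, so someone reviewing a `state.json` can tell why a file was left out, and consider that a `backup_file` skip in `/etc` is exactly the kind of stale copy a config audit wants to be told about rather than have silently dropped.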
@@ -212,6 +214,10 @@
"systemd_dropin",
"systemd_envfile",
"user_include",
+ "user_profile",
+ "user_shell_aliases",
+ "user_shell_logout",
+ "user_shell_rc",
"usr_local_bin_script",
"usr_local_etc_custom",
"yum_conf",
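Review bot: The naming is inconsistent: `user_profile` lacks the `shell` infix that `user_shell_aliases`, `user_shell_logout` and `user_shell_rc` carry. Either rename it `user_shell_profile` or note why `.profile` is treated differently. The generic `user_shell_rc` name also raises the question of whether only `.bashrc` is captured (as the docs say) or other shells' rc files too; the docs and the kind names should agree on that.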
@@ -236,6 +242,32 @@
],
"type": "object"
},
+ "ManagedLink": {
+ "additionalProperties": false,
+ "type": "object",
+ "properties": {
+ "path": {
+ "type": "string",
+ "minLength": 1,
+ "pattern": "^/.*"
+ },
+ "target": {
+ "type": "string",
+ "minLength": 1
+ },
+ "reason": {
+ "type": "string",
+ "enum": [
+ "enabled_symlink"
+ ]
+ }
+ },
+ "required": [
+ "path",
+ "target",
+ "reason"
+ ]
+ },
"ObservedVia": {
"oneOf": [
{
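Review bot: `target` is constrained only by `"minLength": 1`, so both relative targets (the usual form under `sites-enabled`) and absolute or `..`-containing targets are accepted and will be recreated verbatim on the target host. Either add a `description` stating that the target is stored as found and not resolved or validated, or tighten the `pattern` to what the Ansible side is expected to reproduce. Minor style point: the sibling definitions put `"type": "object"` after `properties`, while `ManagedLink` puts it first.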
@@ -371,6 +403,12 @@
},
"type": "array"
},
+ "managed_links": {
+ "items": {
+ "$ref": "#/$defs/ManagedLink"
+ },
+ "type": "array"
+ },
"notes": {
"items": {
"type": "string"
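Review bot: Existing `state.json` files will not contain `managed_links`; this hunk does not show whether the property was added to the enclosing object's `required` list, so please confirm it stays optional (or that readers default it to an empty array) so previously harvested state still validates against the new schema.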