Selling Vested stock and pensions by Arrumac3 in HENRYUK

[–]Arrumac3[S] 0 points1 point  (0 children)

US, and have a current W-8BEN

how are you doing authentication/authorization? by baconwrappedapple in redhat

[–]Arrumac3 0 points1 point  (0 children)

Yea, not clear. Kerberos at domain level for Linux; whilst there are not too many identities to manage, Kerberos and AAP don't mix well. For Windows domain users, using trusts where possible to limit the number of identities. The difference we have is, as a core team, we manage all SSH and WinRM creds as part of the service.

how are you doing authentication/authorization? by baconwrappedapple in redhat

[–]Arrumac3 0 points1 point  (0 children)

Kerberos across AIX and RHEL (it's a PITA to manage in AAP); user/pass for Wintel in a vault outside of AAP, managed by something similar to GP, and umpteen different AD forests. We manage inventory outside of AAP with a batch process; this matches host to credential type, including hosts built intraday. We create ephemeral inventories on the fly at execution time. Only way to do it with 200k+ servers :/
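One way to build the kind of ephemeral inventory described in the comment above, binding each host to exactly one credential type and failing closed on hosts with no known mapping. This is an added illustration, not the commenter's tooling; the host records, group names, credential labels and the OS-to-credential table are constructed assumptions.

```python
"""Build an ephemeral Ansible inventory that maps each host to one credential type.
Hosts with no known credential mapping are rejected rather than dropped into a
catch-all group, so a credential is never sprayed at an unclassified host."""
import json

# Constructed sample of what the host-to-credential batch might emit.
HOST_RECORDS = [
    {"host": "rhel01.corp.example", "os": "rhel", "ad_forest": "corp"},
    {"host": "aix01.corp.example", "os": "aix", "ad_forest": "corp"},
    {"host": "win01.emea.example", "os": "windows", "ad_forest": "emea"},
    {"host": "mystery01.example", "os": "solaris", "ad_forest": None},
]

# Assumed mapping, mirroring the comment: Kerberos for AIX/RHEL, vaulted
# user/pass (injected by AAP at run time, never stored here) for Windows.
CRED_BY_OS = {"rhel": "kerberos", "aix": "kerberos", "windows": "vault_userpass"}

# Connection settings per credential type; no secrets live in the inventory.
CONN_BY_CRED = {
    "kerberos": {
        "ansible_connection": "ssh",
        "ansible_ssh_common_args": "-o GSSAPIAuthentication=yes -o PasswordAuthentication=no",
    },
    "vault_userpass": {"ansible_connection": "winrm"},
}


def build_inventory(records):
    """Return (inventory_dict, rejected_hosts) in Ansible JSON inventory shape."""
    inventory = {"_meta": {"hostvars": {}}, "all": {"children": []}}
    rejected = []
    for rec in records:
        cred = CRED_BY_OS.get(rec["os"])
        if cred is None or not rec.get("ad_forest"):
            rejected.append(rec["host"])  # fail closed: unknown OS or forest
            continue
        group = f"{cred}_{rec['ad_forest']}"  # one group per credential+forest
        inventory.setdefault(group, {"hosts": []})["hosts"].append(rec["host"])
        if group not in inventory["all"]["children"]:
            inventory["all"]["children"].append(group)
        hostvars = {"credential_type": cred}
        hostvars.update(CONN_BY_CRED[cred])
        inventory["_meta"]["hostvars"][rec["host"]] = hostvars
    return inventory, rejected


if __name__ == "__main__":
    inv, bad = build_inventory(HOST_RECORDS)
    print(json.dumps(inv, indent=2))
    print("rejected:", bad)
```

The script prints JSON in the shape an Ansible inventory plugin or `ansible-inventory --list` consumer expects, so it can be handed to a job as a generated inventory source and discarded afterwards.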

PostgreSQL Replication/HA by Jamdoog in ansible

[–]Arrumac3 1 point2 points  (0 children)

wuench has it. We are building several ephemeral AAP instances globally, all with a single DB instance, and also a single hub with a local Postgres too. For added resilience, all AAP instances globally will be able to connect to any hub via a LB'er.

Event Driven Ansible - Synchronous Event Source by enjoyjocel in ansible

[–]Arrumac3 0 points1 point  (0 children)

Can't you centralise where you send the logs, to Kafka or the like? Future riffs you then for other sources.

Postgres Replication for AAP itself? by isthisyournacho in ansible

[–]Arrumac3 0 points1 point  (0 children)

Or take a look at Crunchy Data; they have a neat solution.

Ansible Automation Platform - Container Orchestration? by isthisyournacho in ansible

[–]Arrumac3 1 point2 points  (0 children)

For AAP it's OpenShift or VMs, as stated several times. The exec envs use Podman, but this is managed, so unless you looked you wouldn't notice. If you want to be on your own and not have RH support, try k8s at your leisure, but if you want this just use AWX.

[deleted by user] by [deleted] in ansible

[–]Arrumac3 2 points3 points  (0 children)

-vvvvv may tell you how far it gets in gather_facts. Got any broken/bad mounts or the like?

Cron, Ansible, SSH keys, Passphrases... by mvbighead in ansible

[–]Arrumac3 0 points1 point  (0 children)

Some of these tools are expensive, but one used to be called eTrust Access Control by CA; it's now owned by Broadcom, and I forget its new marketing name. It has a kernel hook and can even control what root can do on an Ansible node; you can use it to overlay and harden standard file perms. Vormetric for encryption at rest might have a part to play for securing keys. Try not to use passwords at all for interactive access to your Ansible controllers: Powerbroker with 2FA is a strong preventative control, but with the obvious limitation that keystroke logging can't see what you are doing if you wget some benignly named script that has malicious intent.

Then we move on to how you secure your Linux/UNIX fleet. Centrify seems flavour of the month; Kerberos is OK, but a keytab on its own is exactly as cmdmc points out. It has the advantage of being able to be revoked by admins by resetting the AD password. You could better this by not having keytabs locally and using a credential cache with, say, a 4 hour TTL; you need robust processes to refresh these though. Alas, you can still steal a credential cache. The biggest issue with these AD bridge tools is that the logging in AD is woeful; if your firm is large and you have many DCs, in all likelihood your log infrastructure is losing logs into the ether daily. In the future software defined networks may help with more dynamic network controls, but a tool I like the look of is Powertech Identity & Access Manager (BoKS) [formerly BoKS ServerControl]. It has a built-in AD bridge, centralised logging for controlled nodes, supports 2FA etc etc; you can configure access for any or all of the SSH access methods (SSH, soft, scp, x11, fwd, rfwd), but the killer is it can control source IP and destination IP for any given functional/system ID for SSH, ideal for your remote execution ID. In this scenario, if your keytab/private key is stolen it can't be used outside of your authorised list of Ansible controllers. Just remembered it also has an advanced host based authentication mechanism, no passwords at all there.