Ops Scripts: 9. Configuration Drift Detection
Scenario: detect differences between a server's live configuration and its baseline configuration, so that unauthorized modifications are caught.
Example: use an Ansible playbook to compare the current configuration with the standard template.
- hosts: all
  tasks:
    # There is no ansible.builtin.diff module. A dry-run copy of the baseline
    # does the comparison: check_mode guarantees nothing is written to the host,
    # and diff: true makes the module return the before/after difference.
    # files/sshd_config.baseline is the baseline kept on the Ansible controller.
    - name: Check SSH configuration against baseline
      ansible.builtin.copy:
        src: files/sshd_config.baseline
        dest: /etc/ssh/sshd_config
      check_mode: true
      diff: true
      register: ssh_diff

    # Send the alert from the controller rather than from the drifted host.
    - name: Alert if SSH config has drifted
      ansible.builtin.mail:
        to: 'ops-team@example.com'
        subject: '配置漂移告警 - SSH'
        body: |
          SSH配置与基准不一致!差异:
          {{ ssh_diff.diff | to_nice_json }}
      delegate_to: localhost
      when: ssh_diff.changed
Shell script implementation:
#!/bin/bash
# Compare the live configuration with the baseline file
BASELINE="/opt/baseline/sshd_config.baseline"
CURRENT="/etc/ssh/sshd_config"

# Quote the paths so they survive spaces; -q only reports whether they differ.
if diff -q "$BASELINE" "$CURRENT" > /dev/null; then
    echo "配置无差异"
else
    # Run the full diff once, then append it to the log and mail it to the ops team.
    DRIFT=$(diff -u "$BASELINE" "$CURRENT")
    printf '%s\n' "$DRIFT" >> /var/log/config_drift.log
    printf '配置存在差异!\n%s\n' "$DRIFT" | mail -s "SSH配置漂移告警" ops-team@example.com
fi
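Both scripts above compare a single file against a single baseline file. The bash script below is an added example, not code from the original page: it generalises the check to a whole configuration tree by recording a sha256 manifest of the baseline and classifying every drifted path as MODIFIED (same path, different content), MISSING (in the baseline only) or UNEXPECTED (on the live system only). All directory names, file contents and the manifest file names are constructed for the demo.

```bash
#!/bin/bash
# Added example (not from the original page): configuration drift detection
# driven by a sha256 manifest of a whole baseline tree instead of one diff.
# Every directory name and file content below is constructed for the demo.
export LC_ALL=C   # deterministic sort/comm ordering

# Print "sha256  ./relative/path" for every regular file under directory $1.
build_manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        sha256sum "$f"
    done )
}

# Succeed if manifest $1 records path $2 under any hash.
has_path() {
    awk -v p="$2" '$2 == p { found = 1 } END { exit !found }' "$1"
}

# Compare baseline manifest $1 with live manifest $2 and print one line per
# drifted path, tagged MODIFIED, MISSING (baseline only) or UNEXPECTED (live only).
report_drift() {
    local baseline="$1" current="$2" tmp
    tmp=$(mktemp -d)
    sort "$baseline" > "$tmp/b"
    sort "$current"  > "$tmp/c"
    # Lines only in the baseline: the content changed or the file was removed.
    comm -23 "$tmp/b" "$tmp/c" | while read -r _hash path; do
        if has_path "$current" "$path"; then
            echo "MODIFIED   $path"
        else
            echo "MISSING    $path"
        fi
    done
    # Lines only on the live system with no baseline record: a file was added.
    comm -13 "$tmp/b" "$tmp/c" | while read -r _hash path; do
        has_path "$baseline" "$path" || echo "UNEXPECTED $path"
    done
    rm -rf "$tmp"
}

# Build a constructed baseline tree and a drifted live tree, compare them and
# print the report. Returns 1 when drift is found, 0 when the trees match.
demo() {
    local work base live report
    work=$(mktemp -d)
    base="$work/baseline"
    live="$work/live"
    mkdir -p "$base/etc/ssh/sshd_config.d" "$live/etc/ssh/sshd_config.d" "$live/etc/cron.d"
    # Same path, different content -> MODIFIED
    printf 'PermitRootLogin no\nPasswordAuthentication no\n'  > "$base/etc/ssh/sshd_config"
    printf 'PermitRootLogin yes\nPasswordAuthentication no\n' > "$live/etc/ssh/sshd_config"
    # Present in the baseline only -> MISSING
    echo 'MaxAuthTries 3' > "$base/etc/ssh/sshd_config.d/10-hardening.conf"
    # Identical in both trees -> not reported
    echo 'Ciphers aes256-gcm@openssh.com' > "$base/etc/ssh/sshd_config.d/20-ciphers.conf"
    cp "$base/etc/ssh/sshd_config.d/20-ciphers.conf" "$live/etc/ssh/sshd_config.d/"
    # Present on the live system only -> UNEXPECTED
    echo '0 3 * * * root /usr/local/bin/backup.sh' > "$live/etc/cron.d/unexpected"

    build_manifest "$base" > "$work/baseline.manifest"
    build_manifest "$live" > "$work/live.manifest"
    report=$(report_drift "$work/baseline.manifest" "$work/live.manifest")
    rm -rf "$work"
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

if demo; then echo "No drift detected"; else echo "Drift detected"; fi
```

In production the baseline manifest belongs off the monitored host (on the Ansible controller, a read-only share or a signed artifact), otherwise whoever can edit the configuration can also edit the reference it is compared against. The non-zero exit status of the comparison is what a cron job or monitoring agent should key the alert on, with the report text attached as the alert body.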
