From f891d5d4245963ca1bb1a2c785656077ae9fcced Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>

Date: Wed, 13 Nov 2019 15:36:12 +0100

Subject: [PATCH 1/6] Run the command also in check mode

Setting check_mode to False will force to run the command in

this task even if the playbook is run in check_mode. This task

produces variable `socket_file_exists` which is then used

in task "Disable socket ...". In check mode, the command wasn't

executed, which caused this error:

fatal: [localhost]: FAILED! => {"msg": "The conditional check

'\"sshd.socket\" in socket_file_exists.stdout_lines[1]' failed. The

error was: error while evaluating conditional (\"sshd.socket\" in

socket_file_exi

sts.stdout_lines[1]): Unable to look up a name or access an attribute in

template string ({% if \"sshd.socket\" in

socket_file_exists.stdout_lines[1] %} True {% else %} False {% endif

%}).\nMake sure your variab

le name does not contain invalid characters like '-': argument of type

'AnsibleUndefined' is not iterable\n\nThe error appears to be in

'/home/jcerny/scap-security-guide/build/fedora/playbooks/all/service_sshd_d

isabled.yml': line 44, column 7, but may\nbe elsewhere in the file

depending on the exact syntax problem.\n\nThe offending line appears to

be:\n\n\n    - name: Disable socket sshd\n      ^ here\n"}

---

 shared/templates/template_ANSIBLE_service_disabled | 1 +

 1 file changed, 1 insertion(+)

diff --git a/shared/templates/template_ANSIBLE_service_disabled b/shared/templates/template_ANSIBLE_service_disabled

index 1faeeeb9b8..cb3d0634af 100644

--- a/shared/templates/template_ANSIBLE_service_disabled

+++ b/shared/templates/template_ANSIBLE_service_disabled

@@ -26,6 +26,7 @@

   register: socket_file_exists

   changed_when: False

   ignore_errors: True

+  check_mode: False

 - name: Disable socket {{{ SERVICENAME }}}

   systemd:

From 0a5f4fdac9a409e543ff05f2dbb46c78a7fc76b3 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>

Date: Wed, 13 Nov 2019 15:58:42 +0100

Subject: [PATCH 2/6] Add "check_mode: no" everywhere possible

This option forces to run the command also in the check mode.

If the command only reads, eg. grep, it should be harmless.

It prevents issues that in "check" mode the playbook will terminate

because the variable that was expected to be populated by this

command is empty.

---

 .../sssd_ldap_configure_tls_ca_dir/ansible/shared.yml          | 1 +

 .../sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml      | 1 +

 .../services/sssd/sssd_enable_smartcards/ansible/shared.yml    | 1 +

 .../services/sssd/sssd_memcache_timeout/ansible/shared.yml     | 1 +

 .../sssd/sssd_offline_cred_expiration/ansible/shared.yml       | 1 +

 .../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml       | 1 +

 .../integrity/fips/grub2_enable_fips_mode/ansible/shared.yml   | 3 +++

 .../package_dracut-fips-aesni_installed/ansible/shared.yml     | 1 +

 8 files changed, 10 insertions(+)

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml

index 7ab0904da0..ca7bbf9f4f 100644

--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml

+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml

@@ -10,6 +10,7 @@

   register: test_grep_domain

   ignore_errors: yes

   changed_when: False

+  check_mode: no

 - name: "Add default domain group and set CA directory (if no domain there)"

   ini_file:

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml

index 1aeb2728db..1fd1e7d2c5 100644

--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml

+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml

@@ -16,6 +16,7 @@

   register: test_grep_domain

   ignore_errors: yes

   changed_when: False

+  check_mode: no

 - name: "Add default domain group and use STARTTLS (if no domain there)"

   ini_file:

diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml

index 636bc3f65f..1087367dde 100644

--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml

+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml

@@ -8,6 +8,7 @@

   register: test_grep_domain

   ignore_errors: yes

   changed_when: False

+  check_mode: no

 - name: "Add default domain group (if no domain there)"

   ini_file:

diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml

index 79dbd9140a..4a146b1008 100644

--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml

+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml

@@ -10,6 +10,7 @@

   register: test_grep_domain

   ignore_errors: yes

   changed_when: False

+  check_mode: no

 - name: "Add default domain group (if no domain there)"

   ini_file:

diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml

index 614cf5c05e..d79b0e6ca6 100644

--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml

+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml

@@ -8,6 +8,7 @@

   register: test_grep_domain

   ignore_errors: yes

   changed_when: False

+  check_mode: no

 - name: "Add default domain group (if no domain there)"

   ini_file:

diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml

index 6284435ec4..6763e27c7e 100644

--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml

+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml

@@ -10,6 +10,7 @@

   register: test_grep_domain

   ignore_errors: yes

   changed_when: False

+  check_mode: no

 - name: "Add default domain group (if no domain there)"

   ini_file:

diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml

index 5cc5fe0e96..b642b6c3c3 100644

--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml

@@ -24,6 +24,7 @@

   command: grep -q -m1 -o aes /proc/cpuinfo

   failed_when: aesni_supported.rc > 1

   register: aesni_supported

+  check_mode: no

 - name: Ensure dracut-fips-aesni is installed

   package:

@@ -45,6 +46,7 @@

   command: grep 'GRUB_CMDLINE_LINUX.*fips=' /etc/default/grub

   failed_when: False

   register: fipsargcheck

+  check_mode: no

 - name: replace existing fips argument

   replace:

@@ -68,6 +70,7 @@

   command: grep 'GRUB_CMDLINE_LINUX.*boot=' /etc/default/grub

   failed_when: False

   register: bootargcheck

+  check_mode: no

 - name: replace existing boot argument

   replace:

diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml

index 28a9dd71c4..8ed524fc75 100644

--- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml

@@ -7,6 +7,7 @@

   command: grep -q -m1 -o aes /proc/cpuinfo

   failed_when: aesni_supported.rc > 1

   register: aesni_supported

+  check_mode: no

 - name: Ensure dracut-fips-aesni is installed

   package:

From 7b669bf3d9e30e842095693456109c38d82f94a6 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>

Date: Wed, 13 Nov 2019 16:51:04 +0100

Subject: [PATCH 3/6] Prevent fails in check mode

Addressing:

fatal: [localhost]: FAILED! => {"msg": "The task includes an option with

an undefined variable. The error was: 'dict object' has no attribute

'stdout'\n\nThe error appears to be in '/home/jcerny/scap-security-gu

ide/build/rhel7/playbooks/all/grub2_enable_fips_mode.yml': line 134,

column 7, but may\nbe elsewhere in the file depending on the exact

syntax problem.\n\nThe offending line appears to be:\n\n\n    - name:

add b

oot argument\n      ^ here\n"}

---

 .../integrity/fips/grub2_enable_fips_mode/ansible/shared.yml     | 1 +

 1 file changed, 1 insertion(+)

diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml

index b642b6c3c3..0dd7dea18d 100644

--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml

@@ -65,6 +65,7 @@

 - name: get boot device uuid

   command: findmnt --noheadings --output uuid --target /boot

   register: bootuuid

+  check_mode: no

 - name: check boot argument exists

   command: grep 'GRUB_CMDLINE_LINUX.*boot=' /etc/default/grub

From 309946d9ae49847bdb922ac5e0ba3657afa787a3 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>

Date: Wed, 13 Nov 2019 17:14:06 +0100

Subject: [PATCH 4/6] Prevent fails in check mode

---

 .../rpm_verification/rpm_verify_hashes/ansible/shared.yml       | 2 ++

 .../rpm_verification/rpm_verify_ownership/ansible/shared.yml    | 2 ++

 .../rpm_verification/rpm_verify_permissions/ansible/shared.yml  | 2 ++

 3 files changed, 6 insertions(+)

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml

index 0dc09339f4..991d637853 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml

@@ -20,6 +20,7 @@

   register: files_with_incorrect_hash

   changed_when: False

   failed_when: files_with_incorrect_hash.rc > 1

+  check_mode: False

   when: (package_manager_reinstall_cmd is defined)

 - name: Create list of packages

@@ -29,6 +30,7 @@

   with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"

   register: list_of_packages

   changed_when: False

+  check_mode: False

   when:

     - files_with_incorrect_hash.stdout_lines is defined

     - (files_with_incorrect_hash.stdout_lines | length > 0)

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml

index d02508808c..d0d52e7c76 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml

@@ -10,6 +10,7 @@

   register: files_with_incorrect_ownership

   failed_when: files_with_incorrect_ownership.rc > 1

   changed_when: False

+  check_mode: False

 - name: Create list of packages

   command: rpm -qf "{{ item }}"

@@ -18,6 +19,7 @@

   with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"

   register: list_of_packages

   changed_when: False

+  check_mode: False

   when: (files_with_incorrect_ownership.stdout_lines | length > 0)

 - name: "Correct file ownership with RPM"

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml

index 55a37a4235..517cc38af2 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml

@@ -10,6 +10,7 @@

   register: files_with_incorrect_permissions

   failed_when: files_with_incorrect_permissions.rc > 1

   changed_when: False

+  check_mode: False

 - name: Create list of packages

   command: rpm -qf "{{ item }}"

@@ -18,6 +19,7 @@

   with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"

   register: list_of_packages

   changed_when: False

+  check_mode: False

   when: (files_with_incorrect_permissions.stdout_lines | length > 0)

 - name: "Correct file permissions with RPM"

From d410766260716cf974fba04dfd3710b9bfd72323 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>

Date: Wed, 13 Nov 2019 17:26:42 +0100

Subject: [PATCH 5/6] Fix template_ANSIBLE_mount_option_remote_filesystems

"item" was not defined.  Also, `findmnt` command can return 1 if there

is no nfs entry in /etc/fstab.  The MOUNTOPTION variable is a complete

mount option, eg. `nosuid`.

---

 .../ansible/shared.yml                                        | 1 +

 .../template_ANSIBLE_mount_option_remote_filesystems          | 4 ++++

 2 files changed, 5 insertions(+)

diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml

index 6982ce293e..1c318715cf 100644

--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml

+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml

@@ -18,3 +18,4 @@

     state: mounted

     opts: "{{ item.split()[3] }},sec=krb5:krb5i:krb5p"

   when: (points_register.stdout | length > 0)

+  with_items: "{{ points_register.stdout_lines }}"

diff --git a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems

index a58d7729ec..c82201d507 100644

--- a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems

+++ b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems

@@ -5,10 +5,13 @@

 # disruption = medium

 - name: "Get nfs and nfs4 mount points, that don't have {{{ MOUNTOPTION }}}"

+  # 'no' before MOUNTOPTION isn't omission, it means a negation

   command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }}} -n

   register: points_register

   check_mode: no

   changed_when: False

+  # if no nfs/nfs4 entries are in /etc/fstab, findmnt command returns 1

+  failed_when: False

 - name: "Add {{{ MOUNTOPTION }}} to nfs and nfs4 mount points"

   mount:

@@ -18,3 +21,4 @@

     state: mounted

     opts: "{{ item.split()[3] }},{{{ MOUNTOPTION }}}"

   when: (points_register.stdout | length > 0)

+  with_items: "{{ points_register.stdout_lines }}"

commit 924ac061a1e044213f838ac5a15f26b451f35352

Author: Gabriel Becker <ggasparb@redhat.com>

Date:   Fri Nov 15 17:27:15 2019 +0100

    Fix mount_option_krb_sec_remote_filesystems ansible content.

diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml

index 1c31871..befa06e 100644

--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml

+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml

@@ -5,10 +5,11 @@

 # disruption = medium

 - name: "Get nfs and nfs4 mount points, that don't have Kerberos security option"

-  command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n -o TARGET

+  command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n

   register: points_register

   check_mode: no

   changed_when: False

+  failed_when: False

 - name: "Add Kerberos security to nfs and nfs4 mount points"

   mount: