From 4995c390a22020454be6625f2bd63c1a04302043 Mon Sep 17 00:00:00 2001 From: Gabe Date: Fri, 30 Aug 2019 11:15:22 -0600 Subject: [PATCH 1/5] Remove usage of the SHELL module or get rid of pipe usage --- .../no_direct_root_logins/ansible/shared.yml | 10 ++++----- .../ansible/shared.yml | 22 +++++++++---------- .../ansible/shared.yml | 4 +--- .../template_ANSIBLE_service_disabled | 14 +++++++----- 4 files changed, 25 insertions(+), 25 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml index 9049733c64..e9a29a24d5 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml @@ -3,13 +3,13 @@ # strategy = restrict # complexity = low # disruption = low -- name: Test for existence /etc/cron.allow +- name: Test for existence of /etc/securetty stat: path: /etc/securetty register: securetty_empty - name: "Direct root Logins Not Allowed" - shell: echo > /etc/securetty - args: - warn: False - changed_when: securetty_empty.stat.size > 1 + copy: + dest: /etc/securetty + content: "" + when: securetty_empty.stat.size > 1 diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml index 3ec812835f..cee947e8cc 100644 --- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml 
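Review bot: `when: securetty_empty.stat.size > 1` errors with an undefined attribute when /etc/securetty is absent, because the `stat` module returns only `exists: false` for a missing path; guard it with `when: securetty_empty.stat.exists and securetty_empty.stat.size > 1`, or decide explicitly whether a missing file should be created empty. The `copy` task states no `owner`, `group` or `mode`, so the file's attributes after remediation depend on what already existed and on the module's defaults; naming them explicitly (matching the distribution's shipped permissions for this file) keeps the rule's outcome predictable. The `> 1` threshold treats a one-byte file (a lone newline) as already emptied, which matches the old `changed_when` and looks intentional, but a short comment saying so would save the next reader from "fixing" it to `> 0`.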
@@ -3,27 +3,27 @@ # strategy = restrict # complexity = low # disruption = medium -- name: "Fail if user is not root" +- name: "Print error message if user is not root" fail: msg: 'Root account required to read root $PATH' when: ansible_user != "root" + ignore_errors: true - name: "Get root paths which are not symbolic links" - shell: | - set -o pipefail - tr ":" "\n" <<< "$PATH" | xargs -I% find % -maxdepth 0 -type d - args: - warn: False - executable: /bin/bash + stat: + path: "{{ item }}" changed_when: False failed_when: False register: root_paths + with_items: "{{ ansible_env.PATH.split(':') }}" when: ansible_user == "root" - check_mode: no - name: "Disable writability to root directories" file: - path: "{{ item }}" + path: "{{ item.item }}" mode: "g-w,o-w" - with_items: "{{ root_paths.stdout_lines }}" - when: root_paths.stdout_lines is defined + with_items: "{{ root_paths.results }}" + when: + - root_paths.results is defined + - item.stat.exists + - not item.stat.islnk diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml index 7f958e0af5..9a8f91020c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml @@ -5,9 +5,7 @@ # disruption = low - name: Search for privileged commands - shell: | - set -o pipefail - find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null | cat + shell: find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null args: warn: False executable: /bin/bash 
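Review bot: The `when` list on "Disable writability to root directories" checks `item.stat.exists` and `not item.stat.islnk` but not `item.stat.isdir`, so a non-directory entry in `$PATH` would get its mode changed, whereas the replaced `find % -maxdepth 0 -type d` only returned directories; add `- item.stat.isdir`. `ansible_env.PATH` is the environment of the connection user on the managed host, which the `ansible_user == "root"` guard accounts for, but `ansible_user` is only defined when the inventory or play sets it explicitly, so on a default connection the first and second tasks appear to error on an undefined variable rather than skip; `ansible_user | default(ansible_user_id)` would fall back to the gathered fact. A comment above the `stat` loop noting that the path list comes from the connection user's environment, not from root's login shell, would make that assumption visible.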
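Review bot: The task still uses the `shell` module with `executable: /bin/bash`, and after this change the only thing that needs a shell is the `2>/dev/null` redirect; the commit's stated goal of dropping `shell` would be met by `command: find / -xdev -type f -perm -4000 -o -type f -perm -2000` with `failed_when: false`, which keeps stderr in the registered result where it can be inspected instead of discarded. Separately, `-xdev` stops `find` at the root filesystem boundary, so setuid/setgid binaries on separately mounted local filesystems (a separate /usr or /home, for example) are never picked up; if that is not intended, run the search per local mount point (the `ansible_mounts` fact lists them) rather than only from `/`. The use of the registered output lies outside this hunk.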
diff --git a/shared/templates/template_ANSIBLE_service_disabled b/shared/templates/template_ANSIBLE_service_disabled index 69bf69aaea..07bb8fff0c 100644 --- a/shared/templates/template_ANSIBLE_service_disabled +++ b/shared/templates/template_ANSIBLE_service_disabled @@ -4,9 +4,10 @@ # complexity = low # disruption = low {{%- if init_system == "systemd" %}} -- name: "Unit Service Exists" - shell: systemctl list-unit-files | grep -q '^{{{ DAEMONNAME }}}.service' +- name: "Unit Service Exists - {{{ DAEMONNAME }}}.service" + command: systemctl list-unit-files {{{ DAEMONNAME }}}.service register: service_file_exists + changed_when: False ignore_errors: True - name: Disable service {{{ SERVICENAME }}} @@ -17,11 +18,12 @@ {{%- if MASK_SERVICE %}} masked: "yes" {{%- endif %}} - when: service_file_exists.rc == 0 + when: '"{{{ DAEMONNAME }}}.service" in service_file_exists.stdout_lines[1]' -- name: "Unit Socket Exists" - shell: systemctl list-unit-files | grep -q '^{{{ DAEMONNAME }}}.socket' +- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket" + command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket register: socket_file_exists + changed_when: False ignore_errors: True - name: Disable socket {{{ SERVICENAME }}} @@ -32,7 +34,7 @@ {{%- if MASK_SERVICE %}} masked: "yes" {{%- endif %}} - when: socket_file_exists.rc == 0 + when: '"{{{ DAEMONNAME }}}.socket" in socket_file_exists.stdout_lines[1]' {{% elif init_system == "upstart" %}} - name: Stop {{{ SERVICENAME }}} From e268f1e07192a5cf343b6ac36053553d1074bd3b Mon Sep 17 00:00:00 2001 From: Gabe Date: Fri, 30 Aug 2019 12:53:40 -0600 Subject: [PATCH 2/5] Use command and mount module instead of shell - Fixes #4783 --- .../ansible/shared.yml | 20 ++++++++----------- ...te_ANSIBLE_mount_option_remote_filesystems | 19 ++++++++---------- 2 files changed, 16 insertions(+), 23 deletions(-) 
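Review bot: `service_file_exists.stdout_lines[1]` assumes `systemctl list-unit-files` always prints at least two lines, but the number of lines when nothing matches depends on the systemd version (newer releases print only the `0 unit files listed.` summary), so the index can be out of range and the error is raised while evaluating the disable task's `when`, where the `ignore_errors` on the probe task does not help; `when: '"{{{ DAEMONNAME }}}.service" in service_file_exists.stdout'` avoids the index, and the second hunk of this file needs the same change for `socket_file_exists` and `.socket`. For these probe tasks `failed_when: false` is also preferable to `ignore_errors: True`, since a non-zero exit is then not reported as a failure in the play output. Both tasks already carry `changed_when: False`, which is correct for a read-only query.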
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml index 506c3dee31..6982ce293e 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml @@ -5,20 +5,16 @@ # disruption = medium - name: "Get nfs and nfs4 mount points, that don't have Kerberos security option" - shell: | - set -o pipefail - grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "sec=krb5:krb5i:krb5p" | awk '{print $2}' - args: - warn: False - executable: /bin/bash + command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n -o TARGET register: points_register check_mode: no changed_when: False -- name: "Add Kerberos security to mount points" - shell: awk '$2=="{{ item }}"{$4=$4",sec=krb5:krb5i:krb5p"}1' /etc/fstab > fstab.tmp && mv fstab.tmp /etc/fstab - args: - warn: False - with_items: - - "{{ points_register.stdout_lines }}" +- name: "Add Kerberos security to nfs and nfs4 mount points" + mount: + path: "{{ item.split()[0] }}" + src: "{{ item.split()[1] }}" + fstype: "{{ item.split()[2] }}" + state: mounted + opts: "{{ item.split()[3] }},sec=krb5:krb5i:krb5p" when: (points_register.stdout | length > 0) diff --git a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems index f89c1d7285..f3d6f02d82 100644 --- a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems +++ b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems 
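Review bot: The new `mount` task references `item`, but the `with_items` loop over `points_register.stdout_lines` was removed and not re-added, so the task fails on an undefined variable as soon as findmnt returns anything; the template hunk for template_ANSIBLE_mount_option_remote_filesystems in this commit has the same omission. The `findmnt` call here also passes `-o TARGET`, so each output line has a single column and `item.split()[1]`, `[2]` and `[3]` are out of range; dropping `-o TARGET` gives the default TARGET SOURCE FSTYPE OPTIONS columns the `split()` indexes expect, as the template version already does. Restore `with_items: "{{ points_register.stdout_lines }}"` on the mount task. Note also that `state: mounted` actually (re)mounts each NFS share, whereas the replaced awk edit only rewrote /etc/fstab; if only the fstab entry should change, `state: present` is the equivalent and keeps the rule's disruption level as documented.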
@@ -5,19 +5,16 @@ # disruption = medium - name: "Get nfs and nfs4 mount points, that don't have {{{ MOUNTOPTION }}}" - shell: | - set -o pipefail - grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "{{{ MOUNTOPTION }}}" | awk '{print $2}' - args: - executable: /bin/bash + command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }} -n register: points_register check_mode: no changed_when: False -- name: "Add {{{ MOUNTOPTION }}} to mount points" - shell: awk '$2=="{{ item }}"{$4=$4",{{{ MOUNTOPTION }}}"}1' /etc/fstab > fstab.tmp && mv fstab.tmp /etc/fstab - args: - executable: /bin/bash - with_items: - - "{{ points_register.stdout_lines }}" +- name: "Add {{{ MOUNTOPTION }}} to nfs and nfs4 mount points" + mount: + path: "{{ item.split()[0] }}" + src: "{{ item.split()[1] }}" + fstype: "{{ item.split()[2] }}" + state: mounted + opts: "{{ item.split()[3] }},{{{ MOUNTOPTION }}}" when: (points_register.stdout | length > 0) From 189a8962ddfc35a516eb468f7df1b66a55d874a6 Mon Sep 17 00:00:00 2001 From: Gabe Date: Fri, 30 Aug 2019 15:18:02 -0600 Subject: [PATCH 3/5] Remove usage of shell module in gpgkey install Ansible snippet --- .../ansible/shared.yml | 18 +++++++++--------- ...ate_ANSIBLE_mount_option_remote_filesystems | 2 +- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml index 079020f8cd..91a98640ad 100644 --- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml +++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml 
@@ -14,13 +14,9 @@ - name: Read signatures in GPG key # According to /usr/share/doc/gnupg2/DETAILS fingerprints are in "fpr" record in field 10 {{% if product == "rhel8" -%}} - shell: | - set -o pipefail - gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10 + command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" {{%- else -%}} - shell: | - set -o pipefail - gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" | grep "^fpr" | cut -d ":" -f 10 + command: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" {{%- endif %}} args: warn: False @@ -29,9 +25,13 @@ register: gpg_fingerprints check_mode: no +- name: Set Fact - Installed GPG Fingerprints + set_fact: + gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1') | list }}" + - name: Set Fact - Valid fingerprints set_fact: - gpg_valid_fingerprints: ("{{{ release_key_fingerprint }}}" "{{{ auxiliary_key_fingerprint }}}") + gpg_valid_fingerprints: ("{{{ release_key_fingerprint }}}" "{{{ auxiliary_key_fingerprint }}}") - name: Import RedHat GPG key rpm_key: @@ -39,6 +39,6 @@ key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release when: - gpg_key_directory_permission.stat.mode <= '0755' - - ( gpg_fingerprints.stdout_lines | difference(gpg_valid_fingerprints)) | length == 0 - - gpg_fingerprints.stdout_lines | length > 0 + - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0 + - gpg_installed_fingerprints | length > 0 - ansible_distribution == "RedHat" diff --git a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems index f3d6f02d82..a58d7729ec 100644 --- a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems 
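Review bot: `regex_findall` takes no replacement argument — its signature is `regex_findall(value, regex, multiline=False, ignorecase=False)` — so the `'\\1'` passed in the new `gpg_installed_fingerprints` fact is silently consumed as the `multiline` flag, and the `^fpr` anchor only works because that string happens to be truthy; write the intent explicitly as `regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', multiline=True)` (findall already returns the single capture group). The same `'\\1'` positional argument appears in the rpm_verify_hashes, rpm_verify_ownership and rpm_verify_permissions hunks of the later commits in this series. Separately, `gpg_valid_fingerprints` is the plain string `("…" "…")` rather than a YAML list, so the `difference(...)` test in the third hunk appears to pass only because membership against a string is a substring check; a real list, `gpg_valid_fingerprints: ["{{{ release_key_fingerprint }}}", "{{{ auxiliary_key_fingerprint }}}"]`, makes the comparison exact, which matters since this condition gates importing a signing key.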
+++ b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems @@ -5,7 +5,7 @@ # disruption = medium - name: "Get nfs and nfs4 mount points, that don't have {{{ MOUNTOPTION }}}" - command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }} -n + command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }}} -n register: points_register check_mode: no changed_when: False From 047c5d342860745dcc2f80a9f00d30cf25e76348 Mon Sep 17 00:00:00 2001 From: Gabe Date: Tue, 3 Sep 2019 14:18:54 -0600 Subject: [PATCH 4/5] Remove shell module usage for rpm verification tasks - Fixes #4617 --- .../rpm_verify_hashes/ansible/shared.yml | 27 ++++++++++++------- .../rpm_verify_ownership/ansible/shared.yml | 11 +++----- .../rpm_verify_permissions/ansible/shared.yml | 19 ++++++++----- 3 files changed, 34 insertions(+), 23 deletions(-) diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml index 2a38e43c3b..1ba29992ab 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml @@ -1,6 +1,6 @@ # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false -# strategy = unknown +# strategy = restrict # complexity = high # disruption = medium - name: "Set fact: Package manager reinstall command (dnf)" 
@@ -14,21 +14,30 @@ when: (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux") - name: "Read files with incorrect hash" - shell: | - set -o pipefail - rpm -Va | grep -E '^..5.* /(bin|sbin|lib|lib64|usr)/' | awk '{print $NF}' + command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noconfig --noghost args: warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect hash using rpm module - executable: /bin/bash register: files_with_incorrect_hash changed_when: False failed_when: files_with_incorrect_hash.rc > 1 when: (package_manager_reinstall_cmd is defined) - check_mode: no + +- name: Create list of packages + command: rpm -qf "{{ item }}" + args: + warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect hash using rpm module + with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}" + register: list_of_packages + changed_when: False + when: + - files_with_incorrect_hash.stdout_lines is defined + - (files_with_incorrect_hash.stdout_lines | length > 0) - name: "Reinstall packages of files with incorrect hash" - shell: "{{ package_manager_reinstall_cmd }} $(rpm -qf '{{ item }}')" + command: "{{ package_manager_reinstall_cmd }} '{{ item }}'" args: warn: False # Ignore ANSIBLE0006, this task is flexible with regards to package manager - with_items: "{{ files_with_incorrect_hash.stdout_lines }}" - when: (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0)) + with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}" + when: + - files_with_incorrect_hash.stdout_lines is defined + - (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0)) 
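Review bot: The replaced pipeline limited the result to paths under `/(bin|sbin|lib|lib64|usr)/`, while the new `regex_findall` pattern `'^[.]+[5]+.* (\/.*)'` captures any path, so a digest mismatch on a package file anywhere (under /var or /opt, for instance) now triggers a reinstall of that whole package; if the narrower scope was intended, anchor the capture, e.g. `'^[.]+[5]+.* (/(bin|sbin|lib|lib64|usr)/.*)'` — `/` needs no escaping in a Python regex, which also sidesteps the YAML `\/` escape. With the capture anchored that way the trailing `select('match', '(\/.*)')` becomes redundant. A comment above the `with_items` line describing the expected `rpm -Va` line layout (the flag column, an optional file-type marker, then the path) would make the `^[.]+[5]+.* ` prefix maintainable.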
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml index 9fd07f8da2..1d9720cb82 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml @@ -4,27 +4,24 @@ # complexity = high # disruption = medium - name: "Read list of files with incorrect ownership" - shell: | - set -o pipefail - rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }' + command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nomode args: warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect ownership using rpm module - executable: /bin/bash register: files_with_incorrect_ownership failed_when: files_with_incorrect_ownership.rc > 1 changed_when: False - check_mode: no - name: Create list of packages command: rpm -qf "{{ item }}" args: warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module - with_items: "{{ files_with_incorrect_ownership.stdout_lines | unique }}" + with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}" register: list_of_packages + changed_when: False when: (files_with_incorrect_ownership.stdout_lines | length > 0) - name: "Correct file ownership with RPM" - command: "rpm --quiet --setugids '{{ item }}'" + command: "rpm --setperms '{{ item }}'" args: warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}" 
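Review bot: The character class `[U|G]` in the new `regex_findall` pattern also matches a literal `|`, because `|` is not an alternation operator inside brackets; `[UG]` states the intent exactly and matches the rpm -Va user and group flags. Since the other `--no*` switches leave only those two flags enabled, the prefix `^[.]+[UG]+.* ` is sound, but a comment above the `with_items` line naming that dependency on the switch list would keep the regex and the `rpm -Va` arguments from drifting apart.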
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml index a22f03a987..149dbf9fb7 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml 
@@ -4,20 +4,25 @@ # complexity = high # disruption = medium - name: "Read list of files with incorrect permissions" - shell: | - set -o pipefail - rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }' + command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup args: warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect permissions using rpm module - executable: /bin/bash register: files_with_incorrect_permissions failed_when: files_with_incorrect_permissions.rc > 1 changed_when: False - check_mode: no + +- name: Create list of packages + command: rpm -qf "{{ item }}" + args: + warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect permissions using rpm module + with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}" + register: list_of_packages + changed_when: False + when: (files_with_incorrect_permissions.stdout_lines | length > 0) - name: "Correct file permissions with RPM" - shell: "rpm --setperms $(rpm -qf '{{ item }}')" + command: "rpm --setperms '{{ item }}'" args: warn: False # Ignore ANSIBLE0006, we can't correct permissions using rpm module - with_items: "{{ files_with_incorrect_permissions.stdout_lines }}" + with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}" when: (files_with_incorrect_permissions.stdout_lines | length > 0) From 83d241dceafb1b8d8829655b0cdeb44af1b01d2a Mon Sep 17 00:00:00 2001 From: Gabe Date: Fri, 6 Sep 2019 11:55:18 -0600 Subject: [PATCH 5/5] Fix regex and escape correctly --- .../rpm_verification/rpm_verify_hashes/ansible/shared.yml | 2 +- .../rpm_verification/rpm_verify_ownership/ansible/shared.yml | 4 ++-- .../rpm_verify_permissions/ansible/shared.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml index 1ba29992ab..0dc09339f4 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml @@ -26,7 +26,7 @@ command: rpm -qf "{{ item }}" args: warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect hash using rpm module - with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}" + with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}" register: list_of_packages changed_when: False when: diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml index 1d9720cb82..d02508808c 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml 
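Review bot: The double escape `(\\/.*)` is needed only to get a backslash through the YAML double-quoted scalar, and the resulting `\/` is a no-op in a Python regex because `/` is not a metacharacter; `(/.*)` in both the `regex_findall` and the `select('match', ...)` arguments drops the escape entirely and reads more clearly. The same applies to the rpm_verify_ownership and rpm_verify_permissions hunks in this commit.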
@@ -15,13 +15,13 @@ command: rpm -qf "{{ item }}" args: warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module - with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}" + with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}" register: list_of_packages changed_when: False when: (files_with_incorrect_ownership.stdout_lines | length > 0) - name: "Correct file ownership with RPM" - command: "rpm --setperms '{{ item }}'" + command: "rpm --quiet --setugids '{{ item }}'" args: warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}" diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml index 149dbf9fb7..55a37a4235 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml 
@@ -15,7 +15,7 @@ command: rpm -qf "{{ item }}" args: warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect permissions using rpm module - with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}" + with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}" register: list_of_packages changed_when: False when: (files_with_incorrect_permissions.stdout_lines | length > 0)