From f891d5d4245963ca1bb1a2c785656077ae9fcced Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Wed, 13 Nov 2019 15:36:12 +0100
Subject: [PATCH 1/6] Run the command also in check mode
Setting check_mode to False will force to run the command in this task even if the playbook is run in check_mode. This task produces variable `socket_file_exists` which is then used in task "Disable socket ...". In check mode, the command wasn't executed, which caused this error: fatal: [localhost]: FAILED! => {"msg": "The conditional check '\"sshd.socket\" in socket_file_exists.stdout_lines[1]' failed. The error was: error while evaluating conditional (\"sshd.socket\" in socket_file_exi sts.stdout_lines[1]): Unable to look up a name or access an attribute in template string ({% if \"sshd.socket\" in socket_file_exists.stdout_lines[1] %} True {% else %} False {% endif %}).\nMake sure your variab le name does not contain invalid characters like '-': argument of type 'AnsibleUndefined' is not iterable\n\nThe error appears to be in '/home/jcerny/scap-security-guide/build/fedora/playbooks/all/service_sshd_d isabled.yml': line 44, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name: Disable socket sshd\n ^ here\n"}
---
 shared/templates/template_ANSIBLE_service_disabled | 1 +
 1 file changed, 1 insertion(+)
diff --git a/shared/templates/template_ANSIBLE_service_disabled b/shared/templates/template_ANSIBLE_service_disabled
index 1faeeeb9b8..cb3d0634af 100644
--- a/shared/templates/template_ANSIBLE_service_disabled
+++ b/shared/templates/template_ANSIBLE_service_disabled
@@ -26,6 +26,7 @@
 register: socket_file_exists
 changed_when: False
 ignore_errors: True
+ check_mode: False
 - name: Disable socket {{{ SERVICENAME }}}
 systemd:
From 0a5f4fdac9a409e543ff05f2dbb46c78a7fc76b3 Mon Sep 17 00:00:00 2001
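Review bot: The task keeps `ignore_errors: True` beside the new `check_mode: False`, so a command that fails still registers `socket_file_exists` with a short or empty `stdout_lines`, and the consumer quoted in the commit message indexes `stdout_lines[1]` — that path would then fail with the same undefined-attribute error that check mode produced. The command itself and the consuming task are outside this hunk, so I cannot tell whether the index is guarded; if it is not, a list-form `when` that checks `socket_file_exists.stdout_lines | length > 1` before `"{{{ SERVICENAME }}}.socket" in socket_file_exists.stdout_lines[1]` would turn the failure into a clean skip. Separately, the series spells this flag three ways (`check_mode: False` here and in PATCH 4, `check_mode: no` in PATCH 2 and 3); lowercase `check_mode: false` everywhere is the YAML 1.2-safe form and keeps the templates consistent.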
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Wed, 13 Nov 2019 15:58:42 +0100
Subject: [PATCH 2/6] Add "check_mode: no" everywhere possible
This option forces to run the command also in the check mode. If the command only reads, eg. grep, it should be harmless. It prevents issues that in "check" mode the playbook will terminate because the variable that was expected to be populated by this command is empty.
---
 .../sssd_ldap_configure_tls_ca_dir/ansible/shared.yml | 1 +
 .../sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml | 1 +
 .../services/sssd/sssd_enable_smartcards/ansible/shared.yml | 1 +
 .../services/sssd/sssd_memcache_timeout/ansible/shared.yml | 1 +
 .../sssd/sssd_offline_cred_expiration/ansible/shared.yml | 1 +
 .../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml | 1 +
 .../integrity/fips/grub2_enable_fips_mode/ansible/shared.yml | 3 +++
 .../package_dracut-fips-aesni_installed/ansible/shared.yml | 1 +
 8 files changed, 10 insertions(+)
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
index 7ab0904da0..ca7bbf9f4f 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
@@ -10,6 +10,7 @@
 register: test_grep_domain
 ignore_errors: yes
 changed_when: False
+ check_mode: no
 - name: "Add default domain group and set CA directory (if no domain there)"
 ini_file:
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
index 1aeb2728db..1fd1e7d2c5 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
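Review bot: `ignore_errors: yes` on the task that registers `test_grep_domain` (its command line is above the hunk, presumably a grep) still prints a red failure on every host where the pattern is absent and also hides genuine errors such as an unreadable sssd.conf, while the grub2_enable_fips_mode hunks in this same patch already use the tighter `failed_when: aesni_supported.rc > 1` form. Replacing it with `failed_when: test_grep_domain.rc > 1` keeps "no match" (rc 1) quiet, lets real failures (rc 2 and above) stop the play, and makes `ignore_errors` unnecessary. The same applies to the identical hunks in sssd_ldap_start_tls, sssd_enable_smartcards, sssd_memcache_timeout, sssd_offline_cred_expiration and sssd_ssh_known_hosts_timeout. The task also mixes `yes`, `False` and `no` for booleans on three adjacent lines; `true`/`false` throughout is the form that survives YAML 1.2 parsers.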
@@ -16,6 +16,7 @@
 register: test_grep_domain
 ignore_errors: yes
 changed_when: False
+ check_mode: no
 - name: "Add default domain group and use STARTTLS (if no domain there)"
 ini_file:
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
index 636bc3f65f..1087367dde 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
@@ -8,6 +8,7 @@
 register: test_grep_domain
 ignore_errors: yes
 changed_when: False
+ check_mode: no
 - name: "Add default domain group (if no domain there)"
 ini_file:
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
index 79dbd9140a..4a146b1008 100644
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
@@ -10,6 +10,7 @@
 register: test_grep_domain
 ignore_errors: yes
 changed_when: False
+ check_mode: no
 - name: "Add default domain group (if no domain there)"
 ini_file:
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
index 614cf5c05e..d79b0e6ca6 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
@@ -8,6 +8,7 @@
 register: test_grep_domain
 ignore_errors: yes
 changed_when: False
+ check_mode: no
 - name: "Add default domain group (if no domain there)"
 ini_file:
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
index 6284435ec4..6763e27c7e 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
@@ -10,6 +10,7 @@
 register: test_grep_domain
 ignore_errors: yes
 changed_when: False
+ check_mode: no
 - name: "Add default domain group (if no domain there)"
 ini_file:
diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml
index 5cc5fe0e96..b642b6c3c3 100644
--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml
@@ -24,6 +24,7 @@
 command: grep -q -m1 -o aes /proc/cpuinfo
 failed_when: aesni_supported.rc > 1
 register: aesni_supported
+ check_mode: no
 - name: Ensure dracut-fips-aesni is installed
 package:
@@ -45,6 +46,7 @@
 command: grep 'GRUB_CMDLINE_LINUX.*fips=' /etc/default/grub
 failed_when: False
 register: fipsargcheck
+ check_mode: no
 - name: replace existing fips argument
 replace:
@@ -68,6 +70,7 @@
 command: grep 'GRUB_CMDLINE_LINUX.*boot=' /etc/default/grub
 failed_when: False
 register: bootargcheck
+ check_mode: no
 - name: replace existing boot argument
 replace:
diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml
index 28a9dd71c4..8ed524fc75 100644
--- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml
@@ -7,6 +7,7 @@
 command: grep -q -m1 -o aes /proc/cpuinfo
 failed_when: aesni_supported.rc > 1
 register: aesni_supported
+ check_mode: no
 - name: Ensure dracut-fips-aesni is installed
 package:
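Review bot: `failed_when: False` on the `fipsargcheck` and `bootargcheck` grep tasks (second and third grub2_enable_fips_mode hunks) suppresses every failure, including a missing or unreadable /etc/default/grub, while the aesni task in the first hunk already uses `failed_when: aesni_supported.rc > 1`; `failed_when: fipsargcheck.rc > 1` and `failed_when: bootargcheck.rc > 1` would keep the file consistent and still treat "no match" as success. None of the four grep tasks touched here shows `changed_when: False` inside its hunk, and each task's `- name:` line sits just above the hunk, so unless it is set there every run — including the check-mode runs this patch enables — will now report "changed" for a read-only probe. The aesni task in package_dracut-fips-aesni_installed has the same gap.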
From 7b669bf3d9e30e842095693456109c38d82f94a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Wed, 13 Nov 2019 16:51:04 +0100
Subject: [PATCH 3/6] Prevent fails in check mode
Addressing: fatal: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'stdout'\n\nThe error appears to be in '/home/jcerny/scap-security-gu ide/build/rhel7/playbooks/all/grub2_enable_fips_mode.yml': line 134, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name: add b oot argument\n ^ here\n"}
---
 .../integrity/fips/grub2_enable_fips_mode/ansible/shared.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml
index b642b6c3c3..0dd7dea18d 100644
--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml
@@ -65,6 +65,7 @@
 - name: get boot device uuid
 command: findmnt --noheadings --output uuid --target /boot
 register: bootuuid
+ check_mode: no
 - name: check boot argument exists
 command: grep 'GRUB_CMDLINE_LINUX.*boot=' /etc/default/grub
From 309946d9ae49847bdb922ac5e0ba3657afa787a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Wed, 13 Nov 2019 17:14:06 +0100
Subject: [PATCH 4/6] Prevent fails in check mode
---
 .../rpm_verification/rpm_verify_hashes/ansible/shared.yml | 2 ++
 .../rpm_verification/rpm_verify_ownership/ansible/shared.yml | 2 ++
 .../rpm_verification/rpm_verify_permissions/ansible/shared.yml | 2 ++
 3 files changed, 6 insertions(+)
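Review bot: The `get boot device uuid` task is fully visible in this hunk and has neither `changed_when: False` nor any failure handling: a read-only findmnt now reports "changed" on every run, and if it prints nothing the empty `bootuuid.stdout` flows into the `add boot argument` task named in the commit message, which is outside the hunk and presumably writes a `boot=UUID=...` entry into the kernel command line. An empty UUID there would make the FIPS `boot=` argument meaningless at best and leave the system unable to find /boot at worst, so the probe should fail loudly rather than pass an empty value along: `changed_when: False` and `failed_when: bootuuid.rc != 0 or bootuuid.stdout | length == 0`.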
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
index 0dc09339f4..991d637853 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
@@ -20,6 +20,7 @@
 register: files_with_incorrect_hash
 changed_when: False
 failed_when: files_with_incorrect_hash.rc > 1
+ check_mode: False
 when: (package_manager_reinstall_cmd is defined)
 - name: Create list of packages
@@ -29,6 +30,7 @@
 with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
 register: list_of_packages
 changed_when: False
+ check_mode: False
 when:
 - files_with_incorrect_hash.stdout_lines is defined
 - (files_with_incorrect_hash.stdout_lines | length > 0)
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
index d02508808c..d0d52e7c76 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
@@ -10,6 +10,7 @@
 register: files_with_incorrect_ownership
 failed_when: files_with_incorrect_ownership.rc > 1
 changed_when: False
+ check_mode: False
 - name: Create list of packages
 command: rpm -qf "{{ item }}"
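Review bot: The `regex_findall` pattern `'^[.]+[5]+.* (\\/.*)'` in the second rpm_verify_hashes hunk requires the rpm -V flag field to begin with one or more dots before the `5`, so, if I read rpm's column order right (S M 5 D L U G T P), a file whose size also changed (`S.5......`) is never listed and the remediation silently skips the most common kind of hash mismatch. Anchoring on the first whitespace-free token instead of on leading dots, written as the file escapes it, `'^[^ ]*5.* (\\/.*)'`, would catch those lines. The ownership pattern `^[.]+[U|G]+` (where `|` inside a character class is a literal bar, not alternation) and the permissions pattern `^[.]+[M]+` in rpm_verify_ownership and rpm_verify_permissions share the leading-dot problem. This predates the added `check_mode: False`, but since the commit now forces these list-building tasks to run in check mode, the lists they produce are worth getting right here.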
@@ -18,6 +19,7 @@
 with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
 register: list_of_packages
 changed_when: False
+ check_mode: False
 when: (files_with_incorrect_ownership.stdout_lines | length > 0)
 - name: "Correct file ownership with RPM"
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
index 55a37a4235..517cc38af2 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
@@ -10,6 +10,7 @@
 register: files_with_incorrect_permissions
 failed_when: files_with_incorrect_permissions.rc > 1
 changed_when: False
+ check_mode: False
 - name: Create list of packages
 command: rpm -qf "{{ item }}"
@@ -18,6 +19,7 @@
 with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
 register: list_of_packages
 changed_when: False
+ check_mode: False
 when: (files_with_incorrect_permissions.stdout_lines | length > 0)
 - name: "Correct file permissions with RPM"
From d410766260716cf974fba04dfd3710b9bfd72323 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Wed, 13 Nov 2019 17:26:42 +0100
Subject: [PATCH 5/6] Fix template_ANSIBLE_mount_option_remote_filesystems
"item" was not defined. Also, `findmnt` command can return 1 if there is no nfs entry in /etc/fstab. The MOUNTOPTION variable is a complete mount option, eg. `nosuid`.
---
 .../ansible/shared.yml | 1 +
 .../template_ANSIBLE_mount_option_remote_filesystems | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
index 6982ce293e..1c318715cf 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
@@ -18,3 +18,4 @@
 state: mounted
 opts: "{{ item.split()[3] }},sec=krb5:krb5i:krb5p"
 when: (points_register.stdout | length > 0)
+ with_items: "{{ points_register.stdout_lines }}"
diff --git a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems
index a58d7729ec..c82201d507 100644
--- a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems
+++ b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems
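Review bot: With `with_items` now iterating every fstab row, `opts: "{{ item.split()[3] }},sec=krb5:krb5i:krb5p"` appends the Kerberos flavour to whatever option string the row already carries; if I read findmnt's `-O nosec=krb5:krb5i:krb5p` filter correctly it selects rows that lack that exact option, so a row that already has a different `sec=` value (for example `sec=sys`) is selected and ends up with two `sec=` entries, and which one mount honours is then implementation-defined. Stripping any existing value before appending, `opts: "{{ item.split()[3] | regex_replace(',?sec=[^,]*', '') }},sec=krb5:krb5i:krb5p"`, makes the result deterministic. The rest of the `mount:` task (path, src, fstype) is above the hunk; the generic template hunk below has the same shape, though its `{{{ MOUNTOPTION }}}` values are flag-style options where duplication is harmless.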
@@ -5,10 +5,13 @@
 # disruption = medium
 - name: "Get nfs and nfs4 mount points, that don't have {{{ MOUNTOPTION }}}"
+ # 'no' before MOUNTOPTION isn't omission, it means a negation
 command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }}} -n
 register: points_register
 check_mode: no
 changed_when: False
+ # if no nfs/nfs4 entries are in /etc/fstab, findmnt command returns 1
+ failed_when: False
 - name: "Add {{{ MOUNTOPTION }}} to nfs and nfs4 mount points"
 mount:
@@ -18,3 +21,4 @@
 state: mounted
 opts: "{{ item.split()[3] }},{{{ MOUNTOPTION }}}"
 when: (points_register.stdout | length > 0)
+ with_items: "{{ points_register.stdout_lines }}"
commit 924ac061a1e044213f838ac5a15f26b451f35352
Author: Gabriel Becker
Date: Fri Nov 15 17:27:15 2019 +0100
Fix mount_option_krb_sec_remote_filesystems ansible content.
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
index 1c31871..befa06e 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
@@ -5,10 +5,11 @@
 # disruption = medium
 - name: "Get nfs and nfs4 mount points, that don't have Kerberos security option"
- command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n -o TARGET
+ command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n
 register: points_register
 check_mode: no
 changed_when: False
+ failed_when: False
 - name: "Add Kerberos security to nfs and nfs4 mount points"
 mount:
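Review bot: Dropping `-o TARGET` makes `item.split()[3]` in the mount task below this hunk depend on findmnt's default column set being TARGET, SOURCE, FSTYPE, OPTIONS in that order; spelling the columns out, `command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n -o TARGET,SOURCE,FSTYPE,OPTIONS`, pins the index the consumer relies on and documents why 3 is correct. The new `failed_when: False` is broader than the "no entries in fstab" case it is meant for: findmnt reports exit status 1 for "nothing found", and as far as I recall also for errors, so it cannot be narrowed on rc alone, but the one-line reason the template hunk above attaches to the same line (`# if no nfs/nfs4 entries are in /etc/fstab, findmnt command returns 1`) should accompany it here too. The same column pinning applies to the `findmnt ... -O no{{{ MOUNTOPTION }}} -n` line in template_ANSIBLE_mount_option_remote_filesystems.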