From f891d5d4245963ca1bb1a2c785656077ae9fcced Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 13 Nov 2019 15:36:12 +0100
Subject: [PATCH 1/6] Run the command also in check mode
Setting check_mode to False forces the command in this task to run
even if the playbook is run in check mode. This task produces the
variable `socket_file_exists`, which is then used in the task
"Disable socket ...". In check mode, the command wasn't executed,
which caused this error:
fatal: [localhost]: FAILED! => {"msg": "The conditional check
'\"sshd.socket\" in socket_file_exists.stdout_lines[1]' failed. The
error was: error while evaluating conditional (\"sshd.socket\" in
socket_file_exi
sts.stdout_lines[1]): Unable to look up a name or access an attribute in
template string ({% if \"sshd.socket\" in
socket_file_exists.stdout_lines[1] %} True {% else %} False {% endif
%}).\nMake sure your variab
le name does not contain invalid characters like '-': argument of type
'AnsibleUndefined' is not iterable\n\nThe error appears to be in
'/home/jcerny/scap-security-guide/build/fedora/playbooks/all/service_sshd_d
isabled.yml': line 44, column 7, but may\nbe elsewhere in the file
depending on the exact syntax problem.\n\nThe offending line appears to
be:\n\n\n - name: Disable socket sshd\n ^ here\n"}
---
shared/templates/template_ANSIBLE_service_disabled | 1 +
1 file changed, 1 insertion(+)
diff --git a/shared/templates/template_ANSIBLE_service_disabled b/shared/templates/template_ANSIBLE_service_disabled
index 1faeeeb9b8..cb3d0634af 100644
--- a/shared/templates/template_ANSIBLE_service_disabled
+++ b/shared/templates/template_ANSIBLE_service_disabled
@@ -26,6 +26,7 @@
register: socket_file_exists
changed_when: False
ignore_errors: True
+ check_mode: False
- name: Disable socket {{{ SERVICENAME }}}
systemd:
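Review bot: The added `check_mode: False` exempts this task from dry-run without a comment saying why that is safe, and the command it exempts is not in the hunk (the task starts before `register: socket_file_exists`), so a reader of the template cannot confirm from here that it only reads state. An explicit note such as `# read-only probe; must also run under --check so socket_file_exists is defined for "Disable socket"` records the contract that nothing in this task may modify the host. It also makes it obvious to a later reviewer if the command line is ever changed into something that writes.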
From 0a5f4fdac9a409e543ff05f2dbb46c78a7fc76b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 13 Nov 2019 15:58:42 +0100
Subject: [PATCH 2/6] Add "check_mode: no" everywhere possible
This option forces the command to run also in check mode.
If the command only reads, e.g. grep, this should be harmless.
It prevents the playbook from terminating in "check" mode
because the variable that this command was expected to
populate is empty.
---
.../sssd_ldap_configure_tls_ca_dir/ansible/shared.yml | 1 +
.../sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml | 1 +
.../services/sssd/sssd_enable_smartcards/ansible/shared.yml | 1 +
.../services/sssd/sssd_memcache_timeout/ansible/shared.yml | 1 +
.../sssd/sssd_offline_cred_expiration/ansible/shared.yml | 1 +
.../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml | 1 +
.../integrity/fips/grub2_enable_fips_mode/ansible/shared.yml | 3 +++
.../package_dracut-fips-aesni_installed/ansible/shared.yml | 1 +
8 files changed, 10 insertions(+)
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
index 7ab0904da0..ca7bbf9f4f 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
@@ -10,6 +10,7 @@
register: test_grep_domain
ignore_errors: yes
changed_when: False
+ check_mode: no
- name: "Add default domain group and set CA directory (if no domain there)"
ini_file:
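Review bot: `check_mode: no` adds a third boolean spelling to a task whose neighbouring lines already use `ignore_errors: yes` and `changed_when: False`, and patch 1 of this series writes the same option as `check_mode: False`. yamllint's `truthy` rule rejects `yes`/`no`/`True`/`False`, so a single lowercase `check_mode: false` in the six sssd hunks and in the grub2/dracut hunks below would keep the series consistent. Now that the grep also runs in dry runs, a non-matching grep is reported as a failure and then ignored on every check run; replacing `ignore_errors: yes` with `failed_when: test_grep_domain.rc > 1` would avoid that noise, though that line predates this change. The enclosing task begins before the hunk.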
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
index 1aeb2728db..1fd1e7d2c5 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
@@ -16,6 +16,7 @@
register: test_grep_domain
ignore_errors: yes
changed_when: False
+ check_mode: no
- name: "Add default domain group and use STARTTLS (if no domain there)"
ini_file:
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
index 636bc3f65f..1087367dde 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
@@ -8,6 +8,7 @@
register: test_grep_domain
ignore_errors: yes
changed_when: False
+ check_mode: no
- name: "Add default domain group (if no domain there)"
ini_file:
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
index 79dbd9140a..4a146b1008 100644
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
@@ -10,6 +10,7 @@
register: test_grep_domain
ignore_errors: yes
changed_when: False
+ check_mode: no
- name: "Add default domain group (if no domain there)"
ini_file:
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
index 614cf5c05e..d79b0e6ca6 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
@@ -8,6 +8,7 @@
register: test_grep_domain
ignore_errors: yes
changed_when: False
+ check_mode: no
- name: "Add default domain group (if no domain there)"
ini_file:
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
index 6284435ec4..6763e27c7e 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
@@ -10,6 +10,7 @@
register: test_grep_domain
ignore_errors: yes
changed_when: False
+ check_mode: no
- name: "Add default domain group (if no domain there)"
ini_file:
diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml
index 5cc5fe0e96..b642b6c3c3 100644
--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml
@@ -24,6 +24,7 @@
command: grep -q -m1 -o aes /proc/cpuinfo
failed_when: aesni_supported.rc > 1
register: aesni_supported
+ check_mode: no
- name: Ensure dracut-fips-aesni is installed
package:
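Review bot: `check_mode: no` makes `grep -q -m1 -o aes /proc/cpuinfo` run in dry runs, but unlike the sssd tasks in this patch the task has no `changed_when: False`, so every run, including `--check`, reports a change for a command that modifies nothing. Adding `changed_when: False` next to the new line keeps the check-mode summary meaningful; the same is missing at the `fipsargcheck` and `bootargcheck` hunks in this file, in the dracut-fips-aesni hunk, and at the `bootuuid` task changed in patch 3. The task name precedes the hunk.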
@@ -45,6 +46,7 @@
command: grep 'GRUB_CMDLINE_LINUX.*fips=' /etc/default/grub
failed_when: False
register: fipsargcheck
+ check_mode: no
- name: replace existing fips argument
replace:
@@ -68,6 +70,7 @@
command: grep 'GRUB_CMDLINE_LINUX.*boot=' /etc/default/grub
failed_when: False
register: bootargcheck
+ check_mode: no
- name: replace existing boot argument
replace:
diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml
index 28a9dd71c4..8ed524fc75 100644
--- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml
@@ -7,6 +7,7 @@
command: grep -q -m1 -o aes /proc/cpuinfo
failed_when: aesni_supported.rc > 1
register: aesni_supported
+ check_mode: no
- name: Ensure dracut-fips-aesni is installed
package:
From 7b669bf3d9e30e842095693456109c38d82f94a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 13 Nov 2019 16:51:04 +0100
Subject: [PATCH 3/6] Prevent fails in check mode
Addressing:
fatal: [localhost]: FAILED! => {"msg": "The task includes an option with
an undefined variable. The error was: 'dict object' has no attribute
'stdout'\n\nThe error appears to be in '/home/jcerny/scap-security-gu
ide/build/rhel7/playbooks/all/grub2_enable_fips_mode.yml': line 134,
column 7, but may\nbe elsewhere in the file depending on the exact
syntax problem.\n\nThe offending line appears to be:\n\n\n - name:
add b
oot argument\n ^ here\n"}
---
.../integrity/fips/grub2_enable_fips_mode/ansible/shared.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml
index b642b6c3c3..0dd7dea18d 100644
--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml
@@ -65,6 +65,7 @@
- name: get boot device uuid
command: findmnt --noheadings --output uuid --target /boot
register: bootuuid
+ check_mode: no
- name: check boot argument exists
command: grep 'GRUB_CMDLINE_LINUX.*boot=' /etc/default/grub
From 309946d9ae49847bdb922ac5e0ba3657afa787a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 13 Nov 2019 17:14:06 +0100
Subject: [PATCH 4/6] Prevent fails in check mode
---
.../rpm_verification/rpm_verify_hashes/ansible/shared.yml | 2 ++
.../rpm_verification/rpm_verify_ownership/ansible/shared.yml | 2 ++
.../rpm_verification/rpm_verify_permissions/ansible/shared.yml | 2 ++
3 files changed, 6 insertions(+)
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
index 0dc09339f4..991d637853 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
@@ -20,6 +20,7 @@
register: files_with_incorrect_hash
changed_when: False
failed_when: files_with_incorrect_hash.rc > 1
+ check_mode: False
when: (package_manager_reinstall_cmd is defined)
- name: Create list of packages
@@ -29,6 +30,7 @@
with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
register: list_of_packages
changed_when: False
+ check_mode: False
when:
- files_with_incorrect_hash.stdout_lines is defined
- (files_with_incorrect_hash.stdout_lines | length > 0)
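Review bot: With `check_mode: False` now forcing this task in dry runs, the package list it builds is what a `--check` run reports, yet the filter `'^[.]+[5]+.* (\\/.*)'` only matches lines whose digest flag is preceded solely by dots; if I read `rpm -V`'s attribute column correctly, a file whose size also differs (`S.5....T.`) is silently dropped from the list. Anchoring on the flag itself, e.g. `'^[^ ]*5[^ ]*.* (\\/.*)'`, keeps such files in scope; the `[U|G]` and `[M]` filters in the ownership and permissions hunks of this patch have the same shape (and `[U|G]` also matches a literal `|`). These filter lines predate the commit, but the new `check_mode: False` line is what turns them into the check-mode result.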
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
index d02508808c..d0d52e7c76 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
@@ -10,6 +10,7 @@
register: files_with_incorrect_ownership
failed_when: files_with_incorrect_ownership.rc > 1
changed_when: False
+ check_mode: False
- name: Create list of packages
command: rpm -qf "{{ item }}"
@@ -18,6 +19,7 @@
with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
register: list_of_packages
changed_when: False
+ check_mode: False
when: (files_with_incorrect_ownership.stdout_lines | length > 0)
- name: "Correct file ownership with RPM"
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
index 55a37a4235..517cc38af2 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
@@ -10,6 +10,7 @@
register: files_with_incorrect_permissions
failed_when: files_with_incorrect_permissions.rc > 1
changed_when: False
+ check_mode: False
- name: Create list of packages
command: rpm -qf "{{ item }}"
@@ -18,6 +19,7 @@
with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
register: list_of_packages
changed_when: False
+ check_mode: False
when: (files_with_incorrect_permissions.stdout_lines | length > 0)
- name: "Correct file permissions with RPM"
From d410766260716cf974fba04dfd3710b9bfd72323 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 13 Nov 2019 17:26:42 +0100
Subject: [PATCH 5/6] Fix template_ANSIBLE_mount_option_remote_filesystems
"item" was not defined. Also, `findmnt` command can return 1 if there
is no nfs entry in /etc/fstab. The MOUNTOPTION variable is a complete
mount option, eg. `nosuid`.
---
.../ansible/shared.yml | 1 +
.../template_ANSIBLE_mount_option_remote_filesystems | 4 ++++
2 files changed, 5 insertions(+)
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
index 6982ce293e..1c318715cf 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
@@ -18,3 +18,4 @@
state: mounted
opts: "{{ item.split()[3] }},sec=krb5:krb5i:krb5p"
when: (points_register.stdout | length > 0)
+ with_items: "{{ points_register.stdout_lines }}"
diff --git a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems
index a58d7729ec..c82201d507 100644
--- a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems
+++ b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems
@@ -5,10 +5,13 @@
# disruption = medium
- name: "Get nfs and nfs4 mount points, that don't have {{{ MOUNTOPTION }}}"
+ # 'no' before MOUNTOPTION isn't omission, it means a negation
command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }}} -n
register: points_register
check_mode: no
changed_when: False
+ # if no nfs/nfs4 entries are in /etc/fstab, findmnt command returns 1
+ failed_when: False
- name: "Add {{{ MOUNTOPTION }}} to nfs and nfs4 mount points"
mount:
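Review bot: `failed_when: False` on the findmnt task masks every non-zero exit, including a missing or failing `findmnt` binary, and because the next task is guarded by `points_register.stdout | length > 0` the play then ends green without the mount option ever being applied. The commit message says findmnt can return 1 when there is no nfs entry in /etc/fstab, so `failed_when: points_register.rc > 1` keeps that case quiet while still surfacing real execution errors; the `failed_when: False` added in commit 924ac061 for mount_option_krb_sec_remote_filesystems has the same issue. Separately, the `item.split()[3]` used by the follow-up task relies on findmnt's default column order, which the command here does not pin; adding `-o TARGET,SOURCE,FSTYPE,OPTIONS` to the `findmnt` line makes that index explicit.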
@@ -18,3 +21,4 @@
state: mounted
opts: "{{ item.split()[3] }},{{{ MOUNTOPTION }}}"
when: (points_register.stdout | length > 0)
+ with_items: "{{ points_register.stdout_lines }}"
commit 924ac061a1e044213f838ac5a15f26b451f35352
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Fri Nov 15 17:27:15 2019 +0100
Fix mount_option_krb_sec_remote_filesystems ansible content.
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
index 1c31871..befa06e 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
@@ -5,10 +5,11 @@
# disruption = medium
- name: "Get nfs and nfs4 mount points, that don't have Kerberos security option"
- command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n -o TARGET
+ command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n
register: points_register
check_mode: no
changed_when: False
+ failed_when: False
- name: "Add Kerberos security to nfs and nfs4 mount points"
mount: