ansible-lockdown / RHEL7-STIG

Ansible role for Red Hat 7 STIG Baseline

Unable to re-run role

Kreeblah opened this issue · comments

I'm looking at this Ansible role to enforce hardening standards on a fleet of hosts, but I'm having some trouble when it comes to re-running it on the same host. Ideally, I'd like to be able to do so in order to make sure things are being enforced.

However, when I try to do so, I get a permissions error when it gets to RHEL-07-010300 and attempts to access /etc/ssh/sshd_config, which halts the Ansible run. This doesn't make a lot of sense to me, as I'm running this as a user with sudo privileges (the same user that ran the role on the target in the first place) and /etc/ssh/sshd_config is owned by root with permissions of 600. I'm guessing it's failing during an attempt to read from the file (as it does already have PermitEmptyPasswords no in it). This was run against a fresh CentOS 7.7 install, so it shouldn't have anything conflicting here.

Am I missing something with this? The lines from that STIG ID during a -vvv run are in the file I've attached, but I'm not seeing a whole lot there that's illuminating. My permissions look alright, too:

[testuser@localhost ~]$ sudo ls -al /etc/ssh/sshd_config
[sudo] password for testuser:
-rw-------. 1 root root 3969 Jan 14 14:12 /etc/ssh/sshd_config

STIG_Error.txt

Are you on 2.8.6? There was a bug: ansible/ansible#63684

More likely, you haven't requested to become root:
<10.10.10.178> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="testuser"' -o ConnectTimeout=10 -o ControlPath=/Users/myuser/.ansible/cp/b7add26a9a -tt 10.10.10.178 '/bin/sh -c '"'"'/usr/bin/python /home/testuser/.ansible/tmp/ansible-tmp-1579209255.402522-207165063187391/AnsiballZ_lineinfile.py && sleep 0'"'"''

I'm on 3.8.1. I should be requesting to become root, though. Here's what I'm running:

ansible-playbook -u testuser --become-user root -vvv -K -i 10.10.10.178, centos7_stig.yml

For the playbook, I've got a pretty simple one:

- name: Apply STIG to CentOS 7
  hosts: all
  roles:
    - role: rhel7-stig
      when:
        - ansible_os_family == 'RedHat'
        - ansible_distribution_major_version is version('7', '=')

You need become: yes

Argh. I completely spaced on that. You're absolutely right.
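As an added example (not from the original thread or the ansible-lockdown role), here is the playbook from the issue with the missing `become: yes` in place, plus a hypothetical pre-check that fails fast with a clear message when tasks are not actually running as root, instead of surfacing as a permission error partway through the role. Note that `--become-user root` and `-K` on their own do not enable privilege escalation; only `become: yes` in the play (or `--become`/`-b` on the command line) does.

```yaml
# Added example; not code from the original issue or the rhel7-stig role.
# Assumes the role name and the inventory from the thread. The pre_tasks
# below (names and messages) are hypothetical additions for diagnosis.
- name: Apply STIG to CentOS 7
  hosts: all
  become: yes      # missing in the original playbook; -K only supplies the sudo password
  pre_tasks:
    - name: Confirm privilege escalation is actually in effect
      command: id -u
      changed_when: false
      register: effective_uid

    - name: Stop early instead of failing on a root-owned 0600 file later
      assert:
        that: effective_uid.stdout == '0'
        fail_msg: "Tasks run as uid {{ effective_uid.stdout }}; set 'become: yes' or pass --become"
        success_msg: "Running as root; root-only files such as /etc/ssh/sshd_config are accessible"

  roles:
    - role: rhel7-stig
      when:
        - ansible_os_family == 'RedHat'
        - ansible_distribution_major_version is version('7', '=')
```

Run it the same way as in the thread (`ansible-playbook -u testuser -K -i 10.10.10.178, centos7_stig.yml`); the assert now reports the escalation problem before any STIG task touches the filesystem.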