Unable to re-run role
Kreeblah opened this issue
I'm looking at this Ansible role to enforce hardening standards on a fleet of hosts, but I'm having some trouble when it comes to re-running it on the same host. Ideally, I'd like to be able to do that in order to make sure things are being enforced.
However, when I try to do so, I get a permissions error when it gets to RHEL-07-010300 and attempts to access /etc/sshd/sshd_config, which halts the Ansible run. This doesn't make a lot of sense to me, as I'm running this as a user with sudo privileges (the same user that ran the role on the target in the first place) and /etc/sshd/sshd_config is owned by root with permissions of 600. I'm guessing it's failing during an attempt to read from the file (as it does already have PermitEmptyPasswords no in it). This was run against a fresh CentOS 7.7 install, so it shouldn't have anything conflicting here.
Am I missing something with this? The lines from that STIG ID during a -vvv run are in the file I've attached, but I'm not seeing a whole lot there that's illuminating. My permissions look alright, too:
```
[testuser@localhost ~]$ sudo ls -al /etc/ssh/sshd_config
[sudo] password for testuser:
-rw-------. 1 root root 3969 Jan 14 14:12 /etc/ssh/sshd_config
```
Are you on 2.8.6? There was a bug: ansible/ansible#63684
More likely, you haven't requested to become root:
```
<10.10.10.178> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="testuser"' -o ConnectTimeout=10 -o ControlPath=/Users/myuser/.ansible/cp/b7add26a9a -tt 10.10.10.178 '/bin/sh -c '"'"'/usr/bin/python /home/testuser/.ansible/tmp/ansible-tmp-1579209255.402522-207165063187391/AnsiballZ_lineinfile.py && sleep 0'"'"''
```
I'm on 3.8.1. I should be requesting to become root, though. Here's what I'm running:
```
ansible-playbook -u testuser --become-user root -vvv -K -i 10.10.10.178, centos7_stig.yml
```
For the playbook, I've got a pretty simple one:
```yaml
- name: Apply STIG to CentOS 7
  hosts: all
  roles:
    - role: rhel7-stig
      when:
        - ansible_os_family == 'RedHat'
        - ansible_distribution_major_version is version('7', '=')
```
You need `become: yes`
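The corrected playbook, as an added example rather than anything posted in this thread: `--become-user root` on the command line only picks the user to escalate *to*; escalation itself has to be switched on, either with `become: true` in the play or with `-b`/`--become` on the command line. Without it the `lineinfile` task runs as `testuser`, which cannot open a root-owned mode 600 `/etc/ssh/sshd_config`, so the run dies at the first STIG ID that edits that file (RHEL-07-010300 here). The file name, inventory address and role name below are the ones from the thread; the pre-task and post-tasks are assumptions added to make the re-run fail early and verify the control rather than part of the `rhel7-stig` role.

```yaml
# centos7_stig.yml (added example; not the playbook posted in the issue)
# Assumes the rhel7-stig role is on the role path and the host is reached
# over SSH as an unprivileged user with sudo rights, as in the thread.
- name: Apply STIG to CentOS 7
  hosts: all
  # Escalation must be enabled here (or with -b / --become on the command
  # line); --become-user only chooses the target user once it is enabled.
  become: true
  become_user: root
  become_method: sudo

  pre_tasks:
    # Fail with a clear message if escalation is not in effect, instead of
    # a bare permission error at the first root-only file the role touches.
    - name: Confirm the play is running as root
      ansible.builtin.command: id -u
      register: effective_uid
      changed_when: false
      failed_when: effective_uid.stdout != "0"

  roles:
    - role: rhel7-stig
      when:
        - ansible_os_family == 'RedHat'
        - ansible_distribution_major_version is version('7', '=')

  post_tasks:
    # Re-run check for RHEL-07-010300. In check_mode lineinfile never
    # writes; it reports 'changed' only if the expected line is absent,
    # so a host that has drifted fails the assertion below.
    - name: Verify PermitEmptyPasswords is disabled (RHEL-07-010300)
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^\s*PermitEmptyPasswords\s'
        line: 'PermitEmptyPasswords no'
      check_mode: true
      register: empty_pw_check

    - name: Fail if sshd_config drifted after the role ran
      ansible.builtin.assert:
        that: not empty_pw_check.changed
        fail_msg: "PermitEmptyPasswords no is missing from /etc/ssh/sshd_config"
```

Run it as `ansible-playbook -u testuser -K -i 10.10.10.178, centos7_stig.yml`; `-K` still prompts for the sudo password, and `--become-user root` is now redundant because the play sets it. To confirm escalation works before running the whole role, an ad-hoc `ansible all -i 10.10.10.178, -u testuser -b -K -m command -a 'id -u'` should print `0`.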
Argh. I completely spaced on that. You're absolutely right.