
Additional Ansible Scripts #2134

Merged
merged 51 commits into from Jul 24, 2017

Conversation

shawndwells
Member

@shawndwells shawndwells commented Jul 6, 2017

Beginning:
*** rules of 'ospp-rhel7' profile missing a ansible fix script: 193 of 357 [45% complete]

After:
*** rules of 'ospp-rhel7' profile missing a ansible fix script: 171 of 357 [52% complete]

@mpreisler
Member

@shawndwells I am 99% sure it's because that fix is getting pulled into RHEL5 and RHEL5 doesn't have the Value that that script is using.

dest: /etc/audit/auditd.conf
regexp: '.*flush.*'
line: flush = data
notify: reload auditd
Member

will this work as is or do we need ansible handlers defined for this?

Member Author

@mpreisler: shoot, you're right. I can take the notify out for now... how would we create handlers?

Member

let's comment it or something so that we can grep for it when we implement handlers

@shawndwells
Member Author

@mpreisler - Done! Thanks.
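A minimal play wiring a `notify` like the one above to the handler it names, as an added example that is not code from this PR or from scap-security-guide. Ansible aborts the play when a notified handler name is not defined anywhere, which is why the unresolved `notify` had to be commented out until handlers exist. The handler name, the `pkill -HUP` reload and the `hosts: all` target are assumptions; auditd(8) documents that SIGHUP makes auditd re-read auditd.conf, and on RHEL 7 the auditd unit refuses `systemctl restart auditd`, so the handler does not use the `service` module.

```yaml
# Added example, not code from this PR or from scap-security-guide: a task
# that notifies a handler and the handler it names. Ansible aborts the play
# when a notified handler does not exist, so the two names must match exactly.
- hosts: all
  become: yes
  tasks:
    - name: Configure auditd to flush audit records to disk on every write
      lineinfile:
        dest: /etc/audit/auditd.conf
        regexp: '^\s*flush\s*='
        line: flush = data
      # notify is a task keyword, so it sits beside `lineinfile:`, not among
      # the module's arguments.
      notify: reload auditd

  handlers:
    # Runs once, at the end of the play, and only if a task that notified it
    # reported "changed". In a role this list lives in handlers/main.yml.
    - name: reload auditd
      # Assumption: SIGHUP makes auditd re-read auditd.conf (auditd(8)). The
      # RHEL 7 unit refuses `systemctl restart auditd`, which is why the
      # `service` module is deliberately not used here.
      command: pkill -HUP -x auditd
```

Once a handler with exactly this name exists, the `#notify:` markers left in the generated role can be uncommented again; a `notify` whose target is missing fails the whole play rather than just that task.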

@mpreisler
Member

mpreisler commented Jul 13, 2017

@shawndwells

$ sudo ansible-playbook --check ./ssg-rhel7-role-ospp-rhel7.yml 
 [WARNING]: provided hosts list is empty, only localhost is available

ERROR! Syntax Error while loading YAML.


The error appears to have been in '/home/mpreisle/d/scap-security-guide/build/roles/ssg-rhel7-role-ospp-rhel7.yml': line 2801, column 9, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

      #notify:
        - reload ssh
        ^ here
    - name: "Allow Only SSH Protocol 2"
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^Protocol [0-9]"
        line: "Protocol 2"
        validate: sshd -t -f %s
2801->      #notify:
        - reload ssh

@@ -9,7 +9,8 @@
dest: /etc/ssh/sshd_config
regexp: "^Protocol [0-9]"
line: "Protocol 2"
notify:
validate: sshd -t -f %s
#notify:
- reload ssh
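Review bot: the `- reload ssh` list item at the end of this hunk is still live YAML even though the `#notify:` key above it is commented out, so it becomes a stray sequence item under the `lineinfile` mapping and ansible-playbook rejects the file with the YAML syntax error quoted above; comment it out too (`#  - reload ssh`) so it stays greppable for when handlers are implemented. The bare `notify:` line that appears above `validate:` has no value and should be dropped as well.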
Member

needs to be commented as well

@shawndwells
Member Author

shawndwells commented Jul 14, 2017 via email

@mpreisler
Member

Thx, the conflict is very minor, I will merge this manually.

@mpreisler
Member

Can't merge this, still get issues:

ERROR! Syntax Error while loading YAML.


The error appears to have been in '/home/mpreisle/d/scap-security-guide/build/roles/ssg-rhel7-role-ospp-rhel7.yml': line 3118, column 17, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

        line="ClientAliveInterval 600"
        validate: sshd -t -f %s
                ^ here

There are a bunch of syntax errors. Is key=value allowed in your version of ansible, @shawndwells? It isn't on the ansible shipping on Fedora. Probably also disallowed on RHEL.

@mpreisler
Member

@shawndwells very briefly looked into this and the issue is that you are mixing 2 syntaxes together. They are both allowed but you can't mix them in one item.
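The two module-argument styles side by side, as an added example that is not code from this PR or from scap-security-guide. Ansible accepts either a free-form `key=value` string or a YAML mapping for a module's arguments, but one task must use a single style throughout: the mixed form from the `ClientAliveInterval` error above starts the arguments as a multi-line plain scalar and then hits the `validate:` colon, which YAML reports as a syntax error. The same block shows the fix for the earlier `#notify:` error: a commented-out key has to take its list items with it. The task names and the `^ClientAliveInterval` regexp are assumptions; the invalid forms are kept inside comments so the file as a whole is still valid YAML.

```yaml
# Added example, not code from this PR or from scap-security-guide.
# Invalid forms are kept inside comments so that this file still parses.
- hosts: all
  become: yes
  tasks:
    # Mixed form (rejected). The arguments begin as a free-form string
    # (`dest=... line="..."`) and then a `validate:` mapping key follows;
    # YAML fails at that colon with "mapping values are not allowed here":
    #
    #   - name: Set SSH Client Alive Interval
    #     lineinfile:
    #       dest=/etc/ssh/sshd_config
    #       line="ClientAliveInterval 600"
    #       validate: sshd -t -f %s

    # Valid form 1: every argument in one free-form string. Works, but the
    # line grows long and quoting becomes error-prone.
    - name: Set SSH Client Alive Interval (free-form args)
      lineinfile: dest=/etc/ssh/sshd_config regexp='^ClientAliveInterval' line='ClientAliveInterval 600' validate='sshd -t -f %s'

    # Valid form 2 (preferred): a YAML mapping, one argument per line.
    - name: Set SSH Client Alive Interval (mapping args)
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^ClientAliveInterval'
        line: 'ClientAliveInterval 600'
        validate: sshd -t -f %s
      # `notify` is a task keyword and sits beside `lineinfile:`, not among
      # its arguments. Until a "reload ssh" handler exists, both the key and
      # its list item are commented out; a lone `- reload ssh` left live
      # would be a stray sequence item under the mapping above and break
      # the file.
      #notify:
      #  - reload ssh
```

`ansible-playbook --syntax-check` on the generated role catches both mistakes without touching any host, and is cheaper than a full `--check` run for this kind of regression.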

@shawndwells
Member Author

I'm getting an error on the playbooks:

 [WARNING]: provided hosts list is empty, only localhost is available

ERROR! 'stat' is not a valid attribute for a Play

The error appears to have been in '/tmp/playbook.yml': line 1, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:


- name: Read permission of GPG key directory
  ^ here

Which is from ensure_redhat_gpgkey_installed.yml:6:

# platform=multi_platform_rhel
# reboot = false
# strategy = restrict
# complexity = medium
# disruption = medium
- name: Read permission of GPG key directory
  stat:
    path: /etc/pki/rpm-gpg/
  register: gpg_key_directory_permission
  check_mode: no
  tags:
    @ANSIBLE_TAGS@

However there is another use of stat that follows the same format and appears fine in require_smb_client_signing.yml:7:

- name: Check if /etc/samba/smb.conf exists
  stat:
    path: /etc/samba/smb.conf
  register: st_smb
  tags:
    @ANSIBLE_TAGS@

I'm staring at these. Attempted to remove check_mode: no, and still get errors. Anyone have an idea on what I'm missing?

@mpreisler
Member

@shawndwells did you uncomment the "hosts" line in the .yml? That really isn't intuitive but is required to make the playbook valid.
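The two file shapes behind the `'stat' is not a valid attribute for a Play` error, as an added example that is not code from this PR or from scap-security-guide. A task list (the shape of a role's tasks/main.yml) has tasks at the top level; a playbook has plays at the top level and tasks only under `tasks:`. Feeding a task list straight to ansible-playbook makes it read the first task as a play, so `stat` is rejected as a play keyword, which is why the `hosts` line must be uncommented. The `localhost` target and the `debug` task are assumptions added for a runnable demonstration; `@ANSIBLE_TAGS@` is the project's build-time placeholder and is left out.

```yaml
# Added example, not code from this PR or from scap-security-guide: the same
# stat task in its two possible homes.
#
# Shape 1: a task list (role tasks/main.yml style). Valid when included by a
# play, but run directly with ansible-playbook its first item is parsed as a
# play and `stat` is reported as not being a valid Play attribute:
#
#   - name: Read permission of GPG key directory
#     stat:
#       path: /etc/pki/rpm-gpg/
#     register: gpg_key_directory_permission
#
# Shape 2: a playbook. The top-level item is a play (`hosts:` is mandatory)
# and the tasks are nested under `tasks:`.
- hosts: localhost
  connection: local
  become: yes
  tasks:
    - name: Read permission of GPG key directory
      stat:
        path: /etc/pki/rpm-gpg/
      register: gpg_key_directory_permission
      # `check_mode: no` forces this read-only task to run even under --check,
      # so the registered result is populated for the tasks that depend on it.
      check_mode: no

    - name: Report the directory mode
      debug:
        msg: "/etc/pki/rpm-gpg/ is mode {{ gpg_key_directory_permission.stat.mode }}"
      when: gpg_key_directory_permission.stat.exists
```

Removing `check_mode: no` does not change how the file is parsed, which is why that experiment above had no effect: the error is structural and comes from the missing play header, not from the task's own keys.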

@mpreisler
Member

@shawndwells I don't get syntax errors here.

$ ansible-playbook --version
ansible-playbook 2.3.1.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides
  python version = 2.7.13 (default, Jun 26 2017, 10:20:05) [GCC 7.1.1 20170622 (Red Hat 7.1.1-3)]

I would merge this if you didn't mention you get the stat error :-)

@mpreisler mpreisler self-assigned this Jul 24, 2017
@mpreisler
Member

Merging this, we can improve it further with other PRs.


2 participants