Trying to run the os_hardening on Debian 11, but fails on privilege escalation #587

Closed
TooDissing opened this issue Oct 8, 2022 · 2 comments

@TooDissing

**Describe the bug**
Maybe this is more of a question than a bug, but here goes.
I have installed a headless Debian 11 on a VM, to test out this role. And when running the os_hardening role I get stuck pretty early.

**Expected behavior**
That it just executes the role without dramas.

**Actual behavior**

In `TASK [devsec.hardening.os_hardening : Install auditd package | package-08]` I get the following error:

```
fatal: [192.168.122.63]: FAILED! => {"cache_update_time": 1665071603, "cache_updated": false, "changed": false, "msg": "'/usr/bin/apt-get -y -o \"Dpkg::Options::=--force-confdef\" -o \"Dpkg::Options::=--force-confold\"       install 'auditd=1:3.0-2'' failed: E: Could not open lock file /var/lib/dpkg/lock-frontend - open (13: Permission denied)\nE: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?\n", "rc": 100, "stderr": "E: Could not open lock file /var/lib/dpkg/lock-frontend - open (13: Permission denied)\nE: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?\n", "stderr_lines": ["E: Could not open lock file /var/lib/dpkg/lock-frontend - open (13: Permission denied)", "E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?"], "stdout": "", "stdout_lines": []}
```

I assume this is caused by not being root (or with similar access).
In fact there's not even sudo installed by default. Is this expected by this role? Or how am I intended to handle parts of this, which require privilege escalation?

**OS / Environment**
Debian 11.

`Linux odoo 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64 GNU/Linux`

**Ansible Version**

```
ansible [core 2.13.4]
config file = /home/tue/.ansible.cfg
configured module search path = ['/home/tue/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/tue/.local/lib/python3.8/site-packages/ansible
ansible collection location = /home/tue/.ansible/collections:/usr/share/ansible/collections
executable location = /home/tue/.local/bin/ansible
python version = 3.8.10 (default, Jun 22 2022, 20:18:18) [GCC 9.4.0]
jinja version = 3.1.2
libyaml = True
```

**Role Version**

latest

@rndmh3ro
Member

Yes, you need to run the role with root (or sudo).

@RollinRolanding

For others, running the os_hardening role as root can be accomplished like this:

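```yaml
- hosts: localhost
  roles:
    # Roles from the devsec.hardening collection are referenced by their full name
    - name: devsec.hardening.ssh_hardening
    # ...
    - name: devsec.hardening.os_hardening
      become: yes  # run this role's tasks with privilege escalation
```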
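
A pre-flight check for the failure discussed in this thread, as an added example that is not part of the original comments or the project's own code: it confirms that tasks really run as root before the role starts installing packages. The inventory group `debian_hosts` and the choice of `su` as become method (for a Debian 11 host without sudo) are assumptions.

```yaml
# Added example, not from the thread or the devsec.hardening project.
- hosts: debian_hosts          # hypothetical inventory group
  become: true                 # escalate for every task in this play
  # Assumption: stock Debian 11 without sudo, so escalate with su and the
  # root password. Switch to "sudo" once sudo is installed and configured.
  become_method: su

  pre_tasks:
    # Inventory variables such as ansible_become can override the play
    # keyword, so verify the effective UID instead of trusting the playbook.
    - name: Check which UID tasks run as after escalation
      ansible.builtin.command: id -u
      register: effective_uid
      changed_when: false

    - name: Stop early if escalation did not yield root
      ansible.builtin.assert:
        that:
          - effective_uid.stdout == "0"
        fail_msg: >-
          Tasks run as UID {{ effective_uid.stdout }}, not root. Package
          installs such as auditd will fail on the dpkg lock. Check
          become_method and the become password.
        success_msg: Privilege escalation works, tasks run as root.

  roles:
    - role: devsec.hardening.os_hardening
```

Run it with `ansible-playbook --ask-become-pass` so Ansible prompts for the escalation password; with `su` that is root's password, with `sudo` it is the connecting user's.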
