Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ansible 2.0 | "remove suid/sgid" task fails #64

Closed
fitz123 opened this issue Jan 22, 2016 · 3 comments
Closed

ansible 2.0 | "remove suid/sgid" task fails #64

fitz123 opened this issue Jan 22, 2016 · 3 comments

Comments

@fitz123
Copy link
Contributor

fitz123 commented Jan 22, 2016

TASK [ansible-os-hardening : remove suid/sgid bit from all binaries except in system and user whitelist] ***
fatal: [testbuild]: FAILED! => {"failed": true, "msg": "ERROR! 'suid' is undefined"}

Ubuntu 14.04.3 LTS
@fitz123
Copy link
Contributor Author

fitz123 commented Jan 22, 2016

my 'ugly' workaround is:

suid_sgid.yml:

  • name: gather files from which to remove suids/sgids and remove system white-listed files
    set_fact:
    suid: '{{ (sbit_binaries.stdout_lines|default([])) | difference(os_security_suid_sgid_system_whitelist) }}'
    #when: os_security_suid_sgid_remove_from_unknown

at least it works

@rndmh3ro
Copy link
Member

Hi @fitz123, thanks for your suggestion on how to fix this.
There's already a PR pending to fix this, however with a slighty other way. In this other PR suid is ommited, if it is not set before.

@rndmh3ro rndmh3ro mentioned this issue Jan 24, 2016
Merged
@conorsch
Copy link
Contributor

The fix proposed in #63 works well. I'm using a fork for Ansible v2 support until that's merged.

iflowfor8hours pushed a commit to iflowfor8hours/sandcastle that referenced this issue Mar 2, 2016
Ansible 2.0.0.2 broke compatibility with os-hardening
b75b010 
On a fresh pull and dependencies fetch (including ansible itself)
the hardening role was causing ansible to fail to converge due to
a [resolved
issue](dev-sec/ansible-collection-hardening#64)
The requirements file format for ansible-galaxy has been changed to
yaml as well to remove a deprecation warning in ansible 2.
iflowfor8hours pushed a commit to iflowfor8hours/sandcastle that referenced this issue Mar 2, 2016
Ansible 2.0.0.2 broke compatibility with os-hardening
730532e 
On a fresh pull and dependencies fetch (including ansible itself)
the hardening role was causing ansible to fail to converge due to
a [resolved
issue](dev-sec/ansible-collection-hardening#64)
The requirements file format for ansible-galaxy has been changed to
yaml as well to remove a deprecation warning in ansible 2.
rndmh3ro pushed a commit that referenced this issue Jul 24, 2020
add always_run: true to task. fix #64
ba307d7
rndmh3ro pushed a commit that referenced this issue Jul 24, 2020
Merge pull request #69 from dev-sec/always_run_task
3ed179b 
add always_run: true to task. fix #64
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022
add always_run: true to task. fix dev-sec#64
6c42c7f
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022
Merge pull request dev-sec#69 from dev-sec/always_run_task
6b40cfe 
add always_run: true to task. fix dev-sec#64
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@conorsch @rndmh3ro @fitz123