
Error running devsec.hardening.os_hardening role #645

Closed
fernando-eickhoff opened this issue Mar 1, 2023 · 9 comments

@fernando-eickhoff

fernando-eickhoff commented Mar 1, 2023

Description

Recently I started getting an error when executing my playbook, which reuses these 2 roles:

- devsec.hardening.ssh_hardening
- devsec.hardening.os_hardening

I updated the collection to 8.6.0 but the error remains. I am not overriding any variable, only executing the roles with the default values.

Specifically, the error is with os_hardening. I am attaching the execution logs below.

Reproduction steps

  1. Create a playbook importing the role devsec.hardening.os_hardening
  2. Run it using AWX with custom execution environment

Here is the content of my custom execution-environment.yml

version: 1
dependencies:
  galaxy: requirements.yml
  python: requirements.txt
  system: bindep.txt
additional_build_steps:
  append:
    - RUN alternatives --set python /usr/bin/python3
    - RUN pip3 uninstall --yes ansible-runner && pip3 install ansible-runner
    - COPY --from=<my-internal-artifactory>/project-receptor/receptor:0.9.7 /usr/bin/receptor /usr/bin/receptor
    - RUN mkdir -p /var/run/receptor
    - ADD run.sh /run.sh
    - CMD /run.sh
    - USER 1000
    - RUN git lfs install

Here is the content of my requirements.yml

---
collections:
- awx.awx
- amazon.aws
- ansible.posix
- ansible.windows
- awx.awx
- community.aws
- community.general
- chocolatey.chocolatey
- devsec.hardening

Current Behavior

The playbook execution is abruptly canceled. This is the end part of the ansible-runner log:

skipping: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_home_dir_mode', 'value': '0755'})
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_home_group', 'value': 'root'})
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_home_owner', 'value': 'root'})
skipping: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_run_dir_mode', 'value': '0755'})
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_run_group', 'value': 'root'}) 
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_run_owner', 'value': 'root'})
skipping: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_tmp_dir_mode', 'value': '1777'})
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_tmp_group', 'value': 'root'})
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_tmp_owner', 'value': 'root'})
skipping: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_var_dir_mode', 'value': '0755'})
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_var_group', 'value': 'root'})
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_var_owner', 'value': 'root'})
skipping: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_var_log_dir_mode', 'value': '0755'})
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_var_log_group', 'value': 'root'})
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_var_log_owner', 'value': 'root'}) 
skipping: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_var_log_audit_dir_mode', 'value': '0700'})
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_var_log_audit_group', 'value': 'root'})
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_var_log_audit_owner', 'value': 'root'}) 
skipping: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_var_tmp_dir_mode', 'value': '1777'})
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_var_tmp_group', 'value': 'root'})
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'os_mnt_var_tmp_owner', 'value': 'root'})
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'os_useradd_mail_dir', 'value': '/var/spool/mail'})
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'os_useradd_create_home', 'value': True}) 
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'modprobe_package', 'value': 'module-init-tools'})
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'auditd_package', 'value': 'audit'}) 
skipping: [ansible-test-2_172.21.27.9] => (item={'key': 'os_always_ignore_users', 'value': ['root', 'sync', 'shutdo
ok: [ansible-test-2_172.21.27.9] => (item={'key': 'hidepid_option', 'value': '2'})
TASK [devsec.hardening.os_hardening : Install auditd package | package-08] *****", "start_line": 189, "end_line": 191, "run │
ok: [ansible-test-2_172.21.27.9] => {\"changed\": false, \"msg\": \"\", \"rc\": 0, \"results\": [\"audit-2.8.1-3.am │
TASK [devsec.hardening.os_hardening : Configure auditd | package-08] ***********", "start_line": 192, "end_line": 194, "run │ │
ok: [ansible-test-2_172.21.27.9] => {\"changed\": false, \"checksum\": \"f4956bf8f97a4d49b308512e58f9aceb6a6be579\" │
TASK [devsec.hardening.os_hardening : Find cron files and directories] *********", "start_line": 195, "end_line": 197, "run │
ok: [ansible-test-2_172.21.27.9] => {\"changed\": false, \"examined\": 190, \"files\": [{\"atime\": 1671141308.7053 │
TASK [devsec.hardening.os_hardening : Ensure permissions on cron files and directories are configured] ***", "start_line":  │
│ {"uuid": "1896bec7-de2d-4be3-8d51-1e6bd5e740d4", "counter": 210, "stdout": "", "start_line": 200, "end_line": 200, "runner_ident": "236", "event": "runner_on_start", "job_id": 236, "pid": 20, "created":  │
│ {"status": "canceled", "runner_ident": "236"}                                                                                                                                                               │
│ {"zipfile": 1390}                                                                                                                                                                                           │
│ UEsDBBQAAAAIAFuCYVYw0Oar5QMAADgLAAAHAAAAY29tbWFuZK1WbXOaShT+K4wf2i8X0WgM8VMR1kiDwMBq49y5s7PAJtLw4gVM43R6f3vP8mLEGpve1hlX2fOc55zz7Nllv3b8NI5pEnTGwt+dPF+L9IElRecvoZOv+Sj6                                            

Expected Behavior

The role finishes its execution with no errors.

OS / Environment

ansible-inventory [core 2.12.5.post0]
config file = None
configured module search path = ['/home/runner/.ansible/plugins/modules'
ansible python module location = /usr/local/lib/python3.8/site-packages/ansibl
ansible collection location = /home/runner/.ansible/collections:/usr/share/ans
executable location = /usr/local/bin/ansible-inventory
python version = 3.8.13 (default, Jun 24 2022, 15:27:57)
libyaml = True
No config file found; using default
redirecting (type: inventory)
Parsed /runner/inventory/aws_ec2.yml inventory source with auto plugin    

Collection Version

  - name: devsec.hardening
    version: 8.4.0 and 8.6.0

Additional information

...
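The runner output above ends with a raw ansible-runner event record followed by a `{"status": "canceled", ...}` record, with no Ansible error in between, so the first triage question is simply "which task was in flight when the job was canceled?". The following script is an added example, not code from the devsec.hardening project or from the issue author: it walks an ansible-runner JSON event stream, pulls the task name out of the `TASK [...]` header carried in each task-start event's `stdout`, and reports the last task seen before a terminal status record. The sample event lines are constructed to mirror the shapes visible in the log above (counters, `start_line`/`end_line`, `runner_ident`, and a truncated line like the one in the report); `playbook_on_task_start` is the ansible-runner event name for a task header.

```python
"""Triage an ansible-runner event stream: find the last task that started
before the run was reported as canceled (or failed / timed out).

Added example, not part of the devsec.hardening project. The sample events
below are constructed to resemble the records shown in the issue.
"""
import json
import re
from typing import Dict, Iterable, Optional, Tuple

# Matches the "TASK [role : name] ****" header that ansible-runner puts in the
# stdout field of a playbook_on_task_start event.
TASK_RE = re.compile(r"TASK \[(?P<task>.+?)\]\s*\*+")

# Constructed sample modelled on the issue's log: two task headers, one result,
# one truncated line (as seen in the report), then the cancel status record.
SAMPLE_EVENTS = [
    '{"counter": 205, "stdout": "TASK [devsec.hardening.os_hardening : Find cron files and directories] *********", '
    '"start_line": 195, "end_line": 197, "runner_ident": "236", "event": "playbook_on_task_start", "job_id": 236}',
    '{"counter": 206, "stdout": "ok: [host1] => {\\"changed\\": false, \\"examined\\": 190}", '
    '"start_line": 197, "end_line": 198, "runner_ident": "236", "event": "runner_on_ok", "job_id": 236}',
    '{"counter": 207, "stdout": "skipping: [host1] => (item={\'key\': \'os_always_ignore',  # truncated on purpose
    '{"counter": 209, "stdout": "TASK [devsec.hardening.os_hardening : Ensure permissions on cron files and directories are configured] ***", '
    '"start_line": 198, "end_line": 200, "runner_ident": "236", "event": "playbook_on_task_start", "job_id": 236}',
    '{"counter": 210, "stdout": "", "start_line": 200, "end_line": 200, "runner_ident": "236", '
    '"event": "runner_on_start", "job_id": 236, "pid": 20}',
    '{"status": "canceled", "runner_ident": "236"}',
    '{"zipfile": 1390}',  # artifact trailer that follows the status record; never reached
]

TERMINAL_STATUSES = ("canceled", "failed", "timeout", "error")


def last_task_before_status(lines: Iterable[str],
                            terminal_statuses: Tuple[str, ...] = TERMINAL_STATUSES) -> Dict[str, Optional[object]]:
    """Return the terminal status (if any) plus the last task header seen before it.

    Lines that are not valid JSON (truncated records, base64 artifact payloads)
    are skipped rather than aborting the triage.
    """
    last_task: Optional[str] = None
    last_counter: Optional[int] = None
    status: Optional[str] = None
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partial line or non-event payload; keep going
        # The final status record has no "event" key, only "status".
        if "status" in ev and "event" not in ev:
            status = ev["status"]
            if status in terminal_statuses:
                break
            continue
        m = TASK_RE.search(ev.get("stdout", ""))
        if m:
            last_task = m.group("task")
            last_counter = ev.get("counter")
        elif ev.get("event") == "playbook_on_task_start":
            # Fallback when stdout is empty but event_data carries the task name.
            last_task = ev.get("event_data", {}).get("task", last_task)
            last_counter = ev.get("counter")
    return {"status": status, "last_task": last_task, "counter": last_counter}


if __name__ == "__main__":
    print(last_task_before_status(SAMPLE_EVENTS))
```

Point this at a saved `job_events` stream (one JSON record per line) to confirm where a canceled job stopped; it tells you where, not why. In this issue the "why" only appeared in the receptor logs, which are a separate stream from the runner events.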

@rndmh3ro
Member

rndmh3ro commented Mar 1, 2023

I cannot see any error in your logs, except that it seems to happen in the task devsec.hardening.os_hardening : Ensure permissions on cron files and directories are configured

Do you have any more information? Can you maybe run the playbook without awx to get more info?

@fernando-eickhoff
Author

fernando-eickhoff commented Mar 1, 2023

I updated the description with more information and improved the log output with more complete information and cleaned it up.
What is weird is that the execution is always abruptly interrupted at the same point:
devsec.hardening.os_hardening : Ensure permissions on cron files and directories are configured

@fernando-eickhoff
Author

fernando-eickhoff commented Mar 1, 2023

Running in debug mode, this is the output. No errors, just abruptly cancelled.

[screenshot: debug-mode output of the run]

@rndmh3ro
Member

rndmh3ro commented Mar 1, 2023

I still don't have a clue what the problem is.

Can you maybe run the playbook without awx to get more info?

This would definitely help

@fernando-eickhoff
Author

I solved the previous issue with the following variable value override:

sysctl_overwrite:
  hidepid_option: 0

Now the role execution progressed and failed at another point with the following message:

  "path": "/usr/lib/mc/cons.saver",
  "state": "absent",
  "msg": "file (/usr/lib/mc/cons.saver) is absent, cannot continue"

I am pasting a bigger log portion below:

TASK [devsec.hardening.os_hardening : Create securetty] ************************
ok: [ansible-test-2_172.21.27.9] => {"changed": false, "checksum": "c961f8fdeac1dd81b2041198808c8b85caed7816", "dest": "/etc/securetty", "gid": 0, "group": "root", "mode": "0400", "owner": "root", "path": "/etc/securetty", "size": 200, "state": "file", "uid": 0}

TASK [devsec.hardening.os_hardening : Remove suid/sgid bit from binaries in blacklist | os-06] ***
ok: [ansible-test-2_172.21.27.9] => (item=/usr/bin/rcp) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "item": "/usr/bin/rcp", "msg": "file (/usr/bin/rcp) is absent, cannot continue", "path": "/usr/bin/rcp", "state": "absent"}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/bin/rlogin) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "item": "/usr/bin/rlogin", "msg": "file (/usr/bin/rlogin) is absent, cannot continue", "path": "/usr/bin/rlogin", "state": "absent"}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/bin/rsh) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "item": "/usr/bin/rsh", "msg": "file (/usr/bin/rsh) is absent, cannot continue", "path": "/usr/bin/rsh", "state": "absent"}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/libexec/openssh/ssh-keysign) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "gid": 998, "group": "ssh_keys", "item": "/usr/libexec/openssh/ssh-keysign", "mode": "0111", "owner": "root", "path": "/usr/libexec/openssh/ssh-keysign", "size": 453392, "state": "file", "uid": 0}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/lib/openssh/ssh-keysign) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "item": "/usr/lib/openssh/ssh-keysign", "msg": "file (/usr/lib/openssh/ssh-keysign) is absent, cannot continue", "path": "/usr/lib/openssh/ssh-keysign", "state": "absent"}
ok: [ansible-test-2_172.21.27.9] => (item=/sbin/netreport) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "gid": 0, "group": "root", "item": "/sbin/netreport", "mode": "0755", "owner": "root", "path": "/sbin/netreport", "size": 7040, "state": "file", "uid": 0}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/sbin/usernetctl) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "gid": 0, "group": "root", "item": "/usr/sbin/usernetctl", "mode": "0755", "owner": "root", "path": "/usr/sbin/usernetctl", "size": 11200, "state": "file", "uid": 0}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/sbin/userisdnctl) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "item": "/usr/sbin/userisdnctl", "msg": "file (/usr/sbin/userisdnctl) is absent, cannot continue", "path": "/usr/sbin/userisdnctl", "state": "absent"}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/sbin/pppd) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "item": "/usr/sbin/pppd", "msg": "file (/usr/sbin/pppd) is absent, cannot continue", "path": "/usr/sbin/pppd", "state": "absent"}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/bin/lockfile) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "item": "/usr/bin/lockfile", "msg": "file (/usr/bin/lockfile) is absent, cannot continue", "path": "/usr/bin/lockfile", "state": "absent"}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/bin/mail-lock) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "item": "/usr/bin/mail-lock", "msg": "file (/usr/bin/mail-lock) is absent, cannot continue", "path": "/usr/bin/mail-lock", "state": "absent"}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/bin/mail-unlock) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "item": "/usr/bin/mail-unlock", "msg": "file (/usr/bin/mail-unlock) is absent, cannot continue", "path": "/usr/bin/mail-unlock", "state": "absent"}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/bin/mail-touchlock) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "item": "/usr/bin/mail-touchlock", "msg": "file (/usr/bin/mail-touchlock) is absent, cannot continue", "path": "/usr/bin/mail-touchlock", "state": "absent"}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/bin/dotlockfile) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "item": "/usr/bin/dotlockfile", "msg": "file (/usr/bin/dotlockfile) is absent, cannot continue", "path": "/usr/bin/dotlockfile", "state": "absent"}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/bin/arping) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "item": "/usr/bin/arping", "msg": "file (/usr/bin/arping) is absent, cannot continue", "path": "/usr/bin/arping", "state": "absent"}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/sbin/uuidd) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "item": "/usr/sbin/uuidd", "msg": "file (/usr/sbin/uuidd) is absent, cannot continue", "path": "/usr/sbin/uuidd", "state": "absent"}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/bin/mtr) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "item": "/usr/bin/mtr", "msg": "file (/usr/bin/mtr) is absent, cannot continue", "path": "/usr/bin/mtr", "state": "absent"}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/lib/evolution/camel-lock-helper-1.2) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "item": "/usr/lib/evolution/camel-lock-helper-1.2", "msg": "file (/usr/lib/evolution/camel-lock-helper-1.2) is absent, cannot continue", "path": "/usr/lib/evolution/camel-lock-helper-1.2", "state": "absent"}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/lib/pt_chown) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "item": "/usr/lib/pt_chown", "msg": "file (/usr/lib/pt_chown) is absent, cannot continue", "path": "/usr/lib/pt_chown", "state": "absent"}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/lib/eject/dmcrypt-get-device) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "item": "/usr/lib/eject/dmcrypt-get-device", "msg": "file (/usr/lib/eject/dmcrypt-get-device) is absent, cannot continue", "path": "/usr/lib/eject/dmcrypt-get-device", "state": "absent"}
ok: [ansible-test-2_172.21.27.9] => (item=/usr/lib/mc/cons.saver) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": false, "item": "/usr/lib/mc/cons.saver", "msg": "file (/usr/lib/mc/cons.saver) is absent, cannot continue", "path": "/usr/lib/mc/cons.saver", "state": "absent"}
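Every line of the os-06 task above reports `"changed": false` with `"failed_when_result": false`, including the items whose message says "is absent, cannot continue": the role treats a blacklisted binary that does not exist on the host as nothing to do, and only the binaries that are present (`ssh-keysign`, `netreport`, `usernetctl`) were actually inspected. The script below is an added example, not code from the devsec.hardening project, that performs the same check from the verification side: it audits a list of paths for the setuid/setgid bits, reports absent paths as a distinct state instead of an error, and builds a throwaway directory of constructed files to demonstrate each outcome. The blacklist paths are those shown in the log; the file names in the demo directory are made up.

```python
"""Audit setuid/setgid bits on a blacklist of binaries, treating absent paths
as a non-failure (the behaviour the os-06 task log shows).

Added example, not part of the devsec.hardening project. BLACKLIST entries are
taken from the log above; the demo files are constructed in a temp directory.
"""
import os
import stat
import tempfile
from typing import Dict, Iterable

# Paths from the "Remove suid/sgid bit from binaries in blacklist | os-06" loop.
BLACKLIST = [
    "/usr/bin/rcp",
    "/usr/bin/rlogin",
    "/usr/bin/rsh",
    "/usr/libexec/openssh/ssh-keysign",
    "/usr/lib/openssh/ssh-keysign",
    "/sbin/netreport",
    "/usr/sbin/usernetctl",
    "/usr/sbin/userisdnctl",
    "/usr/lib/mc/cons.saver",
]


def audit_setid_bits(paths: Iterable[str]) -> Dict[str, str]:
    """Return one of 'absent', 'clean', 'suid', 'sgid' or 'suid+sgid' per path.

    Absent paths are reported, not raised, mirroring the role's loop which
    continues past "file (...) is absent" items.
    """
    report: Dict[str, str] = {}
    for path in paths:
        try:
            st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
        except FileNotFoundError:
            report[path] = "absent"
            continue
        flags = []
        if st.st_mode & stat.S_ISUID:
            flags.append("suid")
        if st.st_mode & stat.S_ISGID:
            flags.append("sgid")
        report[path] = "+".join(flags) if flags else "clean"
    return report


def demo() -> Dict[str, str]:
    """Create one setuid, one setgid and one plain file plus an absent path in a
    temporary directory, audit them, and return the result keyed by basename."""
    layout = {"suidbin": 0o4755, "sgidbin": 0o2755, "plain": 0o755}  # constructed
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, mode in layout.items():
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")
            os.chmod(p, mode)
            paths.append(p)
        paths.append(os.path.join(d, "missing"))  # deliberately never created
        result = audit_setid_bits(paths)
    return {os.path.basename(k): v for k, v in result.items()}


if __name__ == "__main__":
    print("demo:", demo())
    for path, state in audit_setid_bits(BLACKLIST).items():
        print(f"{state:10} {path}")
```

Run it on a hardened host after the role to confirm that every present blacklist entry reads `clean`; a `suid` or `sgid` result on one of these paths means the role's change did not stick or was reverted by a package update.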

@rndmh3ro
Member

rndmh3ro commented Mar 2, 2023

What kind of server are you running the role against? What distribution and version?

@fernando-eickhoff
Author

Amazon Linux 2
Kernel 5.4.226-129.415.amzn2.x86_64 on an x86_64

ip-172-21-27-9 login: 2023/03/01 13:15:30Z: Amazon SSM Agent v3.1.1732.0 is running
2023/03/01 13:15:30Z: OsProductName: Amazon Linux
2023/03/01 13:15:30Z: OsVersion: 2

@fernando-eickhoff
Author

I figured out the issue. The issue was not with your role, sorry about that. My job was always being abruptly interrupted at exactly the same point when processing the os_hardening role, but actually I noticed the following exception in the ansible runner when I dug deeper into the issue:

DEBUG 2023/03/02 18:20:25 Client disconnected from control service @
DEBUG 2023/03/02 18:20:25 Stdout complete - closing channel for: q8TEoNEh 
WARNING 2023/03/02 18:20:25 Could not read in control service: read unix /var/run/receptor/receptor.sock->@: use of closed network connection
DEBUG 2023/03/02 18:20:25 Client disconnected from control service @
WARNING 2023/03/02 18:20:25 Could not close connection: close unix /var/run/receptor/receptor.sock->@: use of closed network connection
DEBUG 2023/03/02 18:20:29 Client connected to control service @
DEBUG 2023/03/02 18:20:29 Control service closed
DEBUG 2023/03/02 18:20:29 Client disconnected from control service @
DEBUG 2023/03/02 18:20:29 Client connected to control service @
DEBUG 2023/03/02 18:20:29 Control service closed 

The solution was to set the following configuration in my cluster provisioning as described here:

  ee_extra_env: |
    - name: RECEPTOR_KUBE_SUPPORT_RECONNECT
      value: disabled

Thanks for the support.

@rndmh3ro
Member

rndmh3ro commented Mar 3, 2023

Glad you could solve it!
