jmespath package install required on target to run CIS section 6 controls
tburow opened this issue · 1 comments
Describe the Issue
Expected Behavior
Normal execution of section 6 controls. Reviewing the AL2 code, there is a significant difference in execution here.
Per normal Ansible expectations, there should be no need to install additional software to execute.
Actual Behavior
amazon-ebs.instance: TASK [ansible-security/roles/AMAZON2023-CIS : 6.1.12 | AUDIT | Ensure SUID and SGID files are reviewed | Alert SUID exist] ***
amazon-ebs.instance: fatal: [default]: FAILED! => {"msg": "You need to install \"jmespath\" prior to running json_query filter"}
Control(s) Affected
CIS 6.1.12
Environment (please complete the following information):
ansible --version
ansible [core 2.15.4]
  config file = None
  configured module search path = ['/home/ec2-user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ec2-user/workspace/AMI-Builder/ami-al2023-commercial/ansible-venv/lib/python3.9/site-packages/ansible
  ansible collection location = /home/ec2-user/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ec2-user/workspace/AMI-Builder/ami-al2023-commercial/ansible-venv/bin/ansible
  python version = 3.9.16 (main, Sep 29 2023, 03:37:09) [GCC 10.5.0 20230707 (Red Hat 10.5.0-1)] (/home/ec2-user/workspace/AMI-Builder/ami-al2023-commercial/ansible-venv/bin/python3.9)
  jinja version = 3.1.2
  libyaml = True
Branch
Additional Notes
I'm running this via Packer against an AL2023 AMI.
Here is the Ansible setup I'm using:
stage('Setup Python venv') {
    steps {
        echo "Setup venv and install ansible"
        sh '''
            rm -rf /tmp/pip-install-*
            python3.9 -m venv ansible-venv
            source ansible-venv/bin/activate
            pip3.9 install ansible selinux
            ansible --version
        '''
    }
}
Here is the Packer resource:
provisioner "ansible" {
  playbook_file   = "./ami-al2023-play.yml"
  use_proxy       = false
  extra_arguments = [
    "--extra-vars",
    "ansible_python_interpreter=/usr/bin/python3 amzn2023cis_selinux_enforce=${var.amzn2023cis_selinux_enforce}"
  ]
}
Code Snippet in Question
Line 316
- name: "6.1.12 | AUDIT | Ensure SUID and SGID files are reviewed | Alert SGID exist"
  ansible.builtin.debug:
    msg: "Warning!! SGID set on items in {{ amzn2023cis_6_1_12_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid]
  when: amzn2023cis_6_1_12_sgid_found
This method of JSON parsing, used throughout 6.1.x for debug messages, will fail any time it is invoked without the additional package install:
    msg: "Warning!! SGID set on items in {{ amzn2023cis_6_1_12_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid]
Possible Solution
https://opensource.com/article/21/4/process-json-data-ansible
Section 3
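As an added example (not code from the AMAZON2023-CIS role or from the reporter), the same SGID warning built with Jinja's core map and flatten filters, which need no jmespath package on the target; the registered variable is a constructed stand-in for what a looped shell task registers, and the `default=[]` guard covers a skipped loop item that has no stdout_lines key.

```yaml
# Added example: reproduce the 6.1.12 warning without json_query.
# Runs against localhost with no extra Python packages installed.
- name: Demonstrate the 6.1.12 SGID alert without jmespath
  hosts: localhost
  gather_facts: false
  vars:
    # Constructed stand-in for the variable a looped ansible.builtin.shell
    # task registers: one entry per loop item, each with stdout_lines.
    # The third item mimics a skipped iteration, which has no stdout_lines.
    amzn2023cis_6_1_12_sgid_perms:
      results:
        - stdout_lines: ["/usr/bin/wall", "/usr/bin/write"]
        - stdout_lines: []
        - skipped: true
  tasks:
    - name: Collect SGID hits with core Jinja filters only
      ansible.builtin.set_fact:
        # map(attribute=...) replaces json_query('results[*].stdout_lines[*]');
        # default=[] keeps a skipped item from producing an undefined value.
        sgid_items: >-
          {{ amzn2023cis_6_1_12_sgid_perms.results
             | map(attribute='stdout_lines', default=[])
             | flatten }}

    - name: "6.1.12 | AUDIT | Ensure SUID and SGID files are reviewed | Alert SGID exist"
      ansible.builtin.debug:
        msg: "Warning!! SGID set on items in {{ sgid_items }}"
      when: sgid_items | length > 0
```

With the constructed data the debug task prints the two paths from the first item; an empty result list makes the `when` condition false and the warning is skipped.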