ansible-lockdown/RHEL6-STIG

V-38574 | AUDIT task needs to have check_mode: no set to work with --check

MasterChiefJon opened this issue · 12 comments

I downloaded v0.9.4 of this STIG role, and when I run it in --check mode on ansible v2.3.1.0, I get one fatal error. That error is on V-38574 | PATCH. Here is the error:
    fatal: [jon-rhel6]: FAILED! => {"failed": true, "msg": "'dict object' has no attribute 'stdout_lines'"}
I'm guessing that the regexp is the root of the problem, but editing the regexp line in the cat2.yml file isn't getting me any different results. Can you give me any ideas on how to troubleshoot this? Note that we are using sha512 for our password hashes, so this check should result in an ok status.
I am running ansible on a fully-patched RedHat 7.4 server.

Any reason for running the RHEL 6 role on a RHEL 7 box?

The Ansible server is RHEL7. It is checking many servers, including RHEL6 boxes.

Doing a little more digging, the prior task "V-38574 | AUDIT" is showing as "skipping". So I think the line in that task that creates a list of pamd_files is not populated. So in "V-38574 | PATCH" "pamd_files" is not available to use. So why is it skipping?

Are the tags telling it to skip that somewhere? I was just looking at that and saw that the pamd_files list was populated by the find, which worked on my machine. So the fail is explained but not the skip.

I just re-ran it (again in --check mode) and added -v (verbose). This time, I got more detail on why the "V-38574 | AUDIT" task skipped. It says:
    skipping: [jon-rhel6] => {"changed": false, "msg": "remote module (command) does not support check mode", "skipped": true}
So something in the AUDIT task doesn't support --check mode?

OK, I added
check_mode: no
to the AUDIT task in cat2.yml. Now that AUDIT task populates the value pamd_files even in --check mode. So the following (PATCH) task works.
Is there a better way to do this?

@MasterChiefJon The ansible command module, as well as several other modules like shell, etc do not have a mechanism to properly support check mode since they are simply running a potentially non-idempotent raw command on the remote host. So when ansible is run with --check it simply skips those steps.

The solution is to add check_mode: no to any command tasks that need to run even with --check. Is this the task where you had the issue in the cat2.yml file?

    - name: "MEDIUM | V-38574 | AUDIT | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth)."
      shell: find /etc/pam.d/ -type f -not -name '*.*'
      changed_when: no
      failed_when: no
      register: pamd_files

Yes, I added a line
check_mode: no
just before the line with the shell: command. That allowed the next task (V-38574 | PATCH) to work properly.
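The fix described in this thread, written out as a complete AUDIT/PATCH pair (an added example, not the role's own cat2.yml): the AUDIT task is the one quoted above with check_mode: no added, so the find runs even under --check / -C and pamd_files gets its stdout_lines. The PATCH task's regexp, line and lineinfile arguments are assumptions for illustration only; the issue does not show the role's real PATCH task. with_items and dest are used because the reporter was on Ansible 2.3.1.0, which predates loop and the path alias.

```yaml
# Added example (not from the RHEL6-STIG role): V-38574 AUDIT/PATCH pair
# that survives an ansible-playbook --check (-C) run.

- name: "MEDIUM | V-38574 | AUDIT | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth)."
  shell: find /etc/pam.d/ -type f -not -name '*.*'
  # 'find' only reads the filesystem, so it is safe to execute for real in
  # check mode. Without this line the command/shell module is skipped under
  # --check, the registered variable has no 'stdout_lines', and the PATCH task
  # fails with "'dict object' has no attribute 'stdout_lines'".
  check_mode: no
  changed_when: no
  failed_when: no
  register: pamd_files

- name: "MEDIUM | V-38574 | PATCH | Ensure pam_unix.so hashes passwords with sha512 in every PAM file found above."
  lineinfile:
    dest: "{{ item }}"
    # Assumed pattern (not from the role): match a 'password sufficient pam_unix.so'
    # line that does not already carry the sha512 option.
    regexp: '^(password\s+sufficient\s+pam_unix\.so)(?!.*\bsha512\b)(.*)$'
    line: '\1\2 sha512'
    backrefs: yes
  # default([]) keeps this task from blowing up if the AUDIT task was skipped
  # or registered nothing: it then iterates over an empty list instead of
  # raising an attribute error.
  with_items: "{{ pamd_files.stdout_lines | default([]) }}"
```

Run with ansible-playbook -C and the AUDIT task now reports ok (not skipping), and the PATCH task shows the files it would change without editing them, which is the behaviour the reporter confirmed after adding check_mode: no.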

@MasterChiefJon Thanks for reporting the issue! We will get a fix in asap.

Hi @shepdelacreme,

I also had the same problem.
I am a junior in "Ansible" trying for the certification, so I just copied the contents of the training manual, which is always right. (Note: in the manual it was written "shell".)
In my case it did not make sense to use "check_mode: no"
But, I was also emulating the playbook with the "-C" option, like @MasterChiefJon.
When I ran the playbook without the "-C" option, it worked. :)
Probably, there are limitations on "shell" and "command" modules against emulations with option "-C".
Does it make sense, what I'm saying? Am I right?
Thanks,

fixed by #129