ansible 2.0 | "remove suid/sgid" task fails #64

Closed
fitz123 opened this issue Jan 22, 2016 · 3 comments

fitz123 commented Jan 22, 2016

TASK [ansible-os-hardening : remove suid/sgid bit from all binaries except in system and user whitelist] ***
fatal: [testbuild]: FAILED! => {"failed": true, "msg": "ERROR! 'suid' is undefined"}

Ubuntu 14.04.3 LTS


fitz123 commented Jan 22, 2016

my 'ugly' workaround is:

suid_sgid.yml:

```yaml
- name: gather files from which to remove suids/sgids and remove system white-listed files
  set_fact:
    # default([]) keeps the expression defined when sbit_binaries has no stdout_lines
    suid: '{{ (sbit_binaries.stdout_lines|default([])) | difference(os_security_suid_sgid_system_whitelist) }}'
  #when: os_security_suid_sgid_remove_from_unknown
```

at least it works

@rndmh3ro
Member

Hi @fitz123, thanks for your suggestion on how to fix this.
There's already a PR pending to fix this, however in a slightly different way. In this other PR suid is omitted if it is not set before.

@conorsch
Contributor

The fix proposed in #63 works well. I'm using a fork for Ansible v2 support until that's merged.
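
The failure mode discussed in this thread, as an added example that is not the role's own code or the code from #63: a conditional `set_fact` that is skipped leaves `suid` undefined, and a later loop over it fails before its own `when` is checked. The variable names `remove_from_unknown` and `system_whitelist`, the scan path and the `debug` reporting task are assumptions made for this sketch.

```yaml
# Constructed playbook; read-only (it reports files, it does not change modes).
- hosts: localhost
  connection: local
  gather_facts: false
  vars:
    remove_from_unknown: false        # hypothetical toggle; false reproduces the skipped path
    system_whitelist:                 # constructed sample whitelist
      - /usr/bin/sudo
      - /usr/bin/passwd
  tasks:
    - name: find binaries with suid/sgid set
      command:
        argv: [find, /usr/bin, -xdev, -type, f, "(", -perm, "-4000", -o, -perm, "-2000", ")"]
      register: sbit_binaries
      changed_when: false
      when: remove_from_unknown

    # A skipped task still registers sbit_binaries, but without stdout_lines,
    # so the inner default([]) is what keeps this expression defined.
    - name: gather candidates minus the system whitelist
      set_fact:
        suid: "{{ (sbit_binaries.stdout_lines | default([])) | difference(system_whitelist) }}"
      when: remove_from_unknown

    # The loop expression is templated before `when` is evaluated per item.
    # With a bare "{{ suid }}" and remove_from_unknown=false this task fails
    # with an undefined-variable error; default([]) turns it into an empty loop.
    - name: report files that would lose suid/sgid
      debug:
        msg: "would clear suid/sgid on {{ item }}"
      loop: "{{ suid | default([]) }}"
      when: remove_from_unknown
```

Running it with `-e remove_from_unknown=true` lists the non-whitelisted suid/sgid files under `/usr/bin`; with the default `false` every task is skipped cleanly.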

iflowfor8hours pushed a commit to iflowfor8hours/sandcastle that referenced this issue Mar 2, 2016
On a fresh pull and dependencies fetch (including ansible itself)
the hardening role was causing ansible to fail to converge due to
a [resolved
issue](dev-sec/ansible-collection-hardening#64)
The requirements file format for ansible-galaxy has been changed to
yaml as well to remove a deprecation warning in ansible 2.
rndmh3ro pushed a commit that referenced this issue Jul 24, 2020
add always_run: true to task. fix #64
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022