selectattr for files' permission


Thuan

Jun 3, 2022, 8:34:23 AM
to Ansible Project
Hello,

My current playbook worked and I just want to know if there is room for improvement.


---

- name: verify that the logs' ownership/perms belong to system administrators and service accounts
  hosts: localhost
  vars:
    stig_id: Test-12345
    stig_text: 'FAILED. The Apache web server log files must only be accessible by privileged users.'
    target_file: /tmp/
    output_path: "/tmp/stig-{{ ansible_hostname }}.txt"

  pre_tasks:
    # remove the result line of the previous run so a rerun does not leave a stale entry
    - local_action: lineinfile regexp='^Test-12345' path="{{ output_path }}" state=absent

  tasks:
    - name: check the logs and fix them if the check fails
      block:
        - name: verify the logs ownership
          find:
            paths: "{{ target_file }}"
            patterns: "*.txt"
          register: ownership
          # any file with the wrong owner, group or mode fails the task and triggers the rescue
          failed_when: >
            (ownership.files | selectattr('pw_name', '!=', 'root') | list) or
            (ownership.files | selectattr('gr_name', '!=', 'adm') | list) or
            (ownership.files | selectattr('mode', '!=', '0750') | list)

        - set_fact:
            stig_text: "PASSED"

      rescue:
        - name: change the permission and ownership of the files
          become: true
          file:
            path: "{{ item.path }}"
            owner: root
            group: adm
            mode: '0750'   # quoted so YAML does not read it as an octal integer
          with_items: "{{ ownership.files }}"
          register: change_perms

        - set_fact:
            stig_text: "PASSED"
          when: change_perms.changed

        - debug:
            msg: "{{ stig_id }} {{ stig_text }}"

      always:
        - local_action: lineinfile line="{{ stig_id }} {{ stig_text }}" path="{{ output_path }}" create=yes

Thuan

Jun 3, 2022, 9:50:54 AM
to Ansible Project
revised playbook:

---

- name: verify that the logs' ownership/perms belong to system administrators and service accounts
  hosts: localhost
  vars:
    stig_id: Test-12345
    stig_text: 'FAILED. The Apache web server log files must only be accessible by privileged users.'
    target_file: /tmp/
    output_path: "/tmp/stig-{{ ansible_hostname }}.txt"

  pre_tasks:
    # remove the result line of the previous run so a rerun does not leave a stale entry
    - local_action: lineinfile regexp='^Test-12345' path="{{ output_path }}" state=absent

  tasks:
    - name: check the files and fix them if the check fails
      block:
        - name: verify the files' permissions and ownership
          find:
            paths: "{{ target_file }}"
            patterns: "*.txt"
          register: permissions
          # any file with the wrong owner, group or mode fails the task and triggers the rescue
          failed_when: >
            (permissions.files | selectattr('pw_name', '!=', 'root') | list) or
            (permissions.files | selectattr('gr_name', '!=', 'adm') | list) or
            (permissions.files | selectattr('mode', '!=', '0640') | list)

        - set_fact:
            stig_text: "PASSED"

      rescue:
        - name: change the permission and ownership of the files
          become: true
          file:
            path: "{{ item.path }}"
            owner: root
            group: adm
            mode: '0640'   # quoted so YAML does not read it as an octal integer
          loop: "{{ permissions.files }}"
          loop_control:
            label: "{{ item.path }}"
          register: change_perms

        - set_fact:
            stig_text: "PASSED"
          when: change_perms.changed

        - debug:
            msg: "{{ stig_id }} {{ stig_text }}"

      always:
        - local_action: lineinfile line="{{ stig_id }} {{ stig_text }}" path="{{ output_path }}" create=yes

Dick Visser

Jun 3, 2022, 12:05:40 PM
to ansible...@googlegroups.com
This looks like another case of using ansible as a glorified auditing
and reporting tool, and shoehorning a round peg into a square hole along
the way...

I would ask myself why those permissions are changed and prevent that
from happening in the first place. If this happens every week/day, are
you going to run this playbook then every week/day to 'fix' things?
Or from cron? That sounds like fixing symptoms rather than problems.

AFAICS the high level logic is

* finding files
* reading their permissions
* changing them only if they are not what you want them (in a rescue block?)
* creating some sort of log file by (ab)using the lineinfile module

This is more or less re-implementing what ansible already does out of
the box - using ansible :)

I would take the opposite approach:

* Ensure those permissions are what you want them to be
* Generate a report based on the result

That's it. Should be doable with just two tasks.
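The "ensure, then report" approach from the reply above, written out as an added example (not code from the thread): let the file module enforce the wanted owner/group/mode and derive the audit line from its registered result, so a `--check` run audits without changing anything. It assumes the thread's vars (stig_id, target_file, output_path) and the root/adm/0640 target of the revised playbook; the paths are test values taken from the thread.

```yaml
---
- name: Apache log files must only be accessible by privileged users (Test-12345)
  hosts: localhost
  become: true
  vars:
    stig_id: Test-12345
    target_file: /tmp/          # test target taken from the thread; point it at the real log dir
    output_path: "/tmp/stig-{{ ansible_hostname }}.txt"
    wanted_owner: root
    wanted_group: adm
    wanted_mode: "0640"         # quoted so YAML does not parse it as an octal integer

  tasks:
    - name: Find the log files to check
      ansible.builtin.find:
        paths: "{{ target_file }}"
        patterns: "*.txt"
      register: logs

    # The file module is idempotent: it reports changed only for files that were
    # non-compliant, so the registered result doubles as the audit finding.
    # With --check it predicts the change without touching the file.
    - name: Ensure owner, group and mode on every log file
      ansible.builtin.file:
        path: "{{ item.path }}"
        owner: "{{ wanted_owner }}"
        group: "{{ wanted_group }}"
        mode: "{{ wanted_mode }}"
      loop: "{{ logs.files }}"
      loop_control:
        label: "{{ item.path }}"
      register: enforce

    # One line per STIG id: the regexp replaces the previous result instead of
    # appending a duplicate, and check_mode: false keeps the report in audit runs.
    - name: Record the result
      vars:
        offenders: "{{ enforce.results | selectattr('changed') | map(attribute='item.path') | join(', ') }}"
        verdict: >-
          {{ ('FAILED, ' ~ ('would fix' if ansible_check_mode else 'fixed') ~ ': ' ~ offenders)
          if enforce.changed else 'PASSED' }}
      ansible.builtin.lineinfile:
        path: "{{ output_path }}"
        create: true
        regexp: "^{{ stig_id }} "
        line: "{{ stig_id }} {{ verdict }}"
      check_mode: false
```

Run it with `--check` to get the report without modifying any file, and without it to enforce and report in one pass.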

Thuan

Jun 3, 2022, 1:15:30 PM
to Ansible Project
I'm using the playbook to harden the OS and build a new image.
The block and rescue modules give me a report on whether that system requires a change.
