Issue with a shell command


lift...@gmail.com

Mar 21, 2023, 7:52:14 AM
to Ansible Project
We have a role that implements the CIS benchmarks on our systems.  When we get to the following play, we get the error described below:

- name: Disable System Accounts - preparation
  ansible.builtin.shell: |
    set -o pipefail && awk -F':' \|
    ($3<500 && $1!="root" && $1!="sync" && $1!="shutdown" && $1!="sync" && $1!="shutdown" && $1!="halt" && $7!="/sbin/nologin") { print $1 } /etc/passwd
  register: enabled_system_accounts
  changed_when: false

Error:

awk: cmd. line:1: |
awk: cmd. line:1: ^ syntax error
/bin/sh: -c: line 1: syntax error near unexpected token `{'
/bin/sh: -c: line 1: `($3<500 && $1!="root" && $1!="sync" && $1!="shutdown" && $1!="sync" && $1!="shutdown" && $1!="halt" && $7!="/sbin/nologin") { print $1 } /etc/passwd'

Any ideas?

Thanks,
Harry

Will McDonald

Mar 21, 2023, 8:25:41 AM
to ansible...@googlegroups.com
I suspect your problem is simply that your shell command's incorrectly quoted and something like:

ansible.builtin.shell: |
    set -o pipefail && awk -F':' '($3<500 && $1!="root" && $1!="sync" && $1!="shutdown" && $1!="sync" && $1!="shutdown" && $1!="halt" && $7!="/sbin/nologin") { print $1 } ' /etc/passwd

Note the additional quotes.

https://github.com/major/ansible-role-cis/blob/master/tasks/section_07_level1.yml mostly matches your snippet but uses simpler formatting/quoting as an example.


It might also be worth including:

1. What target operating system release(s) you're targeting and
2. What versions of upstream CIS roles you're using.





lift...@gmail.com

Mar 21, 2023, 11:14:35 AM
to Ansible Project
I was able to get past that issue, but now the next play is erroring out:

- name: Disable System Accounts - preparation
  ansible.builtin.shell: |
    set -o pipefail && awk -F':' '($3<500 && $1!="root" && $1!="sync" && $1!="shutdown" && $1!="sync" && $1!="shutdown" && $1!="halt" && $7!="/sbin/nologin") { print $1 }' /etc/passwd
  register: enabled_system_accounts
  changed_when: false

- name: Disable System Accounts
  ansible.builtin.user:
    name: "{{ item }}"
    shell: /sbin/nologin
    with_items: "{{ enabled_system_accounts.stdout_lines }}"
    when: enabled_system_accounts.stdout_lines is defined


The "Disable System Accounts" is giving me "The task includes an option with an undefined variable. The error was: 'item' is undefined".  I'm assuming that the "enabled_system_accounts" is not defined or available at this point?  Any thoughts on how to get past this?

Thanks,
Harry

Alex Wanderley

Mar 21, 2023, 11:43:14 AM
to ansible...@googlegroups.com
Hello,

If you debug/print the whole content of "enabled_system_accounts" what do you see?
Is "enabled_system_accounts.stdout_lines" being populated?

Alex




Dick Visser

Mar 21, 2023, 12:26:02 PM
to ansible...@googlegroups.com
with_items is incorrectly indented 

--
Sent from Gmail Mobile
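
The indentation fix described in the last reply, as an added example that is not part of the original posts: `with_items` and `when` are task keywords, so they belong at the same level as `ansible.builtin.user`, not inside its arguments, where no loop is created and `item` stays undefined. The debug task follows the earlier suggestion to print the registered variable.

```yaml
# Added example, not from the thread's authors.
# The repeated "sync"/"shutdown" tests from the original awk filter are listed once.
- name: Disable System Accounts - preparation
  ansible.builtin.shell: |
    set -o pipefail && awk -F':' '($3<500 && $1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $7!="/sbin/nologin") { print $1 }' /etc/passwd
  register: enabled_system_accounts
  changed_when: false

# Optional: confirm what the preparation task actually registered.
- name: Show accounts selected for lockdown
  ansible.builtin.debug:
    var: enabled_system_accounts.stdout_lines

- name: Disable System Accounts
  ansible.builtin.user:          # module arguments are indented under the module
    name: "{{ item }}"
    shell: /sbin/nologin
  # Task-level keywords: same indentation as the module name.
  with_items: "{{ enabled_system_accounts.stdout_lines }}"
  when: enabled_system_accounts.stdout_lines is defined
```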