Need help with Loop and Stat playbook

[Thuan]

Hi all,

I'm try to use the Loop and Stat modules instead Shell command with Ansible playbook.

Whenever I run the playbook with --check,  I always get the 'Pass' message.

The error was: error while evaluating conditional (audit_tools.stat.mode != '0755'): 'dict object' has no attribute 'stat'\n\n

I need help.

Thanks

===========================================================

---

- set_fact:

    stig_id: V-219195

    stig_text: "FAILED. Audit tools aren't configured with mode of 0755 or less permissive."

- local_action: lineinfile regexp='^V-219195' path="{{ output_path }}" state=absent

- name: Ensure audit tools have 0755 permissions.

  block: 

    - name: check audit tools permissions.

      become: true

      stat:

        path: "/sbin/{{ audit_loop }}"

      loop:

        - auditctl

        - aureport

        - ausearch

        - autrace

        - auditd

        - audispd

        - augenrules

      loop_control:

        loop_var: audit_loop

      register: audit_tools

    

    - set_fact:

        stig_text: "{{ stig_id }} FAILED. Audit tools don't have 0755 permissions."

      when: audit_tools.stat.mode != '0755'

   

    - set_fact:

        stig_text: "PASSED"

    

  rescue:

    - name: change the audit tools' permissions to 0755.

      become: true

      file:

        path: "/sbin/{{ item.audit_loop }}"

        mode: 0755

        state: "{{ 'file' if item.stat.exists else 'touch' }}"

      loop: "{{ audit_tools.results }}"

      register: file_perms_rule 

  

    - set_fact:

        stig_text: "PASSED"

      when: file_perms_rule.changed

    - debug:

        msg: "{{ stig_id }} {{ stig_text }}"

  always:

    - local_action: lineinfile line="{{ stig_id }} {{ stig_text }}" path="{{ output_path }}" create=yes

[Roberto Paz]

Maybe some of the files are missing in the target. If that's the case, there is no "stat" for that file.

Maybe you should add "audit_tools.stat is defined and audit_tools.stat.mode != '0755'"

[Stefan Hornburg (Racke)]

On 12/17/20 5:05 PM, Roberto Paz wrote:
> Maybe some of the files are missing in the target. If that's the case, there is no "stat" for that file.
>

That's not true. If a file is missing you have stat.exists = false in the result.

The problem here is that the stat task is called in a loop, while set_fact is called without a loop.

Regards
Racke

> --
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to
> ansible-proje...@googlegroups.com <mailto:ansible-proje...@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/3138f57f-49a7-4537-92a5-9524f2feba24n%40googlegroups.com
> <https://groups.google.com/d/msgid/ansible-project/3138f57f-49a7-4537-92a5-9524f2feba24n%40googlegroups.com?utm_medium=email&utm_source=footer>.


--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.

[Thuan]

Hi all,

So I made a slight chance, I added "failed_when: audit_tools.stat.mode != '0755'' below 'register' module and the error message went away.

By the way, all files are exist.

I changed two files chmod to 0640 for testing purpose.

However, I still get the 'Passed' as a result when I ran the --check mode.

[Thuan]

Another issue, when all the files have proper permissions, then the playbook would give me the result as 'Failed.'

This is the opposite of what I want.

TASK [debug] ***********************************************************************************************

ok: [localhost] => {

    "msg": "V-219195 FAILED. Audit tools aren't configured with mode of 0755 or less permissive."