Check Number Of Wheel Group Members

Jon Adcock

Apr 2, 2019, 12:22:41 PM
to Ansible Project
I'm trying to add a task to my security playbook to ensure that there are no members in the default Linux wheel group.  This has turned out to be more difficult than I thought it would be.

Can someone out there help get me started?  (ansible 2.7.9)

Matt Martz

Apr 2, 2019, 12:28:14 PM
to ansible...@googlegroups.com
You can use the `getent` module to do this.  Something like:

- getent:
    database: group

- assert:
    that:
      - getent_group.wheel|default(["", "", ""])[2] == ""

--
Matt Martz
@sivel
sivel.net

Jon Adcock

Apr 2, 2019, 1:50:41 PM
to Ansible Project
Thank you for your reply.  I am getting what appears to be a formatting error.  Here is the task from my playbook, and the error it is generating:
-------------------------------------------
  tasks:
  - getent:
       database: group

# Users in the default wheel group are automatically granted sudo privileges
  - assert:
       that: getent_group.wheel|default(["", "", ""])[2] == ""
       msg: "The wheel group contains one or more users!"
-------------------------------------------
task path: /etc/ansible/playbooks/test1.yml:22
fatal: [jon-rhel7]: FAILED! => {
    "msg": "The conditional check 'getent_group.wheel|default([\"\", \"\", \"\"])[2] == \"\"' failed. The error was: template error while templating string: expected token 'end of statement block', got '['. String: {% if getent_group.wheel|default([\"\", \"\", \"\"])[2] == \"\" %} True {% else %} False {% endif %}"
}

Matt Martz

Apr 2, 2019, 2:22:56 PM
to ansible...@googlegroups.com
Your formatting doesn't match mine. Notice the difference of `that` between mine and yours.  `that` is intended to be a list.

Sebastian Meyer

Apr 2, 2019, 2:23:04 PM
to ansible...@googlegroups.com, Jon Adcock
On 02.04.19 19:50, Jon Adcock wrote:
> that: getent_group.wheel|default(["", "", ""])[2] == ""

You'll need () around the getent and default:

that: (getent_group.wheel|default(["", "", ""]))[2] == ""

The above should work.

Sebastian
--
Sebastian Meyer
Linux Consultant & Trainer
Mail: me...@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
Managing Director: Ralph Dehner / Registered office: Vohburg / District court: Ingolstadt, HRB 3537
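
The parenthesised expression from this reply as a complete play, given here as an added example that is not part of the thread. It goes beyond the thread by also checking accounts whose primary GID is wheel's, which the member field of the group entry does not list. The names `wheel_entry`, `wheel_listed` and `wheel_primary` are assumptions, and the `equalto` test assumes Jinja2 2.8 or later on the control node.

```yaml
# Added example, not from the thread.
- hosts: all
  gather_facts: false
  tasks:
    - name: Read the group database
      getent:
        database: group

    - name: Read the passwd database
      getent:
        database: passwd

    - name: Work out who is in wheel
      vars:
        # Entry is [password, gid, members]; the default covers hosts
        # that have no wheel group at all.
        wheel_entry: "{{ getent_group.wheel | default(['', '', '']) }}"
      set_fact:
        # Members named in the group entry; select drops the empty string
        # that split() returns when the field is empty.
        wheel_listed: "{{ wheel_entry[2].split(',') | select | list }}"
        # Accounts whose primary GID (passwd value index 2) is wheel's GID.
        wheel_primary: >-
          {{ getent_passwd | dict2items
             | selectattr('value.2', 'equalto', wheel_entry[1])
             | map(attribute='key') | list }}

    - name: Fail if wheel has any members
      assert:
        that:
          # Parentheses are required: a subscript placed directly after the
          # filter call is the template error shown earlier in the thread.
          - (getent_group.wheel | default(['', '', '']))[2] == ''
          - wheel_primary | length == 0
        msg: "wheel members: {{ (wheel_listed + wheel_primary) | unique | join(', ') }}"
```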

Jon Adcock

Apr 2, 2019, 2:52:44 PM
to Ansible Project
That got it!  Thank you for your help.