Describe the Issue / Expected vs Actual Behaviors

In prelim.yml, the RHEL-08-010690 task calls to gather local interactive home directories with this line:

However, when this is actually run, the single quotes are INTERPRETED, causing the actual run command to come out as:

instead of:

This causes RHEL-08-010770 to not perform work, as no local interactive home directories are found.

However, even after this is remedied, the next step in line pulls "INI files" in the found directory. For example, let's say the above getent returned /home/testuser. The followup, "RHEL-08-010660 | RHEL-08-010770 | AUDIT | FInd ini files for interactive users", finds results and saves them in list form -- without the corresponding home folder they were pulled from. This would be fine if the full paths were being fetched -- but they aren't.

This leaves the stdout for the above command looking something like this:

    .bash_logout
    .bash_profile
    .bashrc

This is not usable by Ansible, as it doesn't give enough information. These incomplete paths get written to rhel_08_stig_interactive_homedir_results, which then gets set as a fact to rhel_08_stig_interactive_homedir_inifiles as a list of lists:

The final flaw is the way the with_items is called in the actual remediation for RHEL-08-010770: it is passed in a way that preserves the sub-lists instead of flattening them into items, so it ends up trying to pass THE ENTIRE list of incomplete filepaths to be remedied at once (the entire list per home directory discovered).

Control(s) Affected

RHEL-08-010690, RHEL-08-010770

Possible Solution

First -- in the "PRELIM | RHEL-08010690 | Gather local interactive user directories" task in prelim.yml, the shell command must be revised to use formatting that does not leave remnant single quotes, such as utilizing the raw template marker in Jinja2 to wrap the curly braces in the getent command itself:

    shell: "getent passwd {%raw%}{{% endraw %}{{ rhel8stig_int_gid }}..24339{%raw%}}{%endraw%} | # rest of string is correct after this

From there, I would then alter the "Find ini files for interactive users" step of prelim.yml to include whole paths, instead of just the filename, by replacing the logic to just filter out for files that start with a .:

This output gets written to a variable (as a list) which then gets added into another variable (making it a list of lists). This is then called by the RHEL-08-010770 patch in fix-cat2.yml. However, rhel_08_stig_interactive_homedir_inifiles is being incorrectly passed. It is passed to the with_items as a single entry in a list, causing a THREE LEVEL deep list. This means when with_items flattens, it only flattens one level, causing the lists of files to be passed in all at once. This is an easy fix, by simply moving the variable to the same line as with_items (removing the extra listing level):

    file:
      path: "{{ item }}"
      mode: "{{ rhel8stig_local_int_perm }}"
    with_items: "{{ rhel_08_stig_interactive_homedir_inifiles }}"  # Note how this is now on the same line, meaning its entries will get flattened and processed correctly

I have tested this fix and can confirm it to be functional, however this was only in a minimal scenario.
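The following is an added example, not code from the issue author or from the RHEL8-STIG role, that reproduces in plain Python the two data-shape problems the report describes: dot-files recorded as bare basenames rather than full paths, and a loop variable wrapped in one extra list so that with_items (which flattens exactly one level) hands whole per-home sub-lists to the file module. All function names are hypothetical helpers written for this illustration; the home directories and dot-files are constructed in a temporary directory so it runs offline, and the dot-file search uses pathlib as a stand-in for the role's shell command.

```python
"""Reproduce the issue's list-nesting bug with constructed home directories.

flatten_one_level() stands in for Ansible's with_items (one level of
flattening); loop_items_broken()/loop_items_fixed() show the two ways the
fact is passed; ini_files() gathers dot-files as full paths (the proposed fix).
All names are hypothetical helpers for this example, not the role's own code.
"""
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample: two interactive users and the dot-files in each home.
SAMPLE_HOMES = {
    "testuser": [".bash_logout", ".bash_profile", ".bashrc"],
    "alice": [".bashrc", ".profile"],
}


def flatten_one_level(items):
    """Mimic with_items: splice one level of nested lists, keep scalars as-is."""
    out = []
    for item in items:
        if isinstance(item, list):
            out.extend(item)
        else:
            out.append(item)
    return out


def make_sample_homes():
    """Create the constructed home directories under a temp dir; return their paths."""
    base = Path(tempfile.mkdtemp(prefix="stig-homes-"))
    homes = []
    for user, dotfiles in SAMPLE_HOMES.items():
        home = base / user
        home.mkdir()
        for name in dotfiles:
            (home / name).write_text("# constructed sample file\n")
        (home / "notes.txt").write_text("not an init file\n")  # must be ignored
        (home / ".ssh").mkdir()  # dot-directory: ignored, files only
        homes.append(str(home))
    return homes


def ini_basenames(home):
    """What the issue says the role currently records: bare filenames."""
    return sorted(p.name for p in Path(home).iterdir()
                  if p.name.startswith(".") and p.is_file())


def ini_files(home):
    """Proposed fix: the same dot-files, but as full paths tied to their home."""
    return sorted(str(p) for p in Path(home).iterdir()
                  if p.name.startswith(".") and p.is_file())


def loop_items_broken(per_home):
    """with_items: - "{{ var }}"  -> three levels; one flatten leaves sub-lists."""
    return flatten_one_level([per_home])


def loop_items_fixed(per_home):
    """with_items: "{{ var }}"  -> two levels; one flatten yields one path per item."""
    return flatten_one_level(per_home)


def apply_mode(paths, mode=0o640):
    """Stand-in for the file module: chmod each path and return those changed.
    A list arriving as an item (the broken case) is rejected up front."""
    changed = []
    for p in paths:
        if not isinstance(p, str):
            raise TypeError(f"expected a path string, got {type(p).__name__}: {p!r}")
        os.chmod(p, mode)
        changed.append(p)
    return changed


def demo():
    """Build the sample, run both loop shapes, and report what each produces."""
    homes = make_sample_homes()
    per_home = [ini_files(h) for h in homes]  # list of lists, one per home
    broken = loop_items_broken(per_home)
    fixed = loop_items_fixed(per_home)
    try:
        apply_mode(broken)
        broken_error = ""
    except TypeError as exc:
        broken_error = str(exc)
    return {
        "basenames_only": [ini_basenames(h) for h in homes],
        "broken_items": broken,
        "broken_error": broken_error,
        "fixed_items": fixed,
        "fixed_modes": [stat.S_IMODE(os.stat(p).st_mode) for p in apply_mode(fixed)],
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

Running it prints the basename-only lists (unusable without the home they came from), the broken loop's two items (each a whole sub-list, which the chmod stand-in rejects), and the fixed loop's five absolute paths, all left at mode 0640.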