Hi Thuan,
I'm not sure why you are just trying to assert the permissions rather than
enforce them, but why not enforce them with something like:
- name: Change permissions recursively
  hosts: all
  gather_facts: False
  ignore_errors: True
  vars:
    path: <put your path here>
    modes:
      d: '2755'
      f: '0640'
  tasks:
    - name: Change permissions
      # -exec suppresses find's default print, so without a trailing -print
      # stdout is always empty and changed_when never fires; -print after
      # -exec runs only when chmod succeeded, so stdout lists what changed
      command: find "{{ path }}" -type "{{ item.key }}" ! -perm "{{ item.value }}" -exec chmod -f "{{ item.value }}" {} \; -print
      with_dict: "{{ modes }}"
      register: result
      changed_when: result.stdout != ""
On Thu, Dec 31, 2020 at 10:43 AM Thuan <[email protected]> wrote:
> Hi all,
>
> My playbook is working for single files but not for directories.
> It doesn't check the folders permissions recursively.
>
> ============================================================
>
> - name: Ensure system directories are own by root group.
>   block:
>     - name: Verify the command directories are exists.
>       become: true
>       stat:
>         path: "{{ item }}"
>       loop:
>         - /bin/
>         - /sbin/
>         - /usr/bin/
>         - /usr/sbin/
>         - /usr/local/bin
>         - /usr/local/sbin
>       register: command_directories
>     - name: Verify the ownership of command directories are belong to root.
>       loop: |
>         {{ command_directories.results | map(attribute='item') |
>            zip(command_directories.results | map(attribute='stat.gr_name')) | list }}
>       assert:
>         that: item.1 == 'root'
>       loop_control:
>         label: "{{ item.0 }}"
>     - set_fact:
>         stig_text: "PASSED"
>   rescue:
>     - name: configure the command directories ownership to root and create if it doesn't exist.
>       become: true
>       file:
>         path: "{{ item.item }}"
>         group: root
>         # recurse requires state=directory; state=touch for a missing path
>         # would create a file and make the file module fail on recurse
>         state: directory
>         recurse: yes
>       loop: "{{ command_directories.results }}"
>       register: file_perms_rule
>     - set_fact:
>         stig_text: "PASSED"
>       when: file_perms_rule.changed
>
> ==================================================================
>
> TASK [Verify the ownership of command directories are belong to root.] ***************************************
> [WARNING]: The loop variable 'item' is already in use. You should set the `loop_var` value in the
> `loop_control` option for the task to something else to avoid variable collisions and unexpected behavior.
> ok: [localhost] => (item=/bin/) => {
>     "ansible_loop_var": "item",
>     "changed": false,
>     "item": [
>         "/bin/",
>         "root"
>     ],
>     "msg": "All assertions passed"
> }
> ok: [localhost] => (item=/sbin/) => {
>     "ansible_loop_var": "item",
>     "changed": false,
>     "item": [
>         "/sbin/",
>         "root"
>     ],
>     "msg": "All assertions passed"
> }
> ok: [localhost] => (item=/usr/bin/) => {
>     "ansible_loop_var": "item",
>     "changed": false,
>     "item": [
>         "/usr/bin/",
>         "root"
>     ],
>     "msg": "All assertions passed"
> }
> ok: [localhost] => (item=/usr/sbin/) => {
>     "ansible_loop_var": "item",
>     "changed": false,
>     "item": [
>         "/usr/sbin/",
>         "root"
>     ],
>     "msg": "All assertions passed"
> }
> ok: [localhost] => (item=/usr/local/bin) => {
>     "ansible_loop_var": "item",
>     "changed": false,
>     "item": [
>         "/usr/local/bin",
>         "root"
>     ],
>     "msg": "All assertions passed"
> }
> ok: [localhost] => (item=/usr/local/sbin) => {
>     "ansible_loop_var": "item",
>     "changed": false,
>     "item": [
>         "/usr/local/sbin",
>         "root"
>     ],
>     "msg": "All assertions passed"
> }
>
> --
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/3736ce06-1bf1-4cfe-a2fb-042619b8497en%40googlegroups.com
>
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAH4rTPveoDtb9Qb2BKdQoQk8Gv3s0xgyW2B3niLMcYCbjPxAgA%40mail.gmail.com.
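The find-based approach from the reply above, as an added example that is not code from either message in the thread: the check is split into an audit step that only reports paths whose mode deviates (the recursive "assert" the original playbook was missing) and an enforce step that changes them, with the thread's 2755/0640 as defaults. DIR_MODE, FILE_MODE, the function names and the sample tree are all assumptions constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): the reply's find-based approach as shell
# functions, an audit step that only reports offenders and an enforce step that
# fixes them. DIR_MODE / FILE_MODE default to the thread's 2755 / 0640 and can be
# overridden in the environment. find's "-perm MODE" matches the exact
# permission bits, so "! -perm MODE" lists every path that deviates.

# audit_modes DIR: print every directory or file under DIR whose mode is not
# the expected one; prints nothing when the tree is compliant.
audit_modes() {
    find "$1" -type d ! -perm "${DIR_MODE:-2755}" -print
    find "$1" -type f ! -perm "${FILE_MODE:-0640}" -print
}

# count_violations DIR: number of non-compliant paths (0 means compliant).
count_violations() {
    audit_modes "$1" | wc -l | tr -d ' '
}

# enforce_modes DIR: chmod the offenders. -print after -exec runs only when
# chmod succeeded, so the output lists exactly what changed (the same output
# the playbook's changed_when would key on).
enforce_modes() {
    find "$1" -type d ! -perm "${DIR_MODE:-2755}" \
        -exec chmod -f "${DIR_MODE:-2755}" {} \; -print
    find "$1" -type f ! -perm "${FILE_MODE:-0640}" \
        -exec chmod -f "${FILE_MODE:-0640}" {} \; -print
}

# make_sample_tree: constructed test data with two compliant paths and two
# offenders (a 0700 directory and a 0666 file). Prints the tree's root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/ok" "$root/bad"
    touch "$root/ok/f1" "$root/bad/f2"
    chmod "${DIR_MODE:-2755}" "$root" "$root/ok"
    chmod "${FILE_MODE:-0640}" "$root/ok/f1"
    chmod 0700 "$root/bad"
    chmod 0666 "$root/bad/f2"
    printf '%s\n' "$root"
}
```

Run `audit_modes /some/path` on its own first; an empty result is the recursive "PASSED" the original block was after, and a non-empty one lists the exact paths enforce_modes would change.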