This looks like another case of using ansible as a glorified auditing and reporting tool, and shoehorning a round peg into a square hole along the way...

I would ask myself why those permissions are changed and prevent that from happening in the first place. If this happens every week/day, are you going to run this playbook then every week/day to 'fix' things?
Or from cron? That sounds like fixing symptoms rather than problems.

AFAICS the high level logic is

* finding files
* reading their permissions
* changing them only if they are not what you want them to be (in a rescue block?)
* creating some sort of log file by (ab)using the lineinfile module

This is more or less re-implementing what ansible already does out of the box - using ansible :)

I would take the opposite approach:

* Ensure those permissions are what you want them to be
* Generate a report based on the result

That's it. Should be doable with just two tasks.



On 2022-06-03 (Fri) 15:50, Thuan wrote:
revised playbook:

---

- name: verify that the log files' ownership/perms belong to system administrators and service accounts.
  hosts: localhost
  vars:
    stig_id: Test-12345
    stig_text: 'FAILED. The Apache web server log files must only be accessible by privileged users.'
    target_file: /tmp/
    output_path: "/tmp/stig-{{ ansible_hostname }}.txt"

  pre_tasks:
    # Clear the previous result line for this STIG ID before the check runs.
    # (In the posted version this sat under vars: as a plain string, so it never ran.)
    - name: remove the previous result for this STIG ID from the report
      local_action: lineinfile regexp='^Test-12345' path="{{ output_path }}" state=absent

  tasks:
    - name: check the log files and fix them if the check fails
      block:
        - name: verify the files' permissions and ownership
          find:
            paths: "{{ target_file }}"
            patterns: "*.txt"
          register: permissions
          # find returns pw_name, gr_name and mode (as a string) per file;
          # any file that deviates from root:adm 0640 fails the task and
          # drops into the rescue section.
          failed_when: >
            (permissions.files | selectattr('pw_name', '!=', 'root') | list) or
            (permissions.files | selectattr('gr_name', '!=', 'adm') | list) or
            (permissions.files | selectattr('mode', '!=', '0640') | list)

        - set_fact:
            stig_text: "PASSED"

      rescue:
        - name: change the permission and ownership of the files
          become: true
          file:
            path: "{{ item.path }}"
            owner: root
            group: adm
            mode: 0640
          loop: "{{ permissions.files }}"
          loop_control:
            label: "{{ item.path }}"
          register: change_perms

        - set_fact:
            stig_text: "PASSED"
          when: change_perms.changed == true

        - debug:
            msg: "{{ stig_id }} {{ stig_text }}"

      always:
        - local_action: lineinfile line="{{ stig_id }} {{ stig_text }}" path="{{ output_path }}" create=yes

On Friday, June 3, 2022 at 8:34:23 AM UTC-4 Thuan wrote:

    Hello,

    My current playbook worked and I just want to know if there is room for
    improvement.


    ---

    - name: verify that the log files' ownership/perms belong to system administrators and service accounts.
      hosts: localhost
      vars:
        stig_id: Test-12345
        stig_text: 'FAILED. The Apache web server log files must only be accessible by privileged users.'
        target_file: /tmp/
        output_path: "/tmp/stig-{{ ansible_hostname }}.txt"
      pre_tasks:
        # Clear the previous result line for this STIG ID before the check runs.
        # (In the posted version this sat under vars: as a plain string, so it never ran.)
        - name: remove the previous result for this STIG ID from the report
          local_action: lineinfile regexp='^Test-12345' path="{{ output_path }}" state=absent
      tasks:
        - name: check the log files and fix them if the check fails
          block:
            - name: verify the logs ownership
              find:
                paths: "{{ target_file }}"
                patterns: "*.txt"
              register: ownership
              failed_when: >
                (ownership.files | selectattr('pw_name', '!=', 'root') | list) or
                (ownership.files | selectattr('gr_name', '!=', 'adm') | list) or
                (ownership.files | selectattr('mode', '!=', '0750') | list)
            - set_fact:
                stig_text: "PASSED"
          rescue:
            - name: change the permission and ownership of the files
              become: true
              file:
                path: "{{ item.path }}"
                owner: root
                group: adm
                mode: 0750
              with_items: "{{ ownership.files }}"
              register: change_perms
            - set_fact:
                stig_text: "PASSED"
              when: change_perms.changed == true
            - debug:
                msg: "{{ stig_id }} {{ stig_text }}"
          always:
            - local_action: lineinfile line="{{ stig_id }} {{ stig_text }}" path="{{ output_path }}" create=yes

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/dddf0b80-9367-4e03-949e-ff81ca5c7503n%40googlegroups.com <https://groups.google.com/d/msgid/ansible-project/dddf0b80-9367-4e03-949e-ff81ca5c7503n%40googlegroups.com?utm_medium=email&utm_source=footer>.

--
You received this message because you are subscribed to the Google Groups "Ansible 
Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/45fd0ad1-de00-22e8-6d5a-4c538b032bd5%40gmail.com.
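As an added illustration of the "ensure, then report" shape proposed in the reply above (example code written for this page, not from either poster): the find task only enumerates the files, the file task is the check because it compares owner/group/mode with the desired state and touches only files that differ, and the registered result drives the report line. The STIG id, the paths and the report format are taken from Thuan's playbook; the failed_when on an empty match set, the check_mode/ansible_check_mode handling and the list of corrected files are assumptions added here.

```yaml
---
- name: Apache log files must only be accessible by privileged users (Test-12345)
  hosts: localhost
  become: true          # reading a root:adm 0750 log directory needs privilege
  vars:
    stig_id: Test-12345
    # Same locations as in the original playbook; point target_file at the
    # real log directory when using this.
    target_file: /tmp/
    output_path: "/tmp/stig-{{ ansible_hostname }}.txt"

  tasks:
    - name: Enumerate the log files covered by the control
      find:
        paths: "{{ target_file }}"
        patterns: "*.txt"
      register: log_files
      # An audit that checked nothing must not report PASSED (assumed caveat):
      # a wrong path or glob fails the play instead of passing silently.
      failed_when: log_files.matched == 0

    # This task is the check. The file module only changes files whose
    # owner, group or mode differ from the desired state, and with --check
    # it reports what it would change without changing anything, so the
    # same playbook serves as enforcement or as a read-only audit.
    - name: Ensure the log files are owned by root:adm with mode 0640
      file:
        path: "{{ item.path }}"
        owner: root
        group: adm
        mode: "0640"
      loop: "{{ log_files.files }}"
      loop_control:
        label: "{{ item.path }}"
      register: perms

    # perms.changed is true if any file had to be corrected; perms.results
    # says which ones. The regexp replaces the previous line for this id,
    # so no separate cleanup step is needed. check_mode: false lets the
    # report be written during a --check run, and ansible_check_mode tells
    # us whether the deviation was actually fixed or only detected.
    - name: Record the result for this STIG id on the controller
      lineinfile:
        path: "{{ output_path }}"
        create: true
        regexp: "^{{ stig_id }} "
        line: "{{ stig_id }} {{ status }} {{ fixed_files }}"
      vars:
        status: "{{ 'PASSED' if not perms.changed else ('FAILED' if ansible_check_mode else 'FAILED, fixed') }}"
        fixed_files: "{{ perms.results | selectattr('changed') | map(attribute='item.path') | join(' ') }}"
      check_mode: false
      delegate_to: localhost
      become: false
```

Run with `ansible-playbook --check` to get the audit-only behaviour (the report line says FAILED and names the offending files, nothing on disk changes); run without it to remediate and get "FAILED, fixed". Either way a run where every file already matches writes "Test-12345 PASSED", and there is no block/rescue or hand-written comparison logic, which is the point the reply makes: the file module already knows how to compare current and desired state.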
