19:06:51 <cyberpear> #startmeeting Ansible Lockdown Working Group
19:06:51 <zodbot> Meeting started Thu Jun 25 19:06:51 2020 UTC.
19:06:51 <zodbot> This meeting is logged and archived in a public location.
19:06:51 <zodbot> The chair is cyberpear. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:06:51 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:06:51 <zodbot> The meeting name has been set to 'ansible_lockdown_working_group'
19:07:00 <cyberpear> #chair xgeorgex
19:07:00 <zodbot> Current chairs: cyberpear xgeorgex
19:09:40 <cyberpear> #topic Roll Call
19:09:41 <cyberpear> .hello2
19:09:43 <zodbot> cyberpear: cyberpear 'James Cassell' <fedoraproject@cyberpear.com>
19:09:49 <cyberpear> anyone else joining today?
19:11:27 <xgeorgex> hey
19:11:39 <xgeorgex> Sorry if you were waiting I was looking at something and then realized I didn't check here for a bit
19:11:39 <cyberpear> #topic agenda
19:11:50 <cyberpear> no problem
19:11:56 <cyberpear> anything new to discuss today?
19:12:23 <xgeorgex> Nothing really on my side. I'm working on the RHEL8 stig stuff. I have cat1 and cat 2 one and almost halfway through cat 2
19:12:50 <cyberpear> I don't have too much new directly on-topic...
19:12:51 <xgeorgex> We should be pushing a new tomcat stig, we found one of the tasks that had like 8 controls was missing a quote on a control name
19:13:13 <xgeorgex> It didn't seem to make it not run, but I fixed it this morning anyways
19:13:15 <xgeorgex> anyways
19:13:27 <xgeorgex> Other than that not much on our end
19:13:49 <xgeorgex> I think starting tomorrow I'll be working on another clients stuff so RHEL8 will be back burnered for about a week
19:14:20 <xgeorgex> I do have a question about something I'm trying to do in the rhel8 stig though, you might know what's up with it
19:14:36 <xgeorgex> But I'm not sure if that's on topic for the meeting
19:15:22 <cyberpear> ask away
19:15:34 <cyberpear> this week, I was having fun w/ "AP1.22. Privileged Access." at https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/857001m.pdf
19:16:09 <xgeorgex> So it's similar to task RHEL-07-020730, initialization files must not execute world-writable programs.
19:16:31 <xgeorgex> However in RHEL8 it has you doing it for all partitions and not just the / partition
19:16:51 <cyberpear> I think we "solved" that one by searching for world-writable programs, rather than searching initialization files
19:17:09 <xgeorgex> Yeah but my issue is a bit further down the line though
19:17:16 <cyberpear> I assume we just shelled out and used the `find` command
19:17:31 <xgeorgex> So I have the search that looks for the files but looping through ansible_mounts.mount
19:17:46 <xgeorgex> And it creates "dictionaries" for each mount
19:17:51 <xgeorgex> Which is what I wanted
19:18:18 <xgeorgex> However in the task that sets the permissions it's putting the [' from the stdout_lines output
19:18:47 <xgeorgex> So I'm getting path: ['/boot/testfile'] instead of path /boot/testfile
19:19:23 <xgeorgex> It only does that when I loop through the mounts stuff
19:19:48 <xgeorgex> Any ideas on how else to handle it? I was thinking maybe the find module instead of the shell: find stuff
19:19:53 <xgeorgex> But I can't get the patterns to find the files
19:20:05 <xgeorgex> Based on permissions
19:20:55 <cyberpear> hmm
19:21:16 <cyberpear> yeah, the `find` module is inadequate in my opinion
19:21:18 <xgeorgex> Yeah it's a bit weird and if it was just in / like it was before that's easy
19:21:37 <xgeorgex> Yeah it's super limited in what it can do
19:21:41 <cyberpear> seems broken that stdout_lines would have [' in the output
19:22:18 <cyberpear> or perhaps you need to `with_items: "{{ ...stdout_lines}}"`
19:22:22 <cyberpear> make it a loop
19:22:30 <cyberpear> you probably can't pass stdout_lines directly to path
19:23:19 <xgeorgex> Maybe I'll try that. With other multi dict things I would look through the dicts like with_items : {{ var.results }} then the {{ items.what I want }}
19:23:28 <xgeorgex> Maybe I'll try that. With other multi dict things I would look through the dicts like with_items : {{ var.results }} then the {{ item.what I want }}
19:24:58 <xgeorgex> Which is what I was trying here. It's worked with other stuff so I'm not sure what's up here. The thing that makes me think it is getting [' from the variable is if I put a bogus file in there the error is file whatever doesn't exist, but here its file ['whatever'] doesn't exist
19:25:47 <xgeorgex> So I'm not grasping something with it
19:26:10 <cyberpear> sounds like a question to ask in #ansible or ansible-project@googlegroups.com
19:26:18 <cyberpear> but generally when troubleshooting those, I run with -vvv
19:26:25 <cyberpear> that usually reveals the answer
19:26:35 <xgeorgex> Hmm that's a good idea
19:26:49 <cyberpear> so if you fpaste the -vvv output, I can look
19:27:06 <xgeorgex> I wasn't running verbose mode anything since I had a debug in there for the variables I was using the error was right there
19:27:09 <xgeorgex> However that might show more
19:27:36 <cyberpear> I usually only debug when -vvv doesn't show something I need
19:28:44 <xgeorgex> I didn't know what the stepping would be, so I just set up the find followed by the debug of the var it created so I could see what was needed on the change task
19:28:52 <xgeorgex> However it never worked so I just left it in there
19:29:40 <xgeorgex> "item": {
19:29:41 <xgeorgex> "ansible_loop_var": "item",
19:29:41 <xgeorgex> "changed": false,
19:29:41 <xgeorgex> "cmd": "find /boot -xdev -type f -perm -002",
19:29:41 <xgeorgex> "delta": "0:00:00.004664",
19:29:41 <xgeorgex> "end": "2020-06-25 19:29:16.845548",
19:29:45 <xgeorgex> "failed": false,
19:29:48 <xgeorgex> "failed_when_result": false,
19:29:49 <xgeorgex> "invocation": {
19:29:52 <xgeorgex> "module_args": {
19:29:53 <xgeorgex> "_raw_params": "find /boot -xdev -type f -perm -002",
19:29:55 <xgeorgex> "_uses_shell": true,
19:29:57 <xgeorgex> "argv": null,
19:30:00 <xgeorgex> "chdir": null,
19:30:02 <xgeorgex> "creates": null,
19:30:04 <xgeorgex> "executable": null,
19:30:06 <xgeorgex> "removes": null,
19:30:08 <xgeorgex> "stdin": null,
19:30:10 <xgeorgex> "stdin_add_newline": true,
19:30:12 <xgeorgex> "strip_empty_ends": true,
19:30:16 <xgeorgex> "warn": true
19:30:18 <xgeorgex> }
19:30:20 <xgeorgex> },
19:30:22 <xgeorgex> "item": {
19:30:24 <xgeorgex> "block_available": 198866,
19:30:26 <xgeorgex> "block_size": 4096,
19:30:28 <xgeorgex> "block_total": 249830,
19:30:30 <xgeorgex> "block_used": 50964,
19:30:32 <xgeorgex> "device": "/dev/sda1",
19:30:35 <xgeorgex> "fstype": "ext4",
19:30:36 <xgeorgex> "inode_available": 65225,
19:30:38 <xgeorgex> "inode_total": 65536,
19:30:40 <xgeorgex> "inode_used": 311,
19:30:42 <xgeorgex> "mount": "/boot",
19:30:46 <xgeorgex> "options": "rw,seclabel,relatime",
19:30:48 <xgeorgex> "size_available": 814555136,
19:30:50 <xgeorgex> "size_total": 1023303680,
19:30:52 <xgeorgex> "uuid": "7510feea-51b7-4b93-a6e4-b67a1ffe5d13"
19:30:54 <xgeorgex> },
19:30:56 <xgeorgex> "rc": 0,
19:30:58 <xgeorgex> "start": "2020-06-25 19:29:16.840884",
19:31:00 <xgeorgex> "stderr": "",
19:31:02 <xgeorgex> "stderr_lines": [],
19:31:04 <xgeorgex> "stdout": "/boot/testboot",
19:31:06 <xgeorgex> "stdout_lines": [
19:31:08 <xgeorgex> "/boot/testboot"
19:31:10 <xgeorgex> ]
19:31:11 <xgeorgex> },
19:31:16 <xgeorgex> "msg": "file (['/boot/testboot']) is absent, cannot continue",
19:31:18 <xgeorgex> "path": "['/boot/testboot']"
19:31:20 <xgeorgex> Hopefully that's not annoying to paste the chunk in here
19:31:22 <xgeorgex> So if I put just a bogus file path/name in path instead of the item.stdout_lines the msg is "file (path/file) is absent", the brackets and ticks aren't there
19:31:27 <xgeorgex> And the path thing at the bottom doesn't have the brackets or ticks
19:31:40 <cyberpear> https://paste.centos.org/
19:32:15 <xgeorgex> Ahhh.... Next time .....
19:32:39 <cyberpear> looks like you passed a list of a single item
19:33:01 <xgeorgex> Yeah since there was only one file that fell in that permissions find
19:33:13 <xgeorgex> Technically there are two, since there is one in / and one in /boot
19:33:24 <xgeorgex> But both outputs are the same
19:34:10 <cyberpear> which module is this?
19:34:43 <xgeorgex> https://paste.centos.org/view/164cb246
19:34:57 <xgeorgex> That's the whole output of the task, that is the file module
19:35:58 <xgeorgex> https://paste.centos.org/view/58f688c7
19:36:00 <xgeorgex> That's the task
19:38:38 <cyberpear> on your with_items, you want `|map(attribute='stdout_lines') | flatten` or so, then you can just do `path: "{{ item }}"`
19:39:38 <xgeorgex> Once I got the change task going I was going to do audit_homedirinifiles task, to confirm my find task was working I wanted to throw the change in there first
19:40:30 <cyberpear> because the `file` module takes a single path, not a list of paths: https://docs.ansible.com/ansible/latest/modules/file_module.html
19:41:08 <xgeorgex> Ok cool, I'm running this right now to see if that helped
19:43:45 <xgeorgex> YESSSS!!!! That got it, thanks
19:43:55 <xgeorgex> I'll remember that for future file module things
19:44:40 <cyberpear> sometimes you don't want to loop on a list of lists, but you want to flatten them and loop on each item in the combined lists
19:46:22 <xgeorgex> Yeah, I haven't run into that yet. And now I will remember to flatten those. #themoreyouknow....
19:47:32 <cyberpear> I've started writing an SELinux policy to allow restrictive administrative access, with things such as pam, sudoers, sssd, auditing locked out, but allowing pretty much everything else
19:47:48 <cyberpear> the hardest part is "what constitutes privileged" access
19:48:59 <cyberpear> the goal is to both limit the number of "privileged users", and (unstatedly) to avoid all the training and certification requirements that come with "privileged access" for those users
19:49:38 <cyberpear> in the process, I found that Ubuntu has a much more advanced aide configuration than Red Hat
19:50:02 <cyberpear> but I guess it has to, since there's no real equivalent to `rpm -Va` on Ubuntu
19:51:59 <cyberpear> I think that's all I had for today
19:52:07 <xgeorgex> Sweet, yeah really no rpm in ubuntu
20:04:21 <cyberpear> if nothing further, I'll close the meeting in a minute
20:19:00 <cyberpear> #endmeeting