Tags: ubuntu-14.04, ansible

Why is Ansible task being skipped?


I have 2 ansible tasks that I am trying to run in a CIS hardening script on an Ubuntu 14.04 Server.

The first task is

- name: 8.1.12 Collect Use of Privileged Commands (Scored)
  shell: /usr/bin/find {/usr/local/sbin,/usr/local/bin,/sbin,/bin,/usr/sbin,/usr/bin} -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" }'
  register: privileged_programs
  tags:
    - scored
    - section8.1.12

This is supposed to register a list of privileged programs to be used in the next task. If I copy the command above onto the Ubuntu VM and run it, I get a long list of programs just like I should.

The second task is this:

- name: 8.1.12 Collect Use of Privileged Commands (Scored)
  lineinfile: dest=/etc/audit/audit.rules line="{{item}}" insertafter=EOF state=present
  with_items: privileged_programs.stdout_lines
  when: privileged_programs is defined and privileged_programs.stdout_lines|length > 0
  notify: restart auditd
  tags:
    - scored
    - section8.1.12

It should fire if any results are registered but so far I have not been able to get it to run. It is skipped every time I try to run the 2 tasks. I am assuming that the privileged_programs variable is not being stored or passed correctly.

Note: I tried changing the first task from shell to command but I then got an error "stderr: /usr/bin/find: paths must precede expression"

Note 2: I also checked /etc/audit/audit.rules and verified that the privileged programs are not contained therein yet.

Edit: I added a debug in between the two tasks to output var=privileged_programs. Here is part of it that I think may indicate part of the issue:

    "stderr": "/usr/bin/find: `{/usr/local/sbin,/usr/local/bin,/sbin,/bin,/usr/sbin,/usr/bin}': No such file or directory",
    "stdout": "",
    "stdout_lines": [],
    "warnings": []

Anyone know why this would be?

Thanks in advance!


Solution

  • The Bourne shell has some issues with that syntax. It works fine in Bash.

    I got it working. Try the following syntax (the directories listed individually instead of in braces):

    shell: /usr/bin/find /usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" }'
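The behaviour behind the accepted answer, as an added example that is not part of the original question or answer: brace expansion (`{a,b}`) is a bash/ksh/zsh feature, not POSIX, so when Ansible's shell module hands the command to /bin/sh (dash on Ubuntu 14.04) the braces reach find literally and it reports "No such file or directory", which is why stdout was empty and the second task was skipped. The script below wraps the portable form in a function that takes the directory list as arguments and builds the same audit rules as the question's awk pipeline, and adds a small probe that tells you whether the current shell expands braces at all. The function and helper names are mine; the rule format (auid>=500, auid!=4294967295, key "privileged") is copied from the question.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds auditd rules for
# setuid/setgid binaries without relying on bash brace expansion, so it
# behaves the same under dash (/bin/sh on Ubuntu 14.04) and under bash.

# privileged_rules DIR... : print one "-a always,exit ..." audit rule per
# setuid (4000) or setgid (2000) regular file found under the given
# directories. Directories are passed as separate arguments, which is the
# portable replacement for the {a,b,c} brace list in the question.
# Assumption: paths contain no whitespace (awk's $1 splits on it).
privileged_rules() {
    find "$@" -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null |
        awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"}'
}

# brace_expansion_works : succeeds (exit 0) only if the running shell
# expands {a,b} into two words. Under dash it stays one literal word.
brace_expansion_works() {
    set -- {a,b}
    [ "$#" -eq 2 ]
}

# rule_count DIR... : number of rules privileged_rules would emit, which is
# the condition the second Ansible task keys on (stdout_lines|length > 0).
rule_count() {
    privileged_rules "$@" | wc -l | tr -d ' '
}

# Demo against the CIS directory list from the question.
if [ "${1:-}" = "--demo" ]; then
    if brace_expansion_works; then
        echo "this shell expands braces (bash-like)"
    else
        echo "this shell does NOT expand braces (POSIX sh/dash); use the argument form"
    fi
    privileged_rules /usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin
fi
```

Run it with `sh script.sh --demo` and again with `bash script.sh --demo` to see the probe flip while the rule output stays identical. If you would rather keep the brace syntax in the playbook, the Ansible shell module's `executable` argument lets you point the task at /bin/bash instead of the default /bin/sh, but the argument form above works everywhere and avoids the dependency.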