HarryHarcourt / Ansible-RHEL8-CIS-Benchmarks

Ansible role for RedHat Enterprise Linux release 8 following the CIS Benchmarks

RHEL 8.2 tries to remove linux-firmware, when 2.2.2 does a yum remove xorg-x11* #4

Open ahamilto156 opened 4 years ago

ahamilto156 commented 4 years ago

G'day Harry,

Again thx for writing this role. There is an issue with RHEL8.2: I have a work-around in my Ansible playbook, but thought you should know...

TASK [Ansible-RHEL8-CIS-Benchmarks : 2.2.2 - Ensure X Window System is absent, exception 123] => yum remove xorg-x11* => erroring on trying to remove linux-firmware. Q: why is it trying to remove it? A: Unknown ATM

The CIS play tries to remove xorg-x11 but fails if it is already absent. Workaround is to exclude test 2.2.2 on systems that have this issue. Also had other issues with this where the removal of xorg-x11 was successful but removed dependent packages installed by other processes - example being grafana, which installs an X11 font package - the hardening goes ahead and REMOVES xorg-x11* including the required font package. Bottom line, there are legitimate reasons to exclude a hardening task from a host - provided other mitigations are in place there shouldn't be any problems.

HarryHarcourt commented 4 years ago

Hi, in relation to this, it is valid, I think. I did put a section in the defaults/main.yml:

# 2.2.2
# Installation of X-Windows
cis_xwindows_install: { package: "xorg-x11*", state: absent, exception: 123 }

You state whether you want the package present or absent; if you want it present, the "security exception" number or text should be added (in quotes). I guess we need a "conditional" to check its presence before trying to remove it.
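One way to write the presence check Harry describes, as an added example rather than code from the role: gather package facts, build the list of xorg-x11 packages that are actually installed, and hand that named list (not a glob) to the package manager only when it is non-empty. It reuses the role's cis_xwindows_install variable shape from defaults/main.yml; cis_xwindows_keep_pattern is a hypothetical extra variable introduced here so that font packages other software depends on (the grafana case above) can be kept. A named list is also the form brantleyp1 reports later in the thread as not pulling linux-firmware into the transaction.

```yaml
# Added example, not part of the role. Gate CIS 2.2.2 on what is actually
# installed instead of passing "xorg-x11*" to yum/dnf.
# Assumes cis_xwindows_install as in the role's defaults/main.yml;
# cis_xwindows_keep_pattern is a hypothetical variable introduced here.
- name: "2.2.2 - Gather installed package facts"
  ansible.builtin.package_facts:
    manager: auto

- name: "2.2.2 - List installed xorg-x11 packages, minus the ones to keep"
  ansible.builtin.set_fact:
    xwindows_installed: >-
      {{ ansible_facts.packages.keys()
         | select('match', '^xorg-x11')
         | reject('match', cis_xwindows_keep_pattern | default('^xorg-x11-fonts'))
         | list }}

- name: "2.2.2 - Report what is present before touching anything"
  ansible.builtin.debug:
    msg: "xorg-x11 packages installed: {{ xwindows_installed }}"

- name: "2.2.2 - Ensure X Window System is absent (exception {{ cis_xwindows_install.exception }})"
  ansible.builtin.dnf:
    name: "{{ xwindows_installed }}"
    state: absent
  when:
    - cis_xwindows_install.state == 'absent'
    - xwindows_installed | length > 0
```

The check only addresses the "already absent" failure and the collateral removal of font packages; the RHEL 8.2 behaviour where the glob removal tries to take linux-firmware with it is a separate problem, and the version-gated exclusion discussed further down the thread is the workaround for that.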

ahamilto156 commented 4 years ago

Harry,

Thx for the swift response. It is an issue with RHEL 8.2 and I have a conditional in my playbook. If it is 8.2 then put in an exception.

The "conditional" to check its presence before trying to remove it would be good, but no rush on it!

Cheers,

Andrew Hamilton MEngSc. (Elec.), Grad Dip. PM, BE (Comp.)


HarryHarcourt commented 4 years ago

Hi Andrew, would you like to share your condition? Best, Ben

ahamilto156 commented 4 years ago

G'day Ben,

Seems to be an issue with EL8.2, the CIS Benchmark role didn't fail before that update. The CIS role tries to remove xorg-x11* but fails because the dependency linux-firmware is also to be removed. The workaround is to exclude test 2.2.2 on systems that have this issue.

NOTE: This failure also happens when you try to remove xorg-x11* manually. So, it's definitely a RHEL 8.2 issue.

Bottom line: There are legitimate reasons to exclude a hardening task from a host - provided other mitigations are in place there shouldn't be any problems.

I have put a condition in my play that if it's RHEL8.2+, then I exclude 2.2.2. I've put the "+" in there in anticipation of the bug carrying through to RHEL8.3, but may need to modify the play in the near future! I've done a quick bugzilla.redhat.com search and can't find a bug for it.

Haven't tried it on Fedora as in the middle of something, and don't want to try to remove xorg-x11*, in case something else breaks on it. Besides, I would have to update to 32 first... 🤓 And even though it should be done on a VM, I don't have any spare IT resources ATM!

Cheers,

Andrew Hamilton MEngSc. (Elec.), Grad Dip. PM, BE (Comp.)


HarryHarcourt commented 4 years ago

Have you tried blocks before? This may prove an easier path. https://docs.ansible.com/ansible/latest/user_guide/playbooks_blocks.html

ahamilto156 commented 4 years ago

Yeah, have them in my playbook. It's how I circumvented the problem. Basically I have a block for [when] RHEL 8 then narrow it down to [when] 8.1- and 8.2+

Thx for the tip,

Andrew Hamilton


HarryHarcourt commented 4 years ago

Do you think you could commit back into this effort? Best Ben

ahamilto156 commented 4 years ago

Just hit a bug in my hardening.yml, so when I figure it out, I will commit...

Cheers,

Andrew


ahamilto156 commented 4 years ago

Ben,

I don't wish to modify the role as it works perfectly. However, I have written a hardening.yml script to import the role. It just adds exceptions, and the default is changed if RHEL 8.2+:

tasks:

NOTE: The default cis_level_1_exclusions as defined in the hosts files are ['1.2.3','1.3.1','1.8','2.2.7','3.4.1','3.4.2','3.4.3','3.4.4','3.4.5','4.1.3','5.4.1.1','5.3.2'], so the additional exclusion is 2.2.2.

Cheers,

Andrew Hamilton

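A wrapper play of the kind Andrew describes (blocks gated on the RHEL version, the role imported with an extended exclusion list), written here as an added example; it is not Andrew's hardening.yml, whose contents did not survive in the thread. It assumes the role is installed under the name Ansible-RHEL8-CIS-Benchmarks and honours cis_level_1_exclusions as described above; the inventory group rhel8 is a placeholder. The baseline exclusion list is the one quoted in the comment, with 2.2.2 appended only on 8.2 and later.

```yaml
# Added example, not Andrew's hardening.yml. Import the role with
# cis_level_1_exclusions extended by 2.2.2 on RHEL 8.2 and later.
# Assumptions: role name Ansible-RHEL8-CIS-Benchmarks, inventory group rhel8,
# and that the role reads cis_level_1_exclusions as the thread describes.
- name: CIS hardening for RHEL 8 with a version-gated exclusion for 2.2.2
  hosts: rhel8
  become: true
  vars:
    # Baseline list quoted in the thread; 2.2.2 is appended per host below.
    cis_level_1_exclusions:
      - '1.2.3'
      - '1.3.1'
      - '1.8'
      - '2.2.7'
      - '3.4.1'
      - '3.4.2'
      - '3.4.3'
      - '3.4.4'
      - '3.4.5'
      - '4.1.3'
      - '5.4.1.1'
      - '5.3.2'
  tasks:
    - name: RHEL 8 hardening
      when:
        - ansible_facts['distribution'] == 'RedHat'
        - ansible_facts['distribution_major_version'] == '8'
      block:
        - name: On 8.2 and later, exclude 2.2.2 (xorg-x11* removal drags in linux-firmware)
          ansible.builtin.set_fact:
            cis_level_1_exclusions: "{{ cis_level_1_exclusions + ['2.2.2'] }}"
          # set_fact outranks play vars, so the role sees the extended list.
          when: ansible_facts['distribution_version'] is version('8.2', '>=')

        - name: Show the exclusions that apply to this host
          ansible.builtin.debug:
            var: cis_level_1_exclusions

        - name: Apply the CIS role with the per-host exclusion list
          ansible.builtin.include_role:
            name: Ansible-RHEL8-CIS-Benchmarks
```

Run it with the usual `ansible-playbook hardening.yml` against an inventory that defines the group. Because the exclusion leaves X11 packages in place on those hosts, it is worth recording the reason alongside the exception number the role's cis_xwindows_install convention already provides for, so the gap shows up in later compliance reporting rather than silently passing.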

brantleyp1 commented 3 years ago

I fumbled my way through it and found that, of the list of xorg-x11 packages, it was unhappy if I ran `yum remove xorg-x11-drv`, but all the other packages were OK. So I edited my defaults/main.yaml to `cis_xwindows_install: { package: "xorg-x11-docs,xorg-x11-drivers,xorg-x11-proto,xorg-x11-server,xorg-x11-utils,xorg-x11-x", state: absent, exception: 123 }` and it was happy. Not sure if that's the best way to go about it, but it allows for keeping the x11 fonts while removing all the other parts.

Oddly though, when I broke out the list of xorg-x11-drv* and ran each package of that individually, it never tried to remove linux-firmware.