akondrahman / IaCTesting

Placeholder for the research study related to IaC testing anti-patterns

Mishandled privilege escalation #3

Closed Talismanic closed 4 years ago

Talismanic commented 4 years ago

In the categ_ansible_test_code.txt file there are some sudo usages which are candidates for "Mishandled privilege escalation". However, I have not considered this part as an anti-pattern.

shell: "sudo journalctl -u {{ item }}.service | tee {{ zuul_output_dir }}/logs/logs/{{ inventory_hostname }}/var/log/journal/{{ item }}.service.log"

Reason because:

akondrahman commented 4 years ago

I understand. Can we know the Ansible version automatically?

Talismanic commented 4 years ago

  1. Ansible version can be determined from Ansible playbook through some command or OS.
  2. Till now I could not find any way to determine Ansible version from the code base.

akondrahman commented 4 years ago

OK. In that case we cannot consider wrong version as an anti-pattern. How many anti-patterns have we found so far for Ansible?

Talismanic commented 4 years ago

So far I have found:

  1. Assertion Roulette
  2. External Dependency
  3. Privilege Escalation
  4. Local Testing

akondrahman commented 4 years ago

My gut feeling is there might be 1/2 more ... maybe sth. related to Python testing as we will not skip Python altogether?

Talismanic commented 4 years ago

I am closing this issue and taking the category to #1
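An added example, not code from the IaCTesting repository or from either commenter: a line-based scan that finds the kind of candidate discussed in this thread, a `sudo` call inside a `shell`, `command` or `raw` task string, and records whether the same task also sets Ansible's `become` keyword. The function name, the heuristic and the second and third sample tasks are assumptions made for illustration; only the first sample task comes from the issue.

```python
import re

# Constructed sample. Task 1 is the line quoted in the issue; tasks 2 and 3
# are hypothetical and use Ansible's `become` keyword.
SAMPLE = '''\
- name: collect journal logs
  shell: "sudo journalctl -u {{ item }}.service | tee {{ zuul_output_dir }}/logs/logs/{{ inventory_hostname }}/var/log/journal/{{ item }}.service.log"

- name: collect journal logs via become
  become: true
  shell: "journalctl -u {{ item }}.service"

- name: restart helper
  become: yes
  shell: |
    set -e
    sudo systemctl restart helper
'''

TASK_START = re.compile(r'^(\s*)-\s+\S')
ANY_KEY = re.compile(r'^\s*(?:-\s+)?([\w.]+):(?:\s+(.*))?$')
CMD_MODULES = {'shell', 'command', 'raw'}
SUDO_WORD = re.compile(r'(?:^|[\s;|&("\'`])sudo(?=\s|$)')  # skips e.g. "pseudo"


def find_sudo_tasks(text):
    """Flag tasks whose shell/command/raw text calls sudo (heuristic, not a YAML parser)."""
    findings, task, in_cmd = [], None, False
    for lineno, line in enumerate(text.splitlines(), 1):
        start = TASK_START.match(line)
        # A dash at the same or a shallower indent opens the next task;
        # deeper dashes (list values, tasks nested in a block) stay with it.
        if start and (task is None or len(start.group(1)) <= task['indent']):
            task = {'line': lineno, 'indent': len(start.group(1)), 'sudo': False, 'become': False}
            in_cmd = False
        if task is None:
            continue
        key = ANY_KEY.match(line)
        if key:
            name = key.group(1).rsplit('.', 1)[-1]  # ansible.builtin.shell -> shell
            value = key.group(2) or ''
            in_cmd = name in CMD_MODULES
            if name == 'become':
                task['become'] = value.strip('"\'').lower() in ('true', 'yes')
        else:
            value = line  # continuation line, e.g. inside a `shell: |` block
        if in_cmd and not task['sudo'] and SUDO_WORD.search(value):
            task['sudo'] = True
            findings.append(task)
    return findings
```

Each finding carries the task's starting line and its `become` state, so a reviewer can separate tasks that escalate only through the command string from tasks that set `become` and still call `sudo`.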