ansible-lockdown / RHEL7-CIS

Ansible role for Red Hat 7 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License
472 stars 303 forks

Unsupported parameters for (ansible.legacy.command) module: warn. #315

Closed dankxylese closed 1 year ago

dankxylese commented 1 year ago

Describe the Issue: The warn parameter for shell and command modules was deprecated in Ansible 2.11 and removed in Ansible 2.14, and so is throwing up errors when trying to run CIS for RHEL7 on the latest ansible version.

Expected Behavior: CIS hardening runs without errors.

Actual Behavior: Ansible fails and ends prematurely:

amazon-ebs.this: TASK [rhel7_cis : 1.2.2 | AUDIT | Ensure package manager repositories are configured] ***
amazon-ebs.this: fatal: [default]: FAILED! => {"changed": false, "msg": "Unsupported parameters for (ansible.legacy.command) module: warn. Supported parameters include: _raw_params, _uses_shell, argv, chdir, creates, executable, removes, stdin, stdin_add_newline, strip_empty_ends."}

Control(s) Affected: https://github.com/ansible-lockdown/RHEL7-CIS/blob/be787735006586749da9203df935220beb9efeed/tasks/section_1/cis_1.2.x.yml#L24

https://github.com/ansible-lockdown/RHEL7-CIS/blob/be787735006586749da9203df935220beb9efeed/tasks/section_6/cis_6.2.x.yml#L9

https://github.com/ansible-lockdown/RHEL7-CIS/blob/be787735006586749da9203df935220beb9efeed/tasks/section_1/cis_1.1.x.yml#L337

https://github.com/ansible-lockdown/RHEL7-CIS/blob/be787735006586749da9203df935220beb9efeed/tasks/check_prereqs.yml#L22

Multiple instances in the following: https://github.com/ansible-lockdown/RHEL7-CIS/blob/be787735006586749da9203df935220beb9efeed/handlers/main.yml#L29

Environment:

Possible Solution: Remove "warn" argument in all places it is used, like it was done with RHEL8 CIS at the start of 2023 (issue).
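A line-based check for the pattern this issue describes, added here as an example (it is not code from the RHEL7-CIS role): it lists every `warn` argument attached to a `command` or `shell` task, whether under `args:` or inline as `warn=...`, and ignores unrelated keys that happen to be named `warn`. The sample tasks are constructed; only the first task name comes from the error output above.

```python
import re

# Short and fully qualified names of the modules that lost the `warn` argument.
MODULES = {p + m for p in ("", "ansible.builtin.", "ansible.legacy.")
           for m in ("command", "shell")}
KEY = re.compile(r"^(\s*)(- )?([\w.]+):\s*(.*)$")

# Constructed sample; only the first task name comes from the error in the issue.
SAMPLE = """\
- name: "1.2.2 | AUDIT | Ensure package manager repositories are configured"
  command: yum repolist
  args:
      warn: false
- name: "constructed | unrelated variable named warn"
  debug: {msg: "ok"}
  vars:
      warn: true
- name: "constructed | free-form argument"
  ansible.builtin.shell: rpm -qa warn=no
"""

def find_warn_args(text):
    """Return [(line_no, task_name)] for each `warn` passed to a command/shell task."""
    tasks = []
    for no, line in enumerate(text.splitlines(), 1):
        m = KEY.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(3), m.group(4)
        if m.group(2):  # a "- key:" line opens a new task
            tasks.append({"name": "", "cmd": False, "warn": [], "args": None})
        if not tasks:
            continue
        task = tasks[-1]
        if key == "name" and not task["name"]:
            task["name"] = value.strip("\"'")
        elif key in MODULES:
            task["cmd"] = True
            if re.search(r"\bwarn=\S+", value):  # free-form: shell: cmd warn=no
                task["warn"].append(no)
        elif key == "args":
            task["args"] = indent
        elif task["args"] is not None and indent <= task["args"]:
            task["args"] = None  # dedent: left the args block
        elif key == "warn" and task["args"] is not None:
            task["warn"].append(no)
    return [(no, t["name"]) for t in tasks if t["cmd"] for no in t["warn"]]
```

Call `find_warn_args()` on the text of each file under `tasks/` and `handlers/`; it is a heuristic that does not parse YAML, so review each hit before removing the argument.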

I-am-MoS commented 1 year ago

I was just about to raise this bug myself, thanks. Even though we are not building any new servers with rhel7, we like to keep the code similar for all OSes and keep a copy of a server for GoldenImage means just in case an odd need arises.

dankxylese commented 1 year ago

We are still using 7.9 for the next half a year. Came across this when testing with updated tools, such as ansible in this case. Would be great to get a new release so we can use the latest ansible, as 7.9 is still supported until summer 2024.

uk-bolly commented 1 year ago

Hi @dankxylese

Thank you for taking the time to raise the issue and providing such a clear solution. I have now added this to a new PR which I hope will be approved this week into devel. This can then be merged to the main and a new release made.

Many thanks once again

uk-bolly