ansible-lockdown / RHEL7-STIG

Ansible role for Red Hat 7 STIG Baseline
MIT License

All modules using validate must use an absolute path to the executable - i.e. sshd tasks #31

Closed average-joe closed 6 years ago

average-joe commented 7 years ago

While running CAT1 patches, certain ssh tasks keep failing. Specifically, RHEL-07-010300 & RHEL-07-040390, however RHEL-07-040710 does complete.

These are the results of running each STIG:

RHEL-07-010300

TASK [MindPointGroup.RHEL7-STIG : HIGH | RHEL-07-010300 | PATCH | The SSH daemon must not allow authentication using an empty password.] 
fatal: [lab-system]: FAILED! => {"changed": false, "cmd": "sshd -tf /tmp/tmppYXE_o", "failed": true, "msg": "[Errno 2] No such file or directory", "rc": 2}

RHEL-07-040390

TASK [MindPointGroup.RHEL7-STIG : HIGH | RHEL-07-040390 | PATCH | The SSH daemon must be configured to only use the SSHv2 protocol.] 
fatal: [lab-system]: FAILED! => {"changed": false, "cmd": "sshd -t -f /tmp/tmpR2L_QS", "failed": true, "msg": "[Errno 2] No such file or directory", "rc": 2}

RHEL-07-040710

TASK [MindPointGroup.RHEL7-STIG : HIGH | RHEL-07-040710 | PATCH | Remote X connections for interactive users must be encrypted.] 
ok: [lab-system]

The validate line appears to be the issue. Has this been reproduced by anyone? I've attempted this on multiple machines with the same result.

shepdelacreme commented 7 years ago

Can you share your ansible --version and how you are executing the role? I'll see if I can replicate. Also is this against a RHEL or CentOS end host?

average-joe commented 7 years ago

Here's what I have:

Ansible version

ansible 2.3.1.0
python version = 2.7.13 (default, Apr 20 2017, 12:13:37) [GCC 6.3.0]

Below is my command line executing the role: ansible-playbook playbooks/stigs.yml -l "hostname"

I'm running on a CentOS 7.

shepdelacreme commented 7 years ago

@average-joe Thanks! I'll take a look. Can I assume playbooks/stigs.yml is just basic like so?


- hosts: all
  become: yes
  become_method: sudo

  roles:
    - MindPointGroup.RHEL7-STIG

average-joe commented 7 years ago

@shepdelacreme you're correct.

shepdelacreme commented 7 years ago

Hmm I can't seem to replicate this. I was testing against RHEL7 and CentOS 7 with vagrant. I tried Ansible 2.3.1.0 and 2.4.0.0 installed via pip.

What version of the role do you have installed? If you run: ansible-galaxy list it should give you output like so: - MindPointGroup.RHEL7-STIG, 0.1.3

average-joe commented 7 years ago

I'm running:

- src: MindPointGroup.RHEL7-STIG
  version: 0.1.3

I can't seem to understand why it's trying to search for the file in /tmp either.

shepdelacreme commented 7 years ago

Ok...same version as the one I'm running.

The process for the lineinfile module is as follows: it makes the change in a temporary file, runs the validate command, and then moves the file into place. So it makes sense that it is pointing at a temporary location...however I didn't think it pointed at /tmp by default...I thought it usually used a temp folder in the user's homedir, i.e. /root/.ansible/tmp/tempfile or some such.

Can you run the playbook with the verbosity turned up and provide the output? ie ansible-playbook playbooks/stigs.yml -l "hostname" -vvv

Also can you verify that the dir /tmp is readable and what not on the remote system?

dsmorse commented 7 years ago

On a minimal CentOS 7.4 there is nothing in /etc/ssh; the files typically get installed by something. Can @average-joe confirm whether there are files in /etc/ssh? Maybe lineinfile is not gracefully handling the absence of the ssh_config file.

average-joe commented 7 years ago

For @dsmorse: I can confirm there are files in the /etc/ssh/ directory.

/etc/ssh/
-rw-r--r--. 1 root root     242153 Apr 12 14:05 moduli
-rw-r--r--. 1 root root       2398 Sep  5 18:02 ssh_config
-rw-------. 1 root root       4579 Sep 20 21:43 sshd_config
-rw-r-----. 1 root ssh_keys    227 Sep  5 16:42 ssh_host_ecdsa_key
-rw-r--r--. 1 root root        162 Sep  5 16:42 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys    387 Sep  5 17:44 ssh_host_ed25519_key
-rw-r--r--. 1 root root         82 Sep  5 17:44 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys   1679 Sep  5 16:42 ssh_host_rsa_key
-rw-r--r--. 1 root root        382 Sep  5 16:42 ssh_host_rsa_key.pub

I'd also be surprised if there were no files in this directory after a min install. Without a default sshd_config file I wouldn't be able to ssh into the system in the first place.

For @shepdelacreme, my /tmp directory is as follows: drwxrwxrwt. 11 root root 4096 Sep 21 04:06 tmp

When running RHEL-07-010300 specifically in verbose, I get the following:

TASK [MindPointGroup.RHEL7-STIG : HIGH | RHEL-07-010300 | PATCH | The SSH daemon must not allow authentication using an empty password.] ****************************************************************************************************
task path: /ansible/roles/MindPointGroup.RHEL7-STIG/tasks/fix-cat1.yml:58
Using module file /usr/lib/python2.7/site-packages/ansible/modules/files/lineinfile.py
<192.168.50.119> ESTABLISH SSH CONNECTION FOR USER: ansible
<192.168.50.119> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/6ba8797a74 192.168.50.119 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<192.168.50.119> (0, '/home/ansible\n', '')
<192.168.50.119> ESTABLISH SSH CONNECTION FOR USER: ansible
<192.168.50.119> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/6ba8797a74 192.168.50.119 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /home/ansible/.ansible/tmp/ansible-tmp-1505997576.0-155538587751956 `" && echo ansible-tmp-1505997576.0-155538587751956="` echo /home/ansible/.ansible/tmp/ansible-tmp-1505997576.0-155538587751956 `" ) && sleep 0'"'"''
<192.168.50.119> (0, 'ansible-tmp-1505997576.0-155538587751956=/home/ansible/.ansible/tmp/ansible-tmp-1505997576.0-155538587751956\n', '')
<192.168.50.119> PUT /tmp/tmpaKXQP2 TO /home/ansible/.ansible/tmp/ansible-tmp-1505997576.0-155538587751956/lineinfile.py
<192.168.50.119> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/6ba8797a74 '[192.168.50.119]'
<192.168.50.119> (0, 'sftp> put /tmp/tmpaKXQP2 /home/ansible/.ansible/tmp/ansible-tmp-1505997576.0-155538587751956/lineinfile.py\n', '')
<192.168.50.119> ESTABLISH SSH CONNECTION FOR USER: ansible
<192.168.50.119> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/6ba8797a74 192.168.50.119 '/bin/sh -c '"'"'chmod u+x /home/ansible/.ansible/tmp/ansible-tmp-1505997576.0-155538587751956/ /home/ansible/.ansible/tmp/ansible-tmp-1505997576.0-155538587751956/lineinfile.py && sleep 0'"'"''
<192.168.50.119> (0, '', '')
<192.168.50.119> ESTABLISH SSH CONNECTION FOR USER: ansible
<192.168.50.119> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/6ba8797a74 -tt 192.168.50.119 '/bin/sh -c '"'"'su  root -c '"'"'"'"'"'"'"'"'/bin/sh -c '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-grrcahlegbeuuicjunayimleubyyphjn; /usr/bin/python /home/ansible/.ansible/tmp/ansible-tmp-1505997576.0-155538587751956/lineinfile.py; rm -rf "/home/ansible/.ansible/tmp/ansible-tmp-1505997576.0-155538587751956/" > /dev/null 2>&1'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"''"'"'"'"'"'"'"'"' && sleep 0'"'"''
<192.168.50.119> (0, '\r\n\r\n{"msg": "[Errno 2] No such file or directory", "failed": true, "cmd": "sshd -tf /tmp/tmpmtWUhk", "rc": 2, "invocation": {"module_args": {"directory_mode": null, "force": null, "remote_src": null, "backrefs": false, "insertafter": null, "path": "/etc/ssh/sshd_config", "owner": null, "follow": false, "line": "PermitEmptyPasswords no", "group": null, "insertbefore": null, "unsafe_writes": null, "create": false, "state": "present", "content": null, "serole": null, "setype": null, "dest": "/etc/ssh/sshd_config", "selevel": null, "regexp": "^#?PermitEmptyPasswords", "validate": "sshd -tf %s", "src": null, "seuser": null, "delimiter": null, "mode": null, "attributes": null, "backup": false}}}\r\n', 'Shared connection to 192.168.50.119 closed.\r\n')
fatal: [lab-system.rogue]: FAILED! => {
    "changed": false,
    "cmd": "sshd -tf /tmp/tmpmtWUhk",
    "failed": true,
    "invocation": {
        "module_args": {
            "attributes": null,
            "backrefs": false,
            "backup": false,
            "content": null,
            "create": false,
            "delimiter": null,
            "dest": "/etc/ssh/sshd_config",
            "directory_mode": null,
            "follow": false,
            "force": null,
            "group": null,
            "insertafter": null,
            "insertbefore": null,
            "line": "PermitEmptyPasswords no",
            "mode": null,
            "owner": null,
            "path": "/etc/ssh/sshd_config",
            "regexp": "^#?PermitEmptyPasswords",
            "remote_src": null,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "state": "present",
            "unsafe_writes": null,
            "validate": "sshd -tf %s"
        }
    },
    "msg": "[Errno 2] No such file or directory",
    "rc": 2
}

Also, I'm running CentOS 7 w/ Kernel: Linux 3.10.0-514.26.2.el7.x86_64

shepdelacreme commented 7 years ago

I'm curious what your ansible.cfg looks like as well. If you run ansible --version it should produce output that says something like so: config file = /etc/ansible/ansible.cfg

Can you look at whatever file it returns to you and see if the remote_tmp is set? It should look like this: remote_tmp = ~/.ansible/tmp

Also how did you build this CentOS machine and what is it running on? I haven't been able to replicate this issue on any of the CentOS boxes I usually use for testing, i.e. Vagrant box, AWS instance, etc.

Last bit of info...how is /tmp mounted? Is it a separate partition that is listed in /etc/fstab, is it a tmpfs filesystem, are you using the systemd unit files for mounting /tmp?

average-joe commented 7 years ago

Here's what I had in /etc/ansible/ansible.cfg:

[defaults]
roles_path = ./roles/
retry_files_enabled = False
host_key_checking = False
forks = 50
callback_whitelist = slack

I added the line remote_tmp = ~/.ansible/tmp and tested it again...still no luck, with the same error message.

This CentOS is running as a VM on ESX 6.5 in a private lab. At present it is not a separate partition.

shepdelacreme commented 7 years ago

Ok I got a tip from the #ansible IRC channel. It may be a PATH issue: when running the validate command sshd -tf /tmp/asdas, the file not found error is actually referencing the sshd executable.

Can you update the RHEL-07-010300 task's validate command to use /usr/sbin/sshd and try again? It should look like the code below after the update.

- name: "HIGH | RHEL-07-010300 | PATCH | The SSH daemon must not allow authentication using an empty password."
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: ^#?PermitEmptyPasswords
      line: PermitEmptyPasswords no
      validate: /usr/sbin/sshd -tf %s
  notify: restart sshd
  when: rhel_07_010300
  tags:
      - cat1
      - high
      - patch
      - RHEL-07-010300
      - sshd
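
The edit/validate/move flow described earlier in this thread, and the reason an absolute path in validate fixes it, can be demonstrated without an sshd at hand. The following is an added example, not code from the ansible-lockdown role or from Ansible itself: a small re-implementation of the lineinfile flow (write the candidate to a temp file, run validate on it, move it into place only on success) plus a diagnostic that separates "argv[0] of the validate command was not found on the child's PATH", which is what the errno 2 in this issue meant, from "the temp file is missing". The names edit_with_validation, diagnose_validate_failure, validator_command, env_with_path and sample_config_path are my own, and the validator is a constructed Python one-liner standing in for sshd -t -f %s; the Python interpreter plays the part of sshd so that both the bare-name and absolute-path cases can be exercised.

```python
"""Added example (not code from the ansible-lockdown role or from Ansible): a small
re-implementation of the edit -> validate -> move flow the lineinfile module uses,
plus a diagnostic for the failure in this issue.  All function and constant names
here are illustrative, not Ansible API."""
import os
import re
import shlex
import shutil
import subprocess
import sys
import tempfile


def diagnose_validate_failure(validate, tmp_path, env):
    """Tell apart what an [Errno 2] from the validate step can mean: argv[0] of the
    validate command cannot be found (this issue) or the temp file is gone."""
    exe = shlex.split(validate % tmp_path)[0]
    if os.path.isabs(exe):
        exe_found = os.path.isfile(exe) and os.access(exe, os.X_OK)
    else:  # bare name: resolved against the child's PATH, exactly as "sshd" was
        exe_found = shutil.which(exe, path=env.get("PATH", "")) is not None
    if not exe_found:
        return "executable-not-found"
    if not os.path.exists(tmp_path):
        return "tempfile-not-found"
    return "other"


def edit_with_validation(dest, regexp, line, validate, env=None):
    """Ensure `line` is in `dest` (replace first `regexp` match, else append), but
    commit only if `validate % tmpfile` exits 0.  Returns an Ansible-style dict."""
    env = dict(os.environ) if env is None else dict(env)
    with open(dest) as fh:
        old_lines = fh.read().splitlines()
    pattern = re.compile(regexp)
    new_lines = list(old_lines)
    for i, existing in enumerate(new_lines):
        if pattern.search(existing):
            new_lines[i] = line
            break
    else:
        new_lines.append(line)
    if new_lines == old_lines:
        return {"changed": False, "failed": False, "rc": 0, "msg": "", "diagnosis": None}
    # As in lineinfile, the candidate is written with tempfile.mkstemp(): the
    # interpreter's default temp dir (normally /tmp), unrelated to remote_tmp.
    fd, tmp_path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(new_lines) + "\n")
    cmd = validate % tmp_path
    try:
        try:
            proc = subprocess.run(shlex.split(cmd), env=env, capture_output=True, text=True)
        except OSError as exc:
            # Ansible's run_command reports a launch failure as rc=errno, msg=str(exc):
            # ENOENT becomes rc 2 / "[Errno 2] No such file or directory" (about argv[0]).
            return {"changed": False, "failed": True, "rc": exc.errno, "msg": str(exc), "cmd": cmd,
                    "diagnosis": diagnose_validate_failure(validate, tmp_path, env)}
        if proc.returncode != 0:
            return {"changed": False, "failed": True, "rc": proc.returncode, "cmd": cmd,
                    "msg": "failed to validate: " + (proc.stderr or proc.stdout), "diagnosis": None}
        shutil.copymode(dest, tmp_path)  # keep the original mode (0600 on sshd_config)
        shutil.move(tmp_path, dest)
    finally:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
    return {"changed": True, "failed": False, "rc": 0, "msg": "", "diagnosis": None}


# Constructed stand-in for "sshd -t -f %s": exits 0 only if the candidate contains
# the hardened directive.  A real run would use sshd's own syntax check instead.
VALIDATOR_CHECK = ('import sys; sys.exit(0 if "PermitEmptyPasswords no" '
                   'in open(sys.argv[1]).read() else 1)')
ABSOLUTE_INTERPRETER = sys.executable                # plays the part of /usr/sbin/sshd
BARE_INTERPRETER = os.path.basename(sys.executable)  # plays the part of a bare "sshd"
INTERPRETER_DIR = os.path.dirname(sys.executable)    # plays the part of /usr/sbin


def validator_command(interpreter):
    """Validate template whose argv[0] is `interpreter` (absolute path or bare name)."""
    return "%s -c %s %%s" % (shlex.quote(interpreter), shlex.quote(VALIDATOR_CHECK))


def env_with_path(path):
    """Copy of the current environment with PATH replaced."""
    return dict(os.environ, PATH=path)


def sample_config_path():
    """Constructed sshd_config fragment in a fresh temp dir; returns its path."""
    path = os.path.join(tempfile.mkdtemp(), "sshd_config")
    with open(path, "w") as fh:
        fh.write("#PermitEmptyPasswords no\nPort 22\n")
    return path


if __name__ == "__main__":
    # Bare name with a PATH lacking its directory (this issue), then an absolute path (the fix).
    for interp, path in ((BARE_INTERPRETER, "/nonexistent-dir"), (ABSOLUTE_INTERPRETER, "")):
        print(edit_with_validation(sample_config_path(), r"^#?PermitEmptyPasswords",
                                   "PermitEmptyPasswords no", validator_command(interp), env_with_path(path)))
```

Two details the example mirrors deserve spelling out. First, lineinfile writes its candidate with tempfile.mkstemp(), so the path in the failing command is the interpreter's default temp dir (/tmp) no matter what remote_tmp is set to, which is why changing ansible.cfg made no difference. Second, Ansible's run_command turns an OSError raised while launching the validator into rc=errno and msg=str(exc), so a missing executable surfaces as rc 2 with a "No such file or directory" message that never says which file; under the Python 2.7 on the controller here the message carries no filename at all, which is what made the temp file look like the culprit (Python 3 appends the executable name). An absolute path in validate skips PATH lookup in the child entirely, which is why /usr/sbin/sshd worked where a bare sshd did not.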

average-joe commented 7 years ago

I've run every task associated with modifying the sshd_config file.

The following fail: RHEL-07-010300 RHEL-07-040390 RHEL-07-010050 RHEL-07-010460 RHEL-07-010470 RHEL-07-040110 RHEL-07-040320 RHEL-07-040330 RHEL-07-040340 RHEL-07-040350 RHEL-07-040360 RHEL-07-040370 RHEL-07-040380 RHEL-07-040400 RHEL-07-040430 RHEL-07-040440 RHEL-07-040450 RHEL-07-040460 RHEL-07-040470

The following succeed: RHEL-07-040710

Now here's the kicker. If I go into the sshd_config file and manually remove the # from the lines which need to be modified/enabled and set their values to the STIG value, it succeeds.

average-joe commented 7 years ago

@shepdelacreme I'll work on your request...will let you know.

average-joe commented 7 years ago

@shepdelacreme Success!

That completed successfully and changed the line to its STIG value.

shepdelacreme commented 7 years ago

Excellent! I'll mark this as a bug and get a PR with the fix in soon.

samdoran commented 7 years ago

@average-joe I'm curious why your PATH is missing /usr/sbin, though. Can you run sudo -l on your test machine? CentOS 7 has a pretty sane secure_path by default.

average-joe commented 7 years ago

@samdoran Sure, here are the results:

Matching Defaults entries for root on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
    LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User root may run the following commands on this host:
    (ALL) ALL

samdoran commented 7 years ago

That's really weird. Not sure why this isn't working without the full path. Oh well! Glad @shepdelacreme got your issue sorted.

shepdelacreme commented 6 years ago

Closing this issue