ansible-lockdown / RHEL9-CIS

Ansible role for Red Hat 9 CIS Baseline
https://ansible-lockdown.readthedocs.io
MIT License

Audit fails with syntax error on ARM64 #77

Open lucab85 opened 11 months ago

lucab85 commented 11 months ago

Describe the Issue: The CIS audit fails with a syntax error on a fresh RHEL 9.2 machine on ARM64 architecture.

Expected Behavior: I expect the audit result of the CIS benchmark.

Actual Behavior:

TASK [RHEL9-CIS : Pre Audit | Capture pre-audit result] *********************************
fatal: [rhel.example.com]: FAILED! => {"msg": "the field 'args' has an invalid value ({'pre_audit_summary': '{{ pre_audit.stdout | from_json | json_query(summary) }}'}), and could not be converted to an dict.The error was: Expecting value: line 1 column 1 (char 0)\n\nThe error appears to be in '/Users/lberton/.ansible/roles/RHEL9-CIS/tasks/pre_remediation_audit.yml': line 90, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: Pre Audit | Capture pre-audit result\n    ^ here\n"}

Control(s) Affected What controls are being affected by the issue

Environment (please complete the following information):

Additional Notes

audit.yml Playbook

---
- name: RHEL9 CIS Audit
  hosts: all
  become: true
  roles:
    - name: "RHEL9-CIS"
      vars:
        setup_audit: true
        run_audit: true

host:

$ cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="9.2 (Plow)"

Possible Solution: Fix the syntax error in pre_remediation_audit.yml

lucab85 commented 11 months ago

Workaround Playbook:

---
- name: RHEL9 CIS Audit
  hosts: all
  become: true
  roles:
    - name: "RHEL9-CIS"
      vars:
        setup_audit: true
        run_audit: true
        goss_url: https://github.com/goss-org/goss/releases/download/v0.3.23/goss-linux-arm64
        goss_version:
          release: v0.3.23
          checksum: 'sha256:7b0794fa590857e7d64ef436e1a100ca26f6039f269a6138009aa837d27d7f9e'
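The workaround above hard-codes the arm64 asset. An added example (not part of the RHEL9-CIS role or this thread) that picks the goss asset from the host's architecture and refuses to run on an unmapped one, so a wrong-architecture binary never gets as far as the from_json step; the amd64 checksum is a placeholder to fill in from the goss release page, and goss_arch_map and goss_checksums are names assumed here:

```yaml
---
# Added example: architecture-aware goss selection for the RHEL9-CIS role.
- name: RHEL9 CIS Audit (architecture-aware goss download)
  hosts: all
  become: true
  vars:
    goss_release: v0.3.23
    # Map the ansible_architecture fact to the goss release asset suffix.
    goss_arch_map:
      x86_64: amd64
      aarch64: arm64
    goss_arch: "{{ goss_arch_map[ansible_architecture] }}"
    # The arm64 checksum is the one from the workaround in this issue; the
    # amd64 value is a placeholder to be replaced from the goss release page.
    goss_checksums:
      arm64: 'sha256:7b0794fa590857e7d64ef436e1a100ca26f6039f269a6138009aa837d27d7f9e'
      amd64: 'sha256:REPLACE_WITH_CHECKSUM_FROM_GOSS_RELEASE_PAGE'
  pre_tasks:
    # Fail early with a readable message instead of letting the role download
    # a binary that cannot execute on this host.
    - name: Refuse to continue on an architecture without a known goss binary
      ansible.builtin.assert:
        that: ansible_architecture in goss_arch_map
        fail_msg: "No goss binary mapping for {{ ansible_architecture }}"
  roles:
    - role: RHEL9-CIS
      vars:
        setup_audit: true
        run_audit: true
        goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_release }}/goss-linux-{{ goss_arch }}"
        goss_version:
          release: "{{ goss_release }}"
          checksum: "{{ goss_checksums[goss_arch] }}"
```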
uk-bolly commented 11 months ago

hi @lucab85

Thank you for taking the time to raise this issue and highlight the problem you are having. That is indeed a great catch, as these benchmarks are only written in the way they are provided against an x86 system. This is a definite improvement with more users moving to ARM-based chips with both Mac and Pi systems. I will add this to make the goss binary work, although I feel there could be other inconsistencies, especially with auditd.

One to be added to the roadmap for enhancements.

many thanks

uk-bolly

lopf commented 8 months ago

We're getting the same error in an x86_64 Rocky Linux 9.2 build. So far we've not figured out what changed since it was last successful in early Sept 2023.

Versions:
python version = 3.11.2
ansible [core 2.14.2] (ansible-7.2.0-1 package)
goss version v0.3.21 (also tried with 0.3.23: "OK - Goss is installed and version is ok (0.3.23 >= 0.3.21)")