ansible-lockdown / UBUNTU22-CIS

Ansible role for Ubuntu22 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License
181 stars 80 forks

Task 4.2.3 fails if a log file vanishes #90

Open ps-spb opened 1 year ago

ps-spb commented 1 year ago

Describe the Issue If, during a run, a logfile is configured to keep, say, X histories but is uniquely named (e.g. sessionlauncher.log.2023-09-21-14-19) and that log file vanishes, then the task will fail.

Expected Behavior Task ignores the fact a file no longer exists and carries on with the next file.

Actual Behavior A clear and concise description of what's happening.

Control(s) Affected 4.2.3

Environment (please complete the following information):

Additional Details: We are targeting the AWS WorkSpaces Ubuntu offering.

Additional Notes Sample error message:

failed: [localhost] (item=/var/log/dcv/sessionlauncher.log.2023-09-21-14-19) => {"ansible_loop_var": "item", "changed": false, "item": {"atime": 1695305339.6007233, "ctime": 1695305972.2894833, "dev": 66307, "gid": 999, "gr_name": "dcv", "inode": 1047182, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "mode": "0640", "mtime": 1695305927.553581, "nlink": 1, "path": "/var/log/dcv/sessionlauncher.log.2023-09-21-14-19", "pw_name": "root", "rgrp": true, "roth": false, "rusr": true, "size": 1556, "uid": 0, "wgrp": false, "woth": false, "wusr": true, "xgrp": false, "xoth": false, "xusr": false}, "msg": "file (/var/log/dcv/sessionlauncher.log.2023-09-21-14-19) is absent, cannot continue", "path": "/var/log/dcv/sessionlauncher.log.2023-09-21-14-19", "state": "absent"}
failed: [localhost] (item=/var/log/dcv/agent.console.log.2023-09-21-14-19) => {"ansible_loop_var": "item", "changed": false, "item": {"atime": 1695305344.936731, "ctime": 1695305972.1291497, "dev": 66307, "gid": 999, "gr_name": "dcv", "inode": 1047899, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "mode": "0640", "mtime": 1695305375.0647857, "nlink": 1, "path": "/var/log/dcv/agent.console.log.2023-09-21-14-19", "pw_name": "gdm", "rgrp": true, "roth": false, "rusr": true, "size": 58456, "uid": 133, "wgrp": false, "woth": false, "wusr": true, "xgrp": false, "xoth": false, "xusr": false}, "msg": "file (/var/log/dcv/agent.console.log.2023-09-21-14-19) is absent, cannot continue", "path": "/var/log/dcv/agent.console.log.2023-09-21-14-19", "state": "absent"}
failed: [localhost] (item=/var/log/dcv/agentlauncher.simon.baker.log.2023-09-21-14-23) => {"ansible_loop_var": "item", "changed": false, "item": {"atime": 1695305378.6407952, "ctime": 1695306196.3926826, "dev": 66307, "gid": 999, "gr_name": "dcv", "inode": 1048048, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "mode": "0640", "mtime": 1695305927.7215812, "nlink": 1, "path": "/var/log/dcv/agentlauncher.simon.baker.log.2023-09-21-14-23", "pw_name": "simon.baker", "rgrp": true, "roth": false, "rusr": true, "size": 2842, "uid": 891801367, "wgrp": false, "woth": false, "wusr": true, "xgrp": false, "xoth": false, "xusr": false}, "msg": "file (/var/log/dcv/agentlauncher.simon.baker.log.2023-09-21-14-23) is absent, cannot continue", "path": "/var/log/dcv/agentlauncher.simon.baker.log.2023-09-21-14-23", "state": "absent"}

Possible Solution Task ignores errors? This feels a little brittle...

Atamido commented 1 month ago

I'm running into the same issue. I've found one quick fix which significantly reduces the likelihood of the issue occurring, and then another more elaborate solution which fully covers the issue.

The quick fix is to modify the when statement in https://github.com/ansible-lockdown/UBUNTU22-CIS/blob/devel/tasks/section_4/cis_4.2.3.yml from:

    when:
        - item.path != "/var/log/btmp"
        - item.path != "/var/log/utmp"
        - item.path != "/var/log/wtmp"

to:

    when:
        - item.path != "/var/log/btmp"
        - item.path != "/var/log/utmp"
        - item.path != "/var/log/wtmp"
        - item.mode != "0640"
        - item.mode != "0600"

This prevents ansible.builtin.file from trying to run on a log file where the permissions are already correct. As most log files seem to have the correct permissions by default, this resolves the issue for most situations.

The second solution was to create a separate file with a block/rescue which would be used to set the permissions. In the same cis_4.2.3.yml file as before, change:

  - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions"
    ansible.builtin.file:
        path: "{{ item.path }}"
        mode: '0640'
    loop: "{{ logfiles.files }}"

to:

  - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions"
    ansible.builtin.include_tasks: set_perms.yml
    vars:
        perm_mode: '0640'    # must match the variable name used in set_perms.yml
    loop: "{{ logfiles.files }}"

And the set_perms.yml file:

  - block:
        - ansible.builtin.file:
            path: "{{ item.path }}"
            mode: "{{ perm_mode }}"
    rescue:
        # The file module aborts if the path is gone; confirm it still exists
        # and only retry (and fail) if it does.
        - name: Confirm file still exists
          ansible.builtin.stat:
            path: "{{ item.path }}"
          register: perm_file_check

        - ansible.builtin.file:
            path: "{{ item.path }}"
            mode: "{{ perm_mode }}"
          when: perm_file_check.stat.exists

uk-bolly commented 2 weeks ago

hi @ps-spb and @Atamido

Apologies for the delay in resolving this one. This has been a great issue; we have found a solution that appears to work well for most scenarios. I have now added this to a new PR. Thank you for taking the time to raise this and for your patience.

kindest regards

uk-bolly

Atamido commented 2 weeks ago

Thanks for this, it's a good solution.

I'd still like to see the when check existing permissions as it'll currently loosen a 0600 to 0640. Something like:

when:
    - item.path != "/var/log/btmp"
    - item.path != "/var/log/utmp"
    - item.path != "/var/log/wtmp"
    - item.mode > "0640" or item.mode < "0640" and item.mode > "0600"
uk-bolly commented 2 weeks ago

hi @Atamido

I believe this should be resolved in this PR also; I have changed the mode from octal format to symbolic, e.g.

u-x,g-wx,o-rwx

This should allow more restricted files to stay as they are.

Kindest regards

uk-bolly

Atamido commented 2 weeks ago

That PR changes the mode format for 4.1.4.3, which is audit log files. But 4.2.3 still uses the octal format. I think if 4.2.3 were changed to also use symbolic, that would be an improvement.
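The two points the thread converges on (skip a log file that has vanished between discovery and chmod instead of aborting the run, and use a symbolic mode such as u-x,g-wx,o-rwx so an already-stricter 0600 file is not loosened to 0640) can be checked outside Ansible. The following POSIX shell script is an added example written for this page; it is not code from the UBUNTU22-CIS role or from any commenter. The function names harden_logfile_perms, file_mode and demo_symbolic_mode are assumptions of the example, and the btmp/utmp/wtmp exclusion mirrors the role's when clause quoted above. It assumes GNU stat (with BSD stat as a fallback) and creates its own temporary files, so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the UBUNTU22-CIS role: apply the symbolic mode
# discussed in the thread to a list of log files without failing the whole
# run when one of them has disappeared since it was discovered.

# Print a file's permission bits as octal (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# harden_logfile_perms PATH...
# For each path: skip btmp/utmp/wtmp (covered by other controls in the role),
# skip paths that no longer exist, otherwise remove owner-execute, group
# write/execute and all "other" bits. A symbolic mode only clears bits, so
# 0600 stays 0600 while 0644 / 0777 become 0640. Returns 1 only if chmod
# fails on a file that is still present.
harden_logfile_perms() {
    rc=0
    for f in "$@"; do
        case "$f" in
            */btmp|*/utmp|*/wtmp) continue ;;
        esac
        if [ ! -e "$f" ]; then
            echo "skip: $f is absent (rotated or removed since discovery)" >&2
            continue
        fi
        if ! chmod u-x,g-wx,o-rwx "$f" 2>/dev/null; then
            # Same idea as the block/rescue approach above: a failure only
            # counts if the file is still there; a file that vanished between
            # the existence check and chmod is just skipped.
            if [ -e "$f" ]; then
                echo "error: could not chmod $f" >&2
                rc=1
            else
                echo "skip: $f vanished during run" >&2
            fi
        fi
    done
    return "$rc"
}

# Self-contained demonstration on constructed files in a temp directory,
# including one path that never existed.
demo_symbolic_mode() {
    tmp=$(mktemp -d)
    for m in 600 644 777 660 710; do
        : > "$tmp/log.$m"
        chmod "$m" "$tmp/log.$m"
    done
    harden_logfile_perms "$tmp"/log.* "$tmp/log.vanished"
    for m in 600 644 777 660 710; do
        printf '%s -> %s\n' "$m" "$(file_mode "$tmp/log.$m")"
    done
    rm -rf "$tmp"
}
```

Running demo_symbolic_mode prints 600 -> 600, 644 -> 640, 777 -> 640, 660 -> 640 and 710 -> 600, which is exactly the "more restricted files stay as they are" behaviour the symbolic mode gives and a fixed mode: '0640' does not. The existence check before chmod is still racy, which is why the script also treats a chmod failure on a now-missing file as a skip rather than an error.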