darkwizard242 / cis_ubuntu_2004

:computer: Ansible Role for applying CIS Benchmark for Ubuntu Linux 20.04 LTS (hardening).
https://galaxy.ansible.com/darkwizard242/cis_ubuntu_2004
MIT License

FAILED! => {"changed": false, "msg": "Unable to enable service systemd-timesyncd: Failed to enable unit: Unit file /etc/systemd/system/systemd-timesyncd.service is masked.\n"} #12

Closed tridev-cldcvr closed 2 years ago

tridev-cldcvr commented 2 years ago

I am running the Ansible playbook "playbook_with_custom_firewall_changes.yml" without making any changes on Google Compute Engine (ubuntu-2004-focal-v2021111), but when it reaches the task

TASK [darkwizard242.cis_ubuntu_2004 : 2.1.1.1 | Ensure time synchronization is in use (Automated) | Enable systemd-timesyncd if time synchronization is not systemd-timesyncd] ***

Ansible throws an error.

FAILED! => {"changed": false, "msg": "Unable to enable service systemd-timesyncd: Failed to enable unit: Unit file /etc/systemd/system/systemd-timesyncd.service is masked.\n"}

I tried updating the task by adding the lines below (basically trying to unmask before enabling it):

    systemd:
      name: "{{ ubuntu_2004_cis_section2_rule_2_1_1_1_params_timesyncd_service_name }}"
      state: started
      masked: no
    when:

but then it throws the error below (I think the masked: no parameter deletes the /etc/systemd/system/systemd-timesyncd.service file).

FAILED! => {"changed": false, "msg": "Unable to start service systemd-timesyncd: Failed to start systemd-timesyncd.service: Unit systemd-timesyncd.service not found.\n"}

ISSUE TYPE

ANSIBLE VERSION

    ansible 2.9.27
      config file = /etc/ansible/ansible.cfg
      configured module search path = [u'/home/xyz/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
      ansible python module location = /usr/lib/python2.7/dist-packages/ansible
      executable location = /usr/bin/ansible
      python version = 2.7.16 (default, Oct 10 2019, 22:02:15) [GCC 8.3.0]

STEPS TO REPRODUCE

  1. spin up the vm in GCP with ubuntu-2004-focal-v2021111
  2. ansible-galaxy install darkwizard242.cis_ubuntu_2004
  3. ansible-playbook playbook_with_custom_firewall_changes.yml

ACTUAL RESULTS

    googlecompute: TASK [darkwizard242.cis_ubuntu_2004 : 2.1.1.1 | Ensure time synchronization is in use (Automated) | Enable systemd-timesyncd if time synchronization is not systemd-timesyncd] ***
    googlecompute: fatal: [default]: FAILED! => {"changed": false, "msg": "Unable to enable service systemd-timesyncd: Failed to enable unit: Unit file /etc/systemd/system/systemd-timesyncd.service is masked.\n"}

tridev-cldcvr commented 2 years ago

It worked when I installed the systemd-timesyncd package by adding this task to the pre.yml file.

darkwizard242 commented 2 years ago

Hi @tridev-cldcvr - Glad you got it resolved.

While I do not use GCP, I do use AWS and utilize Canonical's Marketplace AMIs for Ubuntu. Typically, systemd-timesyncd is a package that comes pre-installed in the official Ubuntu 20.04 LTS Server images on Ubuntu's sites and/or on Canonical's official AMIs on AWS Marketplace.

It is likely that the image available for GCP may not have had systemd-timesyncd, which is an "edge" case (probable causes can be that the image is utilizing a different time synchronization utility, which could be based on the requirements of the GCP image provider for that image).

darkwizard242 commented 2 years ago

@tridev-cldcvr - closing this as no change required.
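
The two errors in this thread are consistent with a mask symlink (to /dev/null) at /etc/systemd/system/systemd-timesyncd.service on a host where the package itself is absent: unmasking removes the symlink and leaves no unit file behind. The tasks below are an added example, not the poster's pre.yml tasks (which are not shown) and not code from the role; they install the package first, then unmask, then enable. Including them in a file that runs before the role, and the registered variable name, are assumptions.

```yaml
---
# Added example: pre-tasks for hosts where systemd-timesyncd is masked
# and/or not installed. Run with become: true, before the CIS role.

- name: Read the unit load state (loaded / masked / not-found)
  command: systemctl show --property=LoadState --value systemd-timesyncd.service
  register: timesyncd_load_state   # hypothetical variable name
  changed_when: false

- name: Report the state found on this image
  debug:
    msg: "systemd-timesyncd LoadState is {{ timesyncd_load_state.stdout }}"

# On Ubuntu 20.04 systemd-timesyncd is its own package and conflicts with
# other time daemons (chrony, ntp), so apt removes them when this installs.
# Confirm which daemon the image is meant to use before applying this.
- name: Install the package so a real unit file exists on disk
  apt:
    name: systemd-timesyncd
    state: present
    update_cache: true

# Unmask only after the install: removing the /dev/null symlink with no
# packaged unit file present is what produces "Unit ... not found".
- name: Remove the mask from systemd-timesyncd
  systemd:
    name: systemd-timesyncd
    masked: false
    daemon_reload: true

- name: Enable and start systemd-timesyncd
  systemd:
    name: systemd-timesyncd
    enabled: true
    state: started

- name: Confirm the unit is now loaded
  command: systemctl show --property=LoadState --value systemd-timesyncd.service
  register: timesyncd_load_state_after   # hypothetical variable name
  changed_when: false
  failed_when: timesyncd_load_state_after.stdout != "loaded"
```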