dev-sec / ansible-collection-hardening

This Ansible collection provides battle tested hardening for Linux, SSH, nginx, MySQL
http://dev-sec.io/
Apache License 2.0

ansible hardening fails on ubuntu 16.04 with msg": "ERROR! 'sysctl_rhel_config' is undefined #147

Closed rreilly-edr closed 7 years ago

rreilly-edr commented 7 years ago

Hi, when running the hardening against Ubuntu 16.04 I get the error below. It seems to think it is RHEL?

    c360-ubuntu: fatal: [127.0.0.1]: FAILED! =>
    c360-ubuntu:
    c360-ubuntu: {
    c360-ubuntu:    "_host": "127.0.0.1",
    c360-ubuntu:    "_result": {
    c360-ubuntu:       "failed": true,
    c360-ubuntu:       "msg": "ERROR! 'sysctl_rhel_config' is undefined"
    c360-ubuntu:    },
    c360-ubuntu:    "_task": "TASK: ansible-os-hardening : Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation"
    c360-ubuntu: }
    c360-ubuntu: 
    c360-ubuntu: fatal: [127.0.0.1]: FAILED! => {"failed": true, "msg": "ERROR! 'sysctl_rhel_config' is undefined"}
    c360-ubuntu:
    c360-ubuntu: RUNNING HANDLER [nginx : restart nginx] ****************************************
    c360-ubuntu:
    c360-ubuntu: RUNNING HANDLER [nginx : reload nginx] *****************************************
    c360-ubuntu:
    c360-ubuntu: RUNNING HANDLER [php5 : restart php-fpm] ***************************************
    c360-ubuntu:
    c360-ubuntu: RUNNING HANDLER [codedeploy : start codedeploy-agent] **************************
    c360-ubuntu:
    c360-ubuntu: RUNNING HANDLER [postfix : restart postfix] ************************************
    c360-ubuntu:
    c360-ubuntu: PLAY RECAP *********************************************************************
    c360-ubuntu: 127.0.0.1                  : ok=76   changed=44   unreachable=0    failed=1
    c360-ubuntu:
    ==> c360-ubuntu: Terminating the source AWS instance...
    ==> c360-ubuntu: Cleaning up any extra volumes...
    ==> c360-ubuntu: No volumes to clean up, skipping
    ==> c360-ubuntu: Deleting temporary security group...
    ==> c360-ubuntu: Deleting temporary keypair...
    Build 'c360-ubuntu' errored: Error executing Ansible: Non-zero exit status: 2

rndmh3ro commented 7 years ago

That's strange!

Can you run ansible localhost -m setup -a 'filter=ansible_distribution' on the host and paste the output here?

rreilly-edr commented 7 years ago

I will. This is in a Packer pipeline, so I need to spin one up and run the test. I will do this ASAP.

rreilly-edr commented 7 years ago

Hi, here is the output:

    localhost | SUCCESS => {
        "ansible_facts": {
            "ansible_distribution": "Ubuntu"
        },
        "changed": false,
        "failed": false
    }

rndmh3ro commented 7 years ago

What kind of AMI is this? I'll try to reproduce it.

rreilly-edr commented 7 years ago

ami-1d4e7a66

rreilly-edr commented 7 years ago

Now I cannot find that image, but it was generic Ubuntu 16.04.

rndmh3ro commented 7 years ago

I'll take a look tomorrow!

rndmh3ro commented 7 years ago

So I just tried to replicate this issue, using the same AMI as you on AWS. However, for me it worked. Is it possible for you to provide your FULL playbook, so I can try to reproduce it?

rj-reilly commented 7 years ago

I will need to check. I did not write it and need to make sure there is nothing I need to redact.

erickt commented 7 years ago

I just ran into this, and I figured out the problem. If you're like me, you just did an "apt install ansible" but that installs ansible 2.0.0. This needs 2.2.1 or higher.

rj-reilly commented 7 years ago

Hmm, I think I did a pip install ansible, but I will double-check that! Thanks.

rj-reilly commented 7 years ago

Yep, it looks like the person who wrote the Packer files used a bash script to install Ansible from apt-get :( OK, I will fix this to install from pip. Thank you so much, I will report back.

rndmh3ro commented 7 years ago

I checked the readme and meta-files and they already mention minimum Ansible version 2.2.1, so I'm closing this now.

If you need further help, feel free to reopen!
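
A version gate for the provisioning script, matching the cause found in this thread, so the build stops before the role runs instead of failing on an undefined variable. This is an added example, not code from the thread or from the project; the function names are hypothetical and the sample `ansible --version` lines are constructed.

```shell
#!/bin/sh
# Added example: stop a provisioning run early when Ansible is older than
# the minimum named in this thread. Function names are hypothetical.
MIN_ANSIBLE="2.2.1"

# Pull the version out of the first line of `ansible --version` output.
# Handles both "ansible 2.0.0" and the newer "ansible [core 2.14.3]" form.
parse_ansible_version() {
    printf '%s\n' "$1" | sed -n '1s/^ansible[^0-9]*\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when dotted version $1 >= $2. Fields are compared as numbers,
# so 2.10.0 sorts above 2.2.1 (a plain string comparison gets this wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        max = (n > m) ? n : m
        for (i = 1; i <= max; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Return 0 if the given `ansible --version` text meets the minimum,
# 1 if it is too old, 2 if no version could be parsed.
check_ansible() {
    found=$(parse_ansible_version "$1")
    if [ -z "$found" ]; then
        echo "cannot determine ansible version" >&2
        return 2
    fi
    if version_ge "$found" "$MIN_ANSIBLE"; then
        echo "ansible $found OK (>= $MIN_ANSIBLE)"
    else
        echo "ansible $found is older than required $MIN_ANSIBLE" >&2
        return 1
    fi
}

# Constructed sample lines, not captured from the reporter's build.
for sample in "ansible 2.0.0" "ansible 2.2.1.0" "ansible [core 2.14.3]"; do
    check_ansible "$sample" || true
done
# In a real provisioner: check_ansible "$(ansible --version)" || exit 1
```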