dev-sec / ansible-collection-hardening

This Ansible collection provides battle tested hardening for Linux, SSH, nginx, MySQL
http://dev-sec.io/
Apache License 2.0

os_hardening fails on "Create a combined sysctl-dict if overwrites are defined" task #482

Closed dpavle closed 3 years ago

dpavle commented 3 years ago

Expected behavior

Expected the task to complete successfully.

Actual behavior

fatal: [hostname]: FAILED! => {"msg": "failed to combine variables, expected dicts but got a 'dict' and a 'AnsibleUnicode': \n{\"fs.protected_hardlinks\": 1, \"fs.protected_symlinks\": 1, \"fs.suid_dumpable\": 0, \"kernel.core_uses_pid\": 1, \"kernel.kptr_restrict\": 2, \"kernel.kexec_load_disabled\": 1, \"kernel.sysrq\": 0, \"kernel.randomize_va_space\": 2, \"kernel.yama.ptrace_scope\": 1, \"net.ipv4.ip_forward\": 0, \"net.ipv6.conf.all.forwarding\": 0, \"net.ipv4.conf.all.rp_filter\": 1, \"net.ipv4.conf.default.rp_filter\": 1, \"net.ipv4.icmp_echo_ignore_broadcasts\": 1, \"net.ipv4.icmp_ignore_bogus_error_responses\": 1, \"net.ipv4.icmp_ratelimit\": 100, \"net.ipv4.icmp_ratemask\": 88089, \"net.ipv4.tcp_timestamps\": 0, \"net.ipv4.conf.all.arp_ignore\": 1, \"net.ipv4.conf.all.arp_announce\": 2, \"net.ipv4.tcp_rfc1337\": 1, \"net.ipv4.tcp_syncookies\": 1, \"net.ipv4.conf.all.shared_media\": 1, \"net.ipv4.conf.default.shared_media\": 1, \"net.ipv4.conf.all.accept_source_route\": 0, \"net.ipv4.conf.default.accept_source_route\": 0, \"net.ipv6.conf.all.accept_source_route\": 0, \"net.ipv6.conf.default.accept_source_route\": 0, \"net.ipv4.conf.all.send_redirects\": 0, \"net.ipv4.conf.default.send_redirects\": 0, \"net.ipv4.conf.all.log_martians\": 1, \"net.ipv4.conf.default.log_martians\": 1, \"net.ipv4.conf.default.accept_redirects\": 0, \"net.ipv4.conf.all.accept_redirects\": 0, \"net.ipv4.conf.all.secure_redirects\": 0, \"net.ipv4.conf.default.secure_redirects\": 0, \"net.ipv6.conf.default.accept_redirects\": 0, \"net.ipv6.conf.all.accept_redirects\": 0, \"net.ipv6.conf.all.accept_ra\": 0, \"net.ipv6.conf.default.accept_ra\": 0, \"net.ipv6.conf.default.router_solicitations\": 0, \"net.ipv6.conf.default.accept_ra_rtr_pref\": 0, \"net.ipv6.conf.default.accept_ra_pinfo\": 0, \"net.ipv6.conf.default.accept_ra_defrtr\": 0, \"net.ipv6.conf.default.autoconf\": 0, \"net.ipv6.conf.default.dad_transmits\": 0, \"net.ipv6.conf.default.max_addresses\": 1, \"vm.mmap_min_addr\": 65536, \"vm.mmap_rnd_bits\": 32, \"vm.mmap_rnd_compat_bits\": 16, \"kernel.unprivileged_bpf_disabled\": 1, \"kernel.unprivileged_userns_clone\": 0}\n\"net.ipv4.ip_forward\""}

Example Playbook

---
- hosts: all
  become: true
  collections:
     - devsec.hardening
  roles:
     - os_hardening
     - ssh_hardening

OS / Environment

Ansible running on an Ubuntu 20.04 VM; hosts: a couple of Ubuntu 20.04 based VPSs

Ansible Version

ansible [core 2.11.5] 
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/virtualbox/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/virtualbox/.local/lib/python3.8/site-packages/ansible
  ansible collection location = /home/virtualbox/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.10 (default, Jun  2 2021, 10:49:15) [GCC 9.4.0]
  jinja version = 3.0.1
  libyaml = True

Role Version

devsec.hardening:7.10.0


schurzi commented 3 years ago

Do you have defined overwrites? If yes, can you please show how you defined the overwrites? It seems there is an error in formatting and Ansible does not interpret the overwrites as an array.

dpavle commented 3 years ago

Right, I had an error in my playbook when enabling IPv4 forwarding with overwrite (missing ': 1'), fixed now.
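As an added illustration (not code from this issue or from the collection itself): a small Python pre-flight check that mimics what the failing task's combine step sees. The role's overwrite variable is assumed here to be sysctl_overwrite (its name is not shown on this page); the defaults dict is a constructed subset of the values in the error message, and the broken input is the plain string YAML yields when the ': 1' is missing.

```python
from collections.abc import Mapping

# Constructed subset of the role's default sysctl dict (values copied from
# the error message above; the real dict is much longer).
SYSCTL_DEFAULTS = {
    "net.ipv4.ip_forward": 0,
    "net.ipv4.conf.all.rp_filter": 1,
    "kernel.sysrq": 0,
}

# What YAML produces for the two ways of writing the overwrite.
# Broken (the ': 1' is missing): the value is a bare string, which is the
# 'AnsibleUnicode' the combine filter complained about.
BROKEN_OVERWRITE = "net.ipv4.ip_forward"
# Fixed: a mapping of sysctl key -> value, which combine can merge.
FIXED_OVERWRITE = {"net.ipv4.ip_forward": 1}


def validate_overwrite(overwrite):
    """Reject what Ansible's combine filter would reject, but with a hint."""
    if overwrite is None:
        return {}
    if not isinstance(overwrite, Mapping):
        raise TypeError(
            f"sysctl_overwrite must be a mapping, got {type(overwrite).__name__} "
            f"{overwrite!r}; a bare key usually means a missing ': <value>'"
        )
    for key, value in overwrite.items():
        if not isinstance(key, str) or "." not in key:
            raise ValueError(f"{key!r} does not look like a sysctl key")
        if not isinstance(value, (int, str)):
            raise ValueError(f"{key}: value {value!r} must be an int or a string")
    return dict(overwrite)


def overwrite_problem(overwrite):
    """Return a description of what is wrong with the overwrite, or None."""
    try:
        validate_overwrite(overwrite)
    except (TypeError, ValueError) as exc:
        return str(exc)
    return None


def combine_sysctl(defaults, overwrite):
    """Equivalent of `defaults | combine(overwrite)` once the input is valid."""
    merged = dict(defaults)
    merged.update(validate_overwrite(overwrite))
    return merged
```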