dev-sec / ansible-collection-hardening

This Ansible collection provides battle tested hardening for Linux, SSH, nginx, MySQL
http://dev-sec.io/
Apache License 2.0

Deprecation warnings for os_hardening #638

Closed DonEstefan closed 1 year ago

DonEstefan commented 1 year ago

Description

TASK [devsec.hardening.os_hardening : Remove suid/sgid bit from binaries in blacklist | os-06] ******************************************************
[DEPRECATION WARNING]: "listify_lookup_plugin_terms" does not use "dataloader" anymore, the ability to pass it in will be removed in future versions. This feature will be removed in version 2.18. 

[...]

TASK [devsec.hardening.os_hardening : Find files with write-permissions for group] *****************************************************************
[DEPRECATION WARNING]: "listify_lookup_plugin_terms" does not use "dataloader" anymore, the ability to pass it in will be removed in future versions. This feature will be removed in version 2.18. 

[...]

TASK [devsec.hardening.os_hardening : Change system accounts not on the user provided ignore-list] *************************************************
[DEPRECATION WARNING]: "listify_lookup_plugin_terms" does not use "dataloader" anymore, the ability to pass it in will be removed in future versions. This feature will be removed in version 2.18. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

Reproduction steps

# ansible --version
ansible [core 2.14.1]

# ansible-playbook site.yml --tags os_hardening

Current Behavior

"DEPRECATION WARNING" is shown

Expected Behavior

"DEPRECATION WARNING" is not shown

OS / Environment

centos8

Ansible Version

ansible [core 2.14.1]
  config file = /workspaces/ansible-proxy/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  ansible collection location = /workspaces/ansible-proxy/collections
  executable location = /usr/bin/ansible
  python version = 3.9.13 (main, Nov  9 2022, 13:16:24) [GCC 8.5.0 20210514 (Red Hat 8.5.0-15)] (/usr/bin/python3.9)
  jinja version = 3.1.2
  libyaml = True

Collection Version

collections:
    - name: devsec.hardening
      version: "8.4.0"

Additional information

No response

schurzi commented 1 year ago

Thank you for reporting this. This is, however, not a bug in our collection; the deprecation warning is triggered by using with_community.general.flattened from https://github.com/ansible-collections/community.general.

Here is an example playbook:

- hosts: localhost
  gather_facts: False
  tasks:
    - name: test
      debug:
        msg: "{{ item }}"
      with_community.general.flattened:
        - a
        - b
        - c

which produces the output:

# ansible-playbook /test.yml

PLAY [localhost] **********************************************************************************************************************************************************************************************************************************

TASK [test] ***************************************************************************************************************************************************************************************************************************************
[DEPRECATION WARNING]: "listify_lookup_plugin_terms" does not use "dataloader" anymore, the ability to pass it in will be removed in future versions. This feature will be removed in version 2.18. Deprecation warnings can be disabled by
setting deprecation_warnings=False in ansible.cfg.
ok: [localhost] => (item=a) => {
    "msg": "a"
}
ok: [localhost] => (item=b) => {
    "msg": "b"
}
ok: [localhost] => (item=c) => {
    "msg": "c"
}

PLAY RECAP ****************************************************************************************************************************************************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

The feature was deprecated in Ansible with https://github.com/ansible/ansible/pull/78244. And it seems this deprecation has not been applied to the community.general code.

I will open a PR in their repository, but we have no influence on when this will be merged or shipped.

schurzi commented 1 year ago

I have opened a PR in Ansible community.general (https://github.com/ansible-collections/community.general/pull/6074) and will now close this issue, since nothing can be done from our side.
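
To triage output like the runs quoted in this issue without setting deprecation_warnings=False, the following added example (not part of the original thread, and not code from devsec.hardening or community.general) groups deprecation warnings by the task that emitted them and rejoins terminal-wrapped warning lines. The function name, the constructed sample log and the set of line prefixes treated as ending a warning are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ansible-playbook output quoted in this issue;
# the first warning is wrapped across lines the way a terminal wraps it.
SAMPLE = """\
TASK [devsec.hardening.os_hardening : Find files with write-permissions for group] ******
[DEPRECATION WARNING]: "listify_lookup_plugin_terms" does not use "dataloader" anymore, the ability to pass it in will be
removed in future versions. This feature will be removed in version 2.18. Deprecation warnings can be disabled by
setting deprecation_warnings=False in ansible.cfg.
ok: [localhost]

TASK [test] ******
[DEPRECATION WARNING]: "listify_lookup_plugin_terms" does not use "dataloader" anymore, the ability to pass it in will be removed in future versions. This feature will be removed in version 2.18.
ok: [localhost] => (item=a) => {
    "msg": "a"
}
"""

TASK_RE = re.compile(r"^TASK \[(?P<name>.*)\] \*+\s*$")
WARN_RE = re.compile(r"^\[DEPRECATION WARNING\]: (?P<text>.*)$")
# Assumed terminators of a wrapped warning: blank line, play/task header, bracketed message, host result.
END_RE = re.compile(r"^(\s*$|(TASK|PLAY|RUNNING HANDLER) |\[|(ok|changed|skipping|failed|fatal|included): )")
HINT = "Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg."

def deprecations_by_task(output):
    """Map each normalized deprecation message to the list of tasks that emitted it."""
    found = defaultdict(list)
    task, parts = None, None

    def flush():
        nonlocal parts
        if parts is not None:
            # Collapse wrap whitespace and drop the generic hint so identical warnings dedupe.
            msg = " ".join(" ".join(parts).split()).replace(HINT, "").strip()
            if task not in found[msg]:
                found[msg].append(task)
        parts = None

    for line in output.splitlines() + [""]:
        warn = WARN_RE.match(line)
        if parts is not None and not warn and not END_RE.match(line):
            parts.append(line)  # continuation of a terminal-wrapped warning
            continue
        flush()  # a pending warning belongs to the task seen before this line
        header = TASK_RE.match(line)
        if header:
            task = header.group("name")
        elif warn:
            parts = [warn.group("text")]
    return dict(found)
```

Run against a saved playbook log, the returned mapping shows that a single upstream deprecation accounts for every affected task, which is what the comments above conclude for this issue.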