dev-sec / ansible-collection-hardening

This Ansible collection provides battle tested hardening for Linux, SSH, nginx, MySQL
http://dev-sec.io/
Apache License 2.0

Problem with os_always_ignore_users --> template error while templating string: no test named 'in' #785

Open tsmalmbe opened 3 months ago

tsmalmbe commented 3 months ago

Description

I have installed latest ansible. I am running Python 2.7. Ansible is installed using pip.

This is my playbook:

- hosts: newhardenings
  become: true
  gather_facts: true
  collections:
    - devsec.hardening
  roles: # Custom vars specified in src/main/resources/ansible/inventory/group_vars/all/global_vars.yml
    - role: os_hardening
    - role: ssh_hardening

I am moving from the "old roles" currently and was expecting the change to the new collection "plug and play". I am most likely doing something very stupidly wrong here.

Reproduction steps

This is how I run the playbook:

ansible-playbook --vault-id secrets@vault --ask-become-pass -i production server-hardening-latest.yml

Current Behavior

TASK [devsec.hardening.os_hardening : Extract system accounts from local user database] ********************************************************************************************
fatal: [servername.our.domain]: FAILED! => {"msg": "The conditional check 'item is not in os_always_ignore_users' failed. The error was: template error while templating string: no test named 'in'. String: {% if item is not in os_always_ignore_users %} True {% else %} False {% endif %}\n\nThe error appears to be in '/home/ansible/.ansible/collections/ansible_collections/devsec/hardening/roles/os_hardening/tasks/user_accounts.yml': line 14, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Extract system accounts from local user database\n  ^ here\n"}

Expected Behavior

I expect this to work. I do not know what else to expect.

OS / Environment

Centos 7

Ansible Version

ansible 2.9.27
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/ansible/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible
  python version = 2.7.5 (default, Nov 14 2023, 16:14:06) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]

Collection Version

Latest, just installed.

rndmh3ro commented 3 months ago

> I am moving from the "old roles" currently and was expecting the change to the new collection "plug and play".

There were significant changes since the old roles were deprecated.

But I guess your problem is that you're using old, unsupported versions of basically anything. Centos 7 is unsupported, Python 2.7 is unsupported, Ansible 2.9 is unsupported. Try upgrading these, then it should work.