florianutz / ubuntu2004_cis

Ubuntu CIS Hardening Ansible Role
MIT License
109 stars, 67 forks

Ansible cron operation fails #33

Closed sedenardi closed 2 years ago

sedenardi commented 2 years ago

Describe the bug
The step "SCORED | 1.4.2 | PATCH | Ensure filesystem integrity is regularly checked" fails due to invalid cron settings (see Error below). This only started happening in the last month or so.

To Reproduce
Steps to reproduce the behavior:

  1. Include florianutz.ubuntu2004_cis in Ansible playbook
  2. Run playbook
  3. See error

Error:

cloud-init[1223]: TASK [florianutz.ubuntu2004_cis : SCORED | 1.4.2 | PATCH | Ensure filesystem integrity is regularly checked] **
python3[46108]: ansible-cron Invoked with name=Run AIDE integrity check weekly cron_file=/etc/crontab user=root minute=0 hour=5 day= month= weekday= job=/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check state=present backup=False disabled=False env=False special_time=None insertafter=None insertbefore=None
cloud-init[1223]: fatal: [localhost]: FAILED! => {"changed": false, "msg": "Will not manage /etc/crontab via cron_file, see documentation."}

Expected behavior
The step and entire playbook should execute successfully.

Software (please complete the following information):

sedenardi commented 2 years ago

Looks like this change was introduced in 2.12 according to https://github.com/ansible/ansible/issues/37355 (and PR https://github.com/ansible/ansible/pull/73591). I did not experience this issue using 2.11.x

sedenardi commented 2 years ago

Changing the ubuntu2004cis_aide_cron.cron_file variable to create a new /etc/cron.d/aide file rather than modify /etc/crontab resolves this issue.

- name: harden server to CIS benchmarks
  ansible.builtin.import_role:
    name: florianutz.ubuntu2004_cis
  vars:
    ubuntu2004cis_aide_cron:
      cron_user: root
      cron_file: aide
      aide_job: '/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check'
      aide_minute: 0
      aide_hour: 5
      aide_day: '*'
      aide_month: '*'
      aide_weekday: '*'
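
As an added example (not code from the role and not posted by anyone in this thread): a POSIX sh audit of what the workaround above is supposed to leave behind. It assumes the job now lives in /etc/cron.d/aide in system-crontab format (with the user field that the Ansible cron module writes when cron_file and user are both set) and checks that no copy of the job is still sitting in /etc/crontab from a run of the role before the change. The regex is a simplified stand-in for the CIS 1.4.2 audit grep, not its text, and all of the cron files it reads here are constructed fixtures in a temporary directory.

```shell
#!/bin/sh
# Added example; not part of the florianutz.ubuntu2004_cis role or of this thread.
# Audits the AIDE cron schedule left behind by the workaround above: the job should
# sit in /etc/cron.d/<name> in system-crontab format (with a user field) and should
# not also linger in /etc/crontab from a run of the role that predates the change.
# Paths are parameters, so the functions run against the constructed fixture below
# or against a real /etc.

# Matches a non-comment line that runs aide or aide.wrapper with --check.
# Assumption: a simplified stand-in for the CIS 1.4.2 audit grep, not its exact text.
AIDE_JOB_RE='^[[:space:]]*[^#[:space:]].*aide(\.wrapper)?[[:space:]].*--check'

# cron only reads /etc/cron.d files whose names follow run-parts rules
# (letters, digits, '_' and '-'); a file called "aide.cron" is silently ignored.
cron_d_name_ok() {
    case "$(basename "$1")" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Return 0 when FILE is a usable /etc/cron.d entry that schedules an AIDE check as root.
aide_cron_file_ok() {
    f="$1"
    cron_d_name_ok "$f" || { echo "name ignored by cron: $(basename "$f")"; return 1; }
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    line=$(grep -E "$AIDE_JOB_RE" "$f" | head -n 1)
    [ -n "$line" ] || { echo "no aide --check job in $f"; return 1; }
    # System crontab format: min hour dom mon dow user command ...
    # Globbing is switched off so the '*' fields are not expanded into file names.
    set -f; set -- $line; set +f
    case "$6" in
        */*) echo "field 6 is a path, job has no user field: $line"; return 1 ;;
    esac
    [ "$6" = "root" ] || { echo "job runs as '$6', expected root"; return 1; }
    return 0
}

# Print how many AIDE --check jobs are scheduled across CRONTAB and the files in
# CRON_D that cron would actually read. Exactly 1 is the healthy answer; 2 usually
# means the line the role used to put into /etc/crontab was never removed.
count_aide_jobs() {
    crontab="$1"; crond="$2"; n=0
    for f in "$crontab" "$crond"/*; do
        [ -f "$f" ] || continue
        [ "$f" = "$crontab" ] || cron_d_name_ok "$f" || continue
        c=$(grep -Ec "$AIDE_JOB_RE" "$f" || true)
        n=$((n + c))
    done
    echo "$n"
}

# Constructed fixture, not a real host: a temporary /etc look-alike.
FIX=$(mktemp -d)
trap 'rm -rf "$FIX"' EXIT
mkdir "$FIX/cron.d" "$FIX/bad"
# What cron_file: aide / cron_user: root from the workaround produces.
AIDE_JOB='0 5 * * * root /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check'
printf '#Ansible: Run AIDE integrity check weekly\n%s\n' "$AIDE_JOB" > "$FIX/cron.d/aide"
# Same job in user-crontab format (no user field): not valid in /etc/cron.d.
printf '0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check\n' > "$FIX/bad/nouser"
# Valid content under a name cron never reads.
cp "$FIX/cron.d/aide" "$FIX/bad/aide.cron"
# A system crontab without, and with, a stale copy of the job.
printf 'SHELL=/bin/sh\n# m h dom mon dow user command\n' > "$FIX/crontab-clean"
printf 'SHELL=/bin/sh\n# m h dom mon dow user command\n%s\n' "$AIDE_JOB" > "$FIX/crontab-stale"

for f in "$FIX/cron.d/aide" "$FIX/bad/nouser" "$FIX/bad/aide.cron"; do
    if aide_cron_file_ok "$f"; then echo "ok: $f"; fi
done
echo "jobs, clean crontab: $(count_aide_jobs "$FIX/crontab-clean" "$FIX/cron.d")"
echo "jobs, stale crontab: $(count_aide_jobs "$FIX/crontab-stale" "$FIX/cron.d")"
```

Against a live host, call aide_cron_file_ok /etc/cron.d/aide and count_aide_jobs /etc/crontab /etc/cron.d; the fixture at the bottom only exists so the functions can be exercised offline. The name check matters because the role variable is a bare file name: a value such as "aide.cron" would be written without complaint and never run.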

ericsysmin commented 2 years ago

I hit this as well, is this going to be merged as a fix?

sedenardi commented 2 years ago

I'm happy to submit a PR, but I'm not sure if this change is compatible with ansible versions < 2.12. I had a tough time finding ansible docs for a specific version other than the latest. Though I'd have to imagine that ansible always let you specify a specific cron_file?

florianutz commented 2 years ago

Sorry I missed that a bit. I have fixed the bug so that the new Ansible versions work as well. Can you please check if the new version is now running without errors for you?