linux-application-whitelisting / fapolicyd

File Access Policy Daemon
GNU General Public License v3.0

fapolicyd and ansible permission deny #311

Open mcknight1981 opened 1 month ago

mcknight1981 commented 1 month ago

I am running a simple `ansible-playbook -i inventory.ini -b playbook.yaml`. Without fapolicyd running all the pings are successful; when I activate the policy, I get this:

```
[WARNING]: sftp transfer mechanism failed on [xxx.xx.xxx.xxx]. Use ANSIBLE_DEBUG=1 to see detailed information
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: PermissionError: [Errno 1] Operation not permitted: b'/usr/home/xxxxx/.ansible/tmp/ansible-local-30386wpmj2n12/tmp75p3z00c'
fatal: [xxx.xx.xxx.xxx]: FAILED! => {"msg": "Unexpected failure during module execution.", "stdout": ""}
```

I don't know how to fix this. I have added the file to trust.d and it still won't work.

radosroka commented 1 month ago

You are using Ansible with the ansible user, which is not supported by default. If you use root there should be no problem; if that's not possible, you can allow just a specific directory.

skosachiov commented 1 month ago

E.g., an exception for system, the first local user and the ansible user: https://github.com/skosachiov/remediations-gendbuntu/blob/main/roles/fapolicyd/templates/25-system-auid.rules.j2

See the Ansible fapolicyd role templates: https://github.com/skosachiov/remediations-gendbuntu/tree/main/roles/fapolicyd

Tasks: mask fapolicyd (to avoid start on Debian), install fapolicyd, copy config/rules/trusts, unmask, start fapolicyd.

mcknight1981 commented 1 month ago

I will take a look at both of these. The problem is we are not able to be root and run Ansible; it must be the user. It's a security thing we have. We are able to use root to escalate in the playbook with `become = yes`.

skosachiov commented 1 month ago

The auid (not uid) is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with `su - root`), thus for the username ansible:

```
...
allow perm=execute auid=ansible all : all
allow perm=execute all : all trust=1
...
allow perm=any auid=ansible : ftype=text/x-python
allow perm=any all : ftype=text/x-python trust=1
...
allow perm=open auid=ansible : ftype=application/x-bytecode.python
allow perm=open all : ftype=application/x-bytecode.python trust=1
...
deny_syslog perm=execute all : all
deny_syslog perm=any all : ftype=text/x-python
deny_syslog perm=any all : ftype=application/x-bytecode.python
```

Regular users can only run trusted files.
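To see why the auid-based rules cover the Ansible case (including tasks escalated with `become`, where the uid changes but the auid does not), here is an added example that is not code from this thread or from fapolicyd: a small Python simulator of first-match rule evaluation run over the rules posted above. It assumes only the perm, auid, ftype and trust keywords matter, compares auid by name rather than resolving it to a login uid, and treats an access that matches no rule as denied; the sample accesses are constructed.

```python
# Added example (not fapolicyd's own code): a first-match simulator for the
# auid-based rules posted above. Assumptions: only perm, auid, ftype and trust
# are matched, auid is compared by name, and no match is treated as deny.
RULES = """
allow perm=execute auid=ansible all : all
allow perm=execute all : all trust=1
allow perm=any auid=ansible : ftype=text/x-python
allow perm=any all : ftype=text/x-python trust=1
allow perm=open auid=ansible : ftype=application/x-bytecode.python
allow perm=open all : ftype=application/x-bytecode.python trust=1
deny_syslog perm=execute all : all
deny_syslog perm=any all : ftype=text/x-python
deny_syslog perm=any all : ftype=application/x-bytecode.python
"""

def parse_rules(text):
    """Split each 'decision subject : object' line into keyword dicts."""
    kv = lambda words: dict(w.split("=", 1) for w in words if "=" in w)
    rules = []
    for line in text.strip().splitlines():
        decision, rest = line.split(None, 1)
        subj, obj = rest.split(":", 1)
        rules.append((decision, kv(subj.split()), kv(obj.split())))
    return rules

def matches(subj, obj, access):
    """Subject keywords: perm (any/open/execute) and auid; object: ftype, trust."""
    perm = subj.get("perm", "any")
    return ((perm == "any" or perm == access["perm"])
            and subj.get("auid", access["auid"]) == access["auid"]
            and obj.get("ftype", access["ftype"]) == access["ftype"]
            and ("trust" not in obj or (obj["trust"] == "1") == access["trusted"]))

def decide(rules, access):
    """Return the decision of the first matching rule (assumed deny if none)."""
    for decision, subj, obj in rules:
        if matches(subj, obj, access):
            return decision
    return "deny"

# Constructed accesses; uid is carried only to show it plays no part after 'become'.
ANSIBLE_TMP_MODULE = {"uid": "root", "auid": "ansible", "perm": "open",
                      "ftype": "text/x-python", "trusted": False}
OTHER_USER_SCRIPT = {"uid": "alice", "auid": "alice", "perm": "open",
                     "ftype": "text/x-python", "trusted": False}

if __name__ == "__main__":
    for access in (ANSIBLE_TMP_MODULE, OTHER_USER_SCRIPT):
        print(access["auid"], decide(parse_rules(RULES), access))
```

The untrusted module under `~/.ansible/tmp` is allowed for the ansible login even when the task runs as root, while the same untrusted file opened by another regular user falls through to `deny_syslog`.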

mcknight1981 commented 1 month ago

Do I need to make an ansible user profile?

skosachiov commented 2 weeks ago

Creating a separate local account, such as "ansible", with key-based authentication can be very useful for managing a large fleet of hosts. Domain authentication can fail at the most inopportune moment.