Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bug: When using CIS hardening, the task of copying the systcl config fails under certain conditions #193

Open
Evantage-WS opened this issue Feb 14, 2024 · 12 comments
Labels
bug Something isn't working

Comments

@Evantage-WS
Copy link

Summary

When enabling cis, with "cis-1.23", which is deprecated btw, it is "cis" now, it fails when copying the sysctl values in - name: Copy systemctl config file for kernel hardening. My download is not in /usr/local/share, but in /opt/rke2/share/rke2/rke2-cis-sysctl.conf. This because of the following:

#   - INSTALL_RKE2_TAR_PREFIX
#     Installation prefix when using the tar installation method.
#     Default is /usr/local, unless /usr/local is read-only or has a dedicated mount point,
#     in which case /opt/rke2 is used instead.

Tested on SLES 15.5

Issue Type

Bug Report

Ansible Version

ansible [core 2.16.2]
  config file = None
  configured module search path = ['/Users/wvanderstek/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/Cellar/ansible/9.1.0/libexec/lib/python3.12/site-packages/ansible
  ansible collection location = /Users/wvanderstek/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.12.1 (main, Dec  7 2023, 20:45:44) [Clang 15.0.0 (clang-1500.1.0.2.5)] (/opt/homebrew/Cellar/ansible/9.1.0/libexec/bin/python)
  jinja version = 3.1.3
  libyaml = True

Steps to Reproduce

 rke2_cis_profile: "cis-1.23"

on a machine with the following conditions:

#   - INSTALL_RKE2_TAR_PREFIX
#     Installation prefix when using the tar installation method.
#     Default is /usr/local, unless /usr/local is read-only or has a dedicated mount point,
#     in which case /opt/rke2 is used instead.

Expected Results

Looks in both directories for the file

Actual Results

Unable to find /usr/local/share/rke2/rke2-cis-sysctl.conf
@Evantage-WS Evantage-WS added the bug Something isn't working label Feb 14, 2024
@jLemmings
Copy link
Contributor

Facing the same issue, should be fixxed when following PR is approved: #206

@Evantage-WS
Copy link
Author

Just tested, looks like it is resolved. Thanks @jLemmings!

@Evantage-WS
Copy link
Author

Unfortunally, it is still failing.

module.create_vms.null_resource.execute_ansible_create_playbooks[0] (local-exec): fatal: [testproxmox-m1]: FAILED! => {"changed": false, "msg": "Source /usr/local/share/rke2/rke2-cis-sysctl.conf not found"}

This happens because the test is done if usr_local.stat.writeable = True, instead of testing that /usr/local is read-only or has a dedicated mount point. In my case it is a dedicated mountpoint (default with Suse Linux)

@Evantage-WS Evantage-WS reopened this Apr 22, 2024
@jLemmings
Copy link
Contributor

@Evantage-WS looking into it and will come up with a new PR.

@jLemmings
Copy link
Contributor

@Evantage-WS does it work for you after the last PR? Working great for me on multiple RHEL9 hosts which are CIS hardened.

@Evantage-WS
Copy link
Author

Hi @jLemmings,

Sorry, but no. It is still failing, I entered some feedback in the merge, see #213 (comment)

Thanks!

@jLemmings
Copy link
Contributor

@Evantage-WS what OS are you running? I was not aware of the mountpoint binary which makes it a bit nicer. What is the output of grep '/usr/local ' /proc/mounts on your node?

@Evantage-WS
Copy link
Author

Hi @jLemmings, I am running openSUSE 15.6 and Suse Linux Enterprise Server (SLES) 15.5

output is (with and without space in path

k3s-clusterx-m1:~ # grep '/usr/local ' /proc/mounts
k3s-clusterx-m1:~ # 

k3s-clusterx-m1:~ # grep '/usr/local' /proc/mounts
k3s-clusterx-m1:~ # 

@jLemmings
Copy link
Contributor

The space is there on purpose to not match appended '/'. What are the return codes of both commands?

@Evantage-WS
Copy link
Author

k3s-clusterx-m1:~ # grep '/usr/local ' /proc/mounts
k3s-clusterx-m1:~ # echo $?
1

@jLemmings
Copy link
Contributor

Oh the condition should be an "or" and not an "and" statement: https://github.com/lablabs/ansible-role-rke2/blob/main/tasks/cis.yml#L23

Am i right assuming you do not have a separate /usr/local partition but the it is read only?

@Evantage-WS
Copy link
Author

@jLemmings yes, correct

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants