Task 4.2.3 fails if a log file vanishes #90

Open
ps-spb opened this issue Sep 21, 2023 · 5 comments
ps-spb commented Sep 21, 2023

Describe the Issue
If, during a run, a log file is configured to, say, keep X histories but the files are uniquely named (e.g. sessionlauncher.log.2023-09-21-14-19) and that log file vanishes, then the task will fail.

Expected Behavior
Task ignores the fact a file no longer exists and carries on with the next file.

Control(s) Affected
4.2.3

Environment (please complete the following information):

  • branch being used: main

  • Ansible Version: ansible 2.10.8

  • Host Python Version: 3.10.12

  • Ansible Server Python Version: 3.10.12 (same - being run locally)

Additional Details:
We are targeting the AWS WorkSpaces Ubuntu offering.

Additional Notes
Sample error message:

    failed: [localhost] (item=/var/log/dcv/sessionlauncher.log.2023-09-21-14-19) => {"ansible_loop_var": "item", "changed": false, "item": {"atime": 1695305339.6007233, "ctime": 1695305972.2894833, "dev": 66307, "gid": 999, "gr_name": "dcv", "inode": 1047182, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "mode": "0640", "mtime": 1695305927.553581, "nlink": 1, "path": "/var/log/dcv/sessionlauncher.log.2023-09-21-14-19", "pw_name": "root", "rgrp": true, "roth": false, "rusr": true, "size": 1556, "uid": 0, "wgrp": false, "woth": false, "wusr": true, "xgrp": false, "xoth": false, "xusr": false}, "msg": "file (/var/log/dcv/sessionlauncher.log.2023-09-21-14-19) is absent, cannot continue", "path": "/var/log/dcv/sessionlauncher.log.2023-09-21-14-19", "state": "absent"}
    failed: [localhost] (item=/var/log/dcv/agent.console.log.2023-09-21-14-19) => {"ansible_loop_var": "item", "changed": false, "item": {"atime": 1695305344.936731, "ctime": 1695305972.1291497, "dev": 66307, "gid": 999, "gr_name": "dcv", "inode": 1047899, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "mode": "0640", "mtime": 1695305375.0647857, "nlink": 1, "path": "/var/log/dcv/agent.console.log.2023-09-21-14-19", "pw_name": "gdm", "rgrp": true, "roth": false, "rusr": true, "size": 58456, "uid": 133, "wgrp": false, "woth": false, "wusr": true, "xgrp": false, "xoth": false, "xusr": false}, "msg": "file (/var/log/dcv/agent.console.log.2023-09-21-14-19) is absent, cannot continue", "path": "/var/log/dcv/agent.console.log.2023-09-21-14-19", "state": "absent"}
    failed: [localhost] (item=/var/log/dcv/agentlauncher.simon.baker.log.2023-09-21-14-23) => {"ansible_loop_var": "item", "changed": false, "item": {"atime": 1695305378.6407952, "ctime": 1695306196.3926826, "dev": 66307, "gid": 999, "gr_name": "dcv", "inode": 1048048, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "mode": "0640", "mtime": 1695305927.7215812, "nlink": 1, "path": "/var/log/dcv/agentlauncher.simon.baker.log.2023-09-21-14-23", "pw_name": "simon.baker", "rgrp": true, "roth": false, "rusr": true, "size": 2842, "uid": 891801367, "wgrp": false, "woth": false, "wusr": true, "xgrp": false, "xoth": false, "xusr": false}, "msg": "file (/var/log/dcv/agentlauncher.simon.baker.log.2023-09-21-14-23) is absent, cannot continue", "path": "/var/log/dcv/agentlauncher.simon.baker.log.2023-09-21-14-23", "state": "absent"}

Possible Solution
Task ignores errors? This feels a little brittle...

@ps-spb ps-spb added the bug Something isn't working label Sep 21, 2023
Atamido commented Aug 13, 2024

I'm running into the same issue. I've found one quick fix which significantly reduces the likelihood of the issue occurring, and then another more elaborate solution which fully covers the issue.

The quick fix is to modify the when statement in
https://github.com/ansible-lockdown/UBUNTU22-CIS/blob/devel/tasks/section_4/cis_4.2.3.yml
from:

    when:
        - item.path != "/var/log/btmp"
        - item.path != "/var/log/utmp"
        - item.path != "/var/log/wtmp"

to:

    when:
        - item.path != "/var/log/btmp"
        - item.path != "/var/log/utmp"
        - item.path != "/var/log/wtmp"
        - item.mode != "0640"
        - item.mode != "0600"

This prevents ansible.builtin.file from trying to run on a log file where the permissions are already correct. As most log files seem to have the correct permissions by default, this resolves the issue for most situations.

The second solution was to create a separate file with a block/rescue which would be used to set the permissions. In the same cis_4.2.3.yml file as before, change:

  - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions"
    ansible.builtin.file:
        path: "{{ item.path }}"
        mode: '0640'
    loop: "{{ logfiles.files }}"

to:

  - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions"
    ansible.builtin.include_tasks: set_perms.yml
    vars:
      perm_mode: '0640'
    loop: "{{ logfiles.files }}"

And the set_perms.yml file:

  - name: Set permissions, tolerating a file that vanished since the find
    block:
      - name: Apply the requested mode
        ansible.builtin.file:
          path: "{{ item.path }}"
          mode: "{{ perm_mode }}"
    rescue:
      - name: Confirm file still exists
        ansible.builtin.stat:
          path: "{{ item.path }}"
        register: perm_file_check

      - name: Retry only if the file is still present
        ansible.builtin.file:
          path: "{{ item.path }}"
          mode: "{{ perm_mode }}"
        when: perm_file_check.stat.exists

@uk-bolly uk-bolly self-assigned this Sep 17, 2024
uk-bolly (Member) commented

hi @ps-spb and @Atamido

Apologies for the delay in resolving this one. This has been a great issue. We have found a solution that appears to work well for most scenarios. I have now added this to a new PR.
Thank you for taking the time to raise this and for your patience.

kindest regards

uk-bolly

Atamido commented Sep 17, 2024

Thanks for this, it's a good solution.

I'd still like to see the when check existing permissions as it'll currently loosen a 0600 to 0640. Something like:

    when:
        - item.path != "/var/log/btmp"
        - item.path != "/var/log/utmp"
        - item.path != "/var/log/wtmp"
        - item.mode > "0640" or (item.mode < "0640" and item.mode > "0600")

uk-bolly (Member) commented

hi @Atamido

I believe this should be resolved in this PR also; I have changed the mode from octal format to symbolic, e.g.

u-x,g-wx,o-rwx

This should allow more restricted files to stay as they are.

Kindest regards

uk-bolly

Atamido commented Sep 19, 2024

That PR changes the mode format for 4.1.4.3, which is audit log files. But 4.2.3 still uses the octal format. I think if 4.2.3 were changed to also use symbolic, that would be an improvement.
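The two points raised in this thread, that a fixed octal mode of 0640 loosens a file already at 0600 while a restrict-only symbolic mode such as u-x,g-wx,o-rwx does not, and that a file vanishing between the find and the chmod should be skipped rather than fail the run, can be checked outside Ansible. This is an added example, not code from the UBUNTU22-CIS role; `clear_mask`, `tighten` and `demo` are hypothetical helpers and the log files and modes are constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Bits each "who" letter covers, and each permission letter across all three classes.
WHO_BITS = {"u": stat.S_IRWXU, "g": stat.S_IRWXG, "o": stat.S_IRWXO}
PERM_BITS = {"r": stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH,
             "w": stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH,
             "x": stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH}

def clear_mask(symbolic: str) -> int:
    """Hypothetical helper: turn a restrict-only symbolic mode ("u-x,g-wx,o-rwx")
    into the set of permission bits to clear. Only '-' clauses are accepted, so
    applying the result can never widen access on an already-tighter file."""
    mask = 0
    for clause in symbolic.split(","):
        who, op, perms = clause[0], clause[1], clause[2:]
        if op != "-" or who not in WHO_BITS or not perms:
            raise ValueError(f"unsupported clause: {clause!r}")
        for p in perms:
            mask |= WHO_BITS[who] & PERM_BITS[p]
    return mask

def tighten(path: str, symbolic: str) -> str:
    """Hypothetical helper: remove the masked bits from one file. A file that
    vanished since it was listed (the race in this issue) is reported as
    'absent' and skipped instead of aborting the whole loop."""
    mask = clear_mask(symbolic)
    try:
        current = stat.S_IMODE(os.stat(path).st_mode)
        wanted = current & ~mask
        if wanted == current:
            return "ok"
        os.chmod(path, wanted)
        return "changed"
    except FileNotFoundError:
        return "absent"

def demo() -> dict:
    """Constructed sample: rotated logs at different starting modes, one deleted
    before the chmod runs. Returns {name: (status, final_mode_or_None)}."""
    sample = {"sessionlauncher.log.2023-09-21-14-19": 0o644,  # too loose, gets fixed
              "agent.console.log": 0o600,                      # tighter, left alone
              "sessionlauncher.log": 0o640,                    # already compliant
              "vanished.log": 0o644}                           # removed mid-run
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in sample.items():
            open(os.path.join(d, name), "w").close()
            os.chmod(os.path.join(d, name), mode)
        os.unlink(os.path.join(d, "vanished.log"))
        for name in sample:
            p = os.path.join(d, name)
            status = tighten(p, "u-x,g-wx,o-rwx")
            final = None if status == "absent" else stat.S_IMODE(os.stat(p).st_mode)
            results[name] = (status, final)
    return results
```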
