
6.1.15 is not printing message alert when SGID executables exist #247

Closed
boris-stojnev opened this issue Dec 14, 2022 · 4 comments


boris-stojnev commented Dec 14, 2022

Describe the Issue
First task in the block 6.1.15 is using a register variable with a loop, but that variable rhel_08_6_1_15_perms_results is wrongly used in the second and third task of the 6.1.15 block.

Expected Behavior
Print debug msg with items on which manual intervention is required.

Actual Behavior
Task 6.1.15 | AUDIT | Audit SGID executables | Alert SGID executables exist will always be skipped because the condition will never be accomplished.

Environment:

  • Ansible Version: 2.13.7
  • Host Python Version: /
  • Ansible Server Python Version: 3.8.10
  • Using branch: devel

Possible Solution
Each mount point entry will be in the list; rhel_08_6_1_15_perms_results.results[].stdout_lines should be the correct path.
Reference https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_loops.html#registering-variables-with-a-loop

Edit: The same issue for 6.1.14 as well

@boris-stojnev boris-stojnev added the bug Something isn't working label Dec 14, 2022
boris-stojnev (Author) commented

I’m not very happy with this possible solution, but at least it prints warnings and it’s not misleading.

```yaml
- name: "6.1.15 | AUDIT | Audit SGID executables"
  block:
      # Runs once per mount; the registered variable therefore holds a
      # .results list with one entry per item, not a single stdout.
      - name: "6.1.15 | AUDIT | Audit SGID executables | Find all SGID executables"
        shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000
        failed_when: false
        changed_when: false
        register: rhel_08_6_1_15_perms_results
        with_items: "{{ ansible_mounts }}"
        loop_control:
            label: "{{ item.mount }}"

      # Each loop iteration below sees one per-mount result (item.stdout,
      # item.stdout_lines, item.item = the original mount entry).
      - name: "6.1.15 | AUDIT | Audit SGID executables | Alert no SGID executables exist"
        debug:
            msg: "Good news! We have not found any SGID executable files on your system"
        failed_when: false
        changed_when: false
        when: item.stdout == ""
        loop: "{{ rhel_08_6_1_15_perms_results.results }}"

      - name: "6.1.15 | AUDIT | Audit SGID executables | Alert SGID executables exist"
        debug:
            msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}"
        when: item.stdout != ""
        loop: "{{ rhel_08_6_1_15_perms_results.results }}"

      - name: "6.1.15 | AUDIT | Alert SGID executables exist - Manual | warning count"
        set_fact:
            control_number: "{{ control_number }} + [ 'rule_6.1.15' ]"
            warn_count: "{{ warn_count | int + 1 }}"
        when: item.stdout != ""
        loop: "{{ rhel_08_6_1_15_perms_results.results }}"

  when:
      - rhel8cis_rule_6_1_15
  tags:
      - level1-server
      - level1-workstation
      - manual
      - audit
      - files
      - rule_6.1.15
```

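An alternative shape for the alert tasks, added here as an example and not code from the issue or from the project's own role: it keeps the first (register) task from the snippet above unchanged and collapses `rhel_08_6_1_15_perms_results.results` into one flat list with `map`/`flatten`, so each alert and the warning counter fire once instead of once per mount. The fact name `rhel_08_6_1_15_sgid_files` is an assumption.

```yaml
# Replaces the second, third and fourth tasks of the 6.1.15 block.
# Assumes rhel_08_6_1_15_perms_results was registered by the looped
# shell task, so .results has one entry (with stdout_lines) per mount.
- name: "6.1.15 | AUDIT | Audit SGID executables | Collect findings from all mounts"
  set_fact:
      # Hypothetical fact name; every mount's stdout_lines merged into one list.
      rhel_08_6_1_15_sgid_files: "{{ rhel_08_6_1_15_perms_results.results | map(attribute='stdout_lines') | flatten }}"

- name: "6.1.15 | AUDIT | Audit SGID executables | Alert no SGID executables exist"
  debug:
      msg: "Good news! We have not found any SGID executable files on your system"
  when: rhel_08_6_1_15_sgid_files | length == 0

- name: "6.1.15 | AUDIT | Audit SGID executables | Alert SGID executables exist"
  debug:
      msg: "Manual intervention is required -- SGID set on: {{ rhel_08_6_1_15_sgid_files | join(', ') }}"
  when: rhel_08_6_1_15_sgid_files | length > 0

- name: "6.1.15 | AUDIT | Alert SGID executables exist - Manual | warning count"
  set_fact:
      control_number: "{{ control_number }} + [ 'rule_6.1.15' ]"
      warn_count: "{{ warn_count | int + 1 }}"
  when: rhel_08_6_1_15_sgid_files | length > 0
```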
@uk-bolly uk-bolly self-assigned this Jan 24, 2023
uk-bolly added a commit that referenced this issue Apr 12, 2023
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
uk-bolly (Member) commented

hi @boris-stojnev

Thank you for raising this issue, we've been working on a suitable solution for this issue.
There is a new PR raised now to address this issue, which we hope to get merged later today.
Apologies for the delay in addressing this issue.

many thanks

uk-bolly

uk-bolly (Member) commented

hi @boris-stojnev

Thank you again for raising this issue and for your patience. This is now merged into devel.
We hope to merge into devel over the next week.

Many thanks

uk-bolly


uk-bolly commented Sep 6, 2023

hi @boris-stojnev

This issue has been merged into main. I will therefore close this issue. Please open an issue if you feel this is not resolved.

many thanks

uk-bolly

@uk-bolly uk-bolly closed this as completed Sep 6, 2023