Playbook won't run for hardening #462

Closed
Mike-Zelixon opened this issue Jul 12, 2021 · 14 comments

@Mike-Zelixon

Hi guys,
I'm an ansible n00b and the os hardening isn't working for me.

I wrote a simple playbook like in the default

- hosts: localhost
  become: true 
  ignore_errors: yes
  ignore_unreachable: yes 
 
  collections:
    - devsec.hardening
  roles:
    - os_hardening

and added a hosts file with localhost as host.

I run ansible-playbook -i host play.yml and this is what I get

PLAY [localhost] **********************************************************************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************************************************
fatal: [localhost]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh: connect to host localhost port 22: Connection refused", "skip_reason": "Host localhost is unreachable", "unreachable": true}

TASK [os_hardening : include_tasks] ***************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"reason": "couldn't resolve module/action 'pam_limits'. This often indicates a misspelling, missing collection, or incorrect module path.\n\nThe error appears to be in '/etc/ansible/roles/os_hardening/tasks/limits.yml': line 11, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: Create additional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b\n    ^ here\n"}

PLAY RECAP ****************************************************************************************************************************************************************************
localhost                  : ok=0    changed=0    unreachable=1    failed=1    skipped=1    rescued=0    ignored=0   

if anyone can help me i would greatly appreciate it !!!!!!

@rndmh3ro
Member

The error means that ansible cannot connect to your local server via ssh. This has nothing to do with the collection.

Try this:

- hosts: localhost
  connection: local
  collections:
    - devsec.hardening
  roles:
    - os_hardening

@Mike-Zelixon
Author

Mike-Zelixon commented Jul 12, 2021

Thanks!!! But what about the 2nd error?
With 'pam_limits'
I get the same error with the new YML and then it stops.

@rndmh3ro
Member

If you fill out the bug-template that we provide, I can try to help you. What Ansible version do you use? How did you install the collection? What other collections are installed?

@Mike-Zelixon
Author

Bug template? Didn't see one.
I use ansible 2.10... I installed the collection via the github repo and via galaxy as well I believe.
Really appreciate the fast answers.

@rndmh3ro
Member

Do you have the community.general collection installed?
https://docs.ansible.com/ansible/latest/collections/community/general/pam_limits_module.html

This plugin is part of the community.general collection (version 3.3.0).

To install it use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.pam_limits.

@Mike-Zelixon
Author

Ok... I installed it... put it into play.yml.... and now I'm getting this

ERROR! 'community.general.pam_limits' is not a valid attribute for a Play

The error appears to be in '/etc/ansible/roles/os_hardening/defaults/play.yml': line 1, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

@rndmh3ro
Member

Your indentation is probably wrong. Please show the code you used.

@Mike-Zelixon
Author

You told me to include in the playbook no?

I tried this

- hosts: localhost
  connection: local
  ignore_errors: yes   
 
  collections:
    - devsec.hardening
  roles:
    - os_hardening


- name: Mike 
  community.general.pam_limits:
    domain: localhost

and this . nothing works.

- hosts: localhost
  connection: local
  ignore_errors: yes   
 
  collections:
    - devsec.hardening
  roles:
    - os_hardening
 
  community.general.pam_limits:
    domain: localhost

@rndmh3ro
Member

You probably should read some introductory tutorials on Ansible to get the basics before trying to use more complicated collections.

Use this:

- hosts: localhost
  connection: local
 
  collections:
    - devsec.hardening
  roles:
    - os_hardening
  tasks:
    - name: Mike 
      community.general.pam_limits:
        domain: localhost

@Mike-Zelixon
Author

I don't understand...
I used exactly what you wrote just now....
And I still get an error...

ERROR! couldn't resolve module/action 'community.general.pam_limits'. This often indicates a misspelling, missing collection, or incorrect module path.

The error appears to be in '/etc/ansible/roles/os_hardening/defaults/play.yml': line 9, column 7, but may
be elsewhere in the file depending on the exact syntax problem.

I installed the module with ansible galaxy and I'm still getting this error.

At this point I'm almost ready to give up and use another hardening script....

@rndmh3ro
Member

> I used exactly what you wrote just now....

No, you didn't, the code you showed and the code I showed are different.

> The error appears to be in '/etc/ansible/roles/os_hardening/defaults/play.yml': line 9, column 7, but may

This seems to me that Ansible doesn't use the collection but instead a role.

As this is not a support forum and your issue not a bug, please read up on the basic Ansible concepts.

@Mike-Zelixon
Author

This is what I used (exactly what you told me to do)

- hosts: localhost
  connection: local
 
  collections:
    - devsec.hardening
  roles:
    - os_hardening
  tasks:
    - name: Mike 
      community.general.pam_limits:
        domain: localhost

this is the error i get

ERROR! couldn't resolve module/action 'community.general.pam_limits'. This often indicates a misspelling, missing collection, or incorrect module path.

am i missing something here ???

i'm sorry if i'm being a burden I really am

@schurzi
Contributor

schurzi commented Jul 14, 2021

> Do you have the community.general collection installed?
> https://docs.ansible.com/ansible/latest/collections/community/general/pam_limits_module.html
>
> This plugin is part of the community.general collection (version 3.3.0).
>
> To install it use: ansible-galaxy collection install community.general.
>
> To use it in a playbook, specify: community.general.pam_limits.

I'm thinking, maybe this error is from an older version of community.general collection. @Mike-Zelixon could you please run ansible-galaxy collection list on your ansible host and paste the output here?

Currently we are declaring a dependency on community.general in version 1.0.0, this seems wrong and maybe the cause for this problem.

community.general: '>=1.0.0'

@schurzi schurzi reopened this Jul 14, 2021
@dev-sec dev-sec deleted a comment from ezeelogin1 Apr 2, 2022
@rndmh3ro
Member

I just checked, pam_limits was already in community.general 1.0.0.

@Mike-Zelixon, if you still have problems, please open a new issue. Thanks!
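
A pre-flight check for the two causes raised in this thread (community.general missing or too old, and a standalone copy of the role under a roles/ directory being loaded instead of the collection), as an added example that is not part of the original issue or the dev-sec project's code. The function names, the sample listing and the devsec.hardening version shown are constructed for illustration.

```python
import re

# Collections the thread's playbook needs; floor is the '>=1.0.0' dependency quoted there.
REQUIRED = {"devsec.hardening": None, "community.general": (1, 0, 0)}

# Constructed sample of `ansible-galaxy collection list` output (values made up).
SAMPLE_LIST = """
# /home/user/.ansible/collections/ansible_collections
Collection       Version
---------------- -------
devsec.hardening 0.0.0
"""
# Error text shortened from the first report in the thread.
SAMPLE_ERROR = ("couldn't resolve module/action 'pam_limits'. The error appears "
                "to be in '/etc/ansible/roles/os_hardening/tasks/limits.yml': line 11")

def parse_collection_list(text):
    """Return {collection: [(search_path, version), ...]}."""
    found, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# "):  # header naming one collections path
            path = line[2:]
        elif m := re.fullmatch(r"([a-z0-9_]+\.[a-z0-9_]+)\s+(\S+)", line):
            found.setdefault(m.group(1), []).append((path, m.group(2)))
    return found

def version_tuple(version):
    # Unparsable versions such as '*' give () and compare as too old.
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])

def diagnose(list_output, error_text):
    findings = []
    installed = parse_collection_list(list_output)
    for name, floor in REQUIRED.items():
        copies = installed.get(name, [])
        if not copies:
            findings.append(f"missing collection: {name}")
        elif floor and all(version_tuple(v) < floor for _, v in copies):
            findings.append(f"{name} older than {'.'.join(map(str, floor))}")
        if len(copies) > 1:
            findings.append(f"{name} installed in {len(copies)} paths")
    # A file under .../roles/<name>/ that is not inside ansible_collections
    # means a standalone role copy was loaded instead of the collection's role.
    m = re.search(r"'(/[^']*/roles/([^/']+)/[^']*)'", error_text)
    if m and "ansible_collections" not in m.group(1):
        findings.append(f"standalone role '{m.group(2)}' loaded from {m.group(1)}")
    return findings

if __name__ == "__main__": print("\n".join(diagnose(SAMPLE_LIST, SAMPLE_ERROR)))
```

Feed it the real output of ansible-galaxy collection list and the error text from the failed run; an empty result means neither cause applies.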
