aide database file is missing

Bug #1745675 reported by Artyom
This bug affects 1 person
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Undecided
Assigned to: Major Hayden
Milestone:

Bug Description

I have a simple configuration file like this:

- name: Harden all systems
  hosts: all
  become: yes
  vars:
    security_enable_firewalld: yes
    security_rhel7_initialize_aide: yes
  roles:
    - ansible-hardening

The problem is that step "Move AIDE database into place" doesn't do what is expected.

Even if the file /var/lib/aide/aide.db.new.gz doesn't exist, step "Initialize AIDE (this will take a few minutes)" doesn't trigger "Move AIDE database into place".

skipping: [X.X.X.X] => {
    "changed": false,
    "skip_reason": "Conditional result was False"
}

Artyom (artyomboyko) wrote :

CentOS Linux release 7.4.1708 (Core)

Changed in openstack-ansible:
assignee: nobody → Major Hayden (rackerhacker)
Tim Way (tim.way) wrote :

https://github.com/openstack/ansible-hardening/blob/f422da8599c6d8f64ebfefbf0a0aa711ea1f9569/tasks/rhel7stig/aide.yml#L117-L119

^^ Always results in False for When so it is never run.

https://github.com/openstack/ansible-hardening/blob/f422da8599c6d8f64ebfefbf0a0aa711ea1f9569/tasks/rhel7stig/aide.yml#L99-L100

^^ Changed_when: False here. Could this be more intelligently tested for change or remove it as a condition for the first task I listed?

Major Hayden (rackerhacker) wrote :
Changed in openstack-ansible:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-hardening (master)

Fix proposed to branch: master
Review: https://review.openstack.org/541398

OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-hardening (master)

Reviewed: https://review.openstack.org/541398
Committed: https://git.openstack.org/cgit/openstack/ansible-hardening/commit/?id=295ef13395a2edf1922b0d5a31f224fdf4b0b525
Submitter: Zuul
Branch: master

commit 295ef13395a2edf1922b0d5a31f224fdf4b0b525
Author: Major Hayden <email address hidden>
Date: Tue Feb 6 12:39:10 2018 -0600

    Move aide db when needed

    The task that moves the aide database checks to see whether aide
    was just initialized, but that task has a "changed_when: false" to
    help with idempotency. That means that the database never gets
    moved into place.

    This patch changes the task to check whether the aide
    initialization was skipped or not. If it wasn't skipped, then the
    database will be moved.

    Closes-Bug: 1745675
    Change-Id: I2f186274cbff4b38706603a51429557057843e4e
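
The failure mode the commit message describes, reproduced as an added example (not the ansible-hardening role's own tasks): a stand-in command registered with `changed_when: false`, followed by the old-style and the fixed condition. The task names, `db_missing` and `init_result` are hypothetical, and the `is changed` / `is skipped` test syntax assumes Ansible 2.5 or later.

```yaml
# Constructed demo playbook; task and variable names are hypothetical.
# Run with: ansible-playbook demo.yml   (uses the implicit localhost)
- name: Demonstrate changed_when false versus a skipped check
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Stand-in for "the AIDE database does not exist yet".
    # Set to false to see both follow-up tasks skip.
    db_missing: true
  tasks:
    - name: Stand-in for the initialization command
      ansible.builtin.command: "true"
      changed_when: false        # result always reports changed=false
      register: init_result
      when: db_missing | bool

    # Condition keyed on "changed": can never be true, because the
    # registered result has changed=false whether the task ran or not.
    - name: Move step guarded by the changed test (always skipped)
      ansible.builtin.debug:
        msg: "would move the database (changed test)"
      when: init_result is changed

    # Condition keyed on "skipped": true exactly when the init task ran.
    - name: Move step guarded by the not-skipped test
      ansible.builtin.debug:
        msg: "would move the database (not skipped test)"
      when: init_result is not skipped

    - name: Confirm both observations
      ansible.builtin.assert:
        that:
          - init_result is not changed
          - (init_result is not skipped) == (db_missing | bool)
```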

Changed in openstack-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-hardening (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/544723

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-hardening (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/544725

OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-hardening (stable/pike)

Reviewed: https://review.openstack.org/544725
Committed: https://git.openstack.org/cgit/openstack/ansible-hardening/commit/?id=cee2e0b5b432c50614b908d9bf50ed2cc32d8daa
Submitter: Zuul
Branch: stable/pike

commit cee2e0b5b432c50614b908d9bf50ed2cc32d8daa
Author: Major Hayden <email address hidden>
Date: Tue Feb 6 12:39:10 2018 -0600

    Move aide db when needed

    The task that moves the aide database checks to see whether aide
    was just initialized, but that task has a "changed_when: false" to
    help with idempotency. That means that the database never gets
    moved into place.

    This patch changes the task to check whether the aide
    initialization was skipped or not. If it wasn't skipped, then the
    database will be moved.

    Closes-Bug: 1745675
    Change-Id: I2f186274cbff4b38706603a51429557057843e4e
    (cherry picked from commit 295ef13395a2edf1922b0d5a31f224fdf4b0b525)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ansible-hardening 16.0.9

This issue was fixed in the openstack/ansible-hardening 16.0.9 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ansible-hardening 17.0.0.0rc2

This issue was fixed in the openstack/ansible-hardening 17.0.0.0rc2 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ansible-hardening 18.0.0.0b1

This issue was fixed in the openstack/ansible-hardening 18.0.0.0b1 development milestone.
