Lab 9 Enforcing compliance with Ansible fails

freddysf

Failure on Ubuntu 20.04.6 LTS:

`~/secops/ansible# ansible-playbook compliance.yaml
ERROR! this task 'ansible.builtin.include_tasks' has extra params, which is only allowed in the following modules: command, raw, import_tasks, add_host, include, meta, include_vars, set_fact, win_shell, include_tasks, shell, import_role, script, group_by, win_command, include_role

The error appears to be in '/root/secops/ansible/collections/ansible_collections/devsec/hardening/roles/os_hardening/tasks/main.yml': line 2, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

---

• name: Include hardening tasks
  ^ here`

freddysf

@gouravshah

gouravshah

@freddysf if you look at the code and where it comes from, it is being invoked by the following code that you are applying

https://github.com/lfs262/secops/blob/main/ansible/compliance.yaml

This invokes a collection from Ansible Galaxy, namely https://galaxy.ansible.com/devsec/hardening. The source code being called is here

https://github.com/dev-sec/ansible-collection-hardening/blob/master/roles/os_hardening/tasks/main.yml

following is the actual code where the issue lies

---
- name: Include hardening tasks
  ansible.builtin.include_tasks: hardening.yml
  when: os_hardening_enabled | bool
  tags:
    - always

I want you to try a couple of things here,

1. Share with me the version of Ansible. Also try updating it to the latest version if not already.
2. Try using " " in line number 3 above which should then look like "hardening.yml" let me know if that fixes it.

Do report your findings. Also, you could join the office hours on Monday/Tuesday where we could do some live debugging.

freddysf

yeah I did install the latest version of Ansible and not sure if it's because the hardening role version in the labs is much older than the current one from https://github.com/dev-sec/ansible-collection-hardening > "We have kept the old releases of the os-hardening role in this repository, so you can find the them by exploring older tags. The last release of the standalone role was 6.2.0."

I tried a few things and ended up doing from scratch, I've deleted the instance but something like this worked, though there were many more issues than in the lab reported by inspec after running the playbook:

ansible-galaxy install dev-sec.os-hardening

inventory.ini:

[localhost]
127.0.0.1 ansible_connection=local
 

compliance.yml:

---
- name: Apply os-hardening to localhost
  hosts: localhost
  become: yes
  roles:
    - role: dev-sec.os-hardening
  vars:
    os_security_kernel_enable_module_loading: true
    os_security_ssh_client_config: true
    os_security_ssh_max_auth_retries: 5
    os_security_ssh_password_authentication: no
    os_security_ssh_permit_root_login: no

gouravshah

@freddysf thanks for reporting your findings. I would test these changes and incorporate into the labs. As for the inspec reports, we still need to figure out whether there are new checks that ansible is missing or if its ansible os hardening playbook which is less effective now.

marioercef

Just install older version of collection by doing this:

ansible-galaxy collection install devsec.hardening:8.3.0 --force