RHEL 8.2 tries to remove linux-firmware, when 2.2.2 does a yum remove xorg-x11* #4
Comments
Hi
You state whether you want the package present or absent, if you want it present, the "security exception" number or text should be added (in quotes).
Harry,
Thx for the swift response. It is an issue with RHEL 8.2 and I have a
conditional in my playbook. If it is 8.2 then put in an exception.
The "conditional" to check its presence before trying to remove it would
be good, but no rush on it!
Cheers,
Andrew Hamilton MEngSc. (Elec.), Grad Dip. PM, BE (Comp.)
Senior Consultant
Red Hat <https://www.redhat.com>
A: L11, 40 Marcus Clarke Street,
Canberra City, ACT, 2601, Australia
E: [email protected] <[email protected]>
M: +61-477-242-645-[+61-477-ahamil]
F: +61-2-6247-4380
@redhat <https://twitter.com/redhat> Red Hat
<https://www.linkedin.com/company/red-hat> Red Hat
<https://www.facebook.com/RedHatInc>
<https://red.ht/sig>
…On Thu, Jun 4, 2020 at 10:35 AM HarryHarcourt ***@***.***> wrote:
Hi
In relation to this, it is a valid, I think, I did in the
defaults/main.yml put a section in there:
```yaml
# 2.2.2
# Installation of X-Windows
cis_xwindows_install: { package: "xorg-x11*", state: absent, exception: 123 }
```
You state whether you want the package present or absent, if you want it
present, the "security exception" number or text should be added (in
quotes).
I guess we need a "conditional" to check its presence before trying to
remove it.
Hi Andrew
G'day Ben,
Seems to be an issue with EL8.2, the CIS Benchmark role didn't fail before
that update. The CIS role tries to remove xorg-x11* but fails because the
dependency linux-firmware is also to be removed. The workaround is to
exclude test 2.2.2 on systems that have this issue.
*NOTE:* This failure also happens when you try to remove xorg-x11*
manually. So, it's definitely a RHEL 8.2 issue.
*Bottom line:* There are legitimate reasons to exclude a hardening task
from a host - provided other mitigations are in place there shouldn't be
any problems.
I have put a condition in my play that if it's RHEL8.2+, then I exclude
2.2.2. I've put the "+" in there in anticipation of the bug carrying
through to RHEL8.3, but may need to modify the play in the near future!
I've done a quick bugzilla.redhat.com search and can't find a bug for it.
Haven't tried it on Fedora as in the middle of something, and don't want to
try to remove xorg-x11*, in case something else breaks on it. Besides, I
would have to update to 32 first... 🤓 And even though it should be done on
a VM, I don't have any spare IT resources ATM!
Cheers,
Andrew Hamilton MEngSc. (Elec.), Grad Dip. PM, BE (Comp.)
…On Thu, Jun 11, 2020 at 3:57 AM HarryHarcourt ***@***.***> wrote:
Hi Andrew
Would you like to share your condition?
Best
Ben
Have you tried blocks before, this may prove an easier path.
Yeah, have them in my playbook. It's how I circumvented the problem.
Basically I have a block for [when] RHEL 8 then narrow it down to [when]
8.1- and 8.2+
Thx for the tip,
Andrew Hamilton
…On Tue, Jun 16, 2020 at 2:00 AM HarryHarcourt ***@***.***> wrote:
Have you tried blocks before, this may prove an easier path.
https://docs.ansible.com/ansible/latest/user_guide/playbooks_blocks.html
Do you think you could commit back into this effort?
Just hit a bug in my hardening.yml, so when I figure it out, I will
commit...
Cheers,
Andrew
Ben,
I don't wish to modify the role as it works perfectly. However, I have
written a hardening.yml script to import the role. It just adds exceptions,
and the default is changed for RHEL 8.2+:
```yaml
---
- name: System Hardening
  become: true
  hosts: all
  tasks:
    - block:
        - block:
            - name: Apply CIS hardening for RHEL 8.0 or 8.1 via role Ansible-RHEL8-CIS-Benchmarks8
              include_role:
                name: Ansible-RHEL8-CIS-Benchmarks
                # tags on include_role only tag the include task itself;
                # apply propagates them to the role's tasks so --tags cis works
                apply:
                  tags:
                    - hardening
                    - cis
              tags:
                - hardening
                - cis
              # version test rather than a string comparison ('8.10' < '8.2' lexically)
              when: ansible_distribution_version is version('8.2', '<')
            - name: Apply CIS hardening for RHEL 8.2+ via role Ansible-RHEL8-CIS-Benchmarks8
              include_role:
                name: Ansible-RHEL8-CIS-Benchmarks
                apply:
                  tags:
                    - hardening
                    - cis
              vars:
                # See hosts_template for more details on exclusions
                cis_level_1_exclusions: ['1.2.3','1.3.1','1.8','2.2.2','2.2.7','3.4.1',
                                         '3.4.2','3.4.3','3.4.4','3.4.5','4.1.3','5.4.1.1','5.3.2']
              tags:
                - hardening
                - cis
              when: ansible_distribution_version is version('8.2', '>=')
          when: ansible_distribution_major_version == '8'
        - name: Apply CIS hardening for EL7
          import_role:
            name: Ansible-RHEL7-CIS-Benchmarks
          tags:
            - hardening
            - cis
          when: ansible_distribution_major_version == '7'
      when: ansible_distribution == 'RedHat' or ansible_distribution == 'CentOS'

- name: Extra System Hardening
  become: true
  hosts: all
  tasks:
    - name: Apply additional hardening
      import_role:
        name: ansible-role-extra-hardening
      tags:
        - hardening
```
*NOTE:* The default cis_level_1_exclusions as defined in the hosts files are
`['1.2.3','1.3.1','1.8','2.2.7','3.4.1','3.4.2','3.4.3','3.4.4','3.4.5','4.1.3','5.4.1.1','5.3.2']`,
so the additional exclusion is 2.2.2.
Cheers,
Andrew Hamilton
I fumbled my way through it and found of the list of xorg-x11* packages, it was unhappy if I ran Oddly though, when I broke out the list of xorg-x11-drv* and ran each package of that individually, it never tried to remove linux-firmware.
G'day Harry,
Again thx for writing this role. There is an issue with RHEL8.2: I have a work-around in my Ansible playbook, but thought you should know...
TASK [Ansible-RHEL8-CIS-Benchmarks : 2.2.2 - Ensure X Window System is absent, exception 123] => yum remove xorg-x11* => erroring on trying to remove linux-firmware. Q: why is it trying to remove it? A: Unknown ATM
The CIS play tries to remove xorg-x11* but fails if it is already absent. Workaround is to exclude test 2.2.2 on systems that have this issue. Also had other issues with this where the removal of xorg-x11* was successful but removes dependent packages installed by other processes - example being grafana, which installs an X11 font package - the hardening goes ahead and REMOVES xorg-x11* including the required font package. Bottom line, there are legitimate reasons to exclude a hardening task from a host - provided other mitigations are in place there shouldn't be any problems.
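The presence check suggested in the thread, plus a preview of what dnf would actually pull into the removal transaction (the linux-firmware and grafana font cases above), written as an added example and not as tasks from the Ansible-RHEL8-CIS-Benchmarks role or from the hardening.yml posted here. It assumes a dnf-based EL8 host and the `cis_xwindows_install` default quoted from the role; the `cis_xwindows_present` and `cis_xwindows_preview` names and the `^xorg-x11-` prefix are assumptions.

```yaml
# Added example, not code from the Ansible-RHEL8-CIS-Benchmarks role.
# Assumes the role default quoted in this thread:
#   cis_xwindows_install: { package: "xorg-x11*", state: absent, exception: 123 }
- name: 2.2.2 - Gather installed package facts (read-only)
  ansible.builtin.package_facts:
    manager: auto

- name: 2.2.2 - List only the xorg-x11 packages that are actually installed
  ansible.builtin.set_fact:
    # cis_xwindows_present is an assumed fact name; the regex prefix mirrors
    # the role's "xorg-x11*" glob. An empty list means X is already absent.
    cis_xwindows_present: "{{ ansible_facts.packages.keys() | select('match', '^xorg-x11-') | list }}"

- name: 2.2.2 - Preview the removal transaction without changing the host
  # dnf --assumeno prints the full transaction, including dependent packages
  # that would be removed alongside the targets, then declines and exits non-zero
  ansible.builtin.command:
    cmd: "dnf remove --assumeno {{ cis_xwindows_present | join(' ') }}"
  register: cis_xwindows_preview
  changed_when: false
  failed_when: false   # the declined transaction is the expected outcome here
  when: cis_xwindows_present | length > 0

- name: 2.2.2 - Show what dnf would remove (review before the real run)
  ansible.builtin.debug:
    var: cis_xwindows_preview.stdout_lines
  when: cis_xwindows_present | length > 0

- name: 2.2.2 - Ensure X Window System is absent
  ansible.builtin.dnf:
    name: "{{ cis_xwindows_present }}"   # explicit package list, not the glob
    state: absent
  # skipped cleanly when nothing matches (already absent) or the
  # role variable says X is wanted present under an exception
  when:
    - cis_xwindows_install.state == 'absent'
    - cis_xwindows_present | length > 0
```

Running the play with `--check` stops before the final task, so the preview output alone tells you whether a host needs 2.2.2 excluded or the dependent package (such as grafana's font package) reinstalled afterwards.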