/opt/AMAZON2-CIS-Audit/run_audit.sh: Permission denied #19

Closed
swestcott opened this issue Apr 26, 2023 · 1 comment
Labels: bug (Something isn't working)

Comments

@swestcott

Describe the Issue
As per #18, I'm running in an environment without internet access so I need to copy the audit file to the server.

Relevant config:

    setup_audit: true
    run_audit: true
    skip_reboot: true
    get_goss_file: copy
    audit_content: copy
    copy_goss_from_path: ../goss
    audit_local_copy: ../AMAZON2-CIS-Audit/

Expected Behavior
Ansible is able to execute the run_audit.sh script

Actual Behavior
run_audit.sh fails to run as it's missing the execute bit

    fatal: [default]: FAILED! => {
        "changed": true,
        "cmd": "/opt/AMAZON2-CIS-Audit/run_audit.sh -v /opt/AMAZON2-CIS-Audit/vars/ip-10-0-0-8.yml -o /opt/ip-10-0-0-8-AMAZON2-CIS_pre_scan_1682517307.json -g ['ungrouped']",
        "delta": "0:00:00.003543",
        "end": "2023-04-26 14:06:20.355328",
        "msg": "non-zero return code",
        "rc": 126,
        "start": "2023-04-26 14:06:20.351785",
        "stderr": "/bin/sh: /opt/AMAZON2-CIS-Audit/run_audit.sh: Permission denied",
        "stderr_lines": ["/bin/sh: /opt/AMAZON2-CIS-Audit/run_audit.sh: Permission denied"],
        "stdout": "",
        "stdout_lines": []
    }

Environment (please complete the following information):
As per #18

Additional Notes
When the audit files are copied to the remote host, the file permissions are set to 0644, thereby removing the execute bit(s) on all files, including run_audit.sh.

https://github.com/ansible-lockdown/AMAZON2-CIS/blob/devel/tasks/pre_remediation_audit.yml#L33-L39

Possible Solution
Either preserve or re-add the execute bit on run_audit.sh

@swestcott swestcott added the bug Something isn't working label Apr 26, 2023
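One way to do what the Possible Solution above describes, shown here as an added example rather than the role's own tasks or anything posted in this thread. It copies the audit content with `mode: preserve` instead of a fixed 0644, re-adds the execute bit on run_audit.sh unconditionally, and then checks the bit with `stat` so the play fails with a readable message instead of a `/bin/sh` rc=126. The task names, the use of the `audit_local_copy` variable, the `when` condition and the root ownership are assumptions for illustration.

```yaml
# Added example, not the AMAZON2-CIS role's own tasks. Variable names, task
# names and the 'when' condition are assumptions for illustration.
- name: Copy audit content to the target, keeping the source file modes
  ansible.builtin.copy:
    src: "{{ audit_local_copy }}"     # e.g. ../AMAZON2-CIS-Audit/ (trailing slash copies the contents)
    dest: /opt/AMAZON2-CIS-Audit/
    owner: root
    group: root
    mode: preserve                     # keep each file's permissions; a fixed 0644 strips +x
  when: audit_content == 'copy'

- name: Re-add the execute bit on run_audit.sh regardless of how it arrived
  ansible.builtin.file:
    path: /opt/AMAZON2-CIS-Audit/run_audit.sh
    owner: root
    group: root
    mode: '0755'                       # owner-writable only, since it is later run as root
    state: file

- name: Check run_audit.sh is executable before it is invoked
  ansible.builtin.stat:
    path: /opt/AMAZON2-CIS-Audit/run_audit.sh
  register: run_audit_stat

- name: Fail early with a clear message instead of a /bin/sh rc=126
  ansible.builtin.assert:
    that:
      - run_audit_stat.stat.exists
      - run_audit_stat.stat.executable
    fail_msg: "/opt/AMAZON2-CIS-Audit/run_audit.sh is missing or not executable (mode {{ run_audit_stat.stat.mode | default('n/a') }})"
```

`mode: preserve` only helps if the files on the controller still carry the execute bit (a git checkout normally does; a copy through a tool that drops modes does not), which is why the second task sets 0755 explicitly rather than relying on the copy alone.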
@uk-bolly (Member)

Hi @swestcott,

Many thanks for raising this issue; I am happy to include it in the next PR to devel, hopefully to be merged later this week.

Regards,

uk-bolly

@uk-bolly uk-bolly self-assigned this May 16, 2023
uk-bolly added a commit that referenced this issue May 16, 2023
Signed-off-by: Mark Bolwell <[email protected]>
@uk-bolly uk-bolly mentioned this issue May 16, 2023
uk-bolly added a commit that referenced this issue May 1, 2024
* #18 corrected

Signed-off-by: Mark Bolwell <[email protected]>

* updated due to #19 great catch

Signed-off-by: Mark Bolwell <[email protected]>

* V2.0.0 final release (#24)

* removed warn: false

Signed-off-by: Mark Bolwell <[email protected]>

* fix typos

Signed-off-by: Mark Bolwell <[email protected]>

* addressed #21

Signed-off-by: Mark Bolwell <[email protected]>

* updated 1.1.2 logic

Signed-off-by: Mark Bolwell <[email protected]>

* updated handler

Signed-off-by: Mark Bolwell <[email protected]>

---------

Signed-off-by: Mark Bolwell <[email protected]>

* Correct 4.1.15 sudo audit syntax (#26)

Signed-off-by: Andrew Davison <[email protected]>

---------

Signed-off-by: Mark Bolwell <[email protected]>
Signed-off-by: Andrew Davison <[email protected]>
Co-authored-by: Andrew Davison <[email protected]>
mfortin pushed a commit to mfortin/AMAZON2-CIS that referenced this issue Jun 7, 2024
Signed-off-by: Mark Bolwell <[email protected]>
Signed-off-by: fortinm <[email protected]>
mfortin pushed a commit to mfortin/AMAZON2-CIS that referenced this issue Jun 7, 2024