Comments (8)
`json_query` is a plugin that runs on the ansible controller, so jmespath should only be installed there. But given the many ways Python packages are changed this can be a challenge.
from rhel8-cis.
Up until the release of AlmaLinux 8.8 that script for 8.7 worked because pip3 was installed as a weak dependency of ansible-core 2.13.3:
from rhel8-cis.
To keep us busy the upstream decided to drop that behaviour while introducing ansible-core 2.14 with a transitive dependency on python 3.11. (no pip in the 3.11 update for Alma8.7)
from rhel8-cis.
Hence no pip, no jmespath. And `json_query` has been moved to `community.general` anyway...
So not a bug in ansible-core they might say.
from rhel8-cis.
Here it states that pip is no longer bundled.
https://www.redhat.com/sysadmin/install-python-pip-linux
from rhel8-cis.
And now since 8.8 python3.11-pip is bundled again!
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/assembly_introduction-to-python_configuring-basic-system-settings
from rhel8-cis.
Thank you for raising this issue and the thorough investigation into why and how. These details really help.
Think the best thing here to do while the distributors get some consistency is to add this to the FAQs and suggest that the system is patched and jmespath is confirmed prior to running the benchmark remediation.
I have looked at running with JQ; that is another product that may not be present on a system, but it also comes with a risk: if a query is not closed correctly it may affect a system, and we would rather not introduce anything at this time that may cause other issues.
Issue raised on RTD to get updated
Thanks as always
uk-bolly
from rhel8-cis.
Using the local provisioner in Packer I can use this playbook:
```yaml
- name: Play to harden AlmaLinux
  hosts: all:!localhost
  gather_facts: false
  become: true
  pre_tasks:
    # pip for Python 3.11, the interpreter ansible-core 2.14 runs under
    - name: Install pip3.11
      ansible.builtin.package:
        name: python3.11-pip
        state: present
    # jmespath is what the json_query filter imports
    - name: Install jmespath
      ansible.builtin.pip:
        name: jmespath
        state: present
        executable: /usr/bin/pip3.11
  roles:
    - role: rhel8cis
```
from rhel8-cis.
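The suggestion above to confirm jmespath before running the remediation can be expressed as a pre-flight check. This is an added example, not part of the thread or of the rhel8cis role; it assumes the play targets `all` and relies on Ansible's `ansible_playbook_python` magic variable, which holds the path of the interpreter running `ansible-playbook` on the controller.

```yaml
- name: Confirm jmespath on the Ansible controller before hardening
  hosts: all
  gather_facts: false
  become: true
  pre_tasks:
    # json_query runs on the controller, so test the controller's own
    # interpreter, not the system python3 or the target's python.
    - name: Try to import jmespath with the interpreter running ansible-playbook
      ansible.builtin.command:
        argv:
          - "{{ ansible_playbook_python }}"
          - "-c"
          - "import jmespath; print(jmespath.__version__)"
      delegate_to: localhost
      become: false
      run_once: true
      changed_when: false
      failed_when: false        # the assert below reports the result
      register: jmespath_check

    - name: Stop before the role runs if json_query would fail
      ansible.builtin.assert:
        that:
          - jmespath_check.rc == 0
        fail_msg: >-
          jmespath is not importable by {{ ansible_playbook_python }} on the
          controller; install it for that interpreter before running the role.
        success_msg: >-
          jmespath {{ jmespath_check.stdout | default('') }} found for
          {{ ansible_playbook_python }}
      run_once: true
  roles:
    - role: rhel8cis
```

Checking the exact interpreter matters here because a `pip3` install for the older system Python does not make jmespath visible to ansible-core 2.14 running under Python 3.11.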