Issue with a shell command

harry_devine · March 21, 2023, 11:52am

We have a role that implements the CIS benchmarks on our systems. When we get to the following play, we get the error described below:

name: Disable System Accounts - preparation
ansible.builtin.shell: |
set -o pipefail && awk -F’:’ |
($3<500 && $1!=“root” && $1!=“sync” && $1!=“shutdown” && $1!=“sync” && $1!=“shutdown” && $1!=“halt” && $7!=“/sbin/nologin”) { print $1 } /etc/passwd
register: enabled_system_accounts
changed_when: false

Error:

awk: cmd. line:1: |
awk: cmd. line:1: ^ syntax error
/bin/sh: -c: line 1: syntax error near unexpected token {' /bin/sh: -c: line 1: ($3<500 && $1!=“root” && $1!=“sync” && $1!=“shutdown” && $1!=“sync” && $1!=“shutdown” && $1!=“halt” && $7!=“/sbin/nologin”) { print $1 } /etc/passwd’

Any ideas?

Thanks,
Harry

Will_McDonald · March 21, 2023, 12:25pm

I suspect your problem is simply that your shell command’s incorrectly quoted and something like:

ansible.builtin.shell: |
set -o pipefail && awk -F’:’ '($3<500 && $1!=“root” && $1!=“sync” && $1!=“shutdown” && $1!=“sync” && $1!=“shutdown” && $1!=“halt” && $7!=“/sbin/nologin”) { print $1 } ’ /etc/passwd

Note the additional quotes.

https://github.com/major/ansible-role-cis/blob/master/tasks/section_07_level1.yml mostly matches your snippet but uses simpler formatting/quoting as an example.

https://github.com/major/ansible-role-cis appears to be deprecated, as does https://github.com/major/cis-rhel-ansible

It might also be worth including:

What target operating system release(s) you’re targeting and
What versions of upstream CIS roles you’re using.

harry_devine · March 21, 2023, 3:14pm

I was able to get past that issue, but now the next play is erroring out:

name: Disable System Accounts - preparation
ansible.builtin.shell: |
set -o pipefail && awk -F’:’ ‘($3<500 && $1!=“root” && $1!=“sync” && $1!=“shutdown” && $1!=“sync” && $1!=“shutdown” && $1!=“halt” && $7!=“/sbin/nologin”) { print $1 }’ /etc/passwd
register: enabled_system_accounts
changed_when: false
name: Disable System Accounts
ansible.builtin.user:
name: “{{ item }}”
shell: /sbin/nologin
with_items: “{{ enabled_system_accounts.stdout_lines }}”
when: enabled_system_accounts.stdout_lines is defined

The “Disable System Accounts” is giving me “The task includes an option with an undefined variable. The error was: ‘item’ is undefined”. I’m assuming that the “enabled_system_accounts” is not defined or available at this point? Any thoughts on how to get past this?

Thanks,
Harry

Alex_Wanderley · March 21, 2023, 3:42pm

Hello,

If you debug/print the whole content of “enabled_system_accounts” what do you see?
Is “enabled_system_accounts.stdout_lines” being populated?

Alex

dnmvisser · March 21, 2023, 4:25pm

with_items is incorrectly indented

Topic		Replies	Views
shell commands and escaping characters Ansible Project ubuntu	2	27	October 7, 2014
How to incorporate awk command in ansible shell module Ansible Project	5	357	August 28, 2019
invalid output was: /usr/bin/bash: syntax error at line 1: `(' unexpected Ansible Project	0	5	October 14, 2014
Tricky shell syntax error Ansible Project	8	47	December 1, 2013
command/shell tasks Results in Failures with the Use of action Ansible Project ansible-project	1	4	May 23, 2013

Issue with a shell command

Related topics