Ansible bigip - confirm only two local user accounts
Greetings. For security compliance purposes I'm trying to confirm that only two local user accounts exist on each F5 but not having any luck. Below are the two methods I've tried and the error messages. Any help would be greatly appreciated. Ansible 2.9.1 --- - name: check security compliance on F5s hosts: testGroup connection: local gather_facts: no vars: providerA: password: "{{ password }}" server: "{{ ansible_host }}" user: "{{ user }}" validate_certs: False tasks: - name: local users bigip_command: commands: list auth user provider: "{{ providerA }}" register: local_users - name: confirm only two user accounts exist debug: msg: "only two user accounts exist" when: local_users.stdout.find('auth user') == 2 { "msg": "The conditional check 'local_users.stdout.find('auth user') == 2' failed. The error was: error while evaluating conditional (local_users.stdout.find('auth user') == 2): 'list object' has no attribute 'find'\n\nThe error appears to be in '/tmp/bwrap_1407122_vqhuv58l/awx_1407122_2ajau8cz/project/ansible-f5-security-compliance/playbooks/main.yml': line 20, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: confirm only two user accounts exist\n^ here\n", "_ansible_no_log": false } --- - name: check security compliance on F5s hosts: testGroup connection: local gather_facts: no vars: providerA: password: "{{ password }}" server: "{{ ansible_host }}" user: "{{ user }}" validate_certs: False tasks: - name: local users bigip_device_info: gather_subset: - users provider: "{{ providerA }}" register: local_users - name: confirm only two user accounts exist debug: msg: "only two user accounts exist" when: local_users.stdout.find('full_path') == 2 { "msg": "The conditional check 'local_users.stdout.find('full_path') == 2' failed. The error was: error while evaluating conditional (local_users.stdout.find('full_path') == 2): 'dict object' has no attribute 'stdout'\n\nThe error appears to be in '/tmp/bwrap_1407131_x5we4dg9/awx_1407131_pmwj_q1j/project/ansible-f5-security-compliance/playbooks/main.yml': line 21, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: confirm only two user accounts exist\n^ here\n", "_ansible_no_log": false }
Mitigating Ruby YAML.load Universal RCE Deserialization Gadget with BIG-IP ASM
Recently a new YAML deserialization gadget was published that may lead to arbitrary code execution when deserialized by supplying it to Ruby'sYAML.load function as input. Prior to this new gadget it was known that calling YAML.load on user supplied input is a bad idea, but this was only relevant to applications that are based on the Ruby on Rails web framework. In this case the published gadget is universal, meaning it will only depend on the existence of classes that are shipped with the default installation of Ruby, and thus it will be able to execute code in any Ruby application that deserializes YAML documents using the YAML.load function. Mitigating the vulnerability with BIG-IP ASM BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing Ruby code injection attack signatures which can be found in signature sets that include the “Server Side Code Injection” attack type or “Ruby” System. Figure 1: Exploit blocked with attack signature 200004159 Additional Reading https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/
