
[feature request] Annotate task names with (tag) identifiers

Open apteryks opened this issue 4 years ago • 0 comments

Description of problem:

Filling the DISA SAR report is made more difficult because the DISA control items identifiers are not in the task names.

Steps to Reproduce:

Run the playbook with something like `ansible-playbook -i "my-host," --ask-become-pass --diff playbook.yml`, where playbook.yml is something like:

```yaml
- hosts: all
  become: true
  roles:
     - { role: RedHatOfficial.rhel7_stig }
  ignore_errors: "{{ ansible_check_mode }}"
```

Actual Results:

The results are printed like: [RedHatOfficial.rhel7_stig : Search /etc/audit/rules.d for other user/group modification audit rules]

Expected Results:

[RedHatOfficial.rhel7_stig : Search /etc/audit/rules.d for other user/group modification audit rules (DISA-STIG-RHEL-07-030870)]

Additional Information/Debugging Steps:

Here's how I worked around it, via a callback plugin, to annotate each task name with the DISA-STIG-... tag:

```python
# -*- coding: utf-8 -*-
# Copyright © 2021 Haivision
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.


DOCUMENTATION = '''
name: annotate_with_tags
type: stdout
short_description: Annotate output with DISA item tags.
extends_documentation_fragment:
- default_callback
description:
- "Each task in the RedHatOfficial.rhel7_stig playbook already contains
the DISA security item identifiers, but they are not included in the
task names.  This callback plugin changes this."
author:
- Maxim Cournoyer ([email protected])
requirements:
- set as stdout in configuration
'''


from ansible.plugins.callback.default import CallbackModule as CallbackModule_default


class CallbackModule(CallbackModule_default):

    '''
    A simple callback module that adds the DISA tag identifiers to the
    task names in the output.
    '''

    CALLBACK_VERSION = 2.0
    CALLBACK_TYPE = 'stdout'
    CALLBACK_NAME = 'annotate_with_tags'

    def v2_playbook_on_task_start(self, task, is_conditional):
        "Overridden to annotate the task's name with its DISA-STIG tag(s)."
        # XXX: Make the tag matching procedure configurable.
        # Sorted so that a task carrying several identifiers prints them in a
        # stable order (a bare set would iterate in arbitrary order).
        tags = sorted({x for x in task.tags if x.startswith('DISA-STIG')})
        tags_text = f' ({", ".join(tags)})' if tags else ''
        task.name += tags_text
        super().v2_playbook_on_task_start(task, is_conditional)
```

The above callback plugin file (annotate_with_tags.py) can be put next to your playbook.yml file under the callback_plugins directory. Perhaps it could be added to the documentation or something?

apteryks avatar Aug 19 '21 20:08 apteryks
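The tag-matching step from the workaround above, factored into pure functions as an added example (not the issue's plugin and not part of the RedHatOfficial.rhel7_stig role) so the "make the matching configurable" TODO can be handled and checked without running Ansible. It assumes the matching rule is a regular expression defaulting to the DISA-STIG prefix, and the sample tasks are constructed for illustration.

```python
import re
from typing import Dict, Iterable, List, Union

# Added example, not the plugin from the issue. Assumption: the matching
# rule is a regular expression, defaulting to the DISA-STIG prefix.
DEFAULT_PATTERN = r"^DISA-STIG-"


def select_tags(tags: Union[str, Iterable[str]], pattern: str = DEFAULT_PATTERN) -> List[str]:
    """Matching tags, de-duplicated and sorted so the output is stable
    (a bare set, as in the issue's plugin, iterates in arbitrary order)."""
    if isinstance(tags, str):  # Ansible allows `tags: foo` as a plain string
        tags = [tags]
    rx = re.compile(pattern)
    return sorted({t for t in tags if isinstance(t, str) and rx.search(t)})


def annotate_name(name: str, tags: Union[str, Iterable[str]], pattern: str = DEFAULT_PATTERN) -> str:
    """Append ' (ID1, ID2)' to a task name. No-op when nothing matches or the
    suffix is already present, so a second call cannot double-annotate."""
    selected = select_tags(tags, pattern)
    if not selected:
        return name
    suffix = f" ({', '.join(selected)})"
    return name if name.endswith(suffix) else name + suffix


def index_by_identifier(tasks: Iterable[dict], pattern: str = DEFAULT_PATTERN) -> Dict[str, List[str]]:
    """Map each control identifier to the task names carrying it: the lookup
    needed when filling in one SAR row per control."""
    index: Dict[str, List[str]] = {}
    for task in tasks:
        for ident in select_tags(task.get("tags", []), pattern):
            index.setdefault(ident, []).append(task["name"])
    return index


# Constructed sample tasks shaped like the role's (illustrative, not copied).
SAMPLE_TASKS = [
    {"name": "Search /etc/audit/rules.d for other user/group modification audit rules",
     "tags": ["audit_rules_usergroup_modification", "DISA-STIG-RHEL-07-030870",
              "medium_severity"]},
    {"name": "Set Password Minimum Length", "tags": "DISA-STIG-RHEL-07-010280"},
    {"name": "Gather the package facts", "tags": ["always"]},
]

if __name__ == "__main__":
    for t in SAMPLE_TASKS:
        print(annotate_name(t["name"], t["tags"]))
```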