
role fails when sections 4.1.4.5, 4.1.4.6 and 4.1.4.7 are set to false on the defaults main file

Open sgomez86 opened this issue 1 year ago • 1 comments

Describe the Issue: When rules rhel9cis_rule_4_1_4_5, rhel9cis_rule_4_1_4_6 and rhel9cis_rule_4_1_4_7 are set to false, the role will fail in file cis_4.1.4.x.yml at section 4.1.4.5, because the variable auditd_conf_files is not defined but is used for the loop.

Expected Behavior: Those sections are skipped.

Actual Behavior: The role fails because one variable used in the when condition is not defined.

Control(s) Affected What controls are being affected by the issue

Environment (please complete the following information):

  • branch being used: devel
  • Ansible Version: 2.12
  • Host Python Version: Python 3.10
  • Ansible Server Python Version: 3.10
  • Additional Details:

Additional Notes Anything additional goes here

Possible Solution: Include a block section that wraps tasks 4.1.4.5, 4.1.4.6 and 4.1.4.7.

- name: "4.1.4.5 - 4.1.4.7 | PATCH | Ensure audit configuration files are 640 or more restrictive and owned by root:root"
  block:
    - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
      ansible.builtin.file:
        path: "{{ item.path }}"
        mode: '0640'
      loop: "{{ auditd_conf_files.files }}"
      loop_control:
        label: "{{ item.path }}"
      when:
        # a plain `!=` against the regex string never matched anything; use the `match` test
        - item.mode is not match('06(0|4)0')
        - rhel9cis_rule_4_1_4_5
      tags:
        - level2-server
        - level2-workstation
        - patch
        - auditd
        - rule_4.1.4.5

    - name: "4.1.4.6 | PATCH | Ensure audit configuration files are owned by root"
      ansible.builtin.file:
        path: "{{ item.path }}"
        owner: root
      loop: "{{ auditd_conf_files.files }}"
      loop_control:
        label: "{{ item.path }}"
      when:
        - rhel9cis_rule_4_1_4_6
      tags:
        - level2-server
        - level2-workstation
        - patch
        - auditd
        - rule_4.1.4.6

    - name: "4.1.4.7 | PATCH | Ensure audit configuration files belong to group root"
      ansible.builtin.file:
        path: "{{ item.path }}"
        group: root
      loop: "{{ auditd_conf_files.files }}"
      loop_control:
        label: "{{ item.path }}"
      when:
        - rhel9cis_rule_4_1_4_7
      tags:
        - level2-server
        - level2-workstation
        - patch
        - auditd
        - rule_4.1.4.7
  # block-level guard: none of the loops run unless at least one rule is enabled
  when:
    - rhel9cis_rule_4_1_4_5 or
      rhel9cis_rule_4_1_4_6 or
      rhel9cis_rule_4_1_4_7

sgomez86 avatar Dec 15 '23 09:12 sgomez86
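The block-level guard proposed in the issue, as a constructed, self-contained playbook that is not code from the RHEL9-CIS role or from the reporter: it adds the assumed discovery task that registers auditd_conf_files, shows why a skipped find breaks an unguarded loop, and folds 4.1.4.6 and 4.1.4.7 into one task via `omit`. The variable rhel9cis_auditd_hardening and the /etc/audit file patterns are assumptions.

```yaml
# Constructed example (not the RHEL9-CIS role's code): reproduces the skipped-find
# failure and guards the loops with one block-level `when`. Names mirror the issue;
# the find task, rhel9cis_auditd_hardening and the /etc/audit patterns are assumed.
- name: Audit configuration file hardening (constructed example)
  hosts: localhost
  gather_facts: false
  vars:
    rhel9cis_rule_4_1_4_5: false
    rhel9cis_rule_4_1_4_6: false
    rhel9cis_rule_4_1_4_7: false
    # One condition shared by discovery and remediation, so both are skipped together
    rhel9cis_auditd_hardening: "{{ rhel9cis_rule_4_1_4_5 or rhel9cis_rule_4_1_4_6 or rhel9cis_rule_4_1_4_7 }}"
  tasks:
    - name: "4.1.4.x | AUDIT | Find audit configuration files"
      ansible.builtin.find:
        paths: /etc/audit
        patterns: ['*.conf', '*.rules']
        recurse: true
      register: auditd_conf_files
      when: rhel9cis_auditd_hardening | bool

    # A skipped registered task yields {"skipped": true, ...} with no "files" key, so an
    # unguarded `loop: "{{ auditd_conf_files.files }}"` raises an undefined-attribute error.
    # Gating the block on the same condition means the loops never run without data.
    - name: "4.1.4.5-7 | PATCH | Harden audit configuration file permissions and ownership"
      when: rhel9cis_auditd_hardening | bool
      block:
        - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
          ansible.builtin.file:
            path: "{{ item.path }}"
            mode: "0640"
          loop: "{{ auditd_conf_files.files }}"
          loop_control:
            label: "{{ item.path }}"
          when:
            - rhel9cis_rule_4_1_4_5
            # leave files that are already 0640 or tighter (0600, 0400, ...) untouched
            - item.mode is not match('^0?[0246][04]0$')

        - name: "4.1.4.6 / 4.1.4.7 | PATCH | Ensure audit configuration files are owned by root:root"
          ansible.builtin.file:
            path: "{{ item.path }}"
            owner: "{{ 'root' if rhel9cis_rule_4_1_4_6 else omit }}"
            group: "{{ 'root' if rhel9cis_rule_4_1_4_7 else omit }}"
          # default([]) is a second safety net: an empty loop if discovery never ran
          loop: "{{ auditd_conf_files.files | default([]) }}"
          loop_control:
            label: "{{ item.path }}"
          when: rhel9cis_rule_4_1_4_6 or rhel9cis_rule_4_1_4_7
```

With all three rules left at false the play completes with every task skipped; flip any one of them to true and run with `--become` (or `--check` first) to have the find populate the loop and the remediation apply.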

@sgomez86 thanks for the bug report. I believe I looked at a similar issue yesterday; we will discuss this in the coming days and should have an answer soon.

MrSteve81 avatar Dec 15 '23 14:12 MrSteve81

hi @sgomez86

This issue has been merged to devel and into the main branch. I will therefore close this issue. Please feel free to reopen if you feel it's not as expected.

Many thanks again for your time

uk-bolly

uk-bolly avatar Jun 19 '24 19:06 uk-bolly