
Why can't these fail?

Open smiller171 opened this issue 5 years ago • 2 comments

I can't find any tasks checking the registered vars, and yet these tasks are set to never fail. As far as I can tell these are scored rules that are being allowed to pass unchecked.

https://github.com/florianutz/Ubuntu1604-CIS/blob/8b12f248491aabc60c6c69ddedbfcfa6a7ae6edf/tasks/section1.yml#L313-L339
https://github.com/florianutz/Ubuntu1604-CIS/blob/8b12f248491aabc60c6c69ddedbfcfa6a7ae6edf/tasks/section1.yml#L363-L403

smiller171, Apr 24 '19 18:04

I know about that issue. But at the moment I have no idea for a feasible solution. Furthermore, that option doesn't make sense for cloud systems. There is just one partition by default. From my point of view, this must be configured when installing the system and should not be done afterwards by a hardening script. There are two options to improve that:

  • The role generates a local log with the status of the recommended partitions
  • The role fails when there are no mount points (and we disable these checks by default)

florianutz, May 22 '19 10:05

@florianutz I think the right thing to do here is to fail if the check isn't skipped, but to skip it by default. IMO by setting failed_when to false you're just wasting CPU cycles by checking at all.

smiller171, May 24 '19 02:05
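The pattern discussed in the thread (the partition check is skipped by default, and when a user opts in it actually fails instead of being run with `failed_when: false`), written out as an added example rather than code from the Ubuntu1604-CIS role; the variable names `ubuntu1604cis_enforce_partitions` and `ubuntu1604cis_required_mounts`, the file locations and the list of mount points are assumptions.

```yaml
# Added example, not the role's own code. Variable names, file locations
# and the mount point list are assumptions.
---
# defaults/main.yml (assumed location)
# Off by default: on cloud images there is usually a single partition and
# the layout cannot be changed by a hardening run, so the check is opt-in.
ubuntu1604cis_enforce_partitions: false
# Separate mount points the operator expects to exist (assumed list).
ubuntu1604cis_required_mounts:
  - /tmp
  - /var
  - /var/log
  - /home
---
# tasks/section1.yml (assumed location); relies on gathered facts, since
# ansible_mounts is populated by setup/gather_facts.
- name: "1.1 | Fail if a recommended separate partition is missing"
  ansible.builtin.assert:
    that: item in (ansible_mounts | map(attribute='mount') | list)
    fail_msg: "{{ item }} is not a separate mount point"
    success_msg: "{{ item }} is a separate mount point"
  loop: "{{ ubuntu1604cis_required_mounts }}"
  # Only evaluated when explicitly enabled; when it runs, a missing mount
  # point fails the play instead of being silently recorded and ignored.
  when: ubuntu1604cis_enforce_partitions | bool
```

Enabling the check is then a one-line override (`-e ubuntu1604cis_enforce_partitions=true`), and a host with the default single partition is skipped rather than reported as passing.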