ctest lint fixes #10348
Conversation
Hi @maage. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with `/ok-to-test`. Once the patch is verified, the new status will be reflected by the `ok-to-test` label. I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
This datastream diff is auto generated by the check. Trimmed diff:

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
@@ -1,7 +1,7 @@
- name: Test for crypto_policy group
command: grep '^\s*\[\s*crypto_policy\s*]' /etc/pki/tls/openssl.cnf
register: test_crypto_policy_group
- ignore_errors: true
+ failed_when: test_crypto_policy_group.rc not in [0, 1]
changed_when: false
check_mode: false
tags:
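Review bot: swapping `ignore_errors: true` for `failed_when: test_crypto_policy_group.rc not in [0, 1]` is a behaviour change, not only a lint fix, and the commit message should say so. grep returns 1 for "no `[crypto_policy]` section" and 2 for an error such as /etc/pki/tls/openssl.cnf being missing or unreadable; rc 2 used to let the play continue and now aborts the remediation, while rc 1 is now a non-failed result. Any later task in this remediation that keys on `test_crypto_policy_group is failed` or `is succeeded` instead of `.rc` needs checking, because `is failed` is no longer true for the no-match case.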
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_nails_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_nails_enabled
+++ xccdf_org.ssgproject.content_rule_service_nails_enabled
@@ -6,7 +6,7 @@
manager: auto
- name: Enable service nails
- service:
+ systemd:
name: nails
enabled: 'yes'
state: started
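Review bot: `service:` picked the platform's service manager at run time; `systemd:` hard-codes systemd, which is fine for the products that ship this rule but should be a deliberate choice rather than a side effect of lint. Since the other touched tasks in this diff already use fully qualified names (`ansible.builtin.command`), use `ansible.builtin.systemd` here as well so the fqcn rule does not flag it next.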
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled' differs.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
@@ -3,7 +3,7 @@
set -o pipefail
grep -HEr '^\[.+\]' -r /etc/yum.repos.d/
register: repo_grep_results
- ignore_errors: true
+ failed_when: repo_grep_results.rc not in [0, 1]
changed_when: false
tags:
- CCE-80792-5
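Review bot: the `[0, 1]` whitelist is correct for grep (1 = no `[section]` header found in any repo file, 2 = error), but the unchanged command line above passes `-r` twice (`grep -HEr '^\[.+\]' -r /etc/yum.repos.d/`); drop the duplicate while the task is being edited. As with the crypto_policy hunk, an absent or unreadable /etc/yum.repos.d/ (rc 2) now fails the run instead of being ignored, which is the safer outcome for a gpgcheck rule, but it belongs in the commit message.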
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_enable_authselect' differs.
--- xccdf_org.ssgproject.content_rule_enable_authselect
+++ xccdf_org.ssgproject.content_rule_enable_authselect
@@ -7,8 +7,8 @@
- name: Select authselect profile
ansible.builtin.command:
cmd: authselect select "{{ var_authselect_profile }}"
- ignore_errors: true
register: result_authselect_select
+ failed_when: result_authselect_select.rc not in [0, 4]
tags:
- CCE-88248-0
- NIST-800-53-AC-3
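Review bot: `failed_when: result_authselect_select.rc not in [0, 4]` needs a comment stating which `authselect select` condition exits with status 4, because the number is otherwise opaque and a later reader cannot tell whether it was meant to be tolerated or merely observed. Note also that the removed `ignore_errors: true` previously let every non-zero status continue; statuses 1, 2 and 3 now abort the remediation at this task, so nothing after it (including the `rpm -qV pam` fallback in the next hunk) runs for those cases.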
@@ -24,6 +24,9 @@
cmd: rpm -qV pam
register: result_altered_authselect
ignore_errors: true
+ failed_when: result_altered_authselect.rc not in [0, 1]
+ args:
+ warn: false
when: result_authselect_select is failed
tags:
- CCE-88248-0
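Review bot: three issues in this hunk. First, the added `args: warn: false` targets a parameter that `ansible.builtin.command` no longer has; `warn` was deprecated and then removed in ansible-core 2.14, where it is rejected as an unsupported parameter, so these two lines will break the remediation on current Ansible and should be dropped. Second, `ignore_errors: true` is kept on the unchanged line above the new `failed_when`, which makes the `failed_when` inert and is inconsistent with the other hunks, where `ignore_errors` is replaced rather than supplemented. Third, `when: result_authselect_select is failed` on the context line no longer does what it did: the previous hunk whitelists rc 4, so rc 4 is not "failed" any more, and rc 1/2/3 now abort the play before this task is reached, so as written the fallback can never run. Gate it on `result_authselect_select.rc == 4` (or `!= 0`) instead.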
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_display_login_attempts' differs.
--- xccdf_org.ssgproject.content_rule_display_login_attempts
+++ xccdf_org.ssgproject.content_rule_display_login_attempts
@@ -60,13 +60,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Ensure PAM Displays Last Logon/Access Notification - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
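Review bot: the division of labour is sound and deserves a short comment in the task: `failed_when: ... not in [0, 3, 4]` only keeps Ansible from aborting on the `authselect check` statuses that the assert below is meant to explain, and `result_authselect_check_cmd.rc == 0` in the assert is what actually enforces an intact profile, so the informative fail_msg is shown for 3 and 4. Two things to record: the tolerated list should say what authselect reports as 3 and 4 so nobody has to look it up, and the fail_msg is now reached only for those two statuses, whereas before (`ignore_errors` plus `is success`) any non-zero status hit the assert and got the explanatory message; a generic failure now surfaces as a raw command error, which is probably acceptable but is a change from the old behaviour.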
@@ -232,8 +232,12 @@
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
- when: |
- result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_authselect_present is defined
+ - result_authselect_present.stat.exists
+ - |-
+ (result_pam_module_add is defined and result_pam_module_add.changed)
+ or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
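Review bot: the list form is equivalent to the old single expression, since Ansible ANDs `when` list items in order and stops at the first false one, so `result_authselect_present is defined` still guards the `.stat.exists` access. The one thing worth a comment is the third item: the original `((... add ...) or (... edit ...))` grouping is now expressed by the `|-` block being a single list item, and its `or` spans two lines; that is correct, but the precedence now depends on the YAML structure rather than on parentheses, which is easy to break when someone later splits the block into two items.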
@@ -266,8 +270,9 @@
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- - (result_pam_showfailed_add is defined and result_pam_showfailed_add.changed)
- or (result_pam_showfailed_edit is defined and result_pam_showfailed_edit.changed)
+ - |-
+ (result_pam_showfailed_add is defined and result_pam_showfailed_add.changed)
+ or (result_pam_showfailed_edit is defined and result_pam_showfailed_edit.changed)
when:
- '"pam" in ansible_facts.packages'
- result_pam_file_present.stat.exists
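Review bot: inconsistency with the preceding hunk: here the unchanged `- result_authselect_present.stat.exists` item has no `result_authselect_present is defined` guard, while the pam_module variant above adds one. If the stat task that registers `result_authselect_present` can be skipped on some path, this item raises an undefined-variable error instead of evaluating false. Either add the `is defined` item here as well or document why the variable is always defined at this point.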
@@ -330,13 +335,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Ensure PAM Displays Last Logon/Access Notification - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
@@ -21,13 +21,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Account Lockouts Must Be Logged - Informative message based on the authselect
integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not
@@ -202,13 +202,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Account Lockouts Must Be Logged - Informative message based on the authselect
integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -369,13 +369,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Account Lockouts Must Be Logged - Informative message based on the authselect
integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
@@ -80,13 +80,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: 'Limit Password Reuse: password-auth - Informative message based on the
authselect integrity check result'
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not
@@ -165,13 +165,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: 'Limit Password Reuse: password-auth - Informative message based on the
authselect integrity check result'
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -335,8 +335,12 @@
- name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b
- when: |
- result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_authselect_present is defined
+ - result_authselect_present.stat.exists
+ - |-
+ (result_pam_module_add is defined and result_pam_module_add.changed)
+ or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
@@ -427,13 +431,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: 'Limit Password Reuse: password-auth - Informative message based on
the authselect integrity check result'
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
@@ -609,13 +613,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: 'Limit Password Reuse: password-auth - Informative message based on the
authselect integrity check result'
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -776,8 +780,12 @@
- name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b
- when: |
- result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_authselect_present is defined
+ - result_authselect_present.stat.exists
+ - |-
+ (result_pam_module_add is defined and result_pam_module_add.changed)
+ or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
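Review bot: the same three hunks (check whitelist `[0, 3, 4]`, assert on `rc == 0`, and the `when` list split) repeat with identical task bodies across the display_login_attempts, faillock, pwhistory and pam_unix rules in this diff, at the same line offsets within each file, which indicates they are generated from one shared macro or template. The comments on the first occurrences apply to every copy; please make the fix once in the shared template rather than per rule, and mention in the commit message that the generated remediations for all of these rules change.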
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
@@ -80,13 +80,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: 'Limit Password Reuse: system-auth - Informative message based on the authselect
integrity check result'
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not
@@ -165,13 +165,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: 'Limit Password Reuse: system-auth - Informative message based on the
authselect integrity check result'
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -335,8 +335,12 @@
- name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b
- when: |
- result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_authselect_present is defined
+ - result_authselect_present.stat.exists
+ - |-
+ (result_pam_module_add is defined and result_pam_module_add.changed)
+ or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
@@ -427,13 +431,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: 'Limit Password Reuse: system-auth - Informative message based on
the authselect integrity check result'
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
@@ -608,13 +612,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: 'Limit Password Reuse: system-auth - Informative message based on the
authselect integrity check result'
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -775,8 +779,12 @@
- name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b
- when: |
- result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_authselect_present is defined
+ - result_authselect_present.stat.exists
+ - |-
+ (result_pam_module_add is defined and result_pam_module_add.changed)
+ or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
@@ -69,13 +69,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Limit Password Reuse - Informative message based on the authselect integrity
check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not
@@ -149,13 +149,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Limit Password Reuse - Informative message based on the authselect integrity
check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -315,8 +315,12 @@
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
- when: |
- result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_authselect_present is defined
+ - result_authselect_present.stat.exists
+ - |-
+ (result_pam_module_add is defined and result_pam_module_add.changed)
+ or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
@@ -400,13 +404,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Limit Password Reuse - Informative message based on the authselect
integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
@@ -573,13 +577,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Limit Password Reuse - Informative message based on the authselect integrity
check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -738,8 +742,12 @@
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
- when: |
- result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_authselect_present is defined
+ - result_authselect_present.stat.exists
+ - |-
+ (result_pam_module_add is defined and result_pam_module_add.changed)
+ or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
@@ -22,13 +22,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Account Lockouts Must Be Logged - Informative message based on the authselect
integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not
@@ -207,13 +207,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Account Lockouts Must Be Logged - Informative message based on the authselect
integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -374,13 +374,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Account Lockouts Must Be Logged - Informative message based on the authselect
integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
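Review bot: unrelated to this PR's change but visible in this diff, `account_passwords_pam_faillock_audit` (above) and `accounts_passwords_pam_faillock_audit` (this rule) carry the same "Account Lockouts Must Be Logged" tasks and receive the same edits; that looks like a duplicated rule ID that deserves a follow-up to deduplicate, otherwise every future template fix has to land twice.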
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -47,13 +47,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Lock Accounts After Failed Password Attempts - Informative message based
on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not
@@ -263,13 +263,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Lock Accounts After Failed Password Attempts - Informative message based
on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -435,13 +435,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Lock Accounts After Failed Password Attempts - Informative message based
on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
@@ -43,13 +43,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Configure the root Account for Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not
@@ -247,13 +247,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Configure the root Account for Failed Password Attempts - Informative
message based on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -419,13 +419,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Configure the root Account for Failed Password Attempts - Informative
message based on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
@@ -40,13 +40,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Lock Accounts Must Persist - Informative message based on the authselect
integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not
@@ -240,13 +240,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Lock Accounts Must Persist - Informative message based on the authselect
integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -404,13 +404,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Lock Accounts Must Persist - Informative message based on the authselect
integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
@@ -37,13 +37,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Enforce pam_faillock for Local Accounts Only - Informative message based
on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not
@@ -228,13 +228,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Enforce pam_faillock for Local Accounts Only - Informative message based
on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -400,13 +400,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Enforce pam_faillock for Local Accounts Only - Informative message based
on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
@@ -41,13 +41,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Set Interval For Counting Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not
@@ -246,13 +246,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Set Interval For Counting Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -418,13 +418,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Set Interval For Counting Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent
@@ -37,13 +37,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Do Not Show System Messages When Unsuccessful Logon Attempts Occur - Informative
message based on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
@@ -47,13 +47,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Set Lockout Time for Failed Password Attempts - Informative message based
on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not
@@ -263,13 +263,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Set Lockout Time for Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -435,13 +435,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Set Lockout Time for Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth
@@ -52,13 +52,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Ensure PAM password complexity module is enabled in password-auth - Informative
message based on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -225,8 +225,12 @@
authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
- when: |
- result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_authselect_present is defined
+ - result_authselect_present.stat.exists
+ - |-
+ (result_pam_module_add is defined and result_pam_module_add.changed)
+ or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
@@ -237,8 +241,9 @@
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- - (result_pam__add is defined and result_pam__add.changed) or (result_pam__edit
- is defined and result_pam__edit.changed)
+ - |-
+ (result_pam__add is defined and result_pam__add.changed)
+ or (result_pam__edit is defined and result_pam__edit.changed)
when:
- '"pam" in ansible_facts.packages'
- result_pam_file_present.stat.exists
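Review bot: in this second `when:` list the condition `result_authselect_present.stat.exists` has no `is defined` guard, unlike the hunk above, which puts `result_authselect_present is defined` first. If the stat task was skipped, Ansible raises an undefined-variable error for the conditional rather than evaluating it as false; consider the same guard here. The same applies to the identical hunks in the other pam rules below.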
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth
@@ -52,13 +52,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Ensure PAM password complexity module is enabled in system-auth - Informative
message based on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -225,8 +225,12 @@
authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
- when: |
- result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_authselect_present is defined
+ - result_authselect_present.stat.exists
+ - |-
+ (result_pam_module_add is defined and result_pam_module_add.changed)
+ or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
@@ -237,8 +241,9 @@
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- - (result_pam__add is defined and result_pam__add.changed) or (result_pam__edit
- is defined and result_pam__edit.changed)
+ - |-
+ (result_pam__add is defined and result_pam__add.changed)
+ or (result_pam__edit is defined and result_pam__edit.changed)
when:
- '"pam" in ansible_facts.packages'
- result_pam_file_present.stat.exists
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
@@ -87,14 +87,14 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts
Permitted Per-Session - Informative message based on the authselect integrity
check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -295,14 +295,14 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts
Permitted Per-Session - Informative message based on the authselect integrity
check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth' differs.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
@@ -64,13 +64,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Set PAM's Password Hashing Algorithm - password-auth - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -235,8 +235,12 @@
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
- when: |
- result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_authselect_present is defined
+ - result_authselect_present.stat.exists
+ - |-
+ (result_pam_module_add is defined and result_pam_module_add.changed)
+ or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
@@ -269,8 +273,9 @@
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- - (result_pam_sha512_add is defined and result_pam_sha512_add.changed) or (result_pam_sha512_edit
- is defined and result_pam_sha512_edit.changed)
+ - |-
+ (result_pam_sha512_add is defined and result_pam_sha512_add.changed)
+ or (result_pam_sha512_edit is defined and result_pam_sha512_edit.changed)
when:
- '"pam" in ansible_facts.packages'
- result_pam_file_present.stat.exists
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth' differs.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
@@ -64,13 +64,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Set PAM's Password Hashing Algorithm - Informative message based on the
authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -231,8 +231,12 @@
- name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
- when: |
- result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_authselect_present is defined
+ - result_authselect_present.stat.exists
+ - |-
+ (result_pam_module_add is defined and result_pam_module_add.changed)
+ or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
@@ -264,8 +268,9 @@
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- - (result_pam_sha512_add is defined and result_pam_sha512_add.changed) or (result_pam_sha512_edit
- is defined and result_pam_sha512_edit.changed)
+ - |-
+ (result_pam_sha512_add is defined and result_pam_sha512_add.changed)
+ or (result_pam_sha512_edit is defined and result_pam_sha512_edit.changed)
when:
- '"pam" in ansible_facts.packages'
- result_pam_file_present.stat.exists
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_debug-shell_disabled' differs.
--- xccdf_org.ssgproject.content_rule_service_debug-shell_disabled
+++ xccdf_org.ssgproject.content_rule_service_debug-shell_disabled
@@ -1,13 +1,20 @@
-- name: Disable service debug-shell
+- name: Block Disable service debug-shell
block:
- name: Disable service debug-shell
- systemd:
- name: debug-shell.service
- enabled: 'no'
- state: stopped
- masked: 'yes'
- ignore_errors: 'yes'
+ block:
+
+ - name: Disable service debug-shell
+ systemd:
+ name: debug-shell.service
+ enabled: 'no'
+ state: stopped
+ masked: 'yes'
+ rescue:
+
+ - name: Intentionally ignored previous 'Disable service debug-shell' failure,
+ service was already disabled
+ meta: noop
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80876-6
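Review bot: the `rescue:` with `meta: noop` swallows every failure of the systemd task, not only the "service was already disabled" case that the rescue task's name asserts, so a failure for any other reason (unit not found, permission denied, systemd unavailable) leaves debug-shell possibly still enabled and unmasked while the play reports no failed task. Consider registering the systemd result inside the block and, in the rescue, failing unless the error message matches the expected one, or use `failed_when` on that message instead of a blanket rescue.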
@@ -25,7 +32,7 @@
command: systemctl list-unit-files debug-shell.socket
register: socket_file_exists
changed_when: false
- ignore_errors: true
+ failed_when: socket_file_exists.rc not in [0, 1]
check_mode: false
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_require_emergency_target_auth' differs.
--- xccdf_org.ssgproject.content_rule_require_emergency_target_auth
+++ xccdf_org.ssgproject.content_rule_require_emergency_target_auth
@@ -1,4 +1,4 @@
-- name: require emergency mode password
+- name: Require emergency mode password
lineinfile:
create: true
dest: /usr/lib/systemd/system/emergency.service
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_require_singleuser_auth' differs.
--- xccdf_org.ssgproject.content_rule_require_singleuser_auth
+++ xccdf_org.ssgproject.content_rule_require_singleuser_auth
@@ -1,4 +1,4 @@
-- name: require single user mode password
+- name: Require single user mode password
lineinfile:
create: true
dest: /usr/lib/systemd/system/rescue.service
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_pcscd_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_pcscd_enabled
+++ xccdf_org.ssgproject.content_rule_service_pcscd_enabled
@@ -6,7 +6,7 @@
manager: auto
- name: Start service pcscd
- service:
+ systemd:
name: pcscd
state: started
masked: 'no'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
@@ -55,13 +55,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Set number of Password Hashing Rounds - password-auth - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -226,8 +226,12 @@
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
- when: |
- result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_authselect_present is defined
+ - result_authselect_present.stat.exists
+ - |-
+ (result_pam_module_add is defined and result_pam_module_add.changed)
+ or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
@@ -271,8 +275,9 @@
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- - (result_pam_rounds_add is defined and result_pam_rounds_add.changed) or (result_pam_rounds_edit
- is defined and result_pam_rounds_edit.changed)
+ - |-
+ (result_pam_rounds_add is defined and result_pam_rounds_add.changed)
+ or (result_pam_rounds_edit is defined and result_pam_rounds_edit.changed)
when:
- '"pam" in ansible_facts.packages'
- result_pam_file_present.stat.exists
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth
@@ -55,13 +55,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Set number of Password Hashing Rounds - system-auth - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
@@ -226,8 +226,12 @@
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
- when: |
- result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_authselect_present is defined
+ - result_authselect_present.stat.exists
+ - |-
+ (result_pam_module_add is defined and result_pam_module_add.changed)
+ or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
@@ -271,8 +275,9 @@
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- - (result_pam_rounds_add is defined and result_pam_rounds_add.changed) or (result_pam_rounds_edit
- is defined and result_pam_rounds_edit.changed)
+ - |-
+ (result_pam_rounds_add is defined and result_pam_rounds_add.changed)
+ or (result_pam_rounds_edit is defined and result_pam_rounds_edit.changed)
when:
- '"pam" in ansible_facts.packages'
- result_pam_file_present.stat.exists
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords' differs.
--- xccdf_org.ssgproject.content_rule_no_empty_passwords
+++ xccdf_org.ssgproject.content_rule_no_empty_passwords
@@ -30,13 +30,13 @@
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
- ignore_errors: true
+ failed_when: result_authselect_check_cmd.rc not in [0, 3, 4]
- name: Prevent Login to Accounts With Empty Password - Informative message based
on the authselect integrity check result
ansible.builtin.assert:
that:
- - result_authselect_check_cmd is success
+ - result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su' differs.
--- xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su
+++ xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su
@@ -11,7 +11,7 @@
- restrict_strategy
- use_pam_wheel_for_su
-- name: restrict usage of su command only to members of wheel group
+- name: Restrict usage of su command only to members of wheel group
replace:
path: /etc/pam.d/su
regexp: ^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write' differs.
--- xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write
+++ xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write
@@ -1,19 +1,3 @@
-- name: Print error message if user is not root
- fail:
- msg: Root account required to read root $PATH
- when: ansible_env.USER != "root"
- ignore_errors: true
- tags:
- - CCE-80672-9
- - NIST-800-53-CM-6(a)
- - NIST-800-53-CM-6(a)
- - accounts_root_path_dirs_no_write
- - low_complexity
- - medium_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
- name: Get root paths which are not symbolic links
stat:
path: '{{ item }}'
@@ -21,7 +5,6 @@
failed_when: false
register: root_paths
with_items: '{{ ansible_env.PATH.split('':'') }}'
- when: ansible_env.USER == "root"
tags:
- CCE-80672-9
- NIST-800-53-CM-6(a)
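Review bot: removing the `fail:` task is harmless since it carried `ignore_errors: true` and therefore only printed, but with the `when: ansible_env.USER == "root"` guard gone the stat task now runs for any user with `failed_when: false`, so a non-root run silently yields partial results instead of signalling that root is required. If the playbook relies on running as root, as the commit message states, an explicit assert on `ansible_user_id == 'root'` at the start of the rule would make that assumption fail loudly rather than quietly.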
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_auditd_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_auditd_enabled
+++ xccdf_org.ssgproject.content_rule_service_auditd_enabled
@@ -33,7 +33,7 @@
manager: auto
- name: Enable service auditd
- service:
+ systemd:
name: auditd
enabled: 'yes'
state: started
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated' differs.
--- xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated
+++ xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated
@@ -15,7 +15,7 @@
- medium_severity
- no_reboot_needed
-- name: enable syslog plugin
+- name: Enable syslog plugin
lineinfile:
dest: /etc/audit/plugins.d/syslog.conf
regexp: ^active
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_rsyslog_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_rsyslog_enabled
+++ xccdf_org.ssgproject.content_rule_service_rsyslog_enabled
@@ -6,7 +6,7 @@
manager: auto
- name: Enable service rsyslog
- service:
+ systemd:
name: rsyslog
enabled: 'yes'
state: started
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
+++ xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
@@ -101,7 +101,9 @@
- name: Ensure Log Files Are Owned By Appropriate Group - Extract log files old format
ansible.builtin.shell: |
set -o pipefail
- grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item.1.path }} |awk '{print $NF}'|sed -e 's/^-//' || true
+ grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item.1.path }} | \
+ awk '{print $NF}' | \
+ sed -e 's/^-//' || true
loop: '{{ rsyslog_config_files.results | subelements(''files'') }}'
register: log_files_old
changed_when: false
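Review bot: the trailing `|| true` cancels the `set -o pipefail` two lines above it: any error in the pipeline (unreadable config file, grep rc 2, awk or sed failing) is reported as success with empty output, so those files silently drop out of `log_files_old` and the group-ownership check never covers them. Since the task already registers the result, the pattern used elsewhere in this PR fits better: drop `|| true` and add `failed_when: log_files_old.rc not in [0, 1]` (with pipefail, a no-match grep rc 1 is what the pipeline returns). The same applies to the "new format" hunk below.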
@@ -122,7 +124,10 @@
- name: Ensure Log Files Are Owned By Appropriate Group - Extract log files new format
ansible.builtin.shell: |
set -o pipefail
- grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true
+ grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \
+ grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \
+ grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \
+ tr -d "\""|| true
loop: '{{ rsyslog_config_files.results | subelements(''files'') }}'
register: log_files_new
changed_when: false
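Review bot: style: `tr -d "\""|| true` is missing the space before `||` that the other pipeline lines in this hunk have. Also, as in the old-format hunk above, the trailing `|| true` turns every pipeline error into an empty result despite `set -o pipefail`; `failed_when: log_files_new.rc not in [0, 1]` on the registered result would be the safer replacement.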
@@ -142,8 +147,9 @@
- name: Ensure Log Files Are Owned By Appropriate Group - Sum all log files found
ansible.builtin.set_fact:
- log_files: '{{ log_files_new.results|map(attribute=''stdout_lines'')|list|flatten|unique
- + log_files_old.results|map(attribute=''stdout_lines'')|list|flatten|unique }}'
+ log_files: '{{ log_files_new.results | map(attribute=''stdout_lines'') | list
+ | flatten | unique + log_files_old.results | map(attribute=''stdout_lines'')
+ | list | flatten | unique }}'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80860-0
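Review bot: the reflowed expression keeps the original precedence (filters bind tighter than `+`), so it evaluates as `(new | ... | unique) + (old | ... | unique)`, and a path that appears in both the old and the new format survives twice in `log_files`. If duplicates matter for the loop that consumes it, wrap the sum in parentheses and apply `| unique` once at the end.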
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_ownership' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
+++ xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
@@ -101,7 +101,9 @@
- name: Ensure Log Files Are Owned By Appropriate User - Extract log files old format
ansible.builtin.shell: |
set -o pipefail
- grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item.1.path }} |awk '{print $NF}'|sed -e 's/^-//' || true
+ grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item.1.path }} | \
+ awk '{print $NF}' | \
+ sed -e 's/^-//' || true
loop: '{{ rsyslog_config_
... The diff is trimmed here ... |
https://github.com/ComplianceAsCode/content/pull/10348/checks?check_run_id=12176022135
https://github.com/ComplianceAsCode/content/actions/runs/4483351640/jobs/7882683937?pr=10348
https://github.com/ComplianceAsCode/content/actions/runs/4483351637/jobs/7882536322?pr=10348
I need to look at those. |
I have rerun it. In general, it often is an infrastructure problem. It can be related in some PRs where the PR contains changes that would mean a significant growth or performance hit. |
As this is a test, it is better to fix fixables now and fail on new regressions in the future than to try to fix everything now. If you want to fix some other class, just drop the line from tests/ansible-lint_config.yml and go from there.
Because of usage of CDumper, indentation does not match what yamllint expects by default. Change values to match the current situation and pass yamllint-check tests. Because of usage of CDumper, indent-sequences is not consistent.
Auditd lines are over 160, especially open-related ones where there are multiple syscalls. I guess there is no point somehow artificially managing auditd config to achieve shorter lines. `login_banner_text` can be more than 900, so this test still should be a warning.
Without this there is cache lock and 180s timeout. Error message: "Timeout waiting for another instance of ansible-lint to release the lock."
Implementation uses just one sweep over files. If no dupes are found it is about the same speed. If dupes are found it is faster. You can compare speed with stigid. Interface changed from: $0 ref to $0 root-directory ref. Still does not actually understand YAML, just uses regexps.
Had numerous issues. Use arrays instead of variable glob expansion. Ensure ansible-playbook checks only <product>-playbook-*.yml files.
Fixes yamllint issue at end of file. yaml too many blank lines (1 > 0) (empty-lines)
…blank_lines Without this, ansible-playbook-per-profile-yamllint-check tests fail, as between rule segments there can be extra lines for some reason. Like:
./fedora-playbook-standard.yml
342:1 warning too many blank lines (5 > 2) (empty-lines)
1124:1 warning too many blank lines (3 > 2) (empty-lines)
...
…errors Commands can fail because of multiple reasons. Even external ones, so ignore_errors is not recommended. For "rpm -V" it is packages with issues. man authselect: The authselect can return these exit codes:
• 0: Success.
• 1: Generic error.
• 2: Profile or configuration was not found or the system was not configured with authselect.
• 3: Current configuration is not valid, it was edited without authselect.
• 4: System configuration must be overwritten to activate an authselect profile, --force parameter is needed.
• 5: Executed command must be run as root.
• 6: No configuration was detected.
This fixes ansible-lint issue: ignore-errors Use failed_when and specify error conditions instead of using ignore_errors
…er podman Do not delete password-auth,postlogin as removing them breaks test env access (for example sshd) and test resolution can not continue normally. Other files should be enough.
…rrors Commands can fail because of multiple reasons. Even external ones, so ignore_errors is not recommended. systemctl list-unit-files <unit> returns:
0 - found
1 - not found
Allow 0 or 1 as valid rc codes and fail if there is a real error. EXIT STATUS Normally the exit status is 0 if a line is selected, 1 if no lines were selected, and 2 if an error occurred. However, if the -q or --quiet or --silent is used and a line is selected, the exit status is 0 even if an error occurred.
All other ansible assumes code is run as root.
This aligns with service_disabled.
…duct is enabled Other similar ones have the limitation too. When you try to focus on only one distro not in this list, this poses an unnecessary burden as those files should not be needed.
Only way to resolve test-generate_contributors is to kill git process as it does not timeout.
Seems Also it seems Added two patches about And added simple test suite for |
Centos 7 test env now uses old python v2:
-- Found PythonInterp: /usr/bin/python (found version "2.7.5")
I see no point trying to backtrack code to support py2. This test is not per product, so in any other distro with py3 it runs and there is no lost functionality. Only when developing under Centos 7 and py2 you can not run this test. It still works under Centos 7 and py3:
python3-3.6.8-18.el7.x86_64
python3-pip-9.0.3-8.el7.noarch
After I installed pytest using pip3, the test suite also passes.
[root@e8f9b323981c ssg]# PYTHONPATH=. pytest -v tests/unit/ssg_test_suite/test_assert_reference_unique.py
============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-7.0.1, pluggy-1.0.0 -- /usr/bin/python3
cachedir: .pytest_cache
rootdir: /ssg
collected 5 items
tests/unit/ssg_test_suite/test_assert_reference_unique.py::test_assert_reference_unique_noop PASSED [ 20%]
tests/unit/ssg_test_suite/test_assert_reference_unique.py::test_assert_reference_unique_help PASSED [ 40%]
tests/unit/ssg_test_suite/test_assert_reference_unique.py::test_assert_reference_unique_nonexisting PASSED [ 60%]
tests/unit/ssg_test_suite/test_assert_reference_unique.py::test_assert_reference_unique_pass PASSED [ 80%]
tests/unit/ssg_test_suite/test_assert_reference_unique.py::test_assert_reference_unique_fail PASSED [100%]
============================== 5 passed in 0.31s ===============================
Added a cmake if to guard against py2. It seems code climate does not gather coverage under tests, something like:
Forgot
Okay, pytest version in centos-7 env is older than 4.6.x from pip. It seems v2.7.0.
Code Climate has analyzed commit dbb7579 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 28.5% (50% is the threshold). This pull request will bring the total coverage in the repository to 51.8% (-0.1% change). View more on Code Climate. |
Looking at automatus results. One way I would speed up testing timewise is to split remediation type per job. For example a 3-way split works for most: not defined, ansible and bash. This requires some extra patches. Why does "Automatus Fedora / Run Tests (pull_request)" use "product rhel8" and "ssg-rhel8-ds.xml"? I have always used fedora versions and I guess this explains some discrepancies. Fedora does not have I guess these should be labeled as warnings. They should not fail the test. You are just trying to test a rule on a platform not configured to allow the rule. Same as notapplicable.
I think both of these might be unrelated failures. Further analysis would require automatus logs from
|
This It seems
This matches From arf:
At least I don't know how to analyze this further. It might be bug in oscap.
Definitely none was broken like my example above. |
Okay, found out why. Because the rule is not selected:
If I edit arf:
output is expected. I guess arf.xml should be modified to mark the tested rule as selected. Or maybe the actual ds modified to mark rules to be tested as selected. I think either of these ideas should be handled as a separate task. |
The rule not being selected is expected here. But I think that we have hit some bug in OpenSCAP. I have reported it in OpenSCAP/openscap#1963. |
The rule not being selected is expected here. But I think that we have hit some bug in OpenSCAP. I have reported it in OpenSCAP/openscap#1963. Then we need to decide about the Automatus behavior. So I have reported #10369 |
I have verified that the test unique-cces fails if I create a CCE that isn't unique. I have also seen that the test_assert_reference_unique is executed within the python-unit-ssg_test_suite CTest test.
Description:
When testing with -DANSIBLE_PLAYBOOKS_PER_RULE_ENABLED=ON -DANSIBLE_CHECKS=ON there were regressions. This patchset fixes some of the regressions and then comments out the rest that I decided are not worth fixing now.
Rationale:
This allows me to run full ctest run and all tests pass for all products.
Update: Almost. Because some rules are harder to check I have dropped some patches and there can be some issues.
This should allow to keep reasonable and similar style within all ansible files. And then later it allows to do bigger refactorings with fqcn and jinja spacing for example. I selected most ansible-lint rules to skip based on issue numbers, so only low number cases were fixed.
`name[template]` is added just because I don't like the rule, especially with this kind of sprawling code base with templates and all kinds of cases. Long lines are not fully fixed because some are ssg template comments and not fixable as is. And also some other points would require non-simple fixes. I tried to balance this and then added the rule as skipped.
Review Hints:
Somehow different pyyaml versions have different serialization formats. So I implemented a generic EOL tidy and then a kludge to select the implementation based on how it outputs the problematic output. This is only tested on Fedora 37.