From 9e8ecee96491626b6bff97b6c7e16558b45ed8ef Mon Sep 17 00:00:00 2001 From: c59099 Date: Wed, 19 Jul 2023 17:30:54 +0200 Subject: [PATCH 1/3] - Added extra checks in using loop items in when statement - Fixed typo in handler name Signed-off-by: Marco V --- tasks/section_1/cis_1.10.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index ed6774d4..adb25c18 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -10,7 +10,7 @@ ansible.builtin.shell: | update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}" update-crypto-policies - notify: change_requires_reboot + notify: Change_requires_reboot when: - rhel9cis_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy when: diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 8da977d2..69cf777b 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -164,7 +164,7 @@ ansible.builtin.set_fact: rhel_09_6_1_10_unowned_files_found: true loop: "{{ rhel_09_6_1_10_audit.results }}" - when: item.stdout | length > 0 + when: item | length > 0 and item.stdout is defined and item.stdout | length > 0 - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: @@ -205,7 +205,7 @@ ansible.builtin.set_fact: rhel_09_6_1_11_ungrouped_files_found: true loop: "{{ rhel_09_6_1_11_audit.results }}" - when: item.stdout | length > 0 + when: item | length > 0 and item.stdout is defined and item.stdout | length > 0 - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: 
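Review bot: In the 6.1.10 `set_fact` condition the new `item | length > 0` term guards nothing: each entry of `rhel_09_6_1_10_audit.results` is a dict, and as far as I know a skipped entry still carries its own keys (`skipped`, `skip_reason`, `item`), so its length is never zero and only `item.stdout is defined` actually separates skipped mounts from real results. The same three-part condition is pasted into the 6.1.11 hunk on this line. A single expression states the intent and still avoids the undefined-attribute error on skipped entries: `when: item.stdout | default('') | length > 0`; if being explicit about skips is the goal, `item.skipped is not defined` reads better than a length test on the dict.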
@@ -258,7 +258,7 @@ ansible.builtin.set_fact: rhel9_6_1_13_suid_found: true loop: "{{ rhel_09_6_1_13_suid_perms.results }}" - when: item.stdout | length > 0 + when: item | length > 0 and item.stdout is defined and item.stdout | length > 0 - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" ansible.builtin.debug: @@ -297,7 +297,7 @@ ansible.builtin.set_fact: rhel9_6_1_14_sgid_found: true loop: "{{ rhel_09_6_1_14_sgid_perms.results }}" - when: item.stdout | length > 0 + when: item | length > 0 and item.stdout is defined and item.stdout | length > 0 - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" ansible.builtin.debug: From cfe7f8c8527440087c0ed84ec40534ae9032e434 Mon Sep 17 00:00:00 2001 From: Marco V Date: Fri, 21 Jul 2023 09:53:14 +0200 Subject: [PATCH 2/3] Refactored the when statement layout Signed-off-by: Marco V --- tasks/section_6/cis_6.1.x.yml | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 69cf777b..8a1c4a87 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml 
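Review bot: The 6.1.13 condition treats a non-empty `stdout` as the only evidence that SUID executables exist, so a `find` that errored on one of the looped mounts (permission denied, stale network mount) and printed nothing is indistinguishable from a clean result, which is the wrong direction for an audit control to fail in. The task that registers `rhel_09_6_1_13_suid_perms` is outside this hunk, so I cannot see whether it sets `failed_when` or `ignore_errors`; if it tolerates non-zero exits, surface them here rather than silently reporting "no SUID files", e.g. by also flagging on `- (item.stdout | default('') | length > 0) or (item.rc | default(0) != 0)` and letting the following debug task show `item.stderr`. The 6.1.14 SGID hunk on this line has the same gap.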
@@ -158,13 +158,18 @@ loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" - when: item['device'].startswith('/dev') and not 'bind' in item['options'] + when: + - item['device'].startswith('/dev') + - not 'bind' in item['options'] - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | set fact" ansible.builtin.set_fact: rhel_09_6_1_10_unowned_files_found: true loop: "{{ rhel_09_6_1_10_audit.results }}" - when: item | length > 0 and item.stdout is defined and item.stdout | length > 0 + when: + - item | length > 0 + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout | length > 0 - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: @@ -199,13 +204,18 @@ loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" - when: item['device'].startswith('/dev') and not 'bind' in item['options'] + when: + - item['device'].startswith('/dev') + - not 'bind' in item['options'] - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | set fact" ansible.builtin.set_fact: rhel_09_6_1_11_ungrouped_files_found: true loop: "{{ rhel_09_6_1_11_audit.results }}" - when: item | length > 0 and item.stdout is defined and item.stdout | length > 0 + when: + - item | length > 0 + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout | length > 0 - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: 
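Review bot: The inline comment on `item.stdout is defined` in the 6.1.10 `set_fact` explains that skipped loop results lack the module's registered keys, but the condition list still keeps the redundant `item | length > 0` line above it, which can never be false for a result dict and only obscures which term does the work; the condition can say exactly what the comment says: `- item.skipped is not defined  # mounts filtered out by the audit task have no stdout` followed by `- item.stdout | length > 0`. In the mount filter of the same hunk, `not 'bind' in item['options']` is a substring test on what I take to be the comma-joined options string from `ansible_mounts`, so it matches `rbind` as intended but would also match any other option containing that substring; `'bind' not in item['options'].split(',')` (plus `rbind` if wanted) is the exact form. The 6.1.11 hunk on this line repeats both patterns.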
@@ -258,7 +268,10 @@ ansible.builtin.set_fact: rhel9_6_1_13_suid_found: true loop: "{{ rhel_09_6_1_13_suid_perms.results }}" - when: item | length > 0 and item.stdout is defined and item.stdout | length > 0 + when: + - item | length > 0 + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout | length > 0 - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" ansible.builtin.debug: @@ -297,7 +310,10 @@ ansible.builtin.set_fact: rhel9_6_1_14_sgid_found: true loop: "{{ rhel_09_6_1_14_sgid_perms.results }}" - when: item | length > 0 and item.stdout is defined and item.stdout | length > 0 + when: + - item | length > 0 + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout | length > 0 - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" ansible.builtin.debug: From 69813b582497064abf170104f4921ef5415c9e08 Mon Sep 17 00:00:00 2001 From: Marco V Date: Fri, 21 Jul 2023 09:53:14 +0200 Subject: [PATCH 3/3] Refactored the when statement layout Signed-off-by: Marco V
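Review bot: The 6.1.13 and 6.1.14 hunks mix two naming schemes for what are meant to be paired variables — the fact is `rhel9_6_1_13_suid_found` / `rhel9_6_1_14_sgid_found` while the registered result it reads is `rhel_09_6_1_13_suid_perms` / `rhel_09_6_1_14_sgid_perms`, and the earlier 6.1.10/6.1.11 facts use `rhel_09_`; this predates the commit (the fact names are context lines) but since the `when` blocks are being rewritten it is the moment to settle on one prefix so the later debug tasks cannot drift apart. Separately, these `set_fact` loops iterate over the full `results` list with no `loop_control`, so every run prints each item, including the complete `find` output for each mount, in the play log; if the registering task loops over `ansible_mounts` as the 6.1.10 one visible on the previous line does, `loop_control: label: "{{ item.item.mount | default(item.item) }}"` keeps the audit output readable without changing behaviour.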