Small bug in task 5.2.4.5 "Ensure audit configuration files are 640 or more restrictive" #59
Assignees
Labels
bug
Something isn't working
Comments
uk-bolly
added a commit
that referenced
this issue
Mar 27, 2024
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
uk-bolly
added a commit
that referenced
this issue
Mar 27, 2024
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Merged
uk-bolly
added a commit
that referenced
this issue
Mar 27, 2024
* addressed #59 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * issue #59 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * issue #62 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated variable name in conditional Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated container check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated authselect PR Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix conditional typo Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix conditional typo Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix var typo Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
uk-bolly
added a commit
that referenced
this issue
Apr 15, 2024
* Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/3 by editing the destination path! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/4 by masking both the socket and the service! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/6 by editing the value of `clientalivecountmax` to 3! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/2 by using `import_tasks` module so as the rules will get added and executed! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/5 by adding the necessary lines to both sshd_config file and sshd_config.d/ files. The same method is used for all the rules from 4.2.x, to make them compliant with CISs checks. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Removing trailing whitespaces Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Removing trailing whitespaces and fixing an end-of-file Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Refactoring docs Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Small fixings for https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/19 Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Removing trailing whitespace Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing fail message so that is states the correct number of the rule that requires the root password to be set Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing inconsistencies for issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/22 Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing minor syntax issues by adding missing "PATCH" keywords or missing "|". Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing PRELIM task "PRELIM | 4.3.3 | Find all sudoers files" mentioned in issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/22. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Removing 1.1.2.1 from multiline task 1.1.2.2 ,1.1.2.3, 1.1.2.4 because it was not supposed to be there! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Removing prelim for installing authconfig, as it is not used. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * [pre-commit.ci] pre-commit autoupdate updates: - [github.com/pre-commit/pre-commit-hooks: v4.4.0 → v4.5.0](pre-commit/pre-commit-hooks@v4.4.0...v4.5.0) - [github.com/gitleaks/gitleaks: v8.17.0 → v8.18.2](gitleaks/gitleaks@v8.17.0...v8.18.2) - [github.com/ansible-community/ansible-lint: v6.18.0 → v24.2.0](ansible/ansible-lint@v6.18.0...v24.2.0) - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.35.1) * Removing the 6.1.12 duplicate task and adding it to the 6.1.10 task as it was implementing something needed by 6.1.10. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * De-commenting allow and deny variables for sshd. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Removing double import of cis_5.3.yml. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * As authconfig is not needed anymore, the variable related to its installation is removed! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Feb 24 updates to devel (#58) * updated to use ansible_facts variables Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Squashed commit of the following: commit 0cad737fe35db33ff0b867ac4439688cd2bcb009 Author: Mark Bolwell <mark.bollyuk@gmail.com> Date: Fri Feb 23 09:41:39 2024 +0000 updated and tidied up Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> commit 1fa72013209866be66f7f2a353b9cf6264a3681d Author: Mark Bolwell <mark.bollyuk@gmail.com> Date: Fri Feb 23 09:41:10 2024 +0000 audit_only Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Always tag for 1.2.1 gpg_key package update #14 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tidy up prelim removal step Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changelog Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed inject facts as vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * 4.6.5 related to #27 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * 6.1.10 thanks to @DianaMariaDDM #37 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tage change to alwasy thanks to @DianaMariaDDM #41 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changelog Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changelog Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated ansible fact naming and checkout action (#64) * updated ansible fact naming for ansible_facts.virtualization_type Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated checkout version Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * ansible fact update Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated ansible facts and timeout now inherited Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * [pre-commit.ci] pre-commit autoupdate (#65) updates: - [github.com/ansible-community/ansible-lint: v24.2.0 → v24.2.1](ansible/ansible-lint@v24.2.0...v24.2.1) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> * 4.2.16: Add variable for SSH MaxAuthTries (#66) Signed-off-by: Tom Henderson <tom.henderson@pushpay.com> * 4.2.16: Correct variable name and required max value (#67) Signed-off-by: Tom Henderson <tom.henderson@pushpay.com> * March 24 updates (#68) * addressed #59 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * issue #59 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * issue #62 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated variable name in conditional Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated container check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated authselect PR Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix conditional typo Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix conditional typo Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix var typo Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * [pre-commit.ci] pre-commit autoupdate (#69) updates: - [github.com/pre-commit/pre-commit-hooks: v4.5.0 → v4.6.0](pre-commit/pre-commit-hooks@v4.5.0...v4.6.0) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --------- Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> Signed-off-by: DianaMariaDDM <143085010+DianaMariaDDM@users.noreply.github.com> Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> Signed-off-by: Tom Henderson <tom.henderson@pushpay.com> Co-authored-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: DianaMariaDDM <143085010+DianaMariaDDM@users.noreply.github.com> Co-authored-by: Tom Henderson <tomhenderson@mac.com> Co-authored-by: Tom Henderson <tom.henderson@pushpay.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the Issue
If the
auditd_conf_filesregister used in this task is empty or undefined then the task would fail.Expected Behavior
The task should not fail even if the register is empty.
Actual Behavior
The task fails because of the order of execution in ansible fields. The first when conditional
when: - item.mode != '06(0|4)0'is the one responsible for this, along with the
loop:used in the task :loop: "{{ auditd_conf_files.files }}".If one combines a when statement with a loop, Ansible processes the condition separately for each item. This is by design, so you can execute the task on some items in the loop and skip it on other items.
The documentation for Ansible provides a solution:
Control(s) Affected
Environment (please complete the following information):
Additional Notes
Anything additional goes here
Possible Solution
The fix will be provided in a PR.
The text was updated successfully, but these errors were encountered: