-
Notifications
You must be signed in to change notification settings - Fork 303
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tag strategy and consistency within this role #93
Comments
Thanks for the report. I think the tagging needs a thorough review/clean up at this point! |
Hmm I trying to think the best way to handle the tagging. Looking back at this issue it seems that the original report included two distinct problems.
The second item above is an issue because that is not the way tags work in Ansible. Running The other problem I see with the tagging is that, in addition to scored/not scored, the CIS benchmark has this notion of level1/level2 and further complicates it by having different values for server/workstation. I say all this because I think we need to pick something standard before applying tags across the board. @brydoncheyney has started applying tags in #101 so I think now is a good time to solidify the approach. imo I think it makes sense to tag things with very specific tags. i.e. a rule with the following attributes: Would get tagged:
Another task:
This means you can run the below command and be sure that only scored level1 server rules will be run and nothing else.
The other option as I see it:
Then people would need to run:
The second option is probably more flexible but people need to be aware of how tags work with Ansible and how to exclude tags. |
@bbaassssiiee Would appreciate your opinion on how people use tags with this role as well. |
Indeed, people would need to run:
And people need to be aware of how tags work with Ansible and how to exclude tags. |
I think that being forced to use both The use of composite tags, A possible solution is to break down the dimensions in some other way. For example, different playbooks or roles for server and workstation, reducing the tag space to scores and levels. Dimensions could also be defined by variables, e.g.
In fact, the use of variables instead of tags may allows tasks to make use of the conditional logic we require? - name: SCORED | 1.x.x | ... Level 1 ...
task:
args: ...
when:
- scored
- level1
- name: NOTSCORED | 1.x.y | ... Level 1 and Level 2 ... workstation ...
task:
args: ...
when:
- notscored
- workstation (unsure why rules are presently toggled on both tags and variable conditionals?) |
Flexibility. An option to turn off specific rules via the var file and not having to use tags for day to day runs (translates to new OS builds at our site) has proven less error prone in practice. We have a scanner appliance that takes in a audit file based on the entire CIS benchmark. As a result I run as many rules as possible, vars file tweaked as needed, and then any "localized" changes are in a playbook tacked on at the end of the run. I really only use tags when code evolves in one particular area and I need to redeploy those specific changes. I agree with your concerns here but I see the solution as simply adding the necessary amount of vars and tags needed to run the playbook according to your site requirements. |
Yes the use of variables in generally the preferred/recommended way to enable/disable rules or groups of rules. Tags still have their uses as @erpadmin points out. Ultimately I think to correct the tagging we should make sure the correct
Currently the plain It is advisable for people to create their own tailoring files using the |
Hello, Hello,
|
Example is 3.1.1 but there are more. Most are tagged as scored or not scored and without them all being tagged as such it seems some may run even if not intended. For instance running this playbook with
--tags=level-1,scored
ends up running some items which are not scored. Unsure if this is intended, but it still seems as though the tags should be consistent.The text was updated successfully, but these errors were encountered: