Fix rule 1.6.1 idempotence; #394

Conversation

ShawnHardwick
Contributor

@ShawnHardwick ShawnHardwick commented Jul 3, 2024

Overall Review of Changes:

  • Fix idempotency of rule 1.6.1
  • Modify behavior of changed_when if reboot is pending and skipped to allow idempotency to succeed

Changing the behavior of changed_when for the final reboot warning allows for users who are checking for changed tasks in their idempotency checks to filter this one out.

Issue Fixes:
N/A

Enhancements:
N/A

How has this been tested?:
When the remote host is configured as:

[mol-admin@d-mol-rysts-1 ~]$ update-crypto-policies --show
DEFAULT:NO-SHA1:NO-SSHCBC:NO-WEAKMAC

Rule 1.6.1 (and subsequent rules) no longer have changed tasks:

TASK [RHEL8-CIS : 1.6.1 | PATCH | Ensure system-wide crypto policy is not legacy | set_fact] ***

ok: [rhel-8] => changed=false 
  ansible_facts:
    rhel8cis_full_crypto_policy: DEFAULT

TASK [RHEL8-CIS : 1.6.1 | PATCH | Ensure system-wide crypto policy is not legacy] ***

skipping: [rhel-8] => changed=false 
  false_condition: rhel8cis_full_crypto_policy not in discovered_system_wide_crypto_policy.stdout
  skip_reason: Conditional result was False

TASK [RHEL8-CIS : 1.6.2 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | crypto_file] ***

skipping: [rhel-8] => changed=false 
  false_condition: '''NO-SHA1'' not in discovered_system_wide_crypto_policy.stdout'
  skip_reason: Conditional result was False

TASK [RHEL8-CIS : 1.6.2 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | set crypto policy] ***

skipping: [rhel-8] => changed=false 
  false_condition: '''NO-SHA1'' not in discovered_system_wide_crypto_policy.stdout'
  skip_reason: Conditional result was False

TASK [RHEL8-CIS : 1.6.3 | PATCH | Ensure system wide crypto policy disables cbc for ssh | crypto_file] ***

skipping: [rhel-8] => changed=false 
  false_condition: '''NO-SSHCBC'' not in discovered_system_wide_crypto_policy.stdout'
  skip_reason: Conditional result was False

TASK [RHEL8-CIS : 1.6.3 | PATCH | Ensure system wide crypto policy disables cbc for ssh | set crypto policy] ***

skipping: [rhel-8] => changed=false 
  false_condition: '''NO-SSHCBC'' not in discovered_system_wide_crypto_policy.stdout'
  skip_reason: Conditional result was False

TASK [RHEL8-CIS : 1.6.4 | PATCH | Ensure system wide crypto policy disables cbc for ssh | crypto_file] ***

skipping: [rhel-8] => changed=false 
  false_condition: '''NO-WEAKMAC'' not in discovered_system_wide_crypto_policy.stdout'
  skip_reason: Conditional result was False

TASK [RHEL8-CIS : 1.6.4 | PATCH | Ensure system wide crypto policy disables cbc for ssh | set crypto policy] ***

skipping: [rhel-8] => changed=false 
  false_condition: '''NO-WEAKMAC'' not in discovered_system_wide_crypto_policy.stdout'
  skip_reason: Conditional result was False

Ansible version:

ansible [core 2.16.8.post0]

Target remote host:

NAME="Red Hat Enterprise Linux"
VERSION="8.10 (Ootpa)"
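Added example, not the RHEL8-CIS role's or the PR author's code: a Python model of the decision the 1.6.x PATCH tasks above make from `update-crypto-policies --show` output, showing why a second run reports changed=false. Function names and the merge behaviour are assumptions of this example.

```python
# Added example (not the RHEL8-CIS role's own code): models the decision the
# 1.6.x PATCH tasks make from `update-crypto-policies --show` output so that a
# second run reports no change. Function names are hypothetical.

def parse_crypto_policy(show_output: str) -> tuple[str, list[str]]:
    """Split the last line of `update-crypto-policies --show` into
    (base_policy, [subpolicies]), e.g. 'DEFAULT:NO-SHA1' -> ('DEFAULT', ['NO-SHA1'])."""
    lines = [ln.strip() for ln in show_output.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty `update-crypto-policies --show` output")
    parts = [p for p in lines[-1].split(":") if p]
    return parts[0], parts[1:]


def change_needed(show_output: str, base: str, required: list[str]) -> bool:
    """True when the base policy differs or a required subpolicy is missing.
    Compares ':'-separated tokens rather than raw substrings of stdout."""
    cur_base, cur_subs = parse_crypto_policy(show_output)
    return cur_base != base or not set(required) <= set(cur_subs)


def apply_policy(show_output: str, base: str, required: list[str]) -> tuple[bool, str]:
    """Simulate one PATCH run: return (changed, resulting policy string).
    Assumption of this example: existing subpolicies are kept, missing required
    ones are appended in order, and the base policy is replaced if it differs."""
    if not change_needed(show_output, base, required):
        return False, show_output.strip()
    _, cur_subs = parse_crypto_policy(show_output)
    subs = list(cur_subs)
    for sub in required:
        if sub not in subs:
            subs.append(sub)
    return True, ":".join([base, *subs])


if __name__ == "__main__":
    # Constructed sample: a host still on the stock DEFAULT policy.
    required = ["NO-SHA1", "NO-SSHCBC", "NO-WEAKMAC"]
    first = apply_policy("DEFAULT\n", "DEFAULT", required)
    second = apply_policy(first[1], "DEFAULT", required)
    print("first run:", first)    # (True, 'DEFAULT:NO-SHA1:NO-SSHCBC:NO-WEAKMAC')
    print("second run:", second)  # (False, 'DEFAULT:NO-SHA1:NO-SSHCBC:NO-WEAKMAC')
```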

@ShawnHardwick ShawnHardwick force-pushed the shawn.hardwick/1.6.1_idempotency_fix branch from a188cd3 to 17f2c09 July 3, 2024 23:39
…oot is pending and skipped to allow idempotency to succeed

Signed-off-by: Shawn Hardwick <time4swim@gmail.com>
@ShawnHardwick ShawnHardwick force-pushed the shawn.hardwick/1.6.1_idempotency_fix branch from 17f2c09 to 1b4cfd9 July 3, 2024 23:47
Member

@uk-bolly uk-bolly left a comment

Great change. Thank you

@uk-bolly uk-bolly merged commit 6078eca into ansible-lockdown:devel Jul 12, 2024
4 checks passed
@uk-bolly uk-bolly mentioned this pull request Oct 15, 2024