ansible-lockdown / RHEL7-STIG

Ansible role for Red Hat 7 STIG Baseline
MIT License

Removed GUI condition check for RHEL-07-040730 #467

Open layluke opened 4 months ago

layluke commented 4 months ago

Overall Review of Changes: Removing GUI condition check for RHEL-07-040730

Issue Fixes: https://github.com/ansible-lockdown/RHEL7-STIG/issues/464

How has this been tested?: N/A

georgenalen commented 2 months ago

Hey @layluke. I'm looking at the PR and the reason for that conditional is that task will remove all GUI components. For folks that are running this role against RHEL7 with a GUI they can set rhel7stig_gui to true and it will leave the GUI. Looking at the task in its current state it should do that, is there a particular issue with it that you are seeing?

layluke commented 2 months ago

> Hey @layluke. I'm looking at the PR and the reason for that conditional is that task will remove all GUI components. For folks that are running this role against RHEL7 with a GUI they can set rhel7stig_gui to true and it will leave the GUI. Looking at the task in its current state it should do that, is there a particular issue with it that you are seeing?

@georgenalen Yes, I think there is an issue here still. The issue is, this will remove x11 if rhel7stig_gui is set to false and rhel_07_040730 is set to false. If rhel7stig_gui is true, it just skips the removal. It will also skip the removal if rhel7stig_gui is removed and rhel_07_040730 is set to true (default).

I mentioned it in the issue https://github.com/ansible-lockdown/RHEL7-STIG/issues/464. Currently, there is no way to get x11 to stay unless rhel7stig_gui is set to true, making it impossible to run x11 on a headless system.

Currently rhel_07_040730 has no weight in this conditional check. If there is a way for rhel_07_040730 to take precedence in the conditional that may be ideal. I think that it's implied if it's not running a GUI is not being installed, x windows is usually not there unless you want it to be.

That's why I thought the best way to handle it was to remove the conditional check for rhel7stig_gui, and handle the condition with rhel_07_040730. This will allow its removal only if explicitly mentioned by setting rhel_07_040730 to false.

Thanks :)