Status: Closed (BJSmithIEEE closed this 2 weeks ago)
Regarding usbguard, the current approach isn't a handler.
I.e., it is NOT in the main YAML for Handlers. https://github.com/ansible-lockdown/RHEL8-STIG/blob/18d8335a420f91849a4e69cfe5371c15eddf9615/handlers/main.yml
The service enable/restart is in the control itself.
For consistency, and so things aren't problematic during the execution of the Ansible Playbook, and left until the very end, it might make sense to move to the main YAML for Handlers. If so, the control would be RHEL-08-040141 (rhel_08_040141).
```yaml
- name: restart usbguard
  ansible.builtin.service:
    name: usbguard
    state: restarted
  when:
    - rhel_08_040141
```
Merged to main. Many thanks.
uk-bolly
Describe the Issue
Handlers should verify that any service to be restarted has the STIG rule to enable that service set to true, and not false.
I.e., Handlers may 'trip' if 'reconfigured' under one or more (1+) control(s), but another control could actually enable the service. This is a very common scenario.
E.g., fapolicyd is covered by multiple Findings/IDs (e.g., RHEL-08-040135, 040136 & 040137). One or more (1+) may notify to restart fapolicyd.
Indeed, at least one (1) control, RHEL-08-040137, which reconfigures fapolicyd (https://github.com/ansible-lockdown/RHEL8-STIG/blob/18d8335a420f91849a4e69cfe5371c15eddf9615/tasks/fix-cat2.yml#L6478), will notify the fapolicyd handler to restart in at least two (2) cases: https://github.com/ansible-lockdown/RHEL8-STIG/blob/18d8335a420f91849a4e69cfe5371c15eddf9615/tasks/fix-cat2.yml#L6495 and https://github.com/ansible-lockdown/RHEL8-STIG/blob/18d8335a420f91849a4e69cfe5371c15eddf9615/tasks/fix-cat2.yml#L6510
And this is the handler notified. https://github.com/ansible-lockdown/RHEL8-STIG/blob/18d8335a420f91849a4e69cfe5371c15eddf9615/handlers/main.yml#L55
But only one (1), different control, RHEL-08-040136, defines if RHEL8 fapolicyd is actually enabled, in addition to other controls to configure fapolicyd and possibly notify. https://github.com/ansible-lockdown/RHEL8-STIG/blob/18d8335a420f91849a4e69cfe5371c15eddf9615/tasks/fix-cat2.yml#L6462
Currently there is no such conditional on RHEL-08-040136 (rhel_08_040136), and fapolicyd -- even if not running, and not enabled to run, not even after Ansible Lockdown -- will execute. So if the enable control is set to false, then the handler for fapolicyd (restarted) should NOT restart fapolicyd blindly.
Expected Behavior
For services with a STIG rule to enable, that STIG rule should be checked if true.
E.g., Handler should actually check if rhel-08-040136 is defined as true, and fapolicyd is enabled, before restarting it.
https://github.com/ansible-lockdown/RHEL8-STIG/blob/18d8335a420f91849a4e69cfe5371c15eddf9615/handlers/main.yml#L55
Actual Behavior
Ansible-Lockdown restarts service that is not enabled, and was explicitly set to false in the site.yml variable or other file. In some cases, this may prevent further playbook execution and/or interaction, especially given the system is not rebooted by default.
E.g., like fapolicyd, no further execution could occur, and all logins are rejected, once restarted. usbguard could be another if the KB/Mouse serial has not been recorded/saved.
Control(s) Affected
Will vary based on service, but for fapolicyd: https://github.com/ansible-lockdown/RHEL8-STIG/blob/18d8335a420f91849a4e69cfe5371c15eddf9615/tasks/fix-cat2.yml#L6462
And the Handler: https://github.com/ansible-lockdown/RHEL8-STIG/blob/18d8335a420f91849a4e69cfe5371c15eddf9615/handlers/main.yml#L55
Possible Solution
As above, add a simple conditional at a minimum. E.g., with fapolicyd:
https://github.com/ansible-lockdown/RHEL8-STIG/blob/18d8335a420f91849a4e69cfe5371c15eddf9615/handlers/main.yml#L55
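The guarded handler the issue asks for (and the usbguard handler proposed in the comment above), written out as an added example; this is not the role's own handlers/main.yml. It assumes the variable names rhel_08_040136 and rhel_08_040141 used in the thread, and the service_facts guard is one way a practitioner would confirm the unit is actually enabled before restarting it.

```yaml
# handlers/main.yml (example only, not the project's file)
# Two handlers `listen` to the topic "restart fapolicyd", so existing tasks
# that use `notify: restart fapolicyd` keep working unchanged. Handlers run
# in file order, so the facts refresh happens before the restart decision.
- name: refresh service facts before deciding whether to restart fapolicyd
  ansible.builtin.service_facts:
  listen: restart fapolicyd

- name: restart fapolicyd only if RHEL-08-040136 enables it
  ansible.builtin.systemd:
    name: fapolicyd
    state: restarted
  listen: restart fapolicyd
  when:
    # The enabling control must be true; `default(false)` keeps an undefined
    # variable from failing the handler, and `bool` normalises "true"/"yes".
    - rhel_08_040136 | default(false) | bool
    # The unit must actually be enabled on the host, not merely reconfigured
    # by another control. `status` is the systemd enablement state
    # (enabled/disabled/static) reported by service_facts.
    - ansible_facts.services['fapolicyd.service'] is defined
    - ansible_facts.services['fapolicyd.service'].status == 'enabled'

# Same pattern for usbguard, whose enabling control is RHEL-08-040141.
- name: restart usbguard only if RHEL-08-040141 enables it
  ansible.builtin.systemd:
    name: usbguard
    state: restarted
  listen: restart usbguard
  when:
    - rhel_08_040141 | default(false) | bool
    - ansible_facts.services['usbguard.service'] is defined
    - ansible_facts.services['usbguard.service'].status == 'enabled'
```

A task that sets `rhel_08_040136: false` in site.yml then skips the restart instead of bringing up a fapolicyd that was never meant to run, which is the lock-out the issue describes.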