ansible-lockdown / RHEL9-STIG

Ansible playbook for RHEL9 Disa STIG
MIT License

RHEL-09-251040: Remediation tasks appear broken #1

Closed PrymalInstynct closed 4 months ago

PrymalInstynct commented 7 months ago

Describe the Issue: When testing this role I have been unable to apply RHEL-09-251040 without the remediation tasks failing.

Expected Behavior: All tasks associated with RHEL-09-251040 complete successfully.

Actual Behavior: The task fails.

TASK [RHEL9-STIG : MEDIUM | RHEL-09-251040 | PATCH | RHEL 9 network interfaces must not be in promiscuous mode.] ********************************************************************************************************************************************
Saturday 16 March 2024  08:19:48 -0600 (0:00:00.156)       0:00:14.819 ******** 
fatal: [rocky9-stig.prymal.linux]: FAILED! => {"msg": "The conditional check 'item not in rhel9stig_promisc_if' failed. The error was: error while evaluating conditional (item not in rhel9stig_promisc_if): 'item' is undefined. 'item' is undefined

The error appears to be in '/home/zimmermanc/Projects/cybersecurity/RHEL9-STIG/tasks/Cat2/RHEL-09-25xxxx.yml': line 195, column 7, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

    - name: \"MEDIUM | RHEL-09-251040 | PATCH | RHEL 9 network interfaces must not be in promiscuous mode.\"
    -       ^ here
    "}

Control(s) Affected: RHEL-09-251040

Environment (please complete the following information):

Additional Notes: I tried to set the defaults/main.yml variable rhel9stig_promisc_if to lo and eth0 to see if for some reason the tasks are expecting the value within that variable to be set to an actual interface on the remote host, but I got the same results. I have just disabled these tasks to work around the problem.

Possible Solution: No ideas.

fallenpixel commented 6 months ago

  block:
    - name: "MEDIUM | RHEL-09-251040 | PATCH | RHEL 9 network interfaces must not be in promiscuous mode."
      when:
        - item not in rhel9stig_promisc_if
        - rhel9stig_disruption_high
      ansible.builtin.lineinfile:
        create: true
        line: PROMISC=NO
        regexp: ^(?i)PROMISC=(YES|TRUE|NO|FALSE)
        path: "/etc/sysconfig/network-scripts/ifcfg-{{ item }}"
      notify: Restart_NetworkManager
      loop: "{{ ansible_facts.interfaces }}"

    - name: "MEDIUM | RHEL-09-251040 | PATCH | RHEL 9 network interfaces must not be in promiscuous mode."
      when:
        - not rhel9stig_disruption_high
        - item not in rhel9stig_promisc_if
      ansible.builtin.debug:
        msg: "Warning!! You have interfaces set to promicious mode no in the exception list"

    - name: "MEDIUM | RHEL-09-251040 | PATCH | RHEL 9 network interfaces must not be in promiscuous mode."
      when:
        - not rhel9stig_disruption_high
        - item not in rhel9stig_promisc_if
      ansible.builtin.import_tasks:
        file: warning_facts.yml

This block seems to be the root cause of this issue. I think I see the intention here, where this block is looping over ansible_facts.interface, but only the lineinfile is looping, not the entire block.
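One way to restructure the tasks so that `item` is only referenced inside a task that actually loops (an added example, not the role's own fix): the warning path computes the list of interfaces missing from the exception list with Ansible's `difference` filter instead of relying on a loop variable. The fact name `rhel9stig_251040_unexpected_if` is an assumption; the other variable, handler and file names are taken from the snippet above.

```yaml
# Added example, not the role's own code. Assumes rhel9stig_promisc_if,
# rhel9stig_disruption_high, the Restart_NetworkManager handler and
# warning_facts.yml exist as shown in the quoted block.
- name: "MEDIUM | RHEL-09-251040 | PATCH | RHEL 9 network interfaces must not be in promiscuous mode."
  when:
    - rhel9stig_disruption_high
    - item not in rhel9stig_promisc_if   # valid here: this task loops
  ansible.builtin.lineinfile:
    create: true
    line: PROMISC=NO
    regexp: ^(?i)PROMISC=(YES|TRUE|NO|FALSE)
    path: "/etc/sysconfig/network-scripts/ifcfg-{{ item }}"
  notify: Restart_NetworkManager
  loop: "{{ ansible_facts.interfaces }}"

# Non-disruptive path: build the list once instead of using `item`
# in tasks that have no loop.
- name: "MEDIUM | RHEL-09-251040 | AUDIT | Collect interfaces not in the exception list"
  when: not rhel9stig_disruption_high
  ansible.builtin.set_fact:
    # assumed fact name; difference() drops every interface listed in rhel9stig_promisc_if
    rhel9stig_251040_unexpected_if: "{{ ansible_facts.interfaces | difference(rhel9stig_promisc_if) }}"

- name: "MEDIUM | RHEL-09-251040 | WARN | Report interfaces not in the exception list"
  when:
    - not rhel9stig_disruption_high
    - rhel9stig_251040_unexpected_if | length > 0
  ansible.builtin.debug:
    msg: "Warning!! Interfaces not in the promiscuous-mode exception list: {{ rhel9stig_251040_unexpected_if | join(', ') }}"

# import_tasks is static and cannot loop; its `when` is applied to each
# imported task, so gate it on the computed list rather than on `item`.
- name: "MEDIUM | RHEL-09-251040 | WARN | Record warning facts"
  when:
    - not rhel9stig_disruption_high
    - rhel9stig_251040_unexpected_if | length > 0
  ansible.builtin.import_tasks:
    file: warning_facts.yml
```

Note that the patch task still iterates over every interface in ansible_facts.interfaces and, with create: true, will write an ifcfg file for any interface that does not have one, so the exception list should include interfaces such as lo that should not be touched.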