ansible-lockdown / UBUNTU22-CIS

Ansible role for Ubuntu22 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

5.2.4 Script Fails if no SSH denied_users are Passed #165

Closed r0bc94 closed 8 months ago

r0bc94 commented 8 months ago

Describe the Issue

In order to define the configuration for the SSH server, either AllowedUsers or DeniedUsers should be passed. However, when only specifying the ubtu22cis_sshd.allow_users variable and ignoring ubtu22cis_sshd.deny_users, the script fails.

In tag version 1.1.0, this was possible; however, in version 1.2.0, the line |default(''), which would return an empty string if deny_users is unset, was removed. See: https://github.com/ansible-lockdown/UBUNTU22-CIS/blob/devel/tasks/section_5/cis_5.2.x.yml#L99

Expected Behavior

Do not fail if the variable ubtu22cis_sshd.deny_users is unset.

Actual Behavior

Fails if ubtu22cis_sshd.deny_users is unset.

Possible Solution

Return an empty string if the denied_hosts is not set:

    when: "ubtu22cis_sshd['deny_users'] | default('') | length > 0"

r0bc94 commented 8 months ago

Hello @uk-bolly, thank you for addressing this issue. Since the fix is already merged, I will close this issue.
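
The guard proposed in the issue, applied to both optional lists, as an added example that is not code from the UBUNTU22-CIS role or from either commenter. The play name, the `sshd_config_copy` scratch path, the sample user names and the loop structure are assumptions made for illustration; `AllowUsers` and `DenyUsers` are the sshd_config directive names.

```yaml
# Constructed playbook: runs on localhost and edits a scratch file only.
- name: Write sshd user restrictions without failing on unset lists
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Constructed sample input: deny_users is deliberately left unset.
    ubtu22cis_sshd:
      allow_users: "alice bob"
    # Hypothetical scratch path, not /etc/ssh/sshd_config.
    sshd_config_copy: /tmp/sshd_config.example

  tasks:
    # Stop early with a clear message if neither list is set, so the host
    # does not end up with no user restriction at all.
    - name: Require at least one of allow_users / deny_users
      ansible.builtin.assert:
        that:
          - "(ubtu22cis_sshd['allow_users'] | default('') | length > 0)
             or (ubtu22cis_sshd['deny_users'] | default('') | length > 0)"
        fail_msg: "Set ubtu22cis_sshd.allow_users or ubtu22cis_sshd.deny_users"

    # default('') turns a missing key into an empty string, so the length
    # test evaluates to false and the item is skipped instead of erroring.
    - name: Write each directive only when its list is set
      ansible.builtin.lineinfile:
        path: "{{ sshd_config_copy }}"
        regexp: "^(#)?{{ item.directive }}\\s"
        line: "{{ item.directive }} {{ ubtu22cis_sshd[item.key] }}"
        create: true
        mode: "0600"
      loop:
        - { directive: AllowUsers, key: allow_users }
        - { directive: DenyUsers, key: deny_users }
      when: ubtu22cis_sshd[item.key] | default('') | length > 0
```

With the sample variables above, the `AllowUsers` item is written and the `DenyUsers` item is reported as skipped.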