ansible-lockdown / UBUNTU22-CIS

Ansible role for Ubuntu22 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

Control 3.1.1 | Disable IPv6 does not work using sysctl #207

Closed julianmaze closed 2 months ago

julianmaze commented 4 months ago

Describe the Issue
When setting the variable ubtu22cis_ipv6_disable to sysctl the playbook fails to execute. This is due to a when clause on the previous task that is invalid due to a previous skipped task.

azure-arm.linux_mktpl: TASK [mindpointgroup.ubuntu22_cis/ : 3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Replace ipv6.disable if it exists] ***
azure-arm.linux_mktpl: skipping: [default]
azure-arm.linux_mktpl:
azure-arm.linux_mktpl: TASK [mindpointgroup.ubuntu22_cis/ : 3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Check grub cmdline linux] ***
azure-arm.linux_mktpl: skipping: [default]
azure-arm.linux_mktpl:
azure-arm.linux_mktpl: TASK [mindpointgroup.ubuntu22_cis/ : 3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist] ***
azure-arm.linux_mktpl: fatal: [default]: FAILED! => {"msg": "The conditional check ''ipv6.disable' not in ubtu22cis_3_1_1_cmdline_settings.stdout' failed. The error was: error while evaluating conditional ('ipv6.disable' not in ubtu22cis_3_1_1_cmdline_settings.stdout): 'dict object' has no attribute 'stdout'. 'dict object' has no attribute 'stdout'\n\nThe error appears to be in '/runner_dir/image-pipeline/image-pipeline/ansible_roles/mindpointgroup.ubuntu22_cis/tasks/section_3/cis_3.1.x.yml': line 22, column 9, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n      - name: \"3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist\"\n        ^ here\n"}

The variable ubtu22cis_3_1_1_cmdline_settings is registered during the task named 3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Check grub cmdline linux

Expected Behavior

Actual Behavior
Task 3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist fails to evaluate the when clause of its task.

Control(s) Affected
Control 3.1.1

Environment (please complete the following information):

Additional Notes
NA

Possible Solution
Use nested blocks for the grub tasks. The nested block will have a when clause of when: ubtu22cis_ipv6_disable == 'grub' and the tasks in the block can further be configured with the appropriate when clauses.
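The nested-block layout proposed above, written out as an added example. This is not the role's own cis_3.1.x.yml and not code from the issue author; the task names and the variables ubtu22cis_ipv6_disable and ubtu22cis_3_1_1_cmdline_settings come from the issue, while the module arguments, the /etc/default/grub handling, the "Update grub" handler name and the sysctl keys are assumptions made for illustration.

```yaml
---
# Added example, not the role's own tasks. The three grub tasks sit in one
# block whose `when` is evaluated first; when the sysctl method is selected the
# block is skipped as a whole, so no inner conditional ever dereferences
# ubtu22cis_3_1_1_cmdline_settings.stdout on a skipped-task result.

- name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | grub method"
  when: ubtu22cis_ipv6_disable == 'grub'
  block:
    - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Check grub cmdline linux"
      ansible.builtin.command: grep '^GRUB_CMDLINE_LINUX=' /etc/default/grub   # assumed check
      register: ubtu22cis_3_1_1_cmdline_settings
      changed_when: false
      # grep exits 1 when nothing matches; only other exit codes are real failures
      failed_when: ubtu22cis_3_1_1_cmdline_settings.rc > 1

    # Inside the block the register above has always run, so .stdout exists.
    - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Replace ipv6.disable if it exists"
      ansible.builtin.replace:
        path: /etc/default/grub
        regexp: 'ipv6\.disable=\d'
        replace: 'ipv6.disable=1'
      when: "'ipv6.disable' in ubtu22cis_3_1_1_cmdline_settings.stdout"
      notify: Update grub   # hypothetical handler that runs update-grub

    - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist"
      ansible.builtin.lineinfile:
        path: /etc/default/grub
        regexp: '^GRUB_CMDLINE_LINUX="(.*)"$'
        line: 'GRUB_CMDLINE_LINUX="\1 ipv6.disable=1"'
        backrefs: true
      when: "'ipv6.disable' not in ubtu22cis_3_1_1_cmdline_settings.stdout"
      notify: Update grub   # hypothetical handler that runs update-grub

- name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | sysctl method"
  when: ubtu22cis_ipv6_disable == 'sysctl'
  ansible.posix.sysctl:
    name: "{{ item }}"
    value: '1'
    state: present
    sysctl_set: true
    reload: true
  loop:   # assumed keys for the sysctl method
    - net.ipv6.conf.all.disable_ipv6
    - net.ipv6.conf.default.disable_ipv6
```

The failure in the log above happens because a skipped task still registers its variable, but as a small dict (skipped, changed, skip_reason) with no stdout key, so a later conditional that reads .stdout raises 'dict object' has no attribute 'stdout'. A block-level when is prepended to each child task's conditions and evaluated first, which is why the inner conditionals are never reached when the grub method is not selected. If the tasks must stay flat instead, the defensive form is to guard the dereference, for example `when: "'ipv6.disable' not in (ubtu22cis_3_1_1_cmdline_settings.stdout | default(''))"`.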

uk-bolly commented 2 months ago

hi @julian1059

I believe that this issue has been addressed and the fix merged, I will close this issue, please feel free to reopen or raise a new one if this particular problem still exists.

Many thanks

uk-bolly