ansible-lockdown / UBUNTU22-CIS

Ansible role for Ubuntu22 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

Error on handler rule_4_1_3_21. Not added in tags parameters. #216

Closed txsastre closed 5 months ago

txsastre commented 6 months ago

I've executed the playbook with these args:

--tags rule_1.1.1.1,rule_1.1.1.2,rule_1.1.1.3,rule_1.1.2.1,rule_1.1.2.2,rule_1.1.2.3,rule_1.1.2.4,rule_1.1.9,rule_1.1.3.1,rule_1.1.3.2,rule_1.1.3.3,rule_1.1.8.1,rule_1.1.8.2,rule_1.1.8.3,rule_1.2.1,rule_1.2.2,rule_1.3.1,rule_1.4.1,rule_1.4.2,rule_1.4.3,rule_1.5.1,rule_1.5.2,rule_1.5.4,rule_1.6.1.1,rule_1.6.1.2,rule_1.6.1.3,rule_1.7.1,rule_1.7.2,rule_1.7.3,rule_1.7.4,rule_1.7.5,rule_1.7.6,rule_1.8.1,rule_1.8.2,rule_1.8.3,rule_1.8.4,rule_1.8.5,rule_1.8.6,rule_1.8.7,rule_2.1.1.1,rule_2.1.1.1,rule_2.1.1.1,rule_2.2.1,rule_2.2.2.,rule_2.2.3.,rule_2.2.4,rule_2.2.5,rule_2.2.6,rule_2.2.7,rule_2.2.8,rule_2.2.9,rule_2.2.10,rule_2.2.11,rule_2.2.12,rule_2.2.13,rule_2.2.14,rule_2.2.15,rule_2.2.16,rule_2.3.1,rule_2.3.2,rule_2.3.3,rule_2.3.4,rule_2.3.5,rule_2.3.6,rule_3.1.1,rule_3.2.1,rule_3.2.2,rule_3.3.2,rule_3.3.3,rule_3.3.4,rule_3.3.5,rule_3.3.6,rule_3.3.7,rule_3.3.8,rule_3.3.9,rule_4.1.1.1,rule_4.1.1.2,rule_4.1.1.3,rule_4.1.1.1,rule_4.1.1.2,rule_4.1.1.3,rule_4.1.2.1,rule_4.1.3.4,rule_4.1.3.8,rule_4.1.3.5,rule_4.1.3.14,rule_4.1.3.12,rule_4.1.3.11,rule_4.1.3.9,rule_4.1.3.7,rule_4.1.3.6,rule_4.1.3.10,rule_4.1.3.13,rule_4.1.3.1,rule_4.1.3.19,rule_4.1.3.20,rule_5.1.1,rule_5.1.2,rule_5.1.3,rule_5.1.4,rule_5.1.5,rule_5.1.6,rule_5.1.7,rule_5.1.8,rule_5.2.1,rule_5.2.2,rule_5.2.5,rule_5.2.12,rule_5.2.18,rule_5.2.11,rule_5.2.8,rule_5.2.7,rule_5.2.9,rule_5.2.10,rule_5.2.14,rule_5.2.22,rule_5.2.21,rule_5.2.17,rule_5.4.1,rule_5.4.2,rule_5.4.3,rule_5.4.4,rule_5.5.1.2,rule_5.5.1.1,rule_5.5.1.3,rule_5.5.1.4,rule_5.5.1.5,rule_5.5.2,rule_5.5.3,rule_5.5.4,rule_5.5.5,rule_5.3.4,rule_6.1.1,rule_6.1.5,rule_6.1.3,rule_6.1.7,rule_6.1.2,rule_6.1.6,rule_6.1.4,rule_6.1.8,rule_6.1.9,rule_6.1.10,rule_6.1.11,rule_6.1.12,rule_6.1.13,rule_6.2.1,rule_6.2.2,rule_6.2.3,rule_6.2.4,rule_6.2.5,rule_6.2.6,rule_6.2.7,rule_6.2.8,rule_6.2.9,rule_6.2.10,rule_6.2.11,rule_6.2.12,rule_6.2.13,rule_6.2.14,rule_6.2.15,rule_6.2.16,rule_6.2.17, -l SRV1-UBU -K

At the end I received this error running handlers. I can see that it is related to 4.1.3.21, but I hadn't set that in the playbook tags. Trying again, adding rule_4_1_3_21, and now it works.

RUNNING HANDLER [/home/hal/ansible/hardening/UBUNTU22-CIS-devel : Auditd rules reload] **** fatal: [SRV1-UBU]: FAILED! => {"msg": "The conditional check '\"No change\" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout' failed. The error was: error while evaluating conditional (\"No change\" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout): 'ubtu22cis_rule_4_1_3_21_augen_check' is undefined. 'ubtu22cis_rule_4_1_3_21_augen_check' is undefined\n\nThe error appears to be in '/home/hal/ansible/hardening/UBUNTU22-CIS-devel/handlers/main.yml': line 113, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Auditd rules reload\n ^ here\n"}
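The handler fails because its `when:` reads a variable that is only registered by the 4.1.3.21 task; when tag filtering skips that task but another task still notifies the handler, the variable never exists. The following is an added illustration, not the role's own code: the handler and variable names come from the error message above, while the task body, the `augenrules` commands and the `ubtu22cis_rule_4_1_3_21` toggle variable are assumptions.

```yaml
# tasks (constructed illustration): the task that registers the variable.
# It only runs when the per-control toggle is true, which is the
# variable-based switch suggested in this thread, so the handler must
# tolerate the variable being absent.
- name: "4.1.3.21 | Compare running auditd rules with on-disk rules"
  ansible.builtin.command: augenrules --check
  register: ubtu22cis_rule_4_1_3_21_augen_check
  changed_when: '"No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout'
  failed_when: false
  notify: Auditd rules reload
  when: ubtu22cis_rule_4_1_3_21      # assumed per-control toggle (defaults/main.yml)
  tags:
    - rule_4.1.3.21

# handlers (constructed illustration): guard the conditional so a skipped
# registering task cannot leave the handler evaluating an undefined name.
# Other audit-rule tasks may notify this same handler, which is how it got
# triggered without rule_4.1.3.21 in the tag list.
- name: Auditd rules reload
  ansible.builtin.command: augenrules --load
  when:
    - ubtu22cis_rule_4_1_3_21_augen_check is defined
    - '"No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout'
```

Without the `is defined` guard, running with `--tags` that exclude rule_4.1.3.21 reproduces the error shown above; with it, the handler is simply skipped.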

uk-bolly commented 6 months ago

hi @txsastre

Thank you for the issue. We do ask for information regarding Ansible version and branch etc. to assist us with investigation; if you can let us know, that may assist. In the example you have shown, tags are generally not used to that extent. Every control has the ability to be turned on or off with the use of variables, normally either via inventory, group vars or however you have set it up. This will give you greater control, with many controls also having other variables you can set. Could I suggest that you set the controls you don't want to run to false and see how that works.

I hope that helps

Regards

uk-bolly

txsastre commented 6 months ago

Hi there, sorry about not informing before.

I was just testing some parameters, and once it had worked I added all of them in a bad way, as I can see. Can you point me to where I can set the controls to false? Is it in UBUNTU22-CIS-devel -> defaults -> main.yml?

Related to the branch, I just downloaded the scripts from devel (default).

The Ansible controller is a Debian 12.

ansible [core 2.16.3]
  config file = None
  configured module search path = ['/home/hal/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/hal/.local/lib/python3.11/site-packages/ansible
  ansible collection location = /home/hal/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.11.8 (main, Feb 7 2024, 21:52:08) [GCC 13.2.0] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

uk-bolly commented 5 months ago

hi @txsastre

I believe that this issue has been addressed and the fix merged, I will close this issue, please feel free to reopen or raise a new one if this particular problem still exists.

Many thanks

uk-bolly