ansible-lockdown / UBUNTU22-CIS

Ansible role for Ubuntu22 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

Prelim task "Ensure auditd is installed" required for level 1 benchmarks is not executed if using only level1-server tag #247

Closed angaaruriakhil closed 6 days ago

angaaruriakhil commented 1 month ago

Describe the Issue

When trying to apply only level 1 benchmarks on an Ubuntu 22 machine, one can use the -t flag in the ansible playbook command to apply a tag so that only level 1 benchmarks will be applied to the host.

e.g.

-t 'level1-server'

If you do this, the prelim task "PRELIM | AUDIT | Audit conf and rules files | list files" defined here is skipped; this is because it has the tag level2-server.

However, level 1 benchmark 4.1.4.5 (and maybe others) relies on this prelim task to run and define the audit conf files.

Other level 1 benchmarks also need auditd to be installed (checking for that is also a part of this block)

Expected Behavior

Prelim tasks that are required for any level 1 benchmarks as well should not have the tag level2-server, and therefore this prelim task should be run if the level2-server tag is skipped or not included in the ansible-playbook command.

Workarounds

A workaround is to not use any tags, read through each benchmark and set each one to true or false depending on whether it is level 1 or not, but this is a little tedious, which is where the use of tags makes level 1 hardening straightforward and is preferred. (I have tested without tags and benchmark 4.1.4.5 successfully gets applied.)

Another possible workaround is to set the tags in your ansible-playbook command as both 'level1-server' and 'always' to ensure this prelim task executes. (I tested this and it works, but I'm not sure if the 'always' tag will apply any level 2 benchmarks.)

Actual Behavior

You will get the following error when trying to apply benchmark 4.1.4.5:

    TASK [/root/.ansible/roles/UBUNTU22-CIS : 4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive] ***
    azure-arm.build_vhd: fatal: [localhost]: FAILED! => {"msg": "'auditd_conf_files' is undefined"}

and if you don't have auditd installed, you'll get an error earlier on.

Control(s) Affected

Level 1

Environment (please complete the following information):

Possible Solution

Amend tags accordingly in the prelim task or separate out the logic.
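The tag interaction described in this issue can be checked mechanically before a run. The script below is an added example, not code from the UBUNTU22-CIS role: it models Ansible's `-t` selection rule (a task runs if it carries `always` or any selected tag) over a constructed, simplified task list, and reports any selected task whose `register`/`set_fact` producer would be skipped. Only the two task names and the `auditd_conf_files` variable come from the issue; the tag sets and module arguments are assumptions.

```python
"""Model ansible-playbook tag selection and flag prelim tasks that a selected
task depends on but that the selection would skip.

Added example for this issue, not code from the UBUNTU22-CIS role. The task
list is a constructed, simplified stand-in for the role's tasks: the real tag
sets and module arguments are assumptions; only the task names and the
'auditd_conf_files' variable come from the issue text.
"""
import copy
import re

# First identifier after '{{', e.g. 'auditd_conf_files' in "{{ auditd_conf_files.files }}"
VAR_RE = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)")

# Constructed tasks mirroring the issue: the prelim task is tagged only
# level2-server, while the level1-server task that consumes its result is not.
TASKS = [
    {
        "name": "PRELIM | AUDIT | Audit conf and rules files | list files",
        "find": {"paths": "/etc/audit", "file_type": "file"},  # assumed args
        "register": "auditd_conf_files",
        "tags": ["level2-server"],  # assumed: the tag the issue reports
    },
    {
        "name": "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive",
        "file": {"path": "{{ item.path }}", "mode": "0640"},  # assumed args
        "loop": "{{ auditd_conf_files.files }}",
        "tags": ["level1-server"],  # assumed tag set
    },
]


def task_selected(task_tags, selected_tags):
    """Ansible's -t rule: a task runs if it carries 'always' or any selected tag."""
    tags = set(task_tags)
    return "always" in tags or bool(tags & set(selected_tags))


def _strings(value):
    """Yield every string nested inside a task value (dicts and lists included)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def variables_defined(task):
    """Variables a task produces via register: or set_fact:."""
    defined = set()
    if "register" in task:
        defined.add(task["register"])
    defined.update(task.get("set_fact", {}).keys())
    return defined


def variables_used(task):
    """Variables referenced in Jinja expressions anywhere in the task body."""
    used = set()
    for key, value in task.items():
        if key in ("name", "tags", "register"):
            continue
        for s in _strings(value):
            used.update(VAR_RE.findall(s))
    return used


def find_skipped_dependencies(tasks, selected_tags):
    """Return (consumer, producer, variable) for each selected task whose
    producing task would be skipped by the tag selection."""
    producers = {}
    for task in tasks:
        for var in variables_defined(task):
            producers[var] = task
    problems = []
    for task in tasks:
        if not task_selected(task.get("tags", []), selected_tags):
            continue
        for var in sorted(variables_used(task)):
            producer = producers.get(var)
            if producer is None or producer is task:
                continue  # loop vars like 'item', or self-references
            if not task_selected(producer.get("tags", []), selected_tags):
                problems.append((task["name"], producer["name"], var))
    return problems


def with_extra_tag(tasks, task_name, tag):
    """Copy of tasks with one tag added to the named task (the 'amend tags' fix)."""
    fixed = copy.deepcopy(tasks)
    for task in fixed:
        if task["name"] == task_name:
            task.setdefault("tags", []).append(tag)
    return fixed


if __name__ == "__main__":
    for selection in (["level1-server"], ["level1-server", "level2-server"]):
        print(f"-t {','.join(selection)}:")
        for consumer, producer, var in find_skipped_dependencies(TASKS, selection):
            print(f"  {consumer!r} needs {var!r} from skipped task {producer!r}")
```

With `-t level1-server` the check reports that 4.1.4.5 needs `auditd_conf_files` from the skipped prelim task, which is exactly the `'auditd_conf_files' is undefined` failure shown above; adding `always` (or `level1-server`) to the prelim task's tags, as the Possible Solution suggests, makes the report empty.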

uk-bolly commented 3 weeks ago

hi @angaaruriakhil

Thank you for raising this issue, I am looking to get this addressed in an upcoming PR. Many thanks

uk-bolly

uk-bolly commented 6 days ago

hi @angaaruriakhil

Thank you again for this issue. The fix has been applied and is now in the main branch and release. I will close this issue. Please reopen if you feel this is not resolved.

Many thanks

uk-bolly