ansible-lockdown / UBUNTU22-CIS

Ansible role for Ubuntu22 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

Dead code in role due to missing variable `ubtu22cis_auditd_uid_exclude` #79

Closed bgro closed 1 year ago

bgro commented 1 year ago

Describe the Issue There is code in the role that is only executed, if the variable ubtu22cis_auditd_uid_exclude contains an iterable value. However, the variable is never set anywhere.

Expected Behavior Either add the variable (then the respective code has to be added) or remove the code (it sets up logging exceptions for users specified in ubtu22cis_auditd_uid_exclude).

Actual Behavior Code regarding per-user audit-exceptions is never executed.

Control(s) Affected In a sense all audit-related measures.

Environment (please complete the following information):

Additional Notes

Possible Solution Either add the variable (then the respective code has to be added) or remove the code (it sets up logging exceptions for users specified in ubtu22cis_auditd_uid_exclude).

uk-bolly commented 1 year ago

hi @bgro

Thank you for taking the time to raise this issue. This is a slightly more advanced option added to enable uids to be excluded from being logged. I am suggesting making it clearer with the following

e.g. defaults/main.yml

```yaml
## Advanced option found in auditd post
## users whose actions are not logged by auditd
ubtu22cis_allow_auditd_uid_user_exclusions: false
# add a list of uids
ubtu22cis_auditd_uid_exclude:
  - 1999
```

tasks/auditd.yml suggest conditional changes to just have

```yaml
when:
  - ubtu22cis_allow_auditd_uid_user_exclusions
```

I will raise the branch for this now for testing

many thanks

uk-bolly
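The difference between the two gating designs in this thread (a condition on a variable that is never defined, versus an explicit boolean switch plus a uid list) can be modelled outside Ansible. The block below is an added example, not code from the UBUNTU22-CIS role or from either commenter: the rule layout it renders (a `-a never,exit -F auid=<uid>` rule placed ahead of the always-rules) is an assumption about how a per-uid exclusion could be expressed in auditd, not what the role actually writes, and the minimum-uid floor of 1000 and the `BASE_RULES` stand-in are constructed for the example.

```python
"""Model of the two gating designs discussed in this issue.

Added example, not code from the UBUNTU22-CIS role.  The variable that
is never set is modelled as None; the auditd rule layout is an assumption.
"""

from typing import Iterable, List, Optional

# Constructed stand-in for the CIS rule set the role manages; the real
# file is far larger.
BASE_RULES = [
    "-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=unset -k exec",
    "-w /etc/sudoers -p wa -k scope",
]

# Assumption for the example: never silence root or system accounts.
MIN_EXCLUDABLE_UID = 1000


def old_gate(uid_exclude: Optional[Iterable[int]]) -> bool:
    """Original condition: run only if the variable holds an iterable.

    Because the variable is never defined anywhere (None here), this is
    False on every run, which is the dead code the issue reports.
    """
    if uid_exclude is None or isinstance(uid_exclude, str):
        return False
    return hasattr(uid_exclude, "__iter__")


def check_config(allow_exclusions: bool,
                 uid_exclude: Optional[Iterable[int]]) -> List[str]:
    """Validate the proposed pair of variables; return a list of problems.

    The explicit switch decides whether exclusions are wanted at all; the
    list is only inspected when the switch is on, so a True switch with
    no uids becomes a visible error rather than a silent no-op.
    """
    problems: List[str] = []
    if not allow_exclusions:
        return problems
    uids = list(uid_exclude or [])
    if not uids:
        problems.append("ubtu22cis_allow_auditd_uid_user_exclusions is true "
                        "but ubtu22cis_auditd_uid_exclude is empty")
    for uid in uids:
        if not isinstance(uid, int) or uid < MIN_EXCLUDABLE_UID:
            problems.append(f"refusing to exclude uid {uid!r}: "
                            f"must be an integer >= {MIN_EXCLUDABLE_UID}")
    return problems


def new_gate(allow_exclusions: bool,
             uid_exclude: Optional[Iterable[int]]) -> bool:
    """Proposed condition: the boolean switch, backed by config validation."""
    return allow_exclusions and not check_config(allow_exclusions, uid_exclude)


def render_rules(base_rules: List[str], allow_exclusions: bool,
                 uid_exclude: Optional[Iterable[int]]) -> str:
    """Render an auditd rules file with optional per-uid exclusions.

    Exclusion rules are emitted first because the exit filter is walked in
    order and the first matching rule decides; a 'never' rule placed after
    the always-rules would not suppress anything.
    """
    problems = check_config(allow_exclusions, uid_exclude)
    if problems:
        raise ValueError("; ".join(problems))
    lines: List[str] = []
    if new_gate(allow_exclusions, uid_exclude):
        for uid in uid_exclude:  # type: ignore[union-attr]
            lines.append(f"-a never,exit -S all -F auid={uid} -k uid_excluded")
    lines.extend(base_rules)
    return "\n".join(lines) + "\n"


def excluded_uids_in(rendered: str) -> List[int]:
    """Parse back the uids that a rendered file excludes (useful as a check
    against a deployed /etc/audit/rules.d file after the role has run)."""
    found = []
    for line in rendered.splitlines():
        if line.startswith("-a never,exit"):
            for tok in line.split():
                if tok.startswith("auid="):
                    found.append(int(tok[len("auid="):]))
    return found


if __name__ == "__main__":
    print(render_rules(BASE_RULES, True, [1999]))
```

The last function gives the check a practitioner would want after switching the flag on: read back the rules file the role wrote and confirm that exactly the configured uids, and no others, carry a `never` rule.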

uk-bolly commented 1 year ago

branch issue#79#80

refers

thanks

uk-bolly

bgro commented 1 year ago

Thank you for the very timely treatment!