anthcourtney / ansible-role-cis-amazon-linux

Ansible role to apply CIS Amazon Linux Benchmark v2.0.0
MIT License

question - skipping: [127.0.0.1] => ? #47

Closed ghost closed 5 years ago

ghost commented 5 years ago

Hello,

Just a quick question. I'm new to this tool and Ansible (sorry for the dumb question), but I have noticed there is a load of skipping on tasks. What is the reason for this?

I do use some of the following exclusions, but they are for the other tasks.

```yaml
  vars:
    cis_level_1_exclusions:
      - 1.3.1 #Don't install AIDE
      - 5.4.4 #Don't set umask to 027
      - 3.6.1 #Don't install iptables
      - 3.6.2 #Don't set default firewall policy to "DROP"
      - 3.6.3 #Don't configure loopback traffic in firewall policy
      - 3.6.4 #Don't set iptables outbound configuration
      - 3.6.5 #Don't set iptables rules for open ports
      - 3.4.2 #Don't set hosts.allow
      - 3.4.3 #Don't set hosts.deny
```

```text
    amazon-ebs: TASK [cis-amazon-linux : 4.1.8 Ensure login and logout events are collected (Verify registered output matches)] ***
    amazon-ebs: skipping: [127.0.0.1] => (item=# 4.1.8 Ensure login and logout events are collected)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /var/log/lastlog -p wa -k logins)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /var/run/faillock/ -p wa -k logins)
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.9 Ensure session initiation information is collected (Scored)] ***
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.9 Ensure session initiation information is collected(Verify registered output matches)] ***
    amazon-ebs: skipping: [127.0.0.1] => (item=# 4.1.9 Ensure login and logout events are collected)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /var/run/utmp -p wa -k session)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /var/log/wtmp -p wa -k session)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /var/log/btmp -p wa -k session)
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.10 Ensure discretionary access control permission modification events are collected (Scored)] ***
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.10 Ensure discretionary access control permission modification events are collected (Scored)(Verify registered output matches)] ***
    amazon-ebs: skipping: [127.0.0.1] => (item=# 4.1.10 Ensure discretionary access control permission modification events are collected)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod)
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected (Scored)] ***
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected(Verify registered output matches)] ***
    amazon-ebs: skipping: [127.0.0.1] => (item=# 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access)
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.13 Ensure successful file system mounts are collected (Scored)] ***
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.13 Ensure successful file system mounts are collected (Scored)(Verify registered output matches)] ***
    amazon-ebs: skipping: [127.0.0.1] => (item=# 4.1.13 Ensure successful file system mounts are collected (Scored))
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts)
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.14 Ensure file deletion events by users are collected (Scored)] ***
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.14 Ensure file deletion events by users are collected(Verify registered output matches)] ***
    amazon-ebs: skipping: [127.0.0.1] => (item=# 4.1.14 Ensure file deletion events by users are collected)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete)
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.15 Ensure changes to system administration scope (sudoers) is collected (Scored)] ***
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.15 Ensure changes to system administration scope (sudoers) is collected(Verify registered output matches)] ***
    amazon-ebs: skipping: [127.0.0.1] => (item=# 4.1.15 Ensure changes to system administration scope (sudoers) is collected)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /etc/sudoers -p wa -k scope)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /etc/sudoers.d -p wa -k scope)
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.16 Ensure system administrator actions (sudolog) are collected (Scored)] ***
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.16 Ensure system administrator actions (sudolog) are collected(Verify registered output matches)] ***
    amazon-ebs: skipping: [127.0.0.1] => (item=# 4.1.16 Ensure system administrator actions (sudolog) are collected)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /var/log/sudo.log -p wa -k actions)
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.17 Ensure kernel module loading and unloading is collected (Scored)] ***
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.17 Ensure kernel module loading and unloading is collected(Verify registered output matches)] ***
    amazon-ebs: skipping: [127.0.0.1] => (item=# 4.1.17 Ensure kernel module loading and unloading is collected)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /sbin/insmod -p x -k modules)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /sbin/rmmod -p x -k modules)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /sbin/modprobe -p x -k modules)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit arch=b64 -S init_module -S delete_module -k modules)
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.18 Ensure the audit configuration is immutable (Scored)] ***
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.18 Ensure the audit configuration is immutable(Verify registered output matches)] ***
    amazon-ebs: skipping: [127.0.0.1] => (item=# 4.1.18 Ensure the audit configuration is immutable)
    amazon-ebs: skipping: [127.0.0.1] => (item=-e 2)
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 6.1.1 - Audit system file permissions] ****************
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 6.1.1 - Audit system file permissions] ****************
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 6.1.1 - Audit system file permissions] ****************
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.1.2- Check if CIS audit.d configuration file exists] ***
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.1.2 Ensure system is disabled when audit logs are full (Scored)] ***
    amazon-ebs: skipping: [127.0.0.1] => (item={'regexp': 'space_left_action = SYSLOG', 'line': 'space_left_action = email'})
    amazon-ebs: skipping: [127.0.0.1] => (item={'regexp': 'admin_space_left_action = SUSPEND', 'line': 'admin_space_left_action = halt'})
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.1.3- Check if CIS audit.d configuration file exists] ***
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.1.3 Ensure audit logs are not automatically deleted (Scored)] ***
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.2 Ensure auditd service is enabled (Scored)] ******
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.2 Ensure auditd service is enabled (Scored)] ******
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.4 Ensure events that modify date and time information are collected (Scored)] ***
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.4 Ensure events that modify date and time information are collected (Scored)(Verify registered output matches)] ***
    amazon-ebs: skipping: [127.0.0.1] => (item=# 4.1.4 Ensure events that modify date and time information are collected)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b64 -S clock_settime -k time-change)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b32 -S clock_settime -k time-change)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /etc/localtime -p wa -k time-change)
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.5 Ensure events that modify user/group information are collected(Scored)] ***
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.5 Ensure events that modify user/group information are collected(Scored)(Verify registered output matches)] ***
    amazon-ebs: skipping: [127.0.0.1] => (item=# 4.1.5 Ensure events that modify date and time information are collected)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /etc/group -p wa -k identity)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /etc/passwd -p wa -k identity)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /etc/gshadow -p wa -k identity)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /etc/shadow -p wa -k identity)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /etc/security/opasswd -p wa -k identity)
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.6 Ensure events that modify the system's network environment are collected(Scored)] ***
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.6 Ensure events that modify the system's network environment are collected(Scored)(Verify registered output matches)] ***
    amazon-ebs: skipping: [127.0.0.1] => (item=# 4.1.6 Ensure events that modify date and time information are collected)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale)
    amazon-ebs: skipping: [127.0.0.1] => (item=-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /etc/issue -p wa -k system-locale)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /etc/issue.net -p wa -k system-locale)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /etc/sysconfig/network -p wa -k system-locale)
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected(Scored)] ***
    amazon-ebs: skipping: [127.0.0.1]
    amazon-ebs:
    amazon-ebs: TASK [cis-amazon-linux : 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected(Scored)(Verify registered output matches)] ***
    amazon-ebs: skipping: [127.0.0.1] => (item=# 4.1.7 Ensure events that modify date and time information are collected)
    amazon-ebs: skipping: [127.0.0.1] => (item=-w /etc/selinux/ -p wa -k MAC-policy)
```
chandanchowdhury commented 5 years ago

Hey @steven-cuthill-otm, my advisor says no question is a dumb question, and your question actually made me dig deeper and find things that need to be worked on.

In short, the skipping can happen for multiple reasons. For example:

For the cases you mentioned above, the main.yml in the default directory has cis_apply_level_2_profile set to false, and the main.yml in the tasks directory will only run the tasks from level-2.yml when cis_apply_level_2_profile is true, hence the skipping.

Try setting cis_apply_level_2_profile to true, either in your playbook or in the main.yml of default, and see what happens.

Hope this answers your question; please feel free to ask any follow-up questions.
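As an added example (not from the issue thread or the role's own files), here is a playbook that applies the role the way the answer above suggests: `cis_apply_level_2_profile` is set to `true` so the Level 2 tasks in level-2.yml (including the 4.1.x auditd rules listed as "skipping" in the question) are actually run, while the Level 1 exclusions from the question are kept. It assumes the role is installed under the name `cis-amazon-linux` (the name shown in the task output) and that `cis_level_2_exclusions` exists by analogy with `cis_level_1_exclusions`; that second variable is an assumption, not something confirmed on this page.

```yaml
# cis.yml (added example, not part of the issue or the role)
# Applies the CIS Amazon Linux role with both profile levels enabled.
- name: Apply CIS Amazon Linux Benchmark (Level 1 + Level 2)
  hosts: all
  become: true
  vars:
    # The role's default is false; tasks gated on this variable are then
    # reported by Ansible as "skipping", which is the output seen above.
    cis_apply_level_2_profile: true

    # Level 1 exclusions from the question, unchanged.
    cis_level_1_exclusions:
      - 1.3.1 # Don't install AIDE
      - 5.4.4 # Don't set umask to 027
      - 3.6.1 # Don't install iptables
      - 3.6.2 # Don't set default firewall policy to "DROP"
      - 3.6.3 # Don't configure loopback traffic in firewall policy
      - 3.6.4 # Don't set iptables outbound configuration
      - 3.6.5 # Don't set iptables rules for open ports
      - 3.4.2 # Don't set hosts.allow
      - 3.4.3 # Don't set hosts.deny

    # Assumed variable name (by analogy with cis_level_1_exclusions).
    # Leave empty to apply every Level 2 control; list benchmark IDs here
    # to drop individual Level 2 tasks, e.g. "4.1.18" if you need to keep
    # the audit configuration editable at runtime.
    cis_level_2_exclusions: []
  roles:
    - cis-amazon-linux
```

A quick way to confirm the change without touching a host is `ansible-playbook cis.yml --list-tasks`, which prints the task list the role will consider, and then `ansible-playbook -i inventory cis.yml --check` to see which tasks would change rather than skip. One caveat worth knowing before enabling Level 2: control 4.1.18 appends `-e 2` to the audit rules (visible in the log above), which makes the auditd configuration immutable until the next reboot, so any later rule changes, whether from this role or by hand, will fail until the host is restarted.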

ghost commented 5 years ago

Many Thanks