florianutz / Ubuntu1804-CIS

Ubuntu CIS Hardening Ansible Role
MIT License

Chrony fails when using --skip-tags=notscored #68

Closed JimKlapwijk closed 4 years ago

JimKlapwijk commented 4 years ago

Hi,

When I do a --skip-tags=notscored, the playbook fails:

    openstack: TASK [Ubuntu1804-CIS : SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured] ***
    openstack: fatal: [default]: FAILED! => {"changed": false, "checksum": "4d3872fb5175198d51a5398e35d9388fdad54407", "msg": "Destination directory /etc/chrony does not exist"}

This is because the following steps are skipped when using chrony as daemon:

- name: "NOTSCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use"
  block:
      - name: "NOTSCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service install"
        apt:
            name: "{{ ubuntu1804cis_time_synchronization }}"
            state: present
            install_recommends: false

      - name: "NOTSCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service start"
        service:
            name: "{{ ubuntu1804cis_time_synchronization }}"
            state: started
            enabled: true

      - name: "NOTSCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service stop ntp"
        service:
            name: "{{ ntp_service[ansible_os_family] }}"
            state: stopped
            enabled: false
        when:
            - ubuntu1804cis_time_synchronization == "chrony"
            - ntpd_service_status.stdout == "loaded"

      - name: "NOTSCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service stop chrony"
        service:
            name: chronyd
            state: stopped
            enabled: false
        ignore_errors: true
        when:
            - ubuntu1804cis_time_synchronization == "ntp"
            - chronyd_service_status.stdout == "loaded"

  when:
      - ubuntu1804cis_rule_2_2_1_1
  tags:
      - level1
      - notscored
      - ntp
      - patch
      - rule_2.2.1.1

Can we remove the notscored tag?
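The failure reported above is a tag-dependency problem: with `--skip-tags=notscored` the scored 2.2.1.3 template task still runs, while the unscored 2.2.1.1 task that installs the time-sync daemon (and so creates /etc/chrony) is skipped. As an added example that is not part of this issue or of the Ubuntu1804-CIS role, the Python below models Ansible's `--tags`/`--skip-tags` selection over a short task list and reports selected tasks whose prerequisites only a skipped task would have provided. The task names and the 2.2.1.1 tag list come from the issue; the tag list of 2.2.1.3 and the `provides`/`requires` annotations are assumptions made for illustration.

```python
# Added example (not from the Ubuntu1804-CIS role or the issue author): a small
# model of Ansible tag selection, used to find tasks that survive the filter
# but depend on something a skipped task would have set up on the host.
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    tags: frozenset
    provides: frozenset = frozenset()  # artifacts this task leaves on the host (assumed)
    requires: frozenset = frozenset()  # artifacts that must already exist (assumed)


def selected(task, run_tags=frozenset(), skip_tags=frozenset()):
    """Decide whether a task runs under --tags/--skip-tags.

    Follows Ansible's documented rules for plain tags: --skip-tags wins over
    --tags, 'always' runs unless skipped explicitly, 'never' runs only when
    one of its tags is requested, and without --tags every task not tagged
    'never' runs. The special selectors all/tagged/untagged are not modelled.
    """
    if task.tags & skip_tags:
        return False
    if "always" in task.tags:
        return True
    if run_tags:
        return bool(task.tags & run_tags)
    return "never" not in task.tags


def missing_prerequisites(tasks, run_tags=frozenset(), skip_tags=frozenset()):
    """Walk tasks in play order; report selected tasks whose requirements
    were not provided by an earlier selected task."""
    available = set()
    problems = {}
    for task in tasks:
        if not selected(task, run_tags, skip_tags):
            continue
        missing = task.requires - available
        if missing:
            problems[task.name] = missing
        available |= task.provides
    return problems


# Constructed sample, reduced from the tasks quoted in the issue.
INSTALL_TIME_SYNC = Task(
    name="NOTSCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use",
    tags=frozenset({"level1", "notscored", "ntp", "patch", "rule_2.2.1.1"}),
    provides=frozenset({"/etc/chrony"}),  # created when the chrony package is installed
)
CONFIGURE_CHRONY = Task(
    name="SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured",
    tags=frozenset({"level1", "scored", "ntp", "patch", "rule_2.2.1.3"}),  # assumed tags
    requires=frozenset({"/etc/chrony"}),  # the template's destination directory
)
TASKS = [INSTALL_TIME_SYNC, CONFIGURE_CHRONY]


def check_skip_notscored():
    """Reproduce the issue: skipping 'notscored' strands 2.2.1.3."""
    return missing_prerequisites(TASKS, skip_tags=frozenset({"notscored"}))


def check_after_retag():
    """Reproduce the fix: 2.2.1.1 carries 'scored' instead of 'notscored'."""
    fixed = Task(
        name=INSTALL_TIME_SYNC.name.replace("NOTSCORED", "SCORED"),
        tags=(INSTALL_TIME_SYNC.tags - {"notscored"}) | {"scored"},
        provides=INSTALL_TIME_SYNC.provides,
    )
    return missing_prerequisites([fixed, CONFIGURE_CHRONY],
                                 skip_tags=frozenset({"notscored"}))


if __name__ == "__main__":
    for name, missing in check_skip_notscored().items():
        print(f"{name}: missing {sorted(missing)}")
    print("after retag:", check_after_retag())
```

Against a real play the equivalent first step is `ansible-playbook --list-tasks --skip-tags=notscored ...`, which prints exactly which tasks survive the filter; the provides/requires pairing still has to be supplied by hand, since nothing in the task YAML records that the chrony package is what creates /etc/chrony.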

florianutz commented 4 years ago

Looks like this is not the latest state. 2.2.1.1 is now SCORED. Can you please verify the issue with the latest release?

JimKlapwijk commented 4 years ago

You are correct, thanks.