From 10f889d105aa4deb160ff95799f7b93ed80a8265 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Tue, 4 Apr 2023 13:34:21 -0300
Subject: [PATCH 1/3] Fix authselect check task

The a7cdf351071949a488c21de07fa2a341263abea8 caused an Ansible task to fail by replacing the "ignore_errors" parameter by "failed_when" with an additional condition. The intention was to satisfy ansible-lint. However the task is used only to collect information and should never cause a fatal error in Ansible Playbook. Instead, the result is properly tested in subsequent tasks. This commit keeps the "failed_when" parameter in order to satisfy the ansible-lint but change the condition to false.
---
 shared/macros/10-ansible.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 8636c6e662d..ddef95e7d6f 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -748,7 +748,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 cmd: authselect check register: result_authselect_check_cmd changed_when: false - failed_when: result_authselect_check_cmd.rc not in [0, 3, 4] + failed_when: false - name: '{{{ rule_title }}} - Informative message based on the authselect integrity check result' ansible.builtin.assert:
From f7d55451986af0ea7b229eb54a42dc5cca373825 Mon Sep 17 00:00:00 2001
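Review bot: With `failed_when: false` the `authselect check` task now reports OK for every return code, including the ones the removed condition still treated as errors (anything outside 0, 3, 4, such as a missing binary or a permission problem), and unlike the earlier `ignore_errors` it no longer shows up as a failed-then-ignored task in play output, so an unexpected code is invisible at run time. The hunk shows `result_authselect_check_cmd` being consumed by the following `ansible.builtin.assert`, whose `that:` list is outside the hunk; that assert is now the only place an unexpected rc can surface, so it should enumerate the expected values explicitly rather than treat any non-zero code as one state. A comment on the task would keep the next ansible-lint cleanup from reintroducing a fatal condition: `# Information-gathering only: never fatal here; rc is evaluated by the assert task below.` The same masking applies to the `failed_when: false` lines in patches 2/3 and 3/3, and the task's `- name:` line begins before this hunk.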
From: Marcus Burghardt
Date: Tue, 4 Apr 2023 13:44:12 -0300
Subject: [PATCH 2/3] Fix tasks in ansible_sssd_ldap_config

The 733ef1ff839a4c0a545881fb7f6b5d63439f7a9d caused an Ansible task to fail by replacing the "ignore_errors" parameter by "failed_when" with an additional condition. The intention was to satisfy ansible-lint. However the task is used only to collect information and should not cause a fatal error in Ansible Playbook. Instead, the result is properly tested in subsequent tasks. This commit keeps the "failed_when" parameter in order to satisfy the ansible-lint but change the condition to false.
---
 shared/macros/10-ansible.jinja | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index ddef95e7d6f..317e2d97e22 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -641,15 +641,15 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 - name: "Test for id_provider different than Active Directory (ad)" command: grep -qzosP '[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$' /etc/sssd/sssd.conf register: test_id_provider - failed_when: test_id_provider.rc not in [0, 1] - changed_when: False + failed_when: false + changed_when: false check_mode: no - name: "Test for domain group" command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf register: test_grep_domain - failed_when: test_grep_domain.rc not in [0, 1] - changed_when: False + failed_when: false + changed_when: false check_mode: no - name: "Add default domain group and set {{{ parameter }}} in sssd configuration (if no domain there)"
From 2db452864a6d84a34d87021b67d35b15260e2451 Mon Sep 17 00:00:00 2001
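Review bot: Both grep tasks lose the distinction between "no match" (rc 1) and "file absent or unreadable" (rc 2) once `failed_when: false` replaces `rc not in [0, 1]`, and the first grep's `-s` flag already suppresses the error message, so a missing `/etc/sssd/sssd.conf` leaves no trace in the play at all. The tasks that branch on `test_id_provider` and `test_grep_domain` are outside the hunk; they now need to test `rc == 1` (or `rc == 0`) explicitly rather than `rc != 0`, otherwise an unreadable config is treated as "no domain section" and the following "Add default domain group" task proceeds on that basis. As a style point, the hunk rewrites `changed_when: False` as `false` but leaves `check_mode: no` immediately below in YAML 1.1 truthy form; `check_mode: false` in both tasks would make them consistent with the lines just changed.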
From: Marcus Burghardt
Date: Tue, 4 Apr 2023 13:48:59 -0300
Subject: [PATCH 3/3] Fix change in enable_authselect Ansible remediation

The a7cdf351071949a488c21de07fa2a341263abea8 changed the Ansible Playbook behavior aiming to satisfy the ansible-lint. However, the change allowed a task intended to only collect information to cause a fatal error in the Playbook. The taks should not cause fatal error because its result is intentionally tested by subsequent tasks.
---
 .../guide/system/accounts/enable_authselect/ansible/shared.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
index 2e841362c54..c6df7c511b9 100644
--- a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
@@ -10,7 +10,7 @@
 ansible.builtin.command: cmd: authselect select "{{ var_authselect_profile }}" register: result_authselect_select - failed_when: result_authselect_select.rc not in [0, 4] + failed_when: false - name: Verify if PAM has been altered ansible.builtin.command:
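Review bot: `authselect select "{{ var_authselect_profile }}"` is not an information-gathering step — it switches the active authselect profile — so `failed_when: false` here suppresses a genuine remediation failure (an unknown profile name, an unavailable binary) rather than a probe result, which differs from the check tasks in patches 1/3 and 2/3 and from what the commit message describes. Unless the next task, `Verify if PAM has been altered`, evaluates `result_authselect_select.rc` (its body is outside the hunk), a play can finish green with the requested profile never applied; the removed condition accepted only 0 and 4. If the intent is to let the later task decide, it should assert on the registered result explicitly, e.g. `that: result_authselect_select.rc in [0, 4]`, so the suppressed failure still stops the play. The task's `- name:` line and any `changed_when` it carries begin before the hunk.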