Sle15 fix ansible cis remediations

Dockerfiles/test_suite-sle15

@@ -7,7 +7,7 @@ ARG ADDITIONAL_PACKAGES
 
 RUN true \
         && zypper --non-interactive in openssh-clients openssh-server openscap-utils \
-        python3 python3-rpm tar \
+        python3 python3-rpm tar gawk\
         $ADDITIONAL_PACKAGES \
 && true
 

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/ansible/shared.yml

@@ -16,4 +16,4 @@
   ansible.builtin.command:
     cmd: chage --warndays {{ var_accounts_password_warn_age_login_defs }} {{ item }}
   with_items: '{{ result_pass_warn_age_user_names.stdout_lines }}'
-  when: result_pass_warn_age_user_names.stdout_lines | length > 0
+  when: result_pass_warn_age_user_names is not skipped and result_pass_warn_age_user_names.stdout_lines | length > 0

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/ansible/shared.yml

@@ -6,14 +6,14 @@
 
 {{{ ansible_instantiate_variables("var_account_disable_post_pw_expiration") }}}
 
-- name: Collect users with not correct INACTIVE parameter set 
+- name: Collect users with not correct INACTIVE parameter set
   ansible.builtin.command:
     cmd: awk -F':' '(($7 > {{ var_account_disable_post_pw_expiration }} || $7 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow
   register: user_names
   changed_when: false
 
-- name: Change the period of inactivity 
+- name: Change the period of inactivity
   ansible.builtin.command:
     cmd: chage --inactive {{ var_account_disable_post_pw_expiration }} {{ item }}
   with_items: '{{ user_names.stdout_lines }}'
-  when: user_names.stdout_lines | length > 0
+  when: user_names is not skipped and user_names.stdout_lines | length > 0

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/tests/correct_set_post_pw.pass.sh

@@ -9,7 +9,7 @@ useradd $TEST_USER
 sed -E -i "s/($TEST_USER:)(.*)/\1\$6\$exIFis0tobKRcGBk\$b.UR.Z8h96FdxJ1bgA\/vhdnp0Lsm488swdILNguQX\/5qH5hdmClyYb5xk3TpELXWzr4JOiTlHfRkPsXSjMPjv0:19396:1:60:7:$INACTIVE_VALUE::/" /etc/shadow
 
 # ensure existing users with a password defined also have the correct value defined
-users_to_set=($(awk -v var=\"$INACTIVE_VALUE\" -F: '(($7 > var || $7 == \"\") && $2 ~ /^\$/) {print $1}' /etc/shadow))
+users_to_set=($(awk -v var=\"$INACTIVE_VALUE\" -F: '(($7 > var || $7 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow))
 for user in ${users_to_set[@]};
 do
    chage --inactive $INACTIVE_VALUE $user

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/tests/incorrect_set_post_pw.fail.sh

@@ -9,7 +9,7 @@ useradd $TEST_USER
 sed -E -i "s/($TEST_USER:)(.*)/\1\$6\$exIFis0tobKRcGBk\$b.UR.Z8h96FdxJ1bgA\/vhdnp0Lsm488swdILNguQX\/5qH5hdmClyYb5xk3TpELXWzr4JOiTlHfRkPsXSjMPjv0:19396:1:60:7:$INACTIVE_VALUE::/" /etc/shadow
 
 # ensure existing users with a password defined also have the incorrect value defined
-users_to_set=($(awk -v var=\"$INACTIVE_VALUE\" -F: '(($7 <= var || $7 == \"\") && $2 ~ /^\$/) {print $1}' /etc/shadow))
+users_to_set=($(awk -v var=\"$INACTIVE_VALUE\" -F: '(($7 <= var || $7 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow))
 for user in ${users_to_set[@]};
 do
    chage --inactive $INACTIVE_VALUE $user

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/tests/one_incorrect_set_post_pw.fail.sh

@@ -6,7 +6,7 @@ INCORRECT_VALUE=60
 TEST_USER="cac_testuser"
 
 # ensure existing users with a password defined have the correct value defined
-users_to_set=($(awk -v var=\"$INACTIVE_VALUE\" -F: '(($7 <= var || $7 == \"\") && $2 ~ /^\$/) {print $1}' /etc/shadow))
+users_to_set=($(awk -v var=\"$INACTIVE_VALUE\" -F: '(($7 <= var || $7 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow))
 for user in ${users_to_set[@]};
 do
    chage --inactive $INACTIVE_VALUE $user

linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/ansible/shared.yml

@@ -10,14 +10,15 @@
 - name:  {{{ rule_title }}} - Ensure all AppArmor Profiles are enforcing
   ansible.builtin.command: aa-enforce /etc/apparmor.d/*
 
-- name: {{{ rule_title }}} - Collect unconfined processes 
+- name: {{{ rule_title }}} - Collect unconfined processes
   ansible.builtin.command: aa-unconfined
   register: unconfined_processes
 
-- name: {{{ rule_title }}} - Provide details about unconfined processes 
-  ansible.builtin.assert: 
+- name: {{{ rule_title }}} - Provide details about unconfined processes
+  ansible.builtin.assert:
     that:
-       - unconfined_processes.stdout_lines | length > 0 
+       - unconfined_processes.stdout_lines | length > 0
     success_msg: "The process {{ item }} may need to have a profile created or activated for them and then be restarted."
     fail_msg: ""
   with_items: "{{ unconfined_processes.stdout_lines }}"
+  when: unconfined_processes is not skipped

linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/ansible/shared.yml

@@ -9,22 +9,23 @@
 - name: {{{ rule_title }}} - Ensure all AppArmor Profiles are reloaded
   ansible.builtin.command: apparmor_parser -q -r /etc/apparmor.d/
 
-- name: {{{ rule_title }}} - Set all AppArmor profiles to enforce mode 
+- name: {{{ rule_title }}} - Set all AppArmor profiles to enforce mode
   ansible.builtin.command: aa-enforce /etc/apparmor.d/*
   when: var_apparmor_mode == 'enforce'
 
 - name: {{{ rule_title }}} - Set all AppArmor profiles to complain mode
   ansible.builtin.command: aa-complain /etc/apparmor.d/*
-  when: var_apparmor_mode == 'complain'   
+  when: var_apparmor_mode == 'complain'
 
-- name: {{{ rule_title }}} - Collect unconfined processes 
+- name: {{{ rule_title }}} - Collect unconfined processes
   ansible.builtin.command: aa-unconfined
   register: unconfined_processes
 
-- name: {{{ rule_title }}} - Provide details about unconfined processes 
-  ansible.builtin.assert: 
+- name: {{{ rule_title }}} - Provide details about unconfined processes
+  ansible.builtin.assert:
     that:
-       - unconfined_processes.stdout_lines | length > 0 
+       - unconfined_processes.stdout_lines | length > 0
     success_msg: "The process {{ item }} may need to have a profile created or activated for them and then be restarted."
     fail_msg: ""
   with_items: "{{ unconfined_processes.stdout_lines }}"
+  when: unconfined_processes is not skipped

linux_os/guide/system/network/network-nftables/set_nftables_base_chain/ansible/shared.yml

@@ -6,7 +6,7 @@
 
 #Name of the table
 {{{ ansible_instantiate_variables("var_nftables_table") }}}
-#Familiy of the table 
+#Family of the table
 {{{ ansible_instantiate_variables("var_nftables_family") }}}
 #Name(s) of base chain
 {{{ ansible_instantiate_variables("var_nftables_base_chain_names") }}}
@@ -16,7 +16,7 @@
 {{{ ansible_instantiate_variables("var_nftables_base_chain_hooks") }}}
 #Priority
 {{{ ansible_instantiate_variables("var_nftables_base_chain_priorities") }}}
-#Policy 
+#Policy
 {{{ ansible_instantiate_variables("var_nftables_base_chain_policies") }}}
 
 - name: {{{ rule_title }}} - Check Existence of Nftables Table
@@ -27,7 +27,7 @@
 
 - name: {{{ rule_title }}} - Set NFTables Table
   ansible.builtin.command: nft create table {{ var_nftables_family }} {{ var_nftables_table }}
-  when: existing_nftables.rc > 0
+  when: existing_nftables is not skipped and existing_nftables.rc > 0
 
 - name: {{{ rule_title }}} - Add Base Chains
   ansible.builtin.command: nft 'add chain {{ var_nftables_family }} {{ var_nftables_table }} {{ item.0 }} { type {{ item.1 }} hook {{ item.2 }} priority {{ item.3 }} ; policy {{ item.4 }} ; }'

linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/ansible/shared.yml

@@ -29,4 +29,8 @@
 
 - name: Implement IPv6 loopback rules
   ansible.builtin.command: nft add rule inet filter input ip6 saddr ::1 counter drop
-  when: ipv6_status.rc == 0 or sysctl_ipv6_all.found > 0 or sysctl_ipv6_default.found > 0
+  when:
+    - ipv6_status is not skipped
+    - sysctl_ipv6_default is not skipped
+    - sysctl_ipv6_all is not skipped
+    - ipv6_status.rc == 0 or sysctl_ipv6_all.found > 0 or sysctl_ipv6_default.found > 0

linux_os/guide/system/network/network-nftables/set_nftables_table/ansible/shared.yml

@@ -7,10 +7,12 @@
 {{{ ansible_instantiate_variables("var_nftables_family") }}}
 {{{ ansible_instantiate_variables("var_nftables_table") }}}
 
-- name: Collect Existing Nftables 
+- name: Collect Existing Nftables
   ansible.builtin.command: nft list tables
   register: existing_nftables
 
 - name: Set Nftable Table
   ansible.builtin.command: nft create table {{ var_nftables_family }} {{ var_nftables_table }}
-  when: existing_nftables.stdout_lines | length == 0
+  when:
+    - existing_nftables is not skipped
+    - existing_nftables.stdout_lines | length == 0

products/sle12/profiles/cis.profile

@@ -21,10 +21,11 @@ description: |-
 
 selections:
     - cis_sle12:all:l2_server
-    # Exclude from CIS profile all rules related to ntp and timesyncd and keep only 
+    # Exclude from CIS profile all rules related to ntp and timesyncd and keep only
     # rules related to chrony
     - '!ntpd_configure_restrictions'
     - '!ntpd_run_as_ntp_user'
     - '!ntpd_specify_remote_server'
     - '!service_ntpd_enabled'
     - '!service_timesyncd_enabled'
+    - '!service_timesyncd_configured'

products/sle12/profiles/cis_server_l1.profile

@@ -21,10 +21,11 @@ description: |-
 
 selections:
     - cis_sle12:all:l1_server
-    # Exclude from CIS profile all rules related to ntp and timesyncd and keep only 
+    # Exclude from CIS profile all rules related to ntp and timesyncd and keep only
     # rules related to chrony
     - '!ntpd_configure_restrictions'
     - '!ntpd_run_as_ntp_user'
     - '!ntpd_specify_remote_server'
     - '!service_ntpd_enabled'
     - '!service_timesyncd_enabled'
+    - '!service_timesyncd_configured'

products/sle12/profiles/cis_workstation_l1.profile

@@ -21,10 +21,11 @@ description: |-
 
 selections:
     - cis_sle12:all:l1_workstation
-    # Exclude from CIS profile all rules related to ntp and timesyncd and keep only 
+    # Exclude from CIS profile all rules related to ntp and timesyncd and keep only
     # rules related to chrony
     - '!ntpd_configure_restrictions'
     - '!ntpd_run_as_ntp_user'
     - '!ntpd_specify_remote_server'
-    - '!service_ntpd_enabled' 
+    - '!service_ntpd_enabled'
     - '!service_timesyncd_enabled'
+    - '!service_timesyncd_configured'

products/sle12/profiles/cis_workstation_l2.profile

@@ -21,10 +21,11 @@ description: |-
 
 selections:
     - cis_sle12:all:l2_workstation
-    # Exclude from CIS profile all rules related to ntp and timesyncd and keep only 
+    # Exclude from CIS profile all rules related to ntp and timesyncd and keep only
     # rules related to chrony
     - '!ntpd_configure_restrictions'
     - '!ntpd_run_as_ntp_user'
     - '!ntpd_specify_remote_server'
     - '!service_ntpd_enabled'
     - '!service_timesyncd_enabled'
+    - '!service_timesyncd_configured'

products/sle15/profiles/cis.profile

@@ -21,10 +21,11 @@ description: |-
 
 selections:
     - cis_sle15:all:l2_server
-# Exclude from CIS profile all rules related to ntp and timesyncd and keep only 
+# Exclude from CIS profile all rules related to ntp and timesyncd and keep only
 # rules related to chrony
     - '!ntpd_configure_restrictions'
     - '!ntpd_run_as_ntp_user'
     - '!ntpd_specify_remote_server'
-    - '!service_ntpd_enabled'    
+    - '!service_ntpd_enabled'
     - '!service_timesyncd_enabled'
+    - '!service_timesyncd_configured'

products/sle15/profiles/cis_server_l1.profile

@@ -21,10 +21,11 @@ description: |-
 
 selections:
     - cis_sle15:all:l1_server
-# Exclude from CIS profile all rules related to ntp and timesyncd and keep only 
+# Exclude from CIS profile all rules related to ntp and timesyncd and keep only
 # rules related to chrony
     - '!ntpd_configure_restrictions'
     - '!ntpd_run_as_ntp_user'
     - '!ntpd_specify_remote_server'
-    - '!service_ntpd_enabled'    
+    - '!service_ntpd_enabled'
     - '!service_timesyncd_enabled'
+    - '!service_timesyncd_configured'

products/sle15/profiles/cis_workstation_l1.profile

@@ -21,10 +21,11 @@ description: |-
 
 selections:
     - cis_sle15:all:l1_workstation
-# Exclude from CIS profile all rules related to ntp and timesyncd and keep only 
+# Exclude from CIS profile all rules related to ntp and timesyncd and keep only
 # rules related to chrony
     - '!ntpd_configure_restrictions'
     - '!ntpd_run_as_ntp_user'
     - '!ntpd_specify_remote_server'
-    - '!service_ntpd_enabled'    
+    - '!service_ntpd_enabled'
     - '!service_timesyncd_enabled'
+    - '!service_timesyncd_configured'

products/sle15/profiles/cis_workstation_l2.profile

@@ -21,10 +21,11 @@ description: |-
 
 selections:
     - cis_sle15:all:l2_workstation
-# Exclude from CIS profile all rules related to ntp and timesyncd and keep only 
+# Exclude from CIS profile all rules related to ntp and timesyncd and keep only
 # rules related to chrony
     - '!ntpd_configure_restrictions'
     - '!ntpd_run_as_ntp_user'
     - '!ntpd_specify_remote_server'
-    - '!service_ntpd_enabled'    
+    - '!service_ntpd_enabled'
     - '!service_timesyncd_enabled'
+    - '!service_timesyncd_configured'

shared/templates/mount_option/ansible.template

@@ -38,6 +38,7 @@
     - ["{{{ MOUNTPOINT }}}", "{{{ FILESYSTEM }}}", "{{{ TYPE }}}", "defaults"]
   when:
     - ("{{{ TABFILE }}}" | length == 0)
+    - device_name.stdout is defined and device_name.stdout_lines is defined
     - (device_name.stdout | length == 0)
 
 - name: "{{{ rule_title }}}: Make sure {{{ MOUNTOPTION }}} option is part of the to {{{ MOUNTPOINT }}} options"
@@ -58,4 +59,5 @@
     state: "mounted"
     fstype: "{{ mount_info.fstype }}"
   when:
+    - mount_info is defined
     - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("{{{ TABFILE }}}" | length == 0)