ansible-lockdown/RHEL6-STIG

REGRESSION: The ypbind service must not be running

bbaassssiiee opened this issue · 4 comments

This audit used to work

```yaml
- name: V-38604 Medium The ypbind service must not be running
  service: name=ypbind state=stopped enabled=no
  register: ypbind_test
  when: ypbind_test.msg is defined and "'FAIL' not in ypbind_test.msg"
  tags: [ 'cat2' , 'V-38604' , 'insecure_services' , 'ypbind' ]
```

Now the task below fails when ypbind is not there:

```yaml
- name: "MEDIUM | V-38604 | AUDIT | The ypbind service must not be running."
  command: chkconfig "ypbind" --list
  changed_when: no
  ignore_errors: yes
  always_run: yes
  register: ypbind_service_audit
  tags:
    - medium
    - V-38604
    - patch
    - cat2
    - ypbind
    - services
```

@bbaassssiiee Did you run the preliminary tasks (-t prelim_tasks)? One of the tasks is to enumerate services on the system. I added a conditional statement to the task to only run if ypbind is a listed service on the system, which was missing from the tasks before. These tasks will fail if the preliminary tasks aren't run, since sysv_services is undefined.

```
TASK: [RHEL6-STIG | PRELIM | List SysV services] ******************************
<192.168.20.20> REMOTE_MODULE command chkconfig --list | sed '/^$/ d ; /xinetd based services:/ d ; /^ / d' | awk '{print $1}' #USE_SHELL
ok: [web] => {"changed": false, "cmd": "chkconfig --list | sed '/^$/ d ; /xinetd based services:/ d ; /^\t/ d' | awk '{print $1}'", "delta": "0:00:00.033213", "end": "2016-05-11 19:53:39.994963", "rc": 0, "start": "2016-05-11 19:53:39.961750", "stderr": "", "stdout": "abrt-ccpp\nabrtd\nacpid\natd\nauditd\nblk-availability\ncgconfig\ncgred\ncrond\nip6tables\nipsec\niptables\nkdump\nlvm2-monitor\nmdmonitor\nmessagebus\nnetconsole\nnetfs\nnetwork\nnfs-rdma\nntpd\nntpdate\npostfix\npsacct\nquota_nld\nrdisc\nrdma\nrestorecond\nrsyslog\nsaslauthd\nsshd\nsysstat\nudev-post\nvboxadd\nvboxadd-service\nvboxadd-x11", "stdout_lines": ["abrt-ccpp", "abrtd", "acpid", "atd", "auditd", "blk-availability", "cgconfig", "cgred", "crond", "ip6tables", "ipsec", "iptables", "kdump", "lvm2-monitor", "mdmonitor", "messagebus", "netconsole", "netfs", "network", "nfs-rdma", "ntpd", "ntpdate", "postfix", "psacct", "quota_nld", "rdisc", "rdma", "restorecond", "rsyslog", "saslauthd", "sshd", "sysstat", "udev-post", "vboxadd", "vboxadd-service", "vboxadd-x11"], "warnings": []}
```

Looks like a forgotten ignore_errors: yes in an AUDIT action...

Fixed in devel.
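The pattern the maintainer describes (enumerate SysV services once in a prelim task, then gate the V-38604 audit on ypbind actually being listed) written out as a complete set of tasks. This is an added example, not the role's own tasks from devel: the task names, the `sysv_services` variable and the `chkconfig | sed | awk` pipeline follow the issue, while the `failed_when` conditions, the `service ypbind status` check and the separate PATCH task are assumptions about how a practitioner would finish the control.

```yaml
# Added example (not ansible-lockdown/RHEL6-STIG code). Assumes Ansible 1.9/2.x
# on RHEL 6 with SysV init; always_run is the pre-2.2 spelling of check_mode: no.

# PRELIM: enumerate SysV services once. Every later task that queries a single
# service by name tests membership in this list instead of calling chkconfig
# blindly, because "chkconfig <name> --list" exits non-zero for a service it
# has no record of (the failure reported in this issue).
- name: "RHEL6-STIG | PRELIM | List SysV services"
  shell: chkconfig --list | sed '/^$/ d ; /xinetd based services:/ d ; /^\t/ d' | awk '{print $1}'
  changed_when: no
  always_run: yes
  register: sysv_services
  tags:
    - prelim_tasks
    - V-38604   # assumed: tag the prelim with every control that depends on it

# AUDIT 1: is ypbind enabled at any runlevel? Skipped when ypbind is absent,
# which is a pass for this control. ":on" appears in chkconfig output only for
# runlevels where the service is enabled.
- name: "MEDIUM | V-38604 | AUDIT | The ypbind service must not be enabled."
  command: chkconfig ypbind --list
  changed_when: no
  always_run: yes
  ignore_errors: yes
  register: ypbind_service_audit
  when: "'ypbind' in sysv_services.stdout_lines"
  failed_when: "':on' in ypbind_service_audit.stdout"
  tags: [ 'medium', 'V-38604', 'audit', 'cat2', 'ypbind', 'services' ]

# AUDIT 2: is ypbind running right now? chkconfig only reports boot-time
# enablement; an LSB init script returns 0 from "status" when the daemon is
# running, so rc == 0 is the finding. ignore_errors keeps the audit run going.
- name: "MEDIUM | V-38604 | AUDIT | The ypbind service must not be running."
  command: service ypbind status
  changed_when: no
  always_run: yes
  ignore_errors: yes
  register: ypbind_status_audit
  when: "'ypbind' in sysv_services.stdout_lines"
  failed_when: ypbind_status_audit.rc == 0
  tags: [ 'medium', 'V-38604', 'audit', 'cat2', 'ypbind', 'services' ]

# PATCH: the remediation from the original task, gated the same way. The
# service module is idempotent, so this is a no-op on a compliant host.
- name: "MEDIUM | V-38604 | PATCH | The ypbind service must not be running."
  service: name=ypbind state=stopped enabled=no
  when: "'ypbind' in sysv_services.stdout_lines"
  tags: [ 'medium', 'V-38604', 'patch', 'cat2', 'ypbind', 'services' ]
```

The gating only works if the prelim task actually ran in the same play: running with `-t V-38604` alone would skip a prelim tagged only `prelim_tasks`, leave `sysv_services` undefined and reproduce the failure in this issue, which is why the example also tags the prelim with the control ID. Guarding with `when: sysv_services is defined and ...` would silently skip the audit instead, hiding a missing prelim rather than surfacing it.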