Control 3.1.1 | Disable IPv6 does not work using sysctl
julianmaze opened this issue · 1 comments
Describe the Issue
When setting the variable `ubtu22cis_ipv6_disable` to `sysctl`, the playbook fails to execute. This is due to a when clause on the previous task that is invalid due to a previous skipped task.
azure-arm.linux_mktpl: TASK [mindpointgroup.ubuntu22_cis/ : 3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Replace ipv6.disable if it exists] ***
azure-arm.linux_mktpl: skipping: [default]
azure-arm.linux_mktpl:
azure-arm.linux_mktpl: TASK [mindpointgroup.ubuntu22_cis/ : 3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Check grub cmdline linux] ***
azure-arm.linux_mktpl: skipping: [default]
azure-arm.linux_mktpl:
azure-arm.linux_mktpl: TASK [mindpointgroup.ubuntu22_cis/ : 3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist] ***
azure-arm.linux_mktpl: fatal: [default]: FAILED! => {"msg": "The conditional check ''ipv6.disable' not in ubtu22cis_3_1_1_cmdline_settings.stdout' failed. The error was: error while evaluating conditional ('ipv6.disable' not in ubtu22cis_3_1_1_cmdline_settings.stdout): 'dict object' has no attribute 'stdout'. 'dict object' has no attribute 'stdout'\n\nThe error appears to be in '/runner_dir/image-pipeline/image-pipeline/ansible_roles/mindpointgroup.ubuntu22_cis/tasks/section_3/cis_3.1.x.yml': line 22, column 9, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name: \"3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist\"\n ^ here\n"}
The variable `ubtu22cis_3_1_1_cmdline_settings` is registered during the task named `3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Check grub cmdline linux`.
Expected Behavior
- Task `3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist` is skipped successfully
- Task `3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Remove net.ipv6.conf.all.disable_ipv6` runs successfully to disable IPv6
Actual Behavior
Task `3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist` fails to evaluate the when clause of its task.
Control(s) Affected
Control 3.1.1
Environment (please complete the following information):
- branch being used: 1.3.5
- Ansible Version: 2.16
- Host Python Version: Python3.10
- Ansible Server Python Version: NA
- Additional Details: NA
Additional Notes
NA
Possible Solution
Use nested blocks for the grub tasks. The nested block will have a when clause of `when: ubtu22cis_ipv6_disable == 'grub'` and the tasks in the block can further be configured with the appropriate when clauses.
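A sketch of the nested-block layout proposed above, as an added example that is not the role's own task file. Only `ubtu22cis_ipv6_disable` and `ubtu22cis_3_1_1_cmdline_settings` come from the issue; the play, the `grep` command, the shortened task names and the `debug` placeholders are assumptions made so the play runs without changing the host.

```yaml
# Added example (hypothetical play, not taken from mindpointgroup.ubuntu22_cis).
# A skipped task that uses `register` still defines the variable, but the
# result only carries skip metadata and has no `stdout` key. Any later `when`
# that dereferences `.stdout` must therefore sit behind the same gate.
- name: Gate the GRUB checks so a skipped register is never dereferenced
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    ubtu22cis_ipv6_disable: sysctl   # value from the issue; 'grub' selects the other path
  tasks:
    - name: "3.1.1 | GRUB method"
      when: ubtu22cis_ipv6_disable == 'grub'
      block:
        - name: "3.1.1 | Check grub cmdline linux"
          # Assumed read-only lookup; the role's real command may differ.
          ansible.builtin.command: grep GRUB_CMDLINE_LINUX= /etc/default/grub
          changed_when: false
          failed_when: false
          check_mode: false
          register: ubtu22cis_3_1_1_cmdline_settings

        - name: "3.1.1 | Insert ipv6.disable if it doesn't exist"
          # The block-level condition is evaluated before this one, so with
          # ubtu22cis_ipv6_disable=sysctl the task is skipped and `.stdout`
          # is never looked up on a skipped result.
          when: "'ipv6.disable' not in ubtu22cis_3_1_1_cmdline_settings.stdout"
          ansible.builtin.debug:
            msg: "placeholder: would add ipv6.disable=1 to GRUB_CMDLINE_LINUX"

    - name: "3.1.1 | sysctl method"
      when: ubtu22cis_ipv6_disable == 'sysctl'
      block:
        - name: "3.1.1 | Disable IPv6 via sysctl"
          ansible.builtin.debug:
            msg: "placeholder: would set net.ipv6.conf.all.disable_ipv6=1"

    # Alternative guard for tasks that cannot live inside the block:
    #   when:
    #     - ubtu22cis_3_1_1_cmdline_settings is not skipped
    #     - "'ipv6.disable' not in ubtu22cis_3_1_1_cmdline_settings.stdout | default('')"
```

Running the play with `ubtu22cis_ipv6_disable: sysctl` should show both GRUB tasks as skipped and the sysctl placeholder as ok, rather than the conditional-check failure in the log above.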
Hi @julian1059,
I believe that this issue has been addressed and the fix merged.
I will close this issue; please feel free to reopen or raise a new one if this particular problem still exists.
Many thanks
uk-bolly