Merge pull request #445 from ansible-lockdown/fix_021350

rhel7stig_boot_part variable now discovered
ansible-lockdown · Nov 21, 2023 · 212f524 · 212f524
2 parents 9943f97 + 6e7329b
commit 212f524
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 17 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -693,7 +693,7 @@ rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1,
 
 rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}"
 
-rhel7stig_boot_part: "{{ rhel_07_boot_part.stdout }}"
+rhel7stig_boot_part: /boot
 
 rhel7stig_legacy_boot_path: '/boot/grub2/'
 rhel7stig_efi_boot_path: '/boot/efi/EFI/'

diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
@@ -456,6 +456,7 @@
                   insert: true
               when:
                   - rhel7stig_boot_part not in ['/', '']
+                  - item.uuid is defined
                   - not ansible_check_mode or
                     rhel7_stig_grub_template is not changed
               notify: confirm grub2 user cfg
@@ -474,9 +475,9 @@
                   - ansible_check_mode
                   - rhel_07_021350_audit is failed
               failed_when:
-                  - rhel_07_021350_audit is failed
-                  - not ansible_check_mode or
-                    rhel_07_021350_audit.rc > 1
+                  - rhel_07_021350_audit.rc not in [ 0, 1 ]
+                  - not ansible_check_mode
+
               when:
                   - not ansible_check_mode or
                     rhel7_stig_grub_template is not changed

diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
@@ -1554,7 +1554,7 @@
       label: "{{ rhel7stig_passwd_label }}"
   when:
       - rhel_07_020620
-      - rhel7stig_interactive_uid_start | int <= item.uid
+      - item.uid >= rhel7stig_interactive_uid_start | int
   tags:
       - RHEL-07-020620
       - CAT2

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -300,18 +300,6 @@
       - RHEL-07-031000
       - RHEL-07-031010
 
-- name: "PRELIM | RHEL-07-021350 | Check if /boot or /boot/efi reside on separate partitions"
-  ansible.builtin.shell: df --output=target /boot | tail -n 1
-  changed_when: false
-  check_mode: false
-  register: rhel_07_boot_part
-  when:
-      - rhel_07_021350
-  tags:
-      - cat1
-      - high
-      - RHEL-07-021350
-
 - name: "PRELIM | RHEL-07-030300 | RHEL-07-030310 | RHEL-07-030320 | RHEL-07-030321 | Install audit remote plugin."
   ansible.builtin.package:
       name: audispd-plugins