Fix idempotency of rule 1.6.1; Modify behavior of changed_when if reb…

…oot is pending and skipped to allow idempotency to succeed Signed-off-by: Shawn Hardwick <[email protected]>
ansible-lockdown · Jul 3, 2024 · 1b4cfd9 · 1b4cfd9
1 parent bc59fae
commit 1b4cfd9
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 2 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -37,6 +37,9 @@ benchmark_version: v3.0.0
 # Whether to skip the reboot
 skip_reboot: true
 
+# Modify behavior of changed_when if reboot is pending and skipped to allow idempotency to succeed
+reboot_warning_changed_when: true
+
 ###
 ### Settings for associated Audit role using Goss
 ###

diff --git a/tasks/post.yml b/tasks/post.yml
@@ -23,7 +23,7 @@
             - skip_reboot
         ansible.builtin.debug:
             msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
-        changed_when: true
+        changed_when: reboot_warning_changed_when
 
       - name: "POST | Warning a reboot required but skip option set | warning count"
         when:

diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml
@@ -18,7 +18,7 @@
 
       - name: "1.6.1 | PATCH | Ensure system-wide crypto policy is not legacy"
         when:
-            - discovered_system_wide_crypto_policy.stdout not in rhel8cis_crypto_policy
+            - rhel8cis_full_crypto_policy not in discovered_system_wide_crypto_policy.stdout
         ansible.builtin.shell: |
             update-crypto-policies --set "{{ rhel8cis_full_crypto_policy }}"
             update-crypto-policies