scap-security-guide/scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch

From 1c054ed40a4dbc2a48ffe7720d018c317cad8105 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 15 Feb 2022 14:12:55 +0100
Subject: [PATCH] Simply mask services that should be disabled

At some point Ansible started to return much more services in
ansible_facts.services, including services that are not installed.
This caused the task to think that the service exists, attempt to stop
and mask the service.
But systemd module fatal errors on non existing services, although the
module ends up masking the service in question.

The bash remediations simply mask the service, even if it is not
installed.
Let's do the same with Ansible, mask the service and ignore errors.

One down side is that every non-existing service is reported as an
error, which is ignored. But still a fatal error.
---
 shared/templates/service_disabled/ansible.template | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
index 550ed563056..254f41ac7fd 100644
--- a/shared/templates/service_disabled/ansible.template
+++ b/shared/templates/service_disabled/ansible.template
@@ -6,16 +6,13 @@
 {{%- if init_system == "systemd" %}}
 - name: Disable service {{{ SERVICENAME }}}
   block:
-  - name: Gather the service facts
-    service_facts:
-
   - name: Disable service {{{ SERVICENAME }}}
     systemd:
       name: "{{{ DAEMONNAME }}}.service"
       enabled: "no"
       state: "stopped"
       masked: "yes"
-    when: '"{{{ DAEMONNAME }}}.service" in ansible_facts.services'
+    ignore_errors: 'yes'
 
 - name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
   command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
Fix fatal errors on Anible service disabled tasks Resolves: rhbz#2014561 2022-02-15 18:10:19 +00:00			`From 1c054ed40a4dbc2a48ffe7720d018c317cad8105 Mon Sep 17 00:00:00 2001`
			`From: Watson Sato <wsato@redhat.com>`
			`Date: Tue, 15 Feb 2022 14:12:55 +0100`
			`Subject: [PATCH] Simply mask services that should be disabled`

			`At some point Ansible started to return much more services in`
			`ansible_facts.services, including services that are not installed.`
			`This caused the task to think that the service exists, attempt to stop`
			`and mask the service.`
			`But systemd module fatal errors on non existing services, although the`
			`module ends up masking the service in question.`

			`The bash remediations simply mask the service, even if it is not`
			`installed.`
			`Let's do the same with Ansible, mask the service and ignore errors.`

			`One down side is that every non-existing service is reported as an`
			`error, which is ignored. But still a fatal error.`
			`---`
			`shared/templates/service_disabled/ansible.template \| 5 +----`
			`1 file changed, 1 insertion(+), 4 deletions(-)`

			`diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template`
			`index 550ed563056..254f41ac7fd 100644`
			`--- a/shared/templates/service_disabled/ansible.template`
			`+++ b/shared/templates/service_disabled/ansible.template`
			`@@ -6,16 +6,13 @@`
			`{{%- if init_system == "systemd" %}}`
			`- name: Disable service {{{ SERVICENAME }}}`
			`block:`
			`- - name: Gather the service facts`
			`- service_facts:`
			`-`
			`- name: Disable service {{{ SERVICENAME }}}`
			`systemd:`
			`name: "{{{ DAEMONNAME }}}.service"`
			`enabled: "no"`
			`state: "stopped"`
			`masked: "yes"`
			`- when: '"{{{ DAEMONNAME }}}.service" in ansible_facts.services'`
			`+ ignore_errors: 'yes'`

			`- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"`
			`command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket`