diff --git a/scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch b/scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch new file mode 100644 index 0000000..7103ed1 --- /dev/null +++ b/scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch @@ -0,0 +1,44 @@ +From 1c054ed40a4dbc2a48ffe7720d018c317cad8105 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 15 Feb 2022 14:12:55 +0100 +Subject: [PATCH] Simply mask services that should be disabled + +At some point Ansible started to return much more services in +ansible_facts.services, including services that are not installed. +This caused the task to think that the service exists, attempt to stop +and mask the service. +But systemd module fatal errors on non existing services, although the +module ends up masking the service in question. + +The bash remediations simply mask the service, even if it is not +installed. +Let's do the same with Ansible, mask the service and ignore errors. + +One down side is that every non-existing service is reported as an +error, which is ignored. But still a fatal error. +--- + shared/templates/service_disabled/ansible.template | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template +index 550ed563056..254f41ac7fd 100644 +--- a/shared/templates/service_disabled/ansible.template ++++ b/shared/templates/service_disabled/ansible.template +@@ -6,16 +6,13 @@ + {{%- if init_system == "systemd" %}} + - name: Disable service {{{ SERVICENAME }}} + block: +- - name: Gather the service facts +- service_facts: +- + - name: Disable service {{{ SERVICENAME }}} + systemd: + name: "{{{ DAEMONNAME }}}.service" + enabled: "no" + state: "stopped" + masked: "yes" +- when: '"{{{ DAEMONNAME }}}.service" in ansible_facts.services' ++ ignore_errors: 'yes' + + - name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket" + command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 21a8329..1b31c50 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -6,7 +6,7 @@ Name: scap-security-guide Version: 0.1.60 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ @@ -57,6 +57,7 @@ Patch39: scap-security-guide-0.1.61-grub2_rule_desc_update-PR_8184.patch Patch40: scap-security-guide-0.1.61-grub2_template_fix-PR_8180.patch Patch41: scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch Patch42: scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch +Patch43: scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch BuildRequires: libxslt BuildRequires: expat @@ -143,6 +144,9 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md %endif %changelog +* Tue Feb 15 2022 Watson Sato - 0.1.60-4 +- Fix Ansible service disabled tasks (RHBZ#2014561) + * Mon Feb 14 2022 Gabriel Becker - 0.1.60-3 - Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403) - Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2045403)