Review set_nftables_loopback_traffic for RHEL7 #11529
Labels: Ansible (Ansible remediation update.), productization-issue (Issue found in upstream stabilization process.)
Description of problem:
The set_nftables_loopback_traffic rule apparently was never used in RHEL 7, especially when iptables is the default backend for RHEL 7. RHEL8 also uses firewalld and this rule is not included in any RHEL8 profile. But the rule is supported on these systems and is included in the Datastream.

Recently the Ansible remediation for this rule was updated (#11465) because the Ansible module sysctl belongs to different collections depending on the system version:
- ansible.posix collection in RHEL8
- ansible.builtin collection in RHEL7

So, the mentioned PR makes it correct for both versions.
This is not an issue when executing the respective playbooks for a local system, but could be a problem when the Ansible controller in one version tries to execute the playbook for a client in another version.
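The cross-version hazard described above (a controller on one RHEL version running a generated playbook whose sysctl FQCN only resolves on the other) can be caught before `ansible-playbook --syntax-check` by scanning the generated playbooks for module FQCNs. The following is an added example, not code from the ComplianceAsCode project: it uses only the collection mapping stated in the issue (sysctl in ansible.posix on RHEL8, in ansible.builtin on RHEL7); the sample playbook text, its task names and the sysctl key in it are constructed placeholders, and the scan is a line-based pattern match rather than a full YAML parse.

```python
"""Flag Ansible tasks whose sysctl FQCN belongs to a collection that is not
the one available on the target controller's Ansible version.

Added example; not part of the ComplianceAsCode project. The platform ->
collection mapping comes from the issue text; the playbook content below is
constructed and does not reproduce the real generated remediation.
"""
import re
from typing import Dict, List, Tuple

# Which collection provides the sysctl module on each platform's Ansible,
# as stated in the issue.
SYSCTL_COLLECTION: Dict[str, str] = {
    "rhel7": "ansible.builtin",
    "rhel8": "ansible.posix",
}

# Constructed stand-in for a generated playbook such as
# build/rhel7/fixes/ansible/set_nftables_loopback_traffic.yml.
# The sysctl key and task names are placeholders, not the rule's real content.
SAMPLE_PLAYBOOK = """\
- name: Constructed example play
  hosts: all
  tasks:
    - name: Constructed sysctl task
      ansible.posix.sysctl:
        name: net.ipv4.conf.all.placeholder_key
        value: '0'
        state: present
    - name: Constructed service task
      ansible.builtin.service:
        name: nftables
        state: started
"""

# A task line that names a module by FQCN: optional indent, optional "- ",
# then exactly namespace.collection.module followed by a colon.
FQCN_RE = re.compile(r"^\s*(?:-\s+)?([a-z][a-z0-9_]*(?:\.[a-z][a-z0-9_]*){2}):")


def find_fqcn_modules(playbook_text: str) -> List[Tuple[int, str]]:
    """Return (line number, FQCN) for every task line that invokes a module by FQCN."""
    found: List[Tuple[int, str]] = []
    for lineno, line in enumerate(playbook_text.splitlines(), start=1):
        match = FQCN_RE.match(line)
        if match:
            found.append((lineno, match.group(1)))
    return found


def check_sysctl_portability(playbook_text: str, platform: str) -> List[str]:
    """List sysctl invocations whose collection will not resolve on `platform`.

    An empty list means every sysctl task uses the collection the issue says
    that platform's Ansible provides.
    """
    expected = SYSCTL_COLLECTION[platform]
    problems: List[str] = []
    for lineno, fqcn in find_fqcn_modules(playbook_text):
        collection, _, module = fqcn.rpartition(".")
        if module == "sysctl" and collection != expected:
            problems.append(
                f"line {lineno}: {fqcn} will not resolve on {platform}; "
                f"expected {expected}.sysctl"
            )
    return problems


if __name__ == "__main__":
    # Scanning the constructed playbook as if it were the rhel7 build
    # reports the ansible.posix.sysctl task; as the rhel8 build it is clean.
    for target in ("rhel7", "rhel8"):
        print(target, check_sysctl_portability(SAMPLE_PLAYBOOK, target) or "ok")
```

Run it over the real files by reading `build/<platform>/fixes/ansible/*.yml` and passing each file's text with the matching platform name; a non-empty result is the same condition that later surfaces as the "couldn't resolve module/action" error from `ansible-playbook --syntax-check`.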
SCAP Security Guide Version:
master and stabilization-0.1.72 as of 2024-02-01
Operating System Version:
RHEL7 and RHEL8
Steps to Reproduce:
Execute this process both on RHEL 7 and RHEL 8
2.a. ansible-playbook --syntax-check build/rhel7/fixes/ansible/set_nftables_loopback_traffic.yml
2.b. ansible-playbook --syntax-check build/rhel8/fixes/ansible/set_nftables_loopback_traffic.yml
Actual Results:
Example in RHEL 7:
ERROR! couldn't resolve module/action 'ansible.posix.sysctl'. This often indicates a misspelling, missing collection, or incorrect module path.
Expected Results:
No errors detected by ansible-playbook --syntax-check
Additional Information/Debugging Steps:
One option would be to not use FQCN for sysctl, but this is going against the Ansible best practices and might not be a good solution for the long-term. Also changing the module in this specific remediation doesn't seem worthwhile.