Hi,

The "when" statement is used to prevent execution of certain Ansible
tasks on Docker containers. It's unrelated to virtual machines. I
admit the variable names are confusing, but they're embedded in Ansible.
I think we need a comment, or to document this somewhere.

Regards

On Tue, Feb 11, 2020 at 6:56 PM Link, Henry L II CTR USN NIWC ATLANTIC
SC (USA) <henry.l.link1....@navy.mil> wrote:
>
> Good afternoon! I am new to this list, and would normally lurk a bit more 
> first, but I have a question I am hoping the community might be able to help 
> me with.
>
> I have been reviewing the ansible playbook content for the NIAP OSPP for RHEL 
> 8 on the following site:
>
> https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-index.html
>
> And I came across what has been labeled the “[DRAFT] DISA STIG for Red Hat 
> Enterprise Linux 8”
>
> It just so happens to mirror the NIAP OSPP guidance, no surprise there for a 
> first draft. However, a large number of the tasks in the playbook are 
> restricted with the WHEN statement:
>
> - when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
>
> These filters are from the original NIAP OSPP ansible guidance as well.
>
> Does anyone have an understanding why these tasks are filtered out for 
> virtual machines? The text guidance makes no mention why these would be 
> excluded, and in fact other code snippets (e.g. the bash scripts) don't 
> include an exclusion like this. Even in cases like CCE-81024-2, I've never 
> had issues with enabling this on virtual guests in the past (in VMware, mind 
> you), and items like CCE-82297-3 (tipc disable) or CCE-80834-5 (sctp disable) 
> don't cause any significant issues for a virtual guest where these are 
> disabled. (My interest is in use in a DoD implementation, and though there is 
> no STIG yet, I am negotiating with our accrediting body on appropriate 
> controls until the STIG is available.)
>
> If anyone has any further insight why these were restricted with “when” 
> directives in the ansible role/playbook for Draft STIG and NIAP, thank you in 
> advance. For my part, I’m removing the clause for my implementation, but 
> wanted to see what the original reason was and if it was something I should 
> be aware of to avoid any future unforeseen issues.
>
> v/r
>
> Henry Link
>
> _______________________________________________
> scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
> To unsubscribe send an email to 
> scap-security-guide-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org
-- 
Jan Černý
Security Technologies | Red Hat, Inc.
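To make the point in the reply above concrete, here is a small stand-alone script (added for this thread, not code from the scap-security-guide project) that transcribes the quoted Jinja2 condition into Python and evaluates it over a constructed table of ansible_virtualization_role / ansible_virtualization_type pairs. Because the two comparisons are joined with "or", the only combination that evaluates false, and therefore skips the task, is role == "guest" together with type == "docker", i.e. a Docker container; a VMware or KVM guest still gets the task. The fact values are made-up samples shaped like setup-module output (the "docker host" and "podman" rows in particular are assumptions for illustration, not verified Ansible output), and the script also models the case where facts were never gathered, since a `when` that references an undefined fact fails the task under Ansible's default strict undefined handling.

```python
"""Evaluate the quoted SSG/STIG Ansible ``when`` clause offline.

Example code added for this mailing-list thread; not part of the
scap-security-guide content.  It mirrors the Jinja2 expression

    ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"

in plain Python and runs it over constructed fact values so the effect of
the ``or`` is visible: only a Docker *container* (guest + docker) is
skipped.  VMs and bare metal still run the task.
"""
from typing import Dict, List, Tuple


def when_clause(facts: Dict[str, str]) -> bool:
    """Literal transcription of the clause.  True means the task runs."""
    # Ansible's default strict undefined handling makes a ``when`` that
    # references a fact which was never gathered fail the task, so model
    # that as an exception rather than silently running or skipping.
    try:
        role = facts["ansible_virtualization_role"]
        vtype = facts["ansible_virtualization_type"]
    except KeyError as exc:
        raise ValueError(f"conditional references undefined fact {exc}") from exc
    return role != "guest" or vtype != "docker"


def is_docker_container(facts: Dict[str, str]) -> bool:
    """De Morgan rewrite of the negated clause: skip iff guest AND docker."""
    return (facts.get("ansible_virtualization_role") == "guest"
            and facts.get("ansible_virtualization_type") == "docker")


# Constructed sample fact sets.  Values are shaped like Ansible setup output;
# the "docker host" and "podman" rows are assumptions used for illustration.
SAMPLE_HOSTS: List[Tuple[str, Dict[str, str]]] = [
    ("docker container", {"ansible_virtualization_role": "guest",
                          "ansible_virtualization_type": "docker"}),
    ("docker host",      {"ansible_virtualization_role": "host",
                          "ansible_virtualization_type": "docker"}),
    ("vmware guest",     {"ansible_virtualization_role": "guest",
                          "ansible_virtualization_type": "VMware"}),
    ("kvm guest",        {"ansible_virtualization_role": "guest",
                          "ansible_virtualization_type": "kvm"}),
    ("bare metal",       {"ansible_virtualization_role": "NA",
                          "ansible_virtualization_type": "NA"}),
    ("podman container", {"ansible_virtualization_role": "guest",
                          "ansible_virtualization_type": "podman"}),
]


def tasks_skipped() -> List[str]:
    """Names of sample hosts on which the guarded task would NOT run."""
    return [name for name, facts in SAMPLE_HOSTS if not when_clause(facts)]


def clause_matches_demorgan() -> bool:
    """The literal clause and the rewritten one agree on every sample."""
    return all(when_clause(f) == (not is_docker_container(f))
               for _, f in SAMPLE_HOSTS)


def fails_without_facts() -> bool:
    """True if evaluating the clause with no gathered facts raises."""
    try:
        when_clause({})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, facts in SAMPLE_HOSTS:
        print(f"{name:18s} -> {'run' if when_clause(facts) else 'SKIP'}")
    print("skipped:", tasks_skipped())
    print("gather_facts: false fails the conditional:", fails_without_facts())
```

Note that the podman row is what makes the caveat visible: a container runtime that reports a type other than "docker" is not excluded by this clause, so the task runs there. Anyone keeping the clause, or removing it as Henry describes, should check the real values with the setup module on their own hosts rather than relying on the sample table here.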