
Why can't these fail? #30

Open
smiller171 opened this issue Apr 24, 2019 · 2 comments

Comments

@smiller171
Contributor

I can't find any tasks checking the registered vars, and yet these tasks are set to never fail. As far as I can tell these are scored rules that are being allowed to pass unchecked.

```yaml
- name: "SCORED | 1.1.5 | PATCH | Ensure separate partition exists for /var"
  shell: mount | grep "on /var "
  register: var_mounted
  changed_when: false
  failed_when: false
  when:
    - ubuntu1604cis_rule_1_1_5
  tags:
    - level2
    - scored
    - patch
    - rule_1.1.5
    - skip_ansible_lint

- name: "SCORED | 1.1.6 | PATCH | Ensure separate partition exists for /var/tmp"
  shell: mount | grep "on /var/tmp "
  register: var_tmp_mounted
  changed_when: false
  failed_when: false
  when:
    - ubuntu1604cis_rule_1_1_6
  tags:
    - level2
    - scored
    - patch
    - rule_1.1.6
    - skip_ansible_lint

- name: "SCORED | 1.1.10 | PATCH | Ensure separate partition exists for /var/log"
  shell: mount | grep "on /var/log "
  register: var_log_mounted
  changed_when: false
  failed_when: false
  when:
    - ubuntu1604cis_rule_1_1_10
  tags:
    - level2
    - scored
    - patch
    - rule_1.1.10
    - skip_ansible_lint

- name: "SCORED | 1.1.11 | PATCH | Ensure separate partition exists for /var/log/audit"
  shell: mount | grep "on /var/log/audit "
  register: var_log_audit_mounted
  changed_when: false
  failed_when: false
  when:
    - ubuntu1604cis_rule_1_1_11
  tags:
    - level2
    - scored
    - patch
    - rule_1.1.11
    - skip_ansible_lint

- name: "SCORED | 1.1.12 | PATCH | Ensure separate partition exists for /home"
  shell: mount | grep "on /home "
  register: home_mounted
  changed_when: false
  failed_when: false
  when:
    - ubuntu1604cis_rule_1_1_12
  tags:
    - level2
    - scored
    - patch
    - rule_1.1.12
    - skip_ansible_lint
```

@florianutz
Owner

I know about that issue. But at the moment I have no idea for a feasible solution. Furthermore, that option doesn't make sense for cloud systems. There is just one partition by default.
From my point of view, this must be configured when installing the system and should not be done afterwards by a hardening script.
There are two options to improve that:

  • The role generates a local log with the status of the recommended partitions
  • The role fails when there are no mount points (and we disable these checks by default)

@smiller171
Contributor Author

@florianutz I think the right thing to do here is to fail if the check isn't skipped, but to skip it by default. IMO, by setting failed_when to false, you're just wasting CPU cycles by checking at all.
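A version of the tasks that behaves the way the comments above propose, added here as an example and not code from the role: the check runs only for enabled rules, records which mount points are missing (the owner's first option), and fails only when an opt-in flag is set (the second option, disabled by default). The variable `ubuntu1604cis_fail_on_missing_partition`, the fact name `missing_partitions` and the task names are assumptions; the `ubuntu1604cis_rule_*` variables and the `mount | grep` check are the role's own.

```yaml
# Added example, not code from the role. ubuntu1604cis_fail_on_missing_partition
# is an assumed opt-in variable; it defaults to false so the role keeps passing.
- name: "SCORED | 1.1.5-1.1.12 | AUDIT | Check that separate partitions exist"
  shell: mount | grep "on {{ item.path }} "
  register: partition_check
  changed_when: false
  # grep exits 1 when the mount point is absent, which is the result we want to
  # record, not an error; anything above 1 means the check itself broke.
  failed_when: partition_check.rc > 1
  loop:
    - { path: "/var",           enabled: "{{ ubuntu1604cis_rule_1_1_5 }}" }
    - { path: "/var/tmp",       enabled: "{{ ubuntu1604cis_rule_1_1_6 }}" }
    - { path: "/var/log",       enabled: "{{ ubuntu1604cis_rule_1_1_10 }}" }
    - { path: "/var/log/audit", enabled: "{{ ubuntu1604cis_rule_1_1_11 }}" }
    - { path: "/home",          enabled: "{{ ubuntu1604cis_rule_1_1_12 }}" }
  loop_control:
    label: "{{ item.path }}"
  when: item.enabled | bool
  tags:
    - level2
    - scored
    - audit
    - skip_ansible_lint

- name: "SCORED | 1.1.5-1.1.12 | AUDIT | Collect mount points that are not separate partitions"
  set_fact:
    # Skipped loop items carry no rc, so filter on rc being defined first.
    missing_partitions: >-
      {{ partition_check.results
         | selectattr('rc', 'defined')
         | selectattr('rc', 'equalto', 1)
         | map(attribute='item.path') | list }}
  tags:
    - level2
    - scored
    - audit

- name: "SCORED | 1.1.5-1.1.12 | AUDIT | Fail when a required separate partition is missing"
  assert:
    that: missing_partitions | length == 0
    fail_msg: "Missing separate partitions: {{ missing_partitions | join(', ') }}"
    success_msg: "All enabled partition checks passed"
  # Opt-in only: cloud images with a single partition keep the default and just
  # get the status in the play output instead of a failed run.
  when: ubuntu1604cis_fail_on_missing_partition | default(false) | bool
  tags:
    - level2
    - scored
    - audit
```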
