attempting to disable ctrl-alt-del reboot always skips

Bug #1787048 reported by om on 2018-08-14
This bug affects 1 person
Assigned to: Kevin Carter

Bug Description

At the bottom is the code snippet of the faulty code. It assumes the systemctl status returns 0 or 3, in which case I am experiencing it to return 3 all the time.

To fix I would simply just run the mask command without checking if it were masked to begin with.

Testing on my local RHEL7 (yum updated as of Aug-09):

#### disabling the symlink

# systemctl unmask
Removed symlink /etc/systemd/system/

#### check return code of status
# systemctl status; echo $?
● - Reboot
   Loaded: loaded (/usr/lib/systemd/system/; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:systemd.special(7)

#### enabling the symlink
# systemctl mask
Created symlink from /etc/systemd/system/ to /dev/null.

#### check return code of status
# systemctl status; echo $?
   Loaded: masked (/dev/null; bad)
   Active: inactive (dead)

#### file: ansible-hardening/tasks/rhel7stig/misc.yml
#### line number: 38-58

# This returns an exit code of 0 if it's running, 3 if it's masked.
- name: Check if is already masked
  command: systemctl status
  register: cad_mask_check
  check_mode: no
  changed_when: False
  failed_when: cad_mask_check.rc not in [0,3]
  tags:
    - always

- name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled
  command: systemctl mask
  when:
    - security_rhel7_disable_ctrl_alt_delete | bool
    - cad_mask_check.rc != 3
  notify:
    - reload systemd
  tags:
    - high
    - misc
    - V-71993
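
The session above shows `systemctl mask` creating a symlink to /dev/null, so the mask state can be read from that path instead of from the `systemctl status` exit code. The shell functions below are an added example, not part of the original report or of ansible-hardening; the function names and the ROOT argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from ansible-hardening. ROOT is a hypothetical
# parameter (empty = live system) so the check also works on a mounted image.

# Print "masked", "overridden" or "unmasked" for UNIT, judged from the
# override path that `systemctl mask` writes, not from an exit code.
unit_mask_state() {
    unit=$1
    root=${2:-}
    link="$root/etc/systemd/system/$unit"
    if [ -L "$link" ]; then
        # `systemctl mask` creates a symlink to /dev/null.
        if [ "$(readlink "$link")" = "/dev/null" ]; then
            echo masked
        else
            echo overridden      # symlink to some other unit file
        fi
    elif [ -f "$link" ] && [ ! -s "$link" ]; then
        echo masked              # systemd.unit(5): an empty unit file is masked too
    elif [ -e "$link" ]; then
        echo overridden          # a local unit file shadows the vendor unit
    else
        echo unmasked
    fi
}

# Mask UNIT only if needed. Returns 0 when masked, 2 when a local override
# exists and needs a human decision.
ensure_masked() {
    unit=$1
    root=${2:-}
    case $(unit_mask_state "$unit" "$root") in
        masked)
            return 0 ;;
        overridden)
            echo "not replacing $root/etc/systemd/system/$unit" >&2
            return 2 ;;
    esac
    if [ -n "$root" ]; then
        # Offline tree: write the same symlink `systemctl mask` would create.
        mkdir -p "$root/etc/systemd/system"
        ln -s /dev/null "$root/etc/systemd/system/$unit"
    else
        systemctl mask "$unit"
    fi
}
```

Called as `ensure_masked <unit>` on a live host, the second run is a no-op because the state is read from disk.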

Mohammed Naser (mnaser) wrote :

This should be fixed by using instead

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Kevin Carter (kevin-carter)
tags: added: low-hanging-fruit

Fix proposed to branch: master

Changed in openstack-ansible:
status: Confirmed → In Progress

Submitter: Zuul
Branch: master

commit 111f48b2f670353f51476817420893950aef3609
Author: Kevin Carter <email address hidden>
Date: Tue Aug 21 11:31:01 2018 -0500

    Correct issue with ansible hardening and systemd

    The systemd command does not have a stable api and can return different
    codes when executed. This change converts the task to query the target
    unit and disable it if it exists to a single systemd task using the
    ansible module.

    Closes-Bug: #1787048
    Change-Id: I74c43839cd7d3a8620a0fb8e405fbc3f6a0f44d0
    Signed-off-by: Kevin Carter <email address hidden>

Changed in openstack-ansible:
status: In Progress → Fix Released