use failed_when:false for Ansible register: checks

Using ignore_errors leads to user-visible fatal errors produced by ansible-playbook: TASK [Enable FIPS Mode - Check to See the Current Status of FIPS Mode] ********* fatal: [192.168.122.178]: FAILED! => {"changed": false, "cmd": ["/usr/bin/fips-mode-setup", "--check"] ... These are indistinguishable from actually terminating fatal errors (to a log-reading script) that need to be investigated. Using failed_when avoids those, while still registering the output for use by other checks, as done by many other checks: $ grep -i 'failed_when: false' -r linux_os/ | wc -l 25 Signed-off-by: Jiri Jaburek <comps@nomail.dom>
ComplianceAsCode · Apr 2, 2024 · 40fdde4 · 40fdde4
1 parent 695c283
commit 40fdde4
Show file tree

Hide file tree

Showing 6 changed files with 6 additions and 6 deletions.
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
@@ -6,7 +6,7 @@
 - name: "Test for domain group"
   command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
   register: test_grep_domain
-  ignore_errors: yes
+  failed_when: false
   changed_when: False
   check_mode: no
 

diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
@@ -8,7 +8,7 @@
 - name: "Test for domain group"
   command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
   register: test_grep_domain
-  ignore_errors: yes
+  failed_when: false
   changed_when: False
   check_mode: no
 

diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
@@ -6,7 +6,7 @@
 - name: "Test for domain group"
   command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
   register: test_grep_domain
-  ignore_errors: yes
+  failed_when: false
   changed_when: False
   check_mode: no
 

diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
@@ -8,7 +8,7 @@
 - name: "Test for domain group"
   command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
   register: test_grep_domain
-  ignore_errors: yes
+  failed_when: false
   changed_when: False
   check_mode: no
 

diff --git a/...-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/ansible/shared.yml b/...-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/ansible/shared.yml
@@ -26,7 +26,7 @@
   ansible.builtin.command:
     cmd: semanage fcontext -a -t faillog_t "{{ var_accounts_passwords_pam_faillock_dir }}(/.*)?"
   register: result_accounts_passwords_pam_faillock_dir_semanage
-  ignore_errors: yes
+  failed_when: false
   changed_when:
     - result_accounts_passwords_pam_faillock_dir_semanage.rc == 0
 

diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/ansible/shared.yml
@@ -8,7 +8,7 @@
 - name: "{{{ rule_title }}} - Check to See the Current Status of FIPS Mode"
   ansible.builtin.command: /usr/bin/fips-mode-setup --check
   register: is_fips_enabled
-  ignore_errors: yes
+  failed_when: false
   changed_when: false
 
 - name: "{{{ rule_title }}} - Enable FIPS Mode"