1.4.2 - Ansible 2.12 Does Not Manage /etc/crontab

[ccravens]

Describe the Issue
Latest release of Ansible 2.12 seems to error out when managing /etc/crontab. When running step 1.4.2, Ansible 2.12 will error with the following message:

TASK [/RHEL8-CIS : 1.4.2 | L1 | PATCH | Ensure filesystem integrity is regularly checked] ***
fatal: [example.com]: FAILED! => {"changed": false, "msg": "Will not manage /etc/crontab via cron_file, see documentation."}

Please refer to: https://docs.ansible.com/ansible-core/devel/collections/ansible/builtin/cron_module.html

The assumption is that this file is exclusively managed by the module, do not use if the file contains multiple entries, NEVER use for /etc/crontab.

Expected Behavior
While a user can modify the rhel8cis_aide_cron.cron_file setting, I would expect default configurations to handle this due to potentially unknown behavior when modifying default configurations.

Actual Behavior
Ansible will error and not modify the /etc/crontab file

Control(s) Affected
1.4.2

Environment (please complete the following information):
Ansible 2.12.2

Additional Notes
None

Possible Solution
By updating the rhel8cis_aide_cron to the following, and creating a daily file within /etc/cron.d, the command works. However, I'm not sure if this is a valid approach.

# AIDE cron settings
rhel8cis_aide_cron:
    cron_user: root
    cron_file: /etc/cron.d/0daily   <<<< This is the only change required
    aide_job: '/usr/sbin/aide --check'
    aide_minute: 0
    aide_hour: 5
    aide_day: '*'
    aide_month: '*'
    aide_weekday: '*'

[uk-bolly]

Hi @ccravens

Thank you for taking the time to raise this issue, feedback that helps us to improve the benchmark.
With many clients setup in a variety of ways allowing this to be extended to a client specified location suitable for their site specific configuration. The use of vars found in defaults/main.yml have been designed in this way to be overridden based upon client/site requirements and superseded by variables elsewhere. At the same time as ensuring the core of the benchmark is still achieved.
While 2.12 and its updated module no longer allows updating to /etc/crontab, many users of the repository are on older versions of ansible, so don't experience this issue with defaults.
I will leave this issue open to be picked up for the location changed in the next release.

Many thanks once again.

uk-bolly

[breca]

Ran into this as well.

Instead of updating /etc/cron.d/0daily I'd probably target /etc/cron.d/cis_aide (or similar).

Thanks for identifying the issue, saved me some precious brain cells!

[georgenalen]

This was addressed in release 2.1.0