From 95ca84c592fa3bf7fcf9a8c7eeeb5595eab040c1 Mon Sep 17 00:00:00 2001
From: "Gael Chamoulaud (Strider)"
Date: Wed, 2 Dec 2020 16:27:25 +0100
Subject: [PATCH] Exit with zero status when denials are not found in audit log

When no denials are found in the audit log file, grep will exit with 1 and this ansible task will be caught by the callback as a failed task.

Change-Id: I95f782c02bdf3446f6b6e461973e8226a8d2a699
Signed-off-by: Gael Chamoulaud (Strider)
---
 validations_common/roles/validate_selinux/tasks/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/validations_common/roles/validate_selinux/tasks/main.yml b/validations_common/roles/validate_selinux/tasks/main.yml
index d0ef3a0..0bda043 100644
--- a/validations_common/roles/validate_selinux/tasks/main.yml
+++ b/validations_common/roles/validate_selinux/tasks/main.yml
@@ -53,11 +53,11 @@
 
 - name: Fetch denials from auditlog
   become: true
-  ignore_errors: true
+  failed_when: false
   changed_when: false
   shell: |
     set -o pipefail
-    grep denied {{ validate_selinux_audit_source }} > /tmp/denials.log
+    grep -i denied {{ validate_selinux_audit_source }} > /tmp/denials.log || (echo "No denials found in auditlog"; exit 0)
 
 - name: Get stat for denials.log
   stat:
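Review bot: The `|| (...; exit 0)` fallback on the new grep line, stacked with `failed_when: false`, turns every grep failure into "no denials found", including exit status 2 when `{{ validate_selinux_audit_source }} ` is missing or unreadable, so the validation passes vacuously precisely when it could not read the log it is meant to check. Only exit status 1 (no match) is the clean case; let Ansible absorb that one and keep real errors visible by replacing `failed_when: false` with `register: denials_grep` and `failed_when: denials_grep.rc > 1`, and reverting the grep line to `grep -i denied "{{ validate_selinux_audit_source }}" > /tmp/denials.log` without the fallback (quoting the path also avoids word-splitting if the variable ever contains spaces). Separately, writing as root to the predictable, world-writable `/tmp/denials.log` predates this change but is worth moving to a `mktemp`-created or role-private path, since a local user can pre-create that name. The `set -o pipefail` line has no pipeline to act on here and can be dropped.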