Prevent Ansible Playbook termination in check mode

jan-cerny · jan-cerny · commit ea94e11d2f0b · 2026-04-24T10:03:06.000+02:00
Some Ansible Playbooks are terminating prematurely on some Ansible
Tasks where the `when` statement assumes that a systemd service
is installed. In normal mode, the installation is performed by
other tasks, but in check mode, the installation isn't executed
and the service isn't installed at the moment of checking the
service state. This manifests in the test
`/scanning/host-os/ansible-check/check-mode`.

Addressing:
```
Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld
trusted Zone Restricts IPv4 Loopback Traffic ({"msg": "The conditional
check 'ansible_facts.services['firewalld.service'].state == 'running''
failed. The error was: error while evaluating conditional
(ansible_facts.services['firewalld.service'].state == 'running'): 'dict
object' has no attribute 'firewalld.service'. 'dict object' has no
attribute 'firewalld.service'\n\nThe error appears to be in
'/usr/share/scap-security-guide/ansible/centos8-playbook-pci-dss.yml':
line 10070, column 7, but may\nbe elsewhere in the file depending on the
exact syntax problem.\n\nThe offending line appears to be:\n\n\n    -
name: Configure Firewalld to Restrict Loopback Traffic - Ensure
firewalld trusted\n      ^ here\n"})
```
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml
@@ -57,6 +57,6 @@
     name: auditd.service
     state: restarted
   when:
-    - ansible_facts.services["auditd.service"].state == "running"
+    - '"auditd.service" in ansible_facts.services and ansible_facts.services["auditd.service"].state == "running"'
     - (augenrules_syscall_auditing_rule_update_result.changed or
        auditctl_syscall_auditing_rule_update_result.changed)
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/ansible/shared.yml
@@ -67,4 +67,4 @@
   when:
     - (augenrules_audit_rules_privilege_function_update_result.changed or
        auditctl_audit_rules_privilege_function_update_result.changed)
-    - ansible_facts.services["auditd.service"].state == "running"
+    - '"auditd.service" in ansible_facts.services and ansible_facts.services["auditd.service"].state == "running"'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
@@ -68,4 +68,4 @@
   when:
     - (augenrules_audit_rules_privilege_function_update_result.changed or
        auditctl_audit_rules_privilege_function_update_result.changed)
-    - ansible_facts.services["auditd.service"].state == "running"
+    - '"auditd.service" in ansible_facts.services and ansible_facts.services["auditd.service"].state == "running"'
diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/ansible/shared.yml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/ansible/shared.yml
@@ -20,4 +20,4 @@
   ansible.builtin.systemd:
     name: vsftpd.service
     state: restarted
-  when: banner_file_update_result.changed and ansible_facts.services["vsftpd.service"].state == "running"
+  when: banner_file_update_result.changed and "vsftpd.service" in ansible_facts.services and ansible_facts.services["vsftpd.service"].state == "running"
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
@@ -82,14 +82,14 @@
         - result_firewall_cmd_zones_names.stdout_lines is defined
         - result_firewall_cmd_zones_names.stdout_lines | length > 0
   when:
-    - ansible_facts.services['firewalld.service'].state == 'running'
-    - ansible_facts.services['NetworkManager.service'].state == 'running'
+    - "'firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state == 'running'"
+    - "'NetworkManager.service' in ansible_facts.services and ansible_facts.services['NetworkManager.service'].state == 'running'"
 
 - name: '{{{ rule_title }}} - Informative message based on services states'
   ansible.builtin.assert:
     that:
-      - ansible_check_mode or ansible_facts.services['firewalld.service'].state == 'running'
-      - ansible_check_mode or ansible_facts.services['NetworkManager.service'].state == 'running'
+      - "ansible_check_mode or ('firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state == 'running')"
+      - "ansible_check_mode or ('NetworkManager.service' in ansible_facts.services and ansible_facts.services['NetworkManager.service'].state == 'running')"
     fail_msg:
       - firewalld and NetworkManager services are not active. Remediation aborted!
       - This remediation could not be applied because it depends on firewalld and NetworkManager services running.
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/ansible/shared.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/ansible/shared.yml
@@ -38,12 +38,12 @@
       when:
         - result_trusted_ipv4_restriction is changed or result_trusted_ipv6_restriction is changed
   when:
-    - ansible_facts.services['firewalld.service'].state == 'running'
+    - "'firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state == 'running'"
 
 - name: '{{{ rule_title }}} - Informative Message Based on Service State'
   ansible.builtin.assert:
     that:
-      - ansible_check_mode or ansible_facts.services['firewalld.service'].state == 'running'
+      - "ansible_check_mode or ('firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state == 'running')"
     fail_msg:
       - firewalld service is not active. Remediation aborted!
       - This remediation could not be applied because it depends on firewalld service running.
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_trusted/ansible/shared.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_trusted/ansible/shared.yml
@@ -30,12 +30,12 @@
       when:
         - result_lo_interface_assignment is changed
   when:
-    - ansible_facts.services['firewalld.service'].state == 'running'
+    - "'firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state == 'running'"
 
 - name: '{{{ rule_title }}} - Informative Message Based on Service State'
   ansible.builtin.assert:
     that:
-      - ansible_check_mode or ansible_facts.services['firewalld.service'].state == 'running'
+      - "ansible_check_mode or ('firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state == 'running')"
     fail_msg:
       - firewalld service is not active. Remediation aborted!
       - This remediation could not be applied because it depends on firewalld service running.
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/ansible/shared.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/ansible/shared.yml
@@ -13,7 +13,7 @@
   ansible.builtin.command: wicked ifdown {{ item }}
   loop: '{{ ansible_facts.interfaces }}'
   when:
-    - ansible_facts.services['wickedd.service'].state == 'running'
+    - "'wickedd.service' in ansible_facts.services and ansible_facts.services['wickedd.service'].state == 'running'"
     - 'item.startswith("wl")'
 
 - name: "{{{ rule_title }}} - Wicked Disable Wireless Network Interfaces"
@@ -23,7 +23,7 @@
     line: STARTMODE=off
   loop: '{{ ansible_facts.interfaces }}'
   when:
-    - ansible_facts.services['wickedd.service'].state == 'running'
+    - "'wickedd.service' in ansible_facts.services and ansible_facts.services['wickedd.service'].state == 'running'"
     - 'item.startswith("wl")'
 {{%- else %}}
 
@@ -40,4 +40,4 @@
   ansible.builtin.command: nmcli radio wifi off
   when:
     - "'NetworkManager' in ansible_facts.packages"
-    - ansible_facts.services['NetworkManager.service'].state == 'running'
+    - "'NetworkManager.service' in ansible_facts.services and ansible_facts.services['NetworkManager.service'].state == 'running'"
