
UBTU-20-010461 - usb-storage remediation doesn't pass benchmark #43

Open
kfiresmith opened this issue Oct 17, 2024 · 1 comment
Labels: bug (Something isn't working)

Comments

@kfiresmith

Describe the Issue
There's a minor change needed at https://github.com/ansible-lockdown/UBUNTU20-STIG/blob/devel/tasks/fix-cat2.yml#L3046. You set /bin/true while the benchmark checks for /bin/false, and thus it becomes a finding.

Expected Behavior
V-251505 should pass benchmark

Actual Behavior
V-251505 fails benchmark with:

Tests:	
false (All child tests must be true.)
[false (/etc/modprobe.d contains a file that contains 'install usb-storage /bin/false')

Control(s) Affected
V-251505

Environment (please complete the following information):
All below items are N/A, see line link to fix-cat2.yaml...

  • branch being used: [e.g. devel]
  • Ansible Version: [e.g. 2.10]
  • Host Python Version: [e.g. Python 3.7.6]
  • Ansible Server Python Version: [e.g. Python 3.7.6]
  • Additional Details:

Additional Notes
Anything additional goes here

Possible Solution
Enter a suggested fix here

@kfiresmith kfiresmith added the bug Something isn't working label Oct 17, 2024
@uk-bolly
Member

hi @kfiresmith

Thank you for the feedback. This has been a long-standing issue with /bin/false vs /bin/true. Many details allow either when reading specific details; in this case it does ask for /bin/false.
However, with true and false both having the same impact, the difference is purely down to the return code at boot time.
With /bin/false it will return a non-zero return code, meaning that there will be failures logged at boot time (when there shouldn't be, as it is as expected), whereas /bin/true gives a 0 return code, meaning this is desired and expected.
This has been a long-going discussion with STIG and the community; either should be acceptable when it comes to auditing.

I hope that makes sense?

Thanks

uk-bolly
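The thread turns on a literal string match: the V-251505 check looks for `install usb-storage /bin/false` in /etc/modprobe.d, so a role that writes `/bin/true` blocks the module just as effectively but still produces a finding. The audit helper below is an added example, not code from the UBUNTU20-STIG role or its maintainers; it scans a modprobe.d directory (path passed as an argument, defaulting to /etc/modprobe.d) and reports which of the two directives is present so the cause of a finding is visible, using constructed sample files for the demo.

```shell
#!/bin/sh
# Added audit helper (not part of the ansible-lockdown UBUNTU20-STIG role).
# Mirrors the V-251505 benchmark check: an 'install usb-storage /bin/false'
# line in some /etc/modprobe.d/*.conf file passes; the /bin/true variant is
# reported separately because it blocks the module but fails the string match.

# Print one of: compliant | finding-bin-true | not-blocked
usb_storage_status() {
    dir="${1:-/etc/modprobe.d}"
    # modprobe only reads *.conf; tolerate extra whitespace, skip commented lines.
    pat='^[[:space:]]*install[[:space:]]+usb-storage[[:space:]]+'
    if grep -qsE "${pat}/bin/false([[:space:]]|$)" "$dir"/*.conf; then
        echo compliant
    elif grep -qsE "${pat}/bin/true([[:space:]]|$)" "$dir"/*.conf; then
        echo finding-bin-true
    else
        echo not-blocked
    fi
}

# Constructed fixture: a temporary modprobe.d holding one given directive line.
make_fixture() {
    d=$(mktemp -d)
    printf '# constructed sample file\n%s\n' "$1" > "$d/usb-storage.conf"
    echo "$d"
}

# Stand-alone demo: the role's current line, the benchmark's expected line,
# and a commented-out line (which modprobe ignores and so must not count).
for line in 'install usb-storage /bin/true' \
            'install usb-storage /bin/false' \
            '# install usb-storage /bin/false'; do
    d=$(make_fixture "$line")
    printf '%-36s -> %s\n' "$line" "$(usb_storage_status "$d")"
    rm -rf "$d"
done
```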
