Problem
The windows_manage_stig_only_rules and windows_manage_cis_only_rules parameters do not correctly filter which compliance rules are executed. When passing a list of specific V-IDs/rule IDs, ALL rules execute instead of only the specified ones.
Root Causes
Three distinct bugs were identified:
1. CIS Role: Missing `| list` filter (Jinja2 generator issue)

```jinja
# Bug: select() returns a generator, length on generator returns 0
select('match', '^2\.2\.') | length > 0
# Fix: Convert generator to list first
select('match', '^2\.2\.') | list | length > 0
```

File: roles/windows_manage_cis/tasks/main.yml (8 occurrences)

2. STIG Role: Missing only_rules filter on AUDIT and Record tasks
The SCORED tasks had the filter, but AUDIT-Get and Record tasks looped through ALL controls regardless of the filter parameter.
Files: All 6 STIG task files
3. STIG Role: Record tasks append entire matrix on each loop iteration

```yaml
# Bug: Each iteration appends ALL items (17 iterations × 40 items = 680 records)
windows_manage_stig_results: "{{ results + (ALL_ITEMS | map('combine', {...}) | list) }}"
loop: "{{ ALL_ITEMS }}"
# Fix: Append only current item (17 iterations × 1 item = 17 records)
windows_manage_stig_results: "{{ results + [current_item | combine({...})] }}"
```

Files: All 6 STIG task files
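The three fixes above come together in the following stand-alone play. It is an added example, not code from the windows_manage_stig or windows_manage_cis roles: the control matrix, the `vulnerability_id`/`title`/`status` fields and the fact names `stig_selected_controls` and `cis_section_2_2_requested` are constructed for illustration. It shows the only_rules list narrowing the loop (falling back to the full matrix when the list is empty), one result appended per iteration rather than the whole matrix, and the `| list` conversion before `length` on the CIS prefix match; the final `assert` checks the counts the fix is meant to guarantee.

```yaml
# Added example (not the role's own code): a stand-alone Ansible play that
# exercises the corrected filtering pattern. The variable names, the sample
# control matrix and the 'status' field are constructed for illustration.
- name: Demonstrate only_rules filtering and per-item result recording
  hosts: localhost
  gather_facts: false
  vars:
    # Constructed inputs. An empty list means "run everything" (backward compatible).
    windows_manage_stig_only_rules: ["V-0001", "V-0003"]
    windows_manage_cis_only_rules: ["2.2.4", "9.1.1"]
    stig_controls:
      - { vulnerability_id: "V-0001", title: "Sample control one" }
      - { vulnerability_id: "V-0002", title: "Sample control two" }
      - { vulnerability_id: "V-0003", title: "Sample control three" }
  tasks:
    - name: Select the controls to evaluate (all of them when only_rules is empty)
      ansible.builtin.set_fact:
        stig_selected_controls: >-
          {{ (stig_controls
              | selectattr('vulnerability_id', 'in', windows_manage_stig_only_rules)
              | list)
             if (windows_manage_stig_only_rules | default([]) | length > 0)
             else stig_controls }}

    # Append only the current item; appending the whole matrix here is the
    # 17 x 40 = 680 records bug described above.
    - name: Record exactly one result per selected control
      ansible.builtin.set_fact:
        windows_manage_stig_results: >-
          {{ windows_manage_stig_results | default([])
             + [item | combine({'status': 'audited'})] }}
      loop: "{{ stig_selected_controls }}"
      loop_control:
        label: "{{ item.vulnerability_id }}"

    # select() yields a generator; convert with list before taking its length.
    - name: Decide whether any CIS section 2.2 rule was requested
      ansible.builtin.set_fact:
        cis_section_2_2_requested: >-
          {{ (windows_manage_cis_only_rules | default([]) | length == 0)
             or (windows_manage_cis_only_rules | select('match', '^2\.2\.') | list | length > 0) }}

    - name: Check the counts the fix is meant to guarantee
      ansible.builtin.assert:
        that:
          - stig_selected_controls | map(attribute='vulnerability_id') | list == ['V-0001', 'V-0003']
          - windows_manage_stig_results | length == 2
          - cis_section_2_2_requested | bool
        fail_msg: "Filtering or recording regressed"
```

Run it with `ansible-playbook only_rules_demo.yml` (any file name works); set `windows_manage_stig_only_rules: []` to confirm that all three sample controls are selected and three results are recorded, which is the backward-compatible behaviour the fix preserves.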
Files Changed

| File | Changes |
|------|---------|
| roles/windows_manage_cis/tasks/main.yml | Add `list` filter before `length` (8 occurrences) |
| roles/windows_manage_stig/tasks/account_policies.yml | Add filter to AUDIT-Get and Record tasks; fix Record logic |
| roles/windows_manage_stig/tasks/audit_policies.yml | Add filter to SCORED and Record tasks; fix Record logic |
| roles/windows_manage_stig/tasks/registry_settings.yml | Add filter to AUDIT-Get and Record tasks; fix Record logic |
| roles/windows_manage_stig/tasks/security_options.yml | Add filter to AUDIT-Get and Record tasks; fix Record logic |
| roles/windows_manage_stig/tasks/system_services.yml | Add filter to AUDIT-Get and Record tasks; fix Record logic |
| roles/windows_manage_stig/tasks/user_rights_assignment.yml | Add filter to AUDIT-Get and Record tasks; fix Record logic |

Backward Compatibility
Fully preserved. When only_rules is empty or undefined, all controls execute as before.