ansible-role-rhel9-cis vs. issues with password/authselect hardening

[TomKristenHansen]

Description of problem:

When we are running playbook ansible-role-rhel9-cis we have to exclude following to have a complete run;

   accounts_password_pam_pwhistory_remember_password_auth: false
   accounts_password_pam_pwhistory_remember_system_auth: false
   accounts_password_pam_retry: false
   accounts_password_set_max_life_existing: false
   accounts_passwords_pam_faillock_deny: false
   accounts_passwords_pam_faillock_unlock_time: false
   no_empty_passwords_etc_shadow: false
   set_password_hashing_algorithm_passwordauth: false
   set_password_hashing_algorithm_systemauth: false

Typically we get error as following; fatal: [ilp-gif-test01]: FAILED! => {"msg": "The conditional check 'authselect_current_profile is not match(\"custom/\")' failed. The error was: error while evaluating conditional (authselect_current_profile is not match(\"custom/\")): 'authselect_current_profile' is undefined\n\nThe error appears to be in '/mnt/share-gjk/et1119/ansible_hansen/RedHatOfficial_rhel9_cis_0.1.64/roles/RedHatOfficial.rhel9_cis/tasks/main.yml': line 1285, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n - authselect_current_profile is not match(\"custom/\")\n - name: 'Limit Password Reuse: password-auth - Check if any custom profile with the same name was already created'\n ^ here\nThis one looks easy to fix. It seems that there is a value started\nwith a quote, and the YAML parser is expecting to see the line ended\nwith the same kind of quote. For instance:\n\n when: \"ok\" in result.stdout\n\nCould be written as:\n\n when: '\"ok\" in result.stdout'\n\nOr equivalently:\n\n when: \"'ok' in result.stdout\"\n"}

SCAP Security Guide Version:

Operating System Version:

RHEL 9.2 x86_64

Steps to Reproduce:

1. 2. 3. 4.

Actual Results:

Expected Results:

Additional Information/Debugging Steps:

[marcusburghardt]

RedHatOfficial.rhel9_cis is currently aligned to 0.1.68 which includes many updates. Could you confirm the issue is resolved, please?

[TomKristenHansen]

Thank you for feedback!

I will do a test during this week, and share the result!

[TomKristenHansen]

I have now tested 0.1.68 and 0.1.69, and it looks better, i now only have to exclude following play to complete without errors; "accounts_password_set_max_life_existing" / ( accounts_password_set_max_life_existing: false )

Following error; TASK [RedHatOfficial.rhel9_cis : Change the maximum time period between password changes] ** failed: [ilp-gif-test01] (item=root) => {"ansible_loop_var": "item", "changed": false, "item": "root", "msg": "Unsupported parameters for (ansible.builtin.user) module: password_expire_max Supported parameters include: append, authorization, comment, create_home, expires, force, generate_ssh_key, group, groups, hidden, home, local, login_class, move_home, name, non_unique, password, password_lock, profile, remove, role, seuser, shell, skeleton, ssh_key_bits, ssh_key_comment, ssh_key_file, ssh_key_passphrase, ssh_key_type, state, system, uid, update_password"}

PLAY RECAP ***** ilp-gif-test01 : ok=209 changed=13 unreachable=0 failed=1 skipped=246 rescued=0 ignored=0

[TomKristenHansen]

I have also discovered here after several executions, that just sub part of role is executed without understanding why. E.g. following plays are not executed;

• sshd_enable_pam
• sshd_enable_warning_banner_net
• sshd_set_max_auth_tries
• mount_option_home_nodev
• mount_option_home_suid
• etc...

Command for executing playbook; ansible-playbook_ -i "ilp-gif-test01," playbook_rhel9_cis.yml

Playbook content; `- hosts: ilp-gif-test01 become: true roles:

• role: RedHatOfficial.rhel9_cis

  ------------------------------------------------------------------

  Variables

  ------------------------------------------------------------------

  var_accounts_maximum_age_login_defs: '365' var_accounts_minimum_age_login_defs: '7' var_accounts_password_warn_age_login_defs: '30' var_authselect_profile: minimal var_multiple_time_servers: 0.ntp.cosng.net,1.ntp.cosng.net,2.ntp.cosng.net,3.ntp.cosng.net,4.ntp.cosng.net,5.ntp.cosng.net,6.ntp.cosng.net,7.ntp.cosng.net,8.ntp.cosng.net var_password_pam_minlen: '20'

  ------------------------------------------------------------------

  Exclude - audit/auditd

  ------------------------------------------------------------------

  audit_rules_dac_modification_chmod: false audit_rules_dac_modification_chown: false audit_rules_dac_modification_fchmod: false audit_rules_dac_modification_fchmodat: false audit_rules_dac_modification_fchown: false audit_rules_dac_modification_fchownat: false audit_rules_dac_modification_fremovexattr: false audit_rules_dac_modification_fsetxattr: false audit_rules_dac_modification_lchown: false audit_rules_dac_modification_lremovexattr: false audit_rules_dac_modification_lsetxattr: false audit_rules_dac_modification_removexattr: false audit_rules_dac_modification_setxattr: false audit_rules_execution_chacl: false audit_rules_execution_chcon: false audit_rules_execution_setfacl: false audit_rules_file_deletion_events_rename: false audit_rules_file_deletion_events_renameat: false audit_rules_file_deletion_events_unlink: false audit_rules_file_deletion_events_unlinkat: false audit_rules_immutable: false audit_rules_kernel_module_loading_create: false audit_rules_kernel_module_loading_delete: false audit_rules_kernel_module_loading_finit: false audit_rules_kernel_module_loading_init: false audit_rules_kernel_module_loading_query: false audit_rules_login_events_faillock: false audit_rules_login_events_lastlog: false audit_rules_mac_modification: false audit_rules_mac_modification_usr_share: false audit_rules_media_export: false audit_rules_networkconfig_modification: false audit_rules_privileged_commands: false audit_rules_privileged_commands_kmod: false audit_rules_privileged_commands_usermod: false audit_rules_session_events: false audit_rules_suid_auid_privilege_function : false audit_rules_sysadmin_actions: false audit_rules_time_adjtimex: false audit_rules_time_clock_settime: false audit_rules_time_settimeofday: false audit_rules_time_stime: false audit_rules_time_watch_localtime: false audit_rules_unsuccessful_file_modification_creat: false audit_rules_unsuccessful_file_modification_ftruncate: false audit_rules_unsuccessful_file_modification_open: false audit_rules_unsuccessful_file_modification_openat: false audit_rules_unsuccessful_file_modification_truncate: false audit_rules_usergroup_modification_group: false audit_rules_usergroup_modification_gshadow: false audit_rules_usergroup_modification_opasswd: false audit_rules_usergroup_modification_passwd: false audit_rules_usergroup_modification_shadow: false audit_sudo_log_events: false auditd_data_retention_action_mail_acct: false auditd_data_retention_admin_space_left_action: false auditd_data_retention_max_log_file: false auditd_data_retention_max_log_file_action: false auditd_data_retention_space_left_action: false

  ------------------------------------------------------------------

  Exclude - banner text

  ------------------------------------------------------------------

  banner_etc_issue: false banner_etc_issue_net: false banner_etc_motd: false

  ------------------------------------------------------------------

  Exclude - firewalld

  ------------------------------------------------------------------

  service_firewalld_enabled: false

  ------------------------------------------------------------------

  Exclude - sudo

  ------------------------------------------------------------------

  sudo_require_authentication: false sudo_require_reauthentication: false

  ------------------------------------------------------------------

  Exclude - failing module in RedHatOfficial_rhel9_cis_0.1.68

  ------------------------------------------------------------------

  accounts_password_set_max_life_existing: false'

Any idea why not all plays are executed like in version 0.1.67?

[TomKristenHansen]

After some more testing, since we do not use firewalld as service, I was able to run a successful playbook by changing this;

from: service_firewalld_enabled: false

to: firewalld_loopback_traffic_restricted : false firewalld_loopback_traffic_trusted: false service_firewalld_enabled: false

Wish it could be more clear error messages :-)