ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

ansible-role-rhel8-cis fails to apply with issues with "Limit Password Reuse: password-auth" #10757

Open matthewmgamble opened 1 year ago

matthewmgamble commented 1 year ago

Description of problem:

TASK [RedHatOfficial.rhel8_cis : Limit Password Reuse: password-auth - Check if any custom profile with the same name was already created] *****
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'authselect_current_profile is not match(\"custom/\")' failed. The error was: error while evaluating conditional (authselect_current_profile is not match(\"custom/\")): 'authselect_current_profile' is undefined. 'authselect_current_profile' is undefined\n\nThe error appears to be in '/root/.ansible/roles/RedHatOfficial.rhel8_cis/tasks/main.yml': line 2179, column 11, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n - authselect_current_profile is not match(\"custom/\")\n - name: \"Limit Password Reuse: password-auth - Check if any custom profile with the same name was already created\"\n ^ here\nThis one looks easy to fix. It seems that there is a value started\nwith a quote, and the YAML parser is expecting to see the line ended\nwith the same kind of quote. For instance:\n\n when: \"ok\" in result.stdout\n\nCould be written as:\n\n when: '\"ok\" in result.stdout'\n\nOr equivalently:\n\n when: \"'ok' in result.stdout\"\n"}

SCAP Security Guide Version:

Latest version from GitHub

Operating System Version:

RHEL 8.8

Steps to Reproduce:

  1. execute command ansible-galaxy install RedHatOfficial.rhel8_cis
  2. create a basic playbook that contains the role:
  3. check playbook with command ansible-playbook -i "localhost," -c local --check playbook.yml
  4. Failure

Actual Results:

See error message above - command fails to execute due to an unset variable, but reading the YAML file it appears the variable should be set.

Expected Results:

Profile should apply without errors

Additional Information/Debugging Steps:

marcusburghardt commented 1 year ago

RedHatOfficial.rhel8_cis is currently aligned to 0.1.68 which includes many updates. Could you confirm the issue is resolved, please?

myMarck commented 1 year ago

I have the same error on RedHat 8.8 and it is not resolved with 0.1.68

marcusburghardt commented 1 year ago

> I have the same error on RedHat 8.8 and it is not resolved with 0.1.68

Thanks for the update. I will take a look at this.

marcusburghardt commented 1 year ago

I can reproduce this issue. The relevant rule here is accounts_password_pam_pwhistory_remember_password_auth. I will investigate the cause.

marcusburghardt commented 1 year ago

The issue may be related to https://github.com/ComplianceAsCode/content/pull/11117 and https://github.com/ComplianceAsCode/content/issues/11104