ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Ansible remediation on Ubuntu looks for wrong PAM files #11817

Open naugler opened 7 months ago

naugler commented 7 months ago

Description of problem:

Fatal error when executing ansible-playbook on Ubuntu 20.04 with ubuntu2004-playbook-stig.yml: error while evaluating conditional (result_pam_faillock_is_enabled.found == 0): 'dict object' has no attribute 'found'

/etc/pam.d/system-auth does not exist; I think Ubuntu uses /etc/pam.d/common-auth instead? /etc/pam.d/password-auth does not exist; I think Ubuntu uses /etc/pam.d/common-password instead?

SCAP Security Guide Version:

0.1.72

Operating System Version:

Ubuntu 20.04

Steps to Reproduce:

  1. ansible-playbook -i localhost, -c local /opt/ssg/ansible/ubuntu2004-playbook-stig.yml

Actual Results:

TASK [Account Lockouts Must Be Logged - Check if pam_faillock.so is already enabled] ****
ok: [localhost]

TASK [Account Lockouts Must Be Logged - Enable pam_faillock.so preauth editing PAM files] ****
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'result_pam_faillock_is_enabled.found == 0' failed. The error was: error while evaluating conditional (result_pam_faillock_is_enabled.found == 0): 'dict object' has no attribute 'found'\n\nThe error appears to be in '/opt/ssg/ansible/ubuntu2004-playbook-stig.yml': line 767, column 9, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n      - name: Account Lockouts Must Be Logged - Enable pam_faillock.so preauth editing\n        ^ here\n"}

Expected Results:

task success

Additional Information/Debugging Steps:

authselect tool is not present

ansible [core 2.12.10]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.10 (default, Nov 22 2023, 10:22:35) [GCC 9.4.0]
  jinja version = 2.10.1
  libyaml = True
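The failure above is the conditional reading `.found` from a registered result that has no such key. Assuming the check task is a check-mode `ansible.builtin.lineinfile` with `state: absent` (the playbook's task body is not shown in this issue), that module returns `found` (the count of matching lines) only when the file exists; when the path is missing it exits early with just a message, so the key is absent and the next task's `when` blows up. The playbook below is an added example, not code from ComplianceAsCode or its STIG playbook: it picks the PAM file by OS family (the Debian path `/etc/pam.d/common-auth`, the variable names and the preauth line are assumptions for illustration), stats the file before touching it, and defaults `found` to 0 so the conditional evaluates even when the check was skipped.

```yaml
# Added example, not ComplianceAsCode content: guard a pam_faillock
# presence check so a missing PAM file cannot break the conditional.
- hosts: localhost
  connection: local
  become: true
  vars:
    # Assumed per-family PAM auth file: Debian/Ubuntu use common-auth,
    # RHEL-like systems use system-auth.
    pam_auth_file: >-
      {{ '/etc/pam.d/common-auth' if ansible_facts['os_family'] == 'Debian'
         else '/etc/pam.d/system-auth' }}
  tasks:
    - name: Check whether the PAM auth file exists
      ansible.builtin.stat:
        path: "{{ pam_auth_file }}"
      register: pam_auth_stat

    # check_mode + state: absent makes lineinfile report how many lines
    # match without removing anything; 'found' is only set if the file exists.
    - name: Check if pam_faillock.so is already enabled (check mode, no change)
      ansible.builtin.lineinfile:
        path: "{{ pam_auth_file }}"
        regexp: '^\s*auth\s+.*pam_faillock\.so\s+(preauth|authfail)'
        state: absent
      check_mode: true
      changed_when: false
      register: result_pam_faillock_is_enabled
      when: pam_auth_stat.stat.exists

    # Illustrative remediation line (assumption, not the STIG rule's exact
    # text): insert preauth before the first pam_unix.so auth entry.
    - name: Enable pam_faillock.so preauth
      ansible.builtin.lineinfile:
        path: "{{ pam_auth_file }}"
        insertbefore: '^\s*auth\s+.*pam_unix\.so'
        firstmatch: true
        line: 'auth        required      pam_faillock.so preauth silent'
      when:
        - pam_auth_stat.stat.exists
        - (result_pam_faillock_is_enabled.found | default(0)) == 0
```

Running this with `ansible-playbook -i localhost, -c local` on a host where the chosen PAM file is missing skips both the check and the remediation instead of failing; on Ubuntu the `stat` result also tells you directly which path the playbook resolved, which is the first thing to verify when porting the RHEL-oriented tasks.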
dodys commented 7 months ago

Ansible remediation is not supported by Canonical; therefore it is known that many rules fail because of missing proper Ansible scripts. If you have the time and are looking to contribute, please submit pull requests.