Closed jan-cerny closed 2 years ago
The same error happens also with all CIS, CUI, HIPAA, ISM_O profiles on both RHEL 8 and 9.
The issue is also affecting the execution of the "profile" mode of Automatúš, for many different profiles. Here is one example:
:: [ 08:54:12 ] :: [ BEGIN ] :: xccdf_org.ssgproject.content_profile_cis_workstation_l2 profile Ansible remediation test :: actually running 'python3 /tmp/tmp.UPAQUHcUPw/rpmbuild/BUILD/scap-security-guide-0.1.63/tests/test_suite.py profile --libvirt qemu:///system test_suite_vm --datastream /tmp/ssg-rhel9-ds.xml --xccdf-id scap_org.open-scap_cref_ssg-rhel9-xccdf-1.2.xml --mode online --remediate-using ansible xccdf_org.ssgproject.content_profile_cis_workstation_l2'
WARNING - You call Automatus using the legacy 'test_suite.py' script, use the 'automatus.py' instead
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /tmp/tmp.UPAQUHcUPw/logs/profile-custom-2022-06-25-0854/test_suite.log
INFO - Evaluation of the profile has passed: xccdf_org.ssgproject.content_profile_cis_workstation_l2 (initial stage).
ERROR - Ansible playbook remediation run has exited with return code 2 instead of expected 0
ERROR - Evaluation of the profile has failed: xccdf_org.ssgproject.content_profile_cis_workstation_l2 (remediation stage).
INFO - Rebooting domain 'test_suite_vm' before final scan.
INFO - Waiting for 30 seconds to let the system finish startup.
INFO - Evaluation of the profile has passed: xccdf_org.ssgproject.content_profile_cis_workstation_l2 (final stage).
WARNING - You call Automatus using the legacy 'test_suite.py' script, use the 'automatus.py' instead
Setting console output to log level INFO
If we take a look at the generated remediation verbose log, we see the same fatal failure with authselect as in this issue description.
This is very similar to https://github.com/ComplianceAsCode/content/issues/8741
Caused by #8250 - enable_authselect must have Ansible remediation implemented. Without the remediation, it is not possible to remediate any PAM rule.
@matejak fyi
This issue still persists; during the last weekly productization run ALL RHEL8 Playbooks aborted. Among the affected profiles are ANSSI (all 4 levels), CIS (both levels and both workstation and server), PCI-DSS, OSPP and STIG.
Example log from RHEL8 ANSSI minimal:
TASK [Select authselect profile] ***********************************************
fatal: [192.168.122.57]: FAILED! => {"changed": true, "cmd": ["authselect", "select", "sssd"], "delta": "0:00:00.025235", "end": "2022-07-02 06:32:09.315522", "msg": "non-zero return code", "rc": 4, "start": "2022-07-02 06:32:09.290287", "stderr": "[error] File [/etc/pam.d/system-auth] exists but it needs to be overwritten!\n[error] File [/etc/pam.d/password-auth] exists but it needs to be overwritten!\n[error] File [/etc/pam.d/fingerprint-auth] exists but it needs to be overwritten!\n[error] File [/etc/pam.d/smartcard-auth] exists but it needs to be overwritten!\n[error] File [/etc/pam.d/postlogin] exists but it needs to be overwritten!\n[error] File [/etc/nsswitch.conf] exists but it needs to be overwritten!\n[error] File that needs to be overwritten was found\n[error] Refusing to activate profile unless this file is removed or overwrite is requested.\n\nSome unexpected changes to the configuration were detected.\nUse --force parameter if you want to overwrite these changes.", "stderr_lines": ["[error] File [/etc/pam.d/system-auth] exists but it needs to be overwritten!", "[error] File [/etc/pam.d/password-auth] exists but it needs to be overwritten!", "[error] File [/etc/pam.d/fingerprint-auth] exists but it needs to be overwritten!", "[error] File [/etc/pam.d/smartcard-auth] exists but it needs to be overwritten!", "[error] File [/etc/pam.d/postlogin] exists but it needs to be overwritten!", "[error] File [/etc/nsswitch.conf] exists but it needs to be overwritten!", "[error] File that needs to be overwritten was found", "[error] Refusing to activate profile unless this file is removed or overwrite is requested.", "", "Some unexpected changes to the configuration were detected.", "Use --force parameter if you want to overwrite these changes."], "stdout": "", "stdout_lines": []}
...ignoring
TASK [Verify if PAM has been altered] ******************************************
fatal: [192.168.122.57]: FAILED! => {"changed": true, "cmd": ["rpm", "-qV", "pam"], "delta": "0:00:00.221651", "end": "2022-07-02 06:32:10.250004", "msg": "non-zero return code", "rc": 1, "start": "2022-07-02 06:32:10.028353", "stderr": "", "stderr_lines": [], "stdout": "missing /run/motd.d", "stdout_lines": ["missing /run/motd.d"]}
...ignoring
TASK [Informative message based on the authselect integrity check] *************
fatal: [192.168.122.57]: FAILED! => {
    "assertion": "result_altered_authselect is success",
    "changed": false,
    "evaluated_to": false,
    "msg": [
        "Files in the 'pam' package have been altered, so the authselect configuration won't be forced."
    ]
}
PLAY RECAP *********************************************************************
192.168.122.57 : ok=24 changed=8 unreachable=0 failed=1 skipped=0 rescued=0 ignored=2
Most of the RHEL9 Playbooks finished successfully:
RHEL9 OSPP playbook:
TASK [Enable timer dnf-automatic] **********************************************
changed: [192.168.122.104]
TASK [Select authselect profile] ***********************************************
fatal: [192.168.122.104]: FAILED! => {"changed": true, "cmd": ["authselect", "select", "sssd"], "delta": "0:00:00.023592", "end": "2022-07-02 08:46:29.421263", "msg": "non-zero return code", "rc": 4, "start": "2022-07-02 08:46:29.397671", "stderr": "[error] File [/etc/pam.d/system-auth] exists but it needs to be overwritten!\n[error] File [/etc/pam.d/password-auth] exists but it needs to be overwritten!\n[error] File [/etc/pam.d/fingerprint-auth] exists but it needs to be overwritten!\n[error] File [/etc/pam.d/smartcard-auth] exists but it needs to be overwritten!\n[error] File [/etc/pam.d/postlogin] exists but it needs to be overwritten!\n[error] File [/etc/nsswitch.conf] exists but it needs to be overwritten!\n[error] File that needs to be overwritten was found\n[error] Refusing to activate profile unless this file is removed or overwrite is requested.\n\nSome unexpected changes to the configuration were detected.\nUse --force parameter if you want to overwrite these changes.", "stderr_lines": ["[error] File [/etc/pam.d/system-auth] exists but it needs to be overwritten!", "[error] File [/etc/pam.d/password-auth] exists but it needs to be overwritten!", "[error] File [/etc/pam.d/fingerprint-auth] exists but it needs to be overwritten!", "[error] File [/etc/pam.d/smartcard-auth] exists but it needs to be overwritten!", "[error] File [/etc/pam.d/postlogin] exists but it needs to be overwritten!", "[error] File [/etc/nsswitch.conf] exists but it needs to be overwritten!", "[error] File that needs to be overwritten was found", "[error] Refusing to activate profile unless this file is removed or overwrite is requested.", "", "Some unexpected changes to the configuration were detected.", "Use --force parameter if you want to overwrite these changes."], "stdout": "", "stdout_lines": []}
...ignoring
TASK [Verify if PAM has been altered] ******************************************
changed: [192.168.122.104]
TASK [Informative message based on the authselect integrity check] *************
ok: [192.168.122.104] => {
    "changed": false,
    "msg": "All assertions passed"
}
TASK [Force authselect profile select] *****************************************
changed: [192.168.122.104]
TASK [Gather the package facts] ************************************************
ok: [192.168.122.104]
TASK [Check if system relies on authselect] ************************************
ok: [192.168.122.104]
TASK [Check the integrity of the current authselect profile] *******************
ok: [192.168.122.104]
TASK [Informative message based on the authselect integrity check result] ******
ok: [192.168.122.104] => {
    "changed": false,
    "msg": [
        "authselect integrity check passed"
    ]
}
TASK [Get authselect current profile] ******************************************
ok: [192.168.122.104]
TASK [Define the current authselect profile as a local fact] *******************
skipping: [192.168.122.104]
TASK [Define the new authselect custom profile as a local fact] ****************
ok: [192.168.122.104]
TASK [Get authselect current features to also enable them in the custom profile] ***
ok: [192.168.122.104]
TASK [Check if any custom profile with the same name was already created in the past] ***
ok: [192.168.122.104]
TASK [Create a custom profile based on the current profile] ********************
changed: [192.168.122.104]
TASK [Ensure the desired configuration is updated in the custom profile] *******
ok: [192.168.122.104] => (item=/etc/authselect/custom/hardening/system-auth)
ok: [192.168.122.104] => (item=/etc/authselect/custom/hardening/password-auth)
But some RHEL9 playbooks failed: RHEL9 STIG:
TASK [Check for expected pam_lastlog.so entry] *********************************
ok: [192.168.122.104]
TASK [Check if system relies on authselect] ************************************
ok: [192.168.122.104]
TASK [Check the integrity of the current authselect profile] *******************
fatal: [192.168.122.104]: FAILED! => {"changed": false, "cmd": ["authselect", "check"], "delta": "0:00:00.009378", "end": "2022-07-02 08:47:25.772406", "msg": "non-zero return code", "rc": 2, "start": "2022-07-02 08:47:25.763028", "stderr": "", "stderr_lines": [], "stdout": "System was not configured with authselect.", "stdout_lines": ["System was not configured with authselect."]}
...ignoring
TASK [Informative message based on the authselect integrity check result] ******
fatal: [192.168.122.104]: FAILED! => {
    "assertion": "result_authselect_check_cmd is success",
    "changed": false,
    "evaluated_to": false,
    "msg": [
        "authselect integrity check failed. Remediation aborted!",
        "This remediation could not be applied because the authselect profile is not intact.",
        "It is not recommended to manually edit the PAM files when authselect is available.",
        "In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
    ]
}
PLAY RECAP *********************************************************************
192.168.122.104 : ok=99 changed=14 unreachable=0 failed=1 skipped=38 rescued=0 ignored=1
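The three failure shapes quoted above (authselect refusing to select a profile because its managed files were modified, rpm -qV reporting a difference in the pam package, and authselect check reporting a host that was never configured with authselect) are easy to misread in a long playbook log. The following triage script is an added example, not part of the issue or of the ComplianceAsCode project: it parses the `fatal:` lines of an Ansible log (one-line or pretty-printed JSON), attributes each to its TASK, and summarises why the authselect step failed. The sample log is constructed from the output in this thread with the JSON fields trimmed.

```python
import json
import re

# A TASK header, or a failed-task line whose JSON result starts right after "=> ".
MARK_RE = re.compile(
    r"^TASK \[(?P<task>.*?)\] \*+$|^fatal: \[(?P<host>[^\]]+)\]: FAILED! => (?=\{)", re.M)

# Constructed sample, condensed from the playbook output quoted in this issue (fields trimmed).
SAMPLE_LOG = r"""
TASK [Select authselect profile] ***********************************************
fatal: [192.168.122.57]: FAILED! => {"changed": true, "cmd": ["authselect", "select", "sssd"], "rc": 4, "stderr": "[error] File [/etc/pam.d/system-auth] exists but it needs to be overwritten!\n[error] File [/etc/nsswitch.conf] exists but it needs to be overwritten!\n[error] Refusing to activate profile unless this file is removed or overwrite is requested.", "stdout": ""}
TASK [Verify if PAM has been altered] ******************************************
fatal: [192.168.122.57]: FAILED! => {"changed": true, "cmd": ["rpm", "-qV", "pam"], "rc": 1, "stderr": "", "stdout": "missing /run/motd.d"}
TASK [Informative message based on the authselect integrity check] *************
fatal: [192.168.122.57]: FAILED! => {
    "assertion": "result_altered_authselect is success", "changed": false, "evaluated_to": false,
    "msg": ["Files in the 'pam' package have been altered, so the authselect configuration won't be forced."]
}
TASK [Check the integrity of the current authselect profile] *******************
fatal: [192.168.122.104]: FAILED! => {"changed": false, "cmd": ["authselect", "check"], "rc": 2, "stderr": "", "stdout": "System was not configured with authselect."}
"""

def parse_failures(log_text):
    """Yield (task, host, result); raw_decode reads exactly one JSON object after '=> ', so one-line and pretty-printed results both work."""
    decoder, task = json.JSONDecoder(), None
    for m in MARK_RE.finditer(log_text):
        if m.group("task") is not None:
            task = m.group("task")
            continue
        result, _ = decoder.raw_decode(log_text, m.end())
        yield task, m.group("host"), result

def classify(result):
    """Turn one failed task result into a one-line triage verdict."""
    cmd, rc = result.get("cmd") or [], result.get("rc")
    out = (result.get("stdout") or "") + "\n" + (result.get("stderr") or "")
    if cmd[:2] == ["authselect", "select"]:
        # rc 4: authselect found its managed files modified and refused to overwrite them
        files = re.findall(r"File \[(\S+)\] exists but it needs to be overwritten", out)
        return (f"authselect refused to select profile {' '.join(cmd[2:])!r} (rc={rc}); "
                f"{len(files)} managed file(s) differ: {', '.join(files)}")
    if cmd[:2] == ["authselect", "check"]:
        # rc 2 with this message: the host was never configured through authselect at all
        return f"authselect integrity check failed (rc={rc}): {out.strip()}"
    if cmd[:2] == ["rpm", "-qV"]:
        return f"rpm -qV {cmd[2]} reported: {out.strip().splitlines()}"
    if "assertion" in result:
        return f"assertion '{result['assertion']}' failed: {' '.join(result.get('msg', []))}"
    return f"unclassified failure (rc={rc})"
```

Run it over a saved playbook log with `for t, h, r in parse_failures(open(path).read()): print(h, t, classify(r))` to get one verdict per failed host and task.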
Description of problem:
During productization test "/CoreOS/scap-security-guide/Sanity/test-ansible-playbook-run ANSSI", the Ansible playbooks abort prematurely due to an error in task "Check the integrity of the current authselect profile". This happens with all 4 ANSSI profiles (minimal, intermediary, enhanced, high).
SCAP Security Guide Version:
scap-security-guide-0.1.63-1.git46faa00.el9.noarch
Operating System Version:
RHEL 9.1.0, RHEL 8.7.0
Steps to Reproduce:
Actual Results:
The play aborts.
Expected Results:
The whole Playbook is executed and completed.
Additional Information/Debugging Steps:
no