ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

`accounts_password_pam_unix_remember` ansible remediation errors after `argument_missing.fail.sh` test #9141

Closed mildas closed 2 years ago

mildas commented 2 years ago

Description of problem:

The accounts_password_pam_unix_remember Ansible remediation returns code 2 after the argument_missing.fail.sh test scenario.

SCAP Security Guide Version:

11974e4

Operating System Version:

RHEL 7.9

Steps to Reproduce:

  1. `python3 tests/test_suite.py rule --libvirt qemu:///session test-suite-rhel7 --datastream build/ssg-rhel7-ds.xml --remediate-using ansible --no-report accounts_password_pam_unix_remember`

Actual Results:

```
INFO - xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
INFO - Script argument_missing.fail.sh using profile (all) OK
ERROR - Ansible playbook remediation run has exited with return code 2 instead of expected 0
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember'.
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
```

Expected Results:

No errors

Additional Information/Debugging Steps:

I was not able to reproduce it on my own VM, but the failed test run contains this output:

```
TASK [Limit Password Reuse - Check if required PAM module line is present in /etc/pam.d/system-auth with different control] ***
ok: [192.168.122.220] => {"backup": "", "changed": false, "found": 0, "msg": ""}

TASK [Limit Password Reuse - Ensure the correct control for the required PAM module line in /etc/pam.d/system-auth] ***
skipping: [192.168.122.220] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [Limit Password Reuse - Ensure the required PAM module line is included in /etc/pam.d/system-auth] ***
changed: [192.168.122.220] => {"backup": "", "changed": true, "msg": "line added"}

TASK [Limit Password Reuse - Ensure the authselect custom profile changes are applied after module line changes] ***
fatal: [192.168.122.220]: FAILED! => {"changed": false, "cmd": "authselect apply-changes -b --backup=after-hardening-pam_pwhistory.so.backup", "msg": "[Errno 2] No such file or directory", "rc": 2}
```

marcusburghardt commented 2 years ago

This was fixed by https://github.com/ComplianceAsCode/content/pull/9128. Is it possible to repeat the test with the current master? The PR was merged on Tuesday (12.07.2022).

mildas commented 2 years ago

We will test it in the next productization run in 2 days and close it if it's fine there.

yuumasato commented 2 years ago

I haven't seen this issue.