ansible-lockdown / RHEL8-CIS

Ansible role for Red Hat 8 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

fatal error in 4.4.2.3 | AUDIT | Ensure pam_pwquality module is enabled: 'rhel8cis_pwquality_enabled' is undefined #397

Closed dirkvdplas closed 2 months ago

dirkvdplas commented 3 months ago

Describe the Issue: I experience a fatal error on task 4.4.2.3 | AUDIT | Ensure pam_pwquality module is enabled.

Expected Behavior: I expect the role to continue without errors.

Actual Behavior: I started the role as follows:

ansible-playbook -i ../hosts_acc -l myhost.local -e '{ "rhel8cis_level_2": false, "rhel8cis_rule_1_2_2": false, "rhel8cis_rule_1_2_3": false, "rhel8cis_disruption_high": true }' roles/RHEL8-CIS/site.yml -K -t rhel8cis_section4,rhel8cis_section6

fatal: [myhost.local]: FAILED! => {"changed": false, "cmd": "grep -P -- '\bpam_pwquality\.so\b' /etc/pam.d/{password,system}-auth\n", "delta": "0:00:00.005387", "end": "2024-07-17 17:46:34.586817", "failed_when_result": "The conditional check 'rhel8cis_pwquality_enabled.rc not in [ 0, 1 ]' failed. The error was: error while evaluating conditional (rhel8cis_pwquality_enabled.rc not in [ 0, 1 ]): 'rhel8cis_pwquality_enabled' is undefined. 'rhel8cis_pwquality_enabled' is undefined", "msg": "", "rc": 0, "start": "2024-07-17 17:46:34.581430", "stderr": "", "stderr_lines": [], "stdout": "/etc/pam.d/password-auth:password requisite pam_pwquality.so local_users_only\n/etc/pam.d/system-auth:password requisite pam_pwquality.so local_users_only", "stdout_lines": ["/etc/pam.d/password-auth:password requisite pam_pwquality.so local_users_only", "/etc/pam.d/system-auth:password requisite

Control(s) Affected: 4.4.2.3

Environment (please complete the following information):

Additional Notes: The variable rhel8cis_pwquality_enabled is missing completely.

Possible Solution: Sorry, I am lacking expert knowledge to present a solution.

dirkvdplas commented 3 months ago

Thanks. I spotted another typo with variable rhel8cis_authselect_pam_unix => discovered_authselect_pam_unix. Can you correct that one as well?

uk-bolly commented 3 months ago

> Thanks. I spotted another typo with variable rhel8cis_authselect_pam_unix => discovered_authselect_pam_unix. Can you correct that one as well?

Superb, consider it done. Not sure how I didn't catch that one.

Thank you again

uk-bolly

uk-bolly commented 2 months ago

Hi @dirkvdplas

Thank you again for your time regarding this issue. You should find that this fix was merged into devel and is now in the main branch. I will close this issue; please feel free to reopen if this is not resolved as expected.

Many thanks

uk-bolly
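The failure reported in this thread, a `failed_when` that reads `.rc` from a variable no task registers, can be caught before a run with a small static check. The following is an added example, not code from the RHEL8-CIS role: the task text in `SAMPLE` is constructed, and the register name `discovered_pwquality_enabled` is an assumption modelled on the `discovered_` prefix mentioned above.

```python
import re

# Attributes Ansible sets on a registered command/shell result.
RESULT_ATTR = re.compile(
    r"\b([A-Za-z_]\w*)\.(?:rc|stdout_lines|stderr_lines|stdout|stderr)\b")
REGISTER = re.compile(r"^\s*register:\s*([A-Za-z_]\w*)\s*$", re.M)
TASK_NAME = re.compile(r"^\s*-\s+name:\s*(.+?)\s*$")
IGNORED = {"item"}  # loop variable, never registered by a task

# Constructed task file reproducing the mismatch from the error message.
SAMPLE = r'''
- name: "4.4.2.3 | AUDIT | Ensure pam_pwquality module is enabled"
  ansible.builtin.shell: grep -P -- '\bpam_pwquality\.so\b' /etc/pam.d/{password,system}-auth
  register: discovered_pwquality_enabled
  changed_when: false
  failed_when: rhel8cis_pwquality_enabled.rc not in [ 0, 1 ]

- name: "Constructed follow-up task"
  ansible.builtin.debug:
    msg: "pam_pwquality present"
  when: discovered_pwquality_enabled.rc == 0
'''

def find_unregistered_refs(tasks_yaml):
    """Return (line, task name, variable) for every result-attribute
    reference whose variable is not registered anywhere in the file."""
    registered = set(REGISTER.findall(tasks_yaml))
    findings = []
    task = "<unnamed>"
    for lineno, line in enumerate(tasks_yaml.splitlines(), 1):
        name = TASK_NAME.match(line)
        if name:
            task = name.group(1).strip("\"'")
            continue
        if line.lstrip().startswith("#"):
            continue
        for var in RESULT_ATTR.findall(line):
            if var not in registered and var not in IGNORED:
                findings.append((lineno, task, var))
    return findings

if __name__ == "__main__":
    for lineno, task, var in find_unregistered_refs(SAMPLE):
        print(f"line {lineno}: task '{task}' reads '{var}' but nothing registers it")
```

The check is text-based and per file, so variables registered in another task file or set with `set_fact` would need to be added to the registered set to avoid false positives.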