Closed dirkvdplas closed 1 month ago
Hi @dirkvdplas,
Thank you for taking the time to raise this issue. There is a slightly newer approach taken for authselect in the new branch august_issues, which I am currently working on. I am hoping this simplifies things and makes it more accessible for all the options that we are aware of. I hope to get this pushed up tomorrow for testing and merge to devel.
Kindest regards,
uk-bolly
Merged to main, new fix. Many thanks.
uk-bolly
**Describe the Issue**
Problem with the pamd module in roles/RHEL8-CIS/tasks/section_4/cis_4.4.3.3.x.yml. Execution of the role breaks on task "4.4.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | authselect_files" when authselect is used. This seems to be related to an open bug in the ansible pam.d module. See: https://github.com/ansible-collections/community.general/issues/5850

**Expected Behavior**
We expect task "4.4.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | authselect_files" to execute successfully under all circumstances.
**Actual Behavior**
Error message:

```text
TASK [/home/user/basic-server/playbooks/roles/RHEL8-CIS : 4.4.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | authselect_files] ***************************************************
changed: [ddu-inc-av001.dns.local] => (item=password)
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AttributeError: 'NoneType' object has no attribute 'group'
failed: [ddu-inc-av001.dns.local] (item=system) => {"ansible_loop_var": "item", "changed": false, "item": "system", "module_stderr": "", "module_stdout": "Traceback (most recent call last):\r\n File \"/home/ansibleremote/.ansible/tmp/ansible-tmp-1721726801.685471-19786-137749426330207/AnsiballZ_pamd.py\", line 107, in <module>\r\n _ansiballz_main()\r\n File \"/home/ansibleremote/.ansible/tmp/ansible-tmp-1721726801.685471-19786-137749426330207/AnsiballZ_pamd.py\", line 99, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/home/ansibleremote/.ansible/tmp/ansible-tmp-1721726801.685471-19786-137749426330207/AnsiballZ_pamd.py\", line 48, in invoke_module\r\n run_name='__main__', alter_sys=True)\r\n File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\r\n return _run_module_code(code, init_globals, run_name, mod_spec)\r\n File \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\r\n mod_name, mod_spec, pkg_name, script_name)\r\n File \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\r\n exec(code, run_globals)\r\n File \"/tmp/ansible_community.general.pamd_payload_gt0ts_4s/ansible_community.general.pamd_payload.zip/ansible_collections/community/general/plugins/modules/pamd.py\", line 853, in <module>\r\n File \"/tmp/ansible_community.general.pamd_payload_gt0ts_4s/ansible_community.general.pamd_payload.zip/ansible_collections/community/general/plugins/modules/pamd.py\", line 791, in main\r\n File \"/tmp/ansible_community.general.pamd_payload_gt0ts_4s/ansible_community.general.pamd_payload.zip/ansible_collections/community/general/plugins/modules/pamd.py\", line 434, in __init__\r\n File \"/tmp/ansible_community.general.pamd_payload_gt0ts_4s/ansible_community.general.pamd_payload.zip/ansible_collections/community/general/plugins/modules/pamd.py\", line 347, in rule_from_string\r\nAttributeError: 'NoneType' object has no attribute 'group'\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
```
**Control(s) Affected**
What controls are being affected by the issue

**Environment (please complete the following information):**

**Additional Notes**
This seems to be related to an open bug in the ansible pam.d module. See: https://github.com/ansible-collections/community.general/issues/5850
Related authselect settings in roles/RHEL8-CIS/defaults/main.yml:

```yaml
rhel8cis_allow_authselect_updates: true
rhel8cis_authselect_pkg_update: false
rhel8cis_authselect_custom_profile_create: true
rhel8cis_authselect_custom_profile_select: true
rhel8cis_authselect:
  custom_profile_name: 'vdns_cis_hardened_profile'
  default_file_to_copy: "sssd --symlink-meta"
  options: with-sudo with-faillock without-nullok with-pwhistory
```
**Possible Solution**
As an alternative to the ansible pamd module, maybe lineinfile can be used?
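As an added illustration of the lineinfile alternative suggested above (example tasks written for this thread, not code from the RHEL8-CIS role or from community.general), this edits the authselect custom profile templates directly and then applies the profile; it assumes the `rhel8cis_authselect.custom_profile_name` variable from the defaults quoted in the issue and the standard `/etc/authselect/custom/<profile>/` path.

```yaml
# Added example, not the role's own task: bypass community.general.pamd for
# control 4.4.3.3.3 by editing the custom profile templates with lineinfile.
# Assumes rhel8cis_authselect.custom_profile_name (from the defaults above) and
# the standard authselect custom profile location.
- name: "4.4.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | authselect_files (lineinfile workaround)"
  ansible.builtin.lineinfile:
    path: "/etc/authselect/custom/{{ rhel8cis_authselect.custom_profile_name }}/{{ item }}"
    # Group 1: the pam_pwhistory rule up to the module path; the control field
    # may be a bracketed list with spaces.  The negative lookahead skips lines
    # that already carry use_authtok, which keeps the task idempotent.
    # Group 2: remaining arguments and any authselect directive such as
    # {include if "with-pwhistory"}, which are preserved unchanged.
    regexp: '^(password\s+(?:\[[^\]]*\]|\S+)\s+pam_pwhistory\.so)(?!.*\buse_authtok\b)(.*)$'
    line: '\1 use_authtok\2'
    backrefs: true   # no match means no change, so no rule is ever added blindly
  loop:
    - system-auth
    - password-auth
  register: rhel8cis_pwhistory_authtok
  when: rhel8cis_allow_authselect_updates

- name: "4.4.3.3.3 | PATCH | Apply the updated authselect custom profile"
  ansible.builtin.command: authselect apply-changes
  when: rhel8cis_pwhistory_authtok is changed
```

Because `backrefs: true` only rewrites an existing matching line, a profile whose templates lack a pam_pwhistory rule is left untouched and should be caught by the corresponding audit control rather than silently modified.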