ansible-lockdown / RHEL9-CIS

Ansible role for Red Hat 9 CIS Baseline
https://ansible-lockdown.readthedocs.io
MIT License

rhel9cis_authselect['options'] #144

Closed ipruteanu-sie closed 2 months ago

ipruteanu-sie commented 9 months ago

Question: What was the original intention of this dict variable:

rhel9cis_authselect:
    custom_profile_name: custom-profile
    default_file_to_copy: "sssd --symlink-meta"
    options: with-sudo with-faillock without-nullok  # *****

I totally agree that the 5.4.2 rule only mentions with-faillock.

      - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
        ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock"
        when: rhel9cis_authselect_custom_profile_select

However, if I understand correctly the role of the option key-value pair (options: with-sudo with-faillock without-nullok), we could use it similarly to this Tenable example (# authselect select custom/custom-profile with-sudo with-faillock without-nullok):

      - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
        ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }}  {{ rhel9cis_authselect['options'] }}"
        when: rhel9cis_authselect_custom_profile_select

Environment (please complete the following information): N/A
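
Added example, not part of the issue or of the RHEL9-CIS role: one way to pass rhel9cis_authselect['options'] to authselect as separate arguments instead of a shell string, fail early if an overridden options value drops with-faillock, and skip the change when the current selection already matches. The task names and the authselect_wanted and authselect_current variables are hypothetical.

```yaml
# Added example; not part of the RHEL9-CIS role.
# Hypothetical names: task titles, authselect_wanted, authselect_current.
- name: "Example | Build the desired authselect arguments"
  ansible.builtin.set_fact:
    authselect_wanted: "{{ ['custom/' ~ rhel9cis_authselect['custom_profile_name']] + rhel9cis_authselect['options'].split() }}"

# 5.4.2 only holds while the options string still carries with-faillock.
- name: "Example | Refuse an options string that drops with-faillock"
  ansible.builtin.assert:
    that:
      - "'with-faillock' in authselect_wanted"
    fail_msg: "rhel9cis_authselect['options'] must keep with-faillock for 5.4.2"

# --raw prints the profile and features as they were given to 'select'.
- name: "Example | Read the profile and features currently selected"
  ansible.builtin.command: authselect current --raw
  register: authselect_current
  changed_when: false
  failed_when: false  # non-zero rc when no profile has been selected yet
  check_mode: false

# argv bypasses the shell, so each option is passed as one literal argument.
- name: "Example | Select the custom profile with the configured options"
  ansible.builtin.command:
    argv: "{{ ['authselect', 'select'] + authselect_wanted }}"
  when:
    - rhel9cis_authselect_custom_profile_select
    - (authselect_current.stdout.split() | sort) != (authselect_wanted | sort)
```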

uk-bolly commented 2 months ago

Hi @ipruteanu-sie

This issue has been merged to devel and into main branch. I will therefore close this issue. Please feel free to reopen if you feel it's not as expected.

Many thanks again for your time

uk-bolly