ansible-lockdown / RHEL9-CIS

Ansible role for Red Hat 9 CIS Baseline
https://ansible-lockdown.readthedocs.io
MIT License

auth-select options variable not used #156

Closed ipruteanu-sie closed 6 months ago

ipruteanu-sie commented 7 months ago

Overall Review of Changes: Other OS flavors have required extra-options for authselect profiles. Currently, it seems this is not needed.

Issue Fixes: #155

Enhancements: Please list any enhancements/features that are not open issue tickets

How has this been tested?: N/A

uk-bolly commented 7 months ago

Hi @ipruteanu-sie

We are seeing errors in a merge conflict for this PR. If you can resync to resolve this, happy to look at this further.

Many thanks

uk-bolly

ipruteanu-sie commented 7 months ago

@uk-bolly: I fixed the conflict for this rule, but I'm planning to close this PR. What I noticed in a CIS report:

1) In a CIS report, one can notice the remediation of 5.4.2 specifies:

```
# authselect enable-feature with-faillock
# authselect apply-changes
```

However, current impl here is different.

Even more, there's NO real check on their part on other authselect options (other than with-faillock), even if we're currently using them:

The rule name says it all, rule deals with faillock:

5.4.2 Ensure authselect includes with-faillock

2) There's indeed an example in 5.4.1, about a custom-profile selection, which includes the other two extra-options, so probably the two extra ones won't hurt: [image]
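A sketch of the check this comment describes, as an added example that is not part of the original thread or the RHEL9-CIS role: it parses `authselect current` output and passes only on `with-faillock`, reporting any other features without judging them. The function names and the sample outputs (including the `with-sudo` and `without-nullok` features) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: check `authselect current` output for the with-faillock feature.

# Constructed sample outputs (not captured from a real host).
SAMPLE_OK='Profile ID: custom/custom-profile
Enabled features:
- with-sudo
- with-faillock
- without-nullok'

SAMPLE_MISSING='Profile ID: sssd
Enabled features:
- with-sudo'

# Print the profile ID from `authselect current` output on stdin.
authselect_profile() {
    awk -F': ' '/^Profile ID:/ { print $2; exit }'
}

# Print each enabled feature, one per line, from `authselect current` output on stdin.
authselect_features() {
    awk '/^Enabled features:/ { in_list = 1; next }
         in_list && /^- /     { print substr($0, 3); next }
         in_list              { in_list = 0 }'
}

# Return 0 if with-faillock is enabled, 1 if it is missing, 2 if no profile is selected.
# Other enabled features are reported but never change the result.
check_faillock() {
    local out profile features extras
    out=$(cat)
    profile=$(printf '%s\n' "$out" | authselect_profile)
    [ -n "$profile" ] || { echo "FAIL: no authselect profile selected"; return 2; }
    features=$(printf '%s\n' "$out" | authselect_features)
    extras=$(printf '%s\n' "$features" | grep -vx 'with-faillock' | paste -sd, -)
    if printf '%s\n' "$features" | grep -qx 'with-faillock'; then
        echo "PASS: profile=$profile with-faillock enabled; other features: ${extras:-none}"
    else
        echo "FAIL: profile=$profile with-faillock missing; other features: ${extras:-none}"
        return 1
    fi
}

# On a live host: authselect current | check_faillock
```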

uk-bolly commented 6 months ago

Hi @ipruteanu-sie

I can see we still have a large number of PRs open from you, but they all seem to have a huge number of commits assigned for a change to one or two files, and it is getting very confusing to read when trying to review what is actually changing. Not sure why we see this number, as it doesn't seem right. I have incorporated a lot of issues and changes into the latest devel branch; could I suggest that we close the current ones and work through the issues to see what is left outstanding? Happy to work with you to resolve the rest that is outstanding.

Kindest regards

uk-bolly

ipruteanu-sie commented 6 months ago

Hi @uk-bolly, I think I was incorrectly performing some rebase-commands. Thanks for your message and sorry for the confusion.

For the current PR, although current devel does not include the approach suggested in issue #155, we can put it aside (since CIS is still happy, even if we add the extra-options): [image]