ansible-lockdown / RHEL9-CIS

Ansible role for Red Hat 9 CIS Baseline
https://ansible-lockdown.readthedocs.io
MIT License

Bugfix 5.3.4 against issue #176 #177

Closed RoboPickle closed 6 months ago

RoboPickle commented 6 months ago

Overall Review

tasks/main.yml was altered to handle the user not being found in /etc/shadow.
The grep has been changed.

```shell
# Anchored on "^user:" so the match is on the account-name field only (an unanchored
# grep would also match longer user names or text in other fields); the echo fallback
# supplies a sentinel when the user has no /etc/shadow entry.
(grep "^{{ ansible_env.SUDO_USER }}:" /etc/shadow || echo 'not found:not found') | awk -F: '{print $2}'
```

In the event that the user is not found in /etc/shadow then the response "not found:not found" is given. This is then picked up by the following block to skip the password checking. A debug message is used to alert the user that this is happening.

An additional check is now being made for local accounts to check that the account has not been locked. This is achieved by checking for a single "!" at the beginning of the password hash.

Also updated dictionary in 6.1.11 to convert vars to dictionary to avoid deprecation warning.

Issue Fixes:

Fixes #176: Using an AD account to connect to host incorrectly fails rule 5.3.4

Enhancements:

Fixes #168 DEPRECATION WARNING is generating when play task 6.1.11 | AUDIT | Ensure no ungrouped files or directories exist

How has this been tested?:

Tested against a minimally configured Alma Linux 9 VM.

  1. Created a new user with an unset password.
    • Local account check passes. Unset password is then detected and play fails.
  2. Add a password to new user.
    • Local account check passes. Password check then passes and play continues.
  3. Lock the account. Password hash now starts with "!"
    • Second password check is triggered and play fails.
  4. Updated VM to join AD realm. Use AD account.
    • The first local account check returns not found. Local password checks are skipped and play continues.

Addendum: 6.1.11 Deprecation warning during audit. Updated vars to dictionary and deprecation warning avoided.

More details on testing are available if required.
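The three outcomes the PR description walks through (user absent from /etc/shadow because it is an AD/realm account, a locked local account whose hash begins with "!", and a local account with an unset password) can be reproduced outside Ansible. The following shell function is an added example written for this page, not code from the PR or from the RHEL9-CIS role; it runs the same grep/awk pipeline against a constructed shadow file with placeholder hashes and classifies the result.

```shell
#!/bin/sh
# Added example (not part of the PR or the RHEL9-CIS role): classify an account
# the way the 5.3.4 pre-check does, using a constructed shadow file so it runs
# offline. Hashes below are placeholders, not real password hashes.

SAMPLE_SHADOW="$(mktemp)"
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$placeholderhash:19700:0:99999:7:::
alice:$6$anotherplaceholder:19700:0:99999:7:::
bob:!$6$lockedplaceholder:19700:0:99999:7:::
carol::19700:0:99999:7:::
dave:!!:19700:0:99999:7:::
EOF

# classify_user USER SHADOWFILE
# Prints exactly one of: not_found | locked | empty | ok
classify_user() {
    user="$1"
    shadow="$2"
    # Same pipeline shape as the PR: grep for the account, fall back to the
    # "not found:not found" sentinel when there is no local entry (e.g. an AD
    # user), then take the password field. The match is anchored on "^user:"
    # so "al" does not match "alice".
    pw_field="$( (grep "^${user}:" "$shadow" || echo 'not found:not found') | awk -F: '{print $2}')"
    case "$pw_field" in
        'not found') echo not_found ;;   # no /etc/shadow entry: skip local password checks
        '')          echo empty ;;       # unset password: the role fails the play here
        '!'*)        echo locked ;;      # "!" prefix: locked via passwd -l / usermod -L ("!!" also lands here)
        *)           echo ok ;;          # hash present and not locked: password check passes
    esac
}

# Stand-alone run prints the classification for each sample account.
for u in root alice bob carol dave jdoe; do
    printf '%s: %s\n' "$u" "$(classify_user "$u" "$SAMPLE_SHADOW")"
done
```

The "!!" entry for dave is the RHEL convention for an account that never had a password set; it also begins with "!" and so is reported as locked, which matches the single-"!" check the PR describes.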

uk-bolly commented 6 months ago

hi @RoboPickle

This is a great update, thank you for taking the time. Could you possibly add the empty line before each named task just for consistency? You will find the vars deprecation should have already been picked up as well in an earlier PR.

Many thanks

uk-bolly

RoboPickle commented 6 months ago

Hi,

You are most welcome. I've added the blank lines which actually makes a real difference with the readability.

I missed that the deprecation was already handled by another PR!

Thanks

John