ansible-lockdown / UBUNTU22-CIS

Ansible role for Ubuntu22 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

Step 6.2.11 fails due to bad matching of nologin in /etc/passwd #135

Closed paulquevedojdrf closed 8 months ago

paulquevedojdrf commented 9 months ago

Describe the Issue

When running the playbook using tag --level1-workstation, step 6.2.11 throws an error:

failed: [pquevedo-ideapad] (item=/proc) => {"ansible_loop_var": "item", "changed": false, "cmd": "/usr/bin/setfacl -d -m group::rx /proc", "item": "/proc", "msg": "setfacl: /proc: Operation not supported", "rc": 1, "stderr": "setfacl: /proc: Operation not supported\n", "stderr_lines": ["setfacl: /proc: Operation not supported"], "stdout": "", "stdout_lines": []}

It looks like for whatever reason, the paths in that machine's /etc/passwd file use /sbin/nologin while `$ which nologin` returns /usr/sbin/nologin. I have no idea why this is though; maybe I botched something in a previous run of the playbook.

Here is a snippet of the machine's passwd file:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
bin:x:2:2:bin:/bin:/sbin/nologin
sys:x:3:3:sys:/dev:/sbin/nologin

Expected Behavior

Should only modify /home/pquevedo

Actual Behavior

It modifies all the paths listed in /etc/passwd

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : 6.2.11 | PATCH | Ensure local interactive user home directories exist | Create dir if absent] **************************************************************
task path: /home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS/tasks/section_6/cis_6.2.x.yml:324
ok: [pquevedo-ideapad] => (item=pquevedo) => {"ansible_loop_var": "item", "changed": false, "gid": 1000, "group": "pquevedo", "item": {"dir": "/home/pquevedo", "gecos": "pquevedo,,,", "gid": 1000, "id": "pquevedo", "password": "x", "shell": "/bin/bash", "uid": 1000}, "mode": "0750", "owner": "pquevedo", "path": "/home/pquevedo", "size": 4096, "state": "directory", "uid": 1000}

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : 6.2.11 | PATCH | Ensure local interactive user home directories exist | Set group ACL] *********************************************************************
task path: /home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS/tasks/section_6/cis_6.2.x.yml:336
ok: [pquevedo-ideapad] => (item=/usr/sbin) => {"acl": ["user::rwx", "group::r-x", "other::r-x"], "ansible_loop_var": "item", "changed": false, "item": "/usr/sbin", "msg": "group::rx is present"}
ok: [pquevedo-ideapad] => (item=/bin) => {"acl": ["user::rwx", "group::r-x", "other::r-x"], "ansible_loop_var": "item", "changed": false, "item": "/bin", "msg": "group::rx is present"}
ok: [pquevedo-ideapad] => (item=/dev) => {"acl": ["user::rwx", "group::r-x", "other::r-x"], "ansible_loop_var": "item", "changed": false, "item": "/dev", "msg": "group::rx is present"}
ok: [pquevedo-ideapad] => (item=/usr/games) => {"acl": ["user::rwx", "group::r-x", "other::r-x"], "ansible_loop_var": "item", "changed": false, "item": "/usr/games", "msg": "group::rx is present"}
ok: [pquevedo-ideapad] => (item=/var/cache/man) => {"acl": ["user::rwx", "group::r-x", "other::r-x"], "ansible_loop_var": "item", "changed": false, "item": "/var/cache/man", "msg": "group::rx is present"}
ok: [pquevedo-ideapad] => (item=/var/spool/lpd) => {"acl": ["user::rwx", "group::r-x", "other::r-x"], "ansible_loop_var": "item", "changed": false, "item": "/var/spool/lpd", "msg": "group::rx is present"}
ok: [pquevedo-ideapad] => (item=/var/mail) => {"acl": ["user::rwx", "group::r-x", "other::r-x"], "ansible_loop_var": "item", "changed": false, "item": "/var/mail", "msg": "group::rx is present"}
ok: [pquevedo-ideapad] => (item=/var/spool/news) => {"acl": ["user::rwx", "group::r-x", "other::r-x"], "ansible_loop_var": "item", "changed": false, "item": "/var/spool/news", "msg": "group::rx is present"}
ok: [pquevedo-ideapad] => (item=/var/spool/uucp) => {"acl": ["user::rwx", "group::r-x", "other::r-x"], "ansible_loop_var": "item", "changed": false, "item": "/var/spool/uucp", "msg": "group::rx is present"}
ok: [pquevedo-ideapad] => (item=/bin) => {"acl": ["user::rwx", "group::r-x", "other::r-x"], "ansible_loop_var": "item", "changed": false, "item": "/bin", "msg": "group::rx is present"}
ok: [pquevedo-ideapad] => (item=/var/www) => {"acl": ["user::rwx", "group::r-x", "other::r-x"], "ansible_loop_var": "item", "changed": false, "item": "/var/www", "msg": "group::rx is present"}
ok: [pquevedo-ideapad] => (item=/var/backups) => {"acl": ["user::rwx", "group::r-x", "other::r-x"], "ansible_loop_var": "item", "changed": false, "item": "/var/backups", "msg": "group::rx is present"}
ok: [pquevedo-ideapad] => (item=/var/list) => {"acl": ["user::rwx", "group::r-x", "other::r-x"], "ansible_loop_var": "item", "changed": false, "item": "/var/list", "msg": "group::rx is present"}
ok: [pquevedo-ideapad] => (item=/run/ircd) => {"acl": ["user::rwx", "group::r-x", "other::r-x"], "ansible_loop_var": "item", "changed": false, "item": "/run/ircd", "msg": "group::rx is present"}
...

Control(s) Affected

6.2.11

Environment (please complete the following information):

Additional Notes

Possible Solution

Maybe change the prelim step to match *sbin/nologin instead?

grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/false") { print $6 }'
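The two matching strategies side by side, as an added example that is not part of the role or of the issue above. The passwd content is constructed for the demo (not the reporter's file); it mixes the `/sbin/nologin` form seen in the report with `/usr/sbin/nologin`. `exact_match_homes` compares the shell field against a single absolute nologin path (the `/usr/sbin/nologin` that `which nologin` returned in the report) and lets `/sbin/nologin` accounts through, so system directories such as `/usr/sbin` and `/bin` end up in the list handed to `setfacl`. `interactive_homes` follows the suggestion above and matches on the `nologin` basename, so both spellings are treated as non-interactive. The `^(root|...):` exclusion is anchored on the field separator so that it only skips those exact account names.

```shell
#!/bin/sh
# Constructed sample /etc/passwd content for the demo (not from any real host).
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
bin:x:2:2:bin:/bin:/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
svc:x:999:999:svc:/var/lib/svc:/usr/sbin/nologin
pquevedo:x:1000:1000:pquevedo,,,:/home/pquevedo:/bin/bash
alice:x:1001:1001::/home/alice:/usr/bin/zsh
EOF
)

# exact_match_homes NOLOGIN_PATH
# Fragile variant: reads passwd lines on stdin and prints the home directory
# ($6) of every account whose shell ($7) is not exactly NOLOGIN_PATH or
# /bin/false. Any other spelling of the nologin shell slips through.
exact_match_homes() {
    nologin_path="$1"
    grep -E -v '^(root|halt|sync|shutdown):' \
        | awk -F: -v nl="$nologin_path" '$7 != nl && $7 != "/bin/false" { print $6 }'
}

# interactive_homes
# Robust variant: treats any shell whose basename is "nologin" (e.g.
# /sbin/nologin, /usr/sbin/nologin) or that equals /bin/false as
# non-interactive, and prints the remaining accounts' home directories.
interactive_homes() {
    grep -E -v '^(root|halt|sync|shutdown):' \
        | awk -F: '$7 !~ /(^|\/)nologin$/ && $7 != "/bin/false" { print $6 }'
}

# Stand-alone demo: what each approach would hand to setfacl.
echo "exact-match approach (misses /sbin/nologin accounts):"
printf '%s\n' "$SAMPLE_PASSWD" | exact_match_homes /usr/sbin/nologin
echo "basename-match approach:"
printf '%s\n' "$SAMPLE_PASSWD" | interactive_homes
```

Run it as `sh demo.sh`; the first list contains `/usr/sbin` and `/bin`, the second only `/home/pquevedo` and `/home/alice`. To audit a real host before letting the role change ACLs, pipe `/etc/passwd` into `interactive_homes` and confirm every line is a home directory you expect to be touched.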