
Make PAM macros more flexible to variables #12133

Merged

Conversation

@marcusburghardt (Member) commented Jul 5, 2024

Description:

There may be cases where variables are passed to these macros

  • e.g.: accounts_password_pam_pwhistory_remember_password_auth

In some cases these variables were not resolved in Bash macros and the Playbooks were breaking.
These macros can now properly use the variables.

Rationale:

More flexibility for PAM settings.

Review Hints:

These macros are used by many rules.
Nothing is expected to break with these changes, but let's check the CI tests.

Just for information: https://fedoramagazine.org/authselect-in-fedora-linux-40-migrating-to-the-new-local-profile/
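The macros touched by this PR build `grep -P` and `sed -E` patterns out of a PAM control flag such as `[default=1]` or the first element of `var_password_pam_remember_control_flag`. On the Ansible side the value is passed through `regex_escape()`; in the Bash output it is interpolated as-is. The following is an added example, not code from the PR or from the ComplianceAsCode project, showing why the escaping matters: the function names (`pam_control_regex`, `pam_line_count`, `pam_line_count_raw`, `demo_pam_file`) and the sample PAM stack are this example's own. It uses POSIX ERE with `[[:space:]]` instead of the macros' `\s` so that it runs wherever `grep -E` does.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR or the project. It shows how a PAM
# control flag has to be escaped before it is interpolated into an ERE
# pattern, and why a raw "[default=1]" silently matches nothing.
set -euo pipefail

# Escape ERE metacharacters (plus '/', the usual sed delimiter) so that a
# control such as "[default=1]" or "[success=1 default=ignore]" is matched
# literally. Function name and interface are this example's own.
pam_control_regex() {
    local s=$1 out='' c i
    for (( i = 0; i < ${#s}; i++ )); do
        c=${s:i:1}
        case $c in
            '['|']'|'\'|'.'|'*'|'^'|'$'|'+'|'?'|'('|')'|'{'|'}'|'|'|'/')
                out+="\\$c" ;;
            *)  out+=$c ;;
        esac
    done
    printf '%s' "$out"
}

# Count lines "<group> <control> <module> [options]" in a PAM file, escaping
# both control and module for the pattern (what regex_escape() does on the
# Ansible side). Arguments: file group control module.
pam_line_count() {
    local file=$1 group=$2 control=$3 module=$4 ctl mod
    ctl=$(pam_control_regex "$control")
    mod=$(pam_control_regex "$module")
    grep -cE "^[[:space:]]*${group}[[:space:]]+${ctl}[[:space:]]+${mod}([[:space:]].*)?$" "$file" || true
}

# Same check with the control interpolated raw, as the Bash macros do.
# A bracketed control becomes a character class here.
pam_line_count_raw() {
    local file=$1 group=$2 control=$3 module=$4
    grep -cE "^[[:space:]]*${group}[[:space:]]+${control}[[:space:]]+${module}([[:space:]].*)?$" "$file" || true
}

# Constructed sample PAM stack (not taken from a real system); the
# "session [default=1] pam_lastlog.so" line is the one display_login_attempts
# manages. Prints the path of a temporary file the caller must remove.
demo_pam_file() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
auth        required      pam_env.so
auth        [success=1 default=ignore] pam_succeed_if.so service !~ gdm*
password    requisite     pam_pwquality.so local_users_only
session     optional      pam_keyinit.so revoke
session     [default=1]   pam_lastlog.so showfailed
EOF
    printf '%s' "$f"
}

# Stand-alone run: the escaped form finds the line, the raw form does not.
pamfile=$(demo_pam_file)
echo "escaped control: $(pam_line_count "$pamfile" session '[default=1]' pam_lastlog.so) match(es)"
echo "raw control:     $(pam_line_count_raw "$pamfile" session '[default=1]' pam_lastlog.so) match(es)"
rm -f "$pamfile"
```

The raw variant only works for plain keyword controls (`required`, `requisite`), which is why the defect stays hidden until a profile uses a bracketed control. The escaped value must be used only in patterns; the text written to the PAM file needs the unescaped control.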

@marcusburghardt added the refactoring label Jul 5, 2024
@marcusburghardt added this to the 0.1.74 milestone Jul 5, 2024

github-actions bot commented Jul 5, 2024

Start a new ephemeral environment with changes proposed in this pull request:

  • rhel8 (from CTF) Environment (using Fedora as testing environment)
  • Fedora Testing Environment
  • Oracle Linux 8 Environment


github-actions bot commented Jul 5, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff.
Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

bash remediation for rule 'xccdf_org.ssgproject.content_rule_display_login_attempts' differs.
--- xccdf_org.ssgproject.content_rule_display_login_attempts
+++ xccdf_org.ssgproject.content_rule_display_login_attempts
@@ -2,7 +2,7 @@
 if rpm --quiet -q pam; then
 
 if [ -f /usr/bin/authselect ]; then
-    if authselect list-features minimal | grep -q with-silent-lastlog; then
+    if authselect list-features sssd | grep -q with-silent-lastlog; then
         if ! authselect check; then
         echo "
         authselect integrity check failed. Remediation aborted!
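Review bot: the switch from `authselect list-features minimal` to `authselect list-features sssd` in the first changed line is not covered by the PR description, which only talks about variable resolution in the macros. The feature list differs per profile, so either the check should consult the profile actually in use (what `authselect current` reports) or the description should state why `sssd` is the right reference, especially given the Fedora 40 `local` profile linked in the description.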
@@ -77,23 +77,23 @@
 
                 authselect apply-changes -b
             fi
-            if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then
+            if ! grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s*.*" "$PAM_FILE_PATH"; then
                     # Line matching group + control + module was not found. Check group + module.
                     if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
                         # The control is updated only if one single line matches.
-                        sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"\[default=1\]"' \2/' "$PAM_FILE_PATH"
+                        sed -i -E --follow-symlinks "s/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1\[default=1\] \2/" "$PAM_FILE_PATH"
                     else
                         LAST_MATCH_LINE=$(grep -nP "^\s*session\s+.*pam_succeed_if\.so.*" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
                         if [ ! -z $LAST_MATCH_LINE ]; then
-                            sed -i --follow-symlinks $LAST_MATCH_LINE' a session     '"\[default=1\]"'    pam_lastlog.so' "$PAM_FILE_PATH"
+                            sed -i --follow-symlinks $LAST_MATCH_LINE" a session     \[default=1\]    pam_lastlog.so" "$PAM_FILE_PATH"
                         else
-                            echo 'session    '"\[default=1\]"'    pam_lastlog.so' >> "$PAM_FILE_PATH"
+                            echo "session    \[default=1\]    pam_lastlog.so" >> "$PAM_FILE_PATH"
                         fi
                     fi
                 fi
                 # Check the option
-                if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then
-                    sed -i -E --follow-symlinks '/\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH"
+                if ! grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s*.*\sshowfailed\b" "$PAM_FILE_PATH"; then
+                    sed -i -E --follow-symlinks "/\s*session\s+\[default=1\]\s+pam_lastlog.so.*/ s/$/ showfailed/" "$PAM_FILE_PATH"
                 fi
             if [ -f /usr/bin/authselect ]; then
                 
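Review bot: the fallback `echo "session    \[default=1\]    pam_lastlog.so" >> "$PAM_FILE_PATH"` writes the regex-escaped control verbatim into the PAM file: bash's builtin `echo` does not process backslashes without `-e`, so the appended line reads `\[default=1\]` instead of `[default=1]`. The `grep -P` and `sed -E` patterns need the escaped form, but the text that gets written needs the raw control, the way the Ansible output keeps `regex_escape()` only on the `regexp:` fields and uses the bare fact in `line:`. The defect predates this PR, but this refactor is the place to carry both forms through the macro.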
@@ -136,8 +136,8 @@
                 authselect apply-changes -b
             fi
             
-        if grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks 's/(.*session.*'"\[default=1\]"'.*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+        if grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s.*\bsilent\b" "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks "s/(.*session.*\[default=1\].*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
         fi
             if [ -f /usr/bin/authselect ]; then
                 
@@ -181,23 +181,23 @@
 
                 authselect apply-changes -b
             fi
-            if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then
+            if ! grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s*.*" "$PAM_FILE_PATH"; then
                     # Line matching group + control + module was not found. Check group + module.
                     if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
                         # The control is updated only if one single line matches.
-                        sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"\[default=1\]"' \2/' "$PAM_FILE_PATH"
+                        sed -i -E --follow-symlinks "s/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1\[default=1\] \2/" "$PAM_FILE_PATH"
                     else
                         LAST_MATCH_LINE=$(grep -nP "^\s*session\s+.*pam_succeed_if\.so.*" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
                         if [ ! -z $LAST_MATCH_LINE ]; then
-                            sed -i --follow-symlinks $LAST_MATCH_LINE' a session     '"\[default=1\]"'    pam_lastlog.so' "$PAM_FILE_PATH"
+                            sed -i --follow-symlinks $LAST_MATCH_LINE" a session     \[default=1\]    pam_lastlog.so" "$PAM_FILE_PATH"
                         else
-                            echo 'session    '"\[default=1\]"'    pam_lastlog.so' >> "$PAM_FILE_PATH"
+                            echo "session    \[default=1\]    pam_lastlog.so" >> "$PAM_FILE_PATH"
                         fi
                     fi
                 fi
                 # Check the option
-                if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then
-                    sed -i -E --follow-symlinks '/\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH"
+                if ! grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s*.*\sshowfailed\b" "$PAM_FILE_PATH"; then
+                    sed -i -E --follow-symlinks "/\s*session\s+\[default=1\]\s+pam_lastlog.so.*/ s/$/ showfailed/" "$PAM_FILE_PATH"
                 fi
             if [ -f /usr/bin/authselect ]; then
                 
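Review bot: same defect as in the first `pam_lastlog.so` block of this remediation: `echo "session    \[default=1\]    pam_lastlog.so"` appends the backslash-escaped control literally (bash's builtin `echo` leaves `\[` untouched), so the PAM line written by the fallback is malformed. Use the unescaped control for the written text and keep the escaped form for the grep/sed patterns only.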
@@ -240,8 +240,8 @@
                 authselect apply-changes -b
             fi
             
-        if grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks 's/(.*session.*'"\[default=1\]"'.*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+        if grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s.*\bsilent\b" "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks "s/(.*session.*\[default=1\].*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
         fi
             if [ -f /usr/bin/authselect ]; then
                 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_display_login_attempts' differs.
--- xccdf_org.ssgproject.content_rule_display_login_attempts
+++ xccdf_org.ssgproject.content_rule_display_login_attempts
@@ -40,7 +40,7 @@
 - name: Ensure PAM Displays Last Logon/Access Notification - Collect the Available
     authselect Features
   ansible.builtin.command:
-    cmd: authselect list-features minimal
+    cmd: authselect list-features sssd
   register: result_authselect_available_features
   changed_when: false
   when:
@@ -281,11 +281,16 @@
     when:
     - result_authselect_present.stat.exists
 
+  - name: Ensure PAM Displays Last Logon/Access Notification - Define a fact for control
+      already filtered in case filters are used
+    ansible.builtin.set_fact:
+      pam_module_control: '[default=1]'
+
   - name: Ensure PAM Displays Last Logon/Access Notification - Check if expected PAM
       module line is present in {{ pam_file_path }}
     ansible.builtin.lineinfile:
       path: '{{ pam_file_path }}'
-      regexp: ^\s*session\s+{{ '[default=1]' | regex_escape() }}\s+pam_lastlog.so\s*.*
+      regexp: ^\s*session\s+{{ pam_module_control | regex_escape() }}\s+pam_lastlog.so\s*.*
       state: absent
     check_mode: true
     changed_when: false
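Review bot: `pam_module_control` is created with `set_fact`, which makes it a host-level fact that persists for the rest of the play, and the same name is reused by every expansion of the macro (this rule alone redefines it three times). That is only safe as long as each consumer is preceded by its own `set_fact`, as done here; a rule that reads the name without setting it first would silently inherit `[default=1]` from this one. A rule-prefixed fact name, or `vars:` on the consuming tasks instead of a fact, would remove that hazard. The task name "Define a fact for control already filtered in case filters are used" also reads awkwardly; "Define the PAM control flag for the following tasks" says the same thing.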
@@ -310,7 +315,7 @@
       ansible.builtin.replace:
         dest: '{{ pam_file_path }}'
         regexp: ^(\s*session\s+).*(\bpam_lastlog.so.*)
-        replace: \1[default=1] \2
+        replace: \1{{ pam_module_control }} \2
       register: result_pam_module_edit
       when:
       - result_pam_line_other_control_present.found == 1
@@ -320,7 +325,7 @@
       ansible.builtin.lineinfile:
         dest: '{{ pam_file_path }}'
         insertafter: ^\s*session\s+.*pam_succeed_if\.so.*
-        line: session    [default=1]    pam_lastlog.so
+        line: session    {{ pam_module_control }}    pam_lastlog.so
       register: result_pam_module_add
       when:
       - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
@@ -340,33 +345,43 @@
     - result_pam_line_present.found is defined
     - result_pam_line_present.found == 0
 
+  - name: Ensure PAM Displays Last Logon/Access Notification - Define a fact for control
+      already filtered in case filters are used
+    ansible.builtin.set_fact:
+      pam_module_control: '[default=1]'
+
   - name: Ensure PAM Displays Last Logon/Access Notification - Check if the required
       PAM module option is present in {{ pam_file_path }}
     ansible.builtin.lineinfile:
       path: '{{ pam_file_path }}'
-      regexp: ^\s*session\s+{{ '[default=1]' | regex_escape() }}\s+pam_lastlog.so\s*.*\sshowfailed\b
+      regexp: ^\s*session\s+{{ pam_module_control | regex_escape() }}\s+pam_lastlog.so\s*.*\sshowfailed\b
       state: absent
     check_mode: true
     changed_when: false
-    register: result_pam_module_showfailed_option_present
+    register: result_pam_module_display_login_attempts_option_present
 
   - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the "showfailed"
       PAM option for "pam_lastlog.so" is included in {{ pam_file_path }}
     ansible.builtin.lineinfile:
       path: '{{ pam_file_path }}'
       backrefs: true
-      regexp: ^(\s*session\s+{{ '[default=1]' | regex_escape() }}\s+pam_lastlog.so.*)
+      regexp: ^(\s*session\s+{{ pam_module_control | regex_escape() }}\s+pam_lastlog.so.*)
       line: \1 showfailed
       state: present
-    register: result_pam_showfailed_add
-    when:
-    - result_pam_module_showfailed_option_present.found == 0
+    register: result_pam_display_login_attempts_add
+    when:
+    - result_pam_module_display_login_attempts_option_present.found == 0
+
+  - name: Ensure PAM Displays Last Logon/Access Notification - Define a fact for control
+      already filtered in case filters are used
+    ansible.builtin.set_fact:
+      pam_module_control: '[default=1]'
 
   - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the "silent"
       option from "pam_lastlog.so" is not present in {{ pam_file_path }}
     ansible.builtin.replace:
       dest: '{{ pam_file_path }}'
-      regexp: (.*session.*{{ '[default=1]' | regex_escape() }}.*pam_lastlog.so.*)\bsilent\b=?[0-9a-zA-Z]*(.*)
+      regexp: (.*session.*{{ pam_module_control | regex_escape() }}.*pam_lastlog.so.*)\bsilent\b=?[0-9a-zA-Z]*(.*)
       replace: \1\2
     register: result_pam_option_removal
   when: '"pam" in ansible_facts.packages'
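Review bot: the register renames (`result_pam_module_showfailed_option_present` to `result_pam_module_display_login_attempts_option_present`, `result_pam_showfailed_add` to `result_pam_display_login_attempts_add`) key the variables on the rule id rather than the option name, which avoids clashes when two rules in one playbook manage different options of the same module; good. In the final `replace` task the control is now run through `regex_escape()` but `pam_lastlog.so` beside it still has an unescaped `.`; give the module name the same treatment (`pam_lastlog\.so`) so the pattern cannot match an unrelated `pam_lastlog-so`-style token.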

bash remediation for rule 'xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
@@ -71,8 +71,8 @@
                 authselect apply-changes -b
             fi
             
-        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\baudit\b' "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\baudit\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+        if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\baudit\b" "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\baudit\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
         fi
             if [ -f /usr/bin/authselect ]; then
                 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
@@ -322,6 +322,11 @@
       when:
       - result_authselect_present.stat.exists
 
+    - name: Account Lockouts Must Be Logged - Define a fact for control already filtered
+        in case filters are used
+      ansible.builtin.set_fact:
+        pam_module_control: ''
+
     - name: Account Lockouts Must Be Logged - Ensure the "audit" option from "pam_faillock.so"
         is not present in {{ pam_file_path }}
       ansible.builtin.replace:
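Review bot: `pam_module_control: ''` is defined here, but the only consumer visible in this hunk is the `replace` task that removes `audit`, whose `regexp:` is not shown. If that task does not interpolate the fact, the `set_fact` is dead weight emitted by the option-removal macro and should be dropped there rather than set to an empty string before every removal.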
@@ -489,6 +494,11 @@
       when:
       - result_authselect_present.stat.exists
 
+    - name: Account Lockouts Must Be Logged - Define a fact for control already filtered
+        in case filters are used
+      ansible.builtin.set_fact:
+        pam_module_control: ''
+
     - name: Account Lockouts Must Be Logged - Ensure the "audit" option from "pam_faillock.so"
         is not present in {{ pam_file_path }}
       ansible.builtin.replace:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
@@ -8,7 +8,7 @@
 var_password_pam_remember_control_flag="$(echo $var_password_pam_remember_control_flag | cut -d \, -f 1)"
 
 if [ -f /usr/bin/authselect ]; then
-    if authselect list-features minimal | grep -q with-pwhistory; then
+    if authselect list-features sssd | grep -q with-pwhistory; then
         if ! authselect check; then
         echo "
         authselect integrity check failed. Remediation aborted!
@@ -50,33 +50,33 @@
         PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
 
         authselect apply-changes -b
-        if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
+        if ! grep -qP "^\s*password\s+$var_password_pam_remember_control_flag\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then
             # Line matching group + control + module was not found. Check group + module.
             if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
                 # The control is updated only if one single line matches.
-                sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "$PAM_FILE_PATH"
+                sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1$var_password_pam_remember_control_flag \2/" "$PAM_FILE_PATH"
             else
                 LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
                 if [ ! -z $LAST_MATCH_LINE ]; then
-                    sed -i --follow-symlinks $LAST_MATCH_LINE' a password     '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' "$PAM_FILE_PATH"
+                    sed -i --follow-symlinks $LAST_MATCH_LINE" a password     $var_password_pam_remember_control_flag    pam_pwhistory.so" "$PAM_FILE_PATH"
                 else
-                    echo 'password    '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' >> "$PAM_FILE_PATH"
+                    echo "password    $var_password_pam_remember_control_flag    pam_pwhistory.so" >> "$PAM_FILE_PATH"
                 fi
             fi
         fi
     fi
 else
-    if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/password-auth"; then
+    if ! grep -qP "^\s*password\s+$var_password_pam_remember_control_flag\s+pam_pwhistory.so\s*.*" "/etc/pam.d/password-auth"; then
         # Line matching group + control + module was not found. Check group + module.
         if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/password-auth")" -eq 1 ]; then
             # The control is updated only if one single line matches.
-            sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "/etc/pam.d/password-auth"
+            sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1$var_password_pam_remember_control_flag \2/" "/etc/pam.d/password-auth"
         else
             LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/password-auth" | tail -n 1 | cut -d: -f 1)
             if [ ! -z $LAST_MATCH_LINE ]; then
-                sed -i --follow-symlinks $LAST_MATCH_LINE' a password     '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' "/etc/pam.d/password-auth"
+                sed -i --follow-symlinks $LAST_MATCH_LINE" a password     $var_password_pam_remember_control_flag    pam_pwhistory.so" "/etc/pam.d/password-auth"
             else
-                echo 'password    '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' >> "/etc/pam.d/password-auth"
+                echo "password    $var_password_pam_remember_control_flag    pam_pwhistory.so" >> "/etc/pam.d/password-auth"
             fi
         fi
     fi
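Review bot: `$var_password_pam_remember_control_flag` is interpolated unescaped into `grep -qP` and `sed -E` patterns, e.g. `"^\s*password\s+$var_password_pam_remember_control_flag\s+pam_pwhistory.so\s*.*"`. A bracketed control such as `[success=1 default=ignore]` is then parsed as a character class, so the grep can never match the line the macro itself writes and the remediation can never confirm its own result. The Ansible counterpart applies `regex_escape()` to the same value; the Bash macro needs the equivalent (escape `[`, `]`, `.`, `$` and friends for pattern use, and use the raw value only in the written text). Also quote `$LAST_MATCH_LINE` in both `[ ! -z $LAST_MATCH_LINE ]` and the `sed` address.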
@@ -125,8 +125,8 @@
             authselect apply-changes -b
         fi
         
-    if grep -qP '^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b' "$PAM_FILE_PATH"; then
-        sed -i -E --follow-symlinks 's/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+    if grep -qP "^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b" "$PAM_FILE_PATH"; then
+        sed -i -E --follow-symlinks "s/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
     fi
         if [ -f /usr/bin/authselect ]; then
             
@@ -168,20 +168,20 @@
 
         authselect apply-changes -b
     fi
-    if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
+    if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then
         # Line matching group + control + module was not found. Check group + module.
         if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
             # The control is updated only if one single line matches.
-            sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
+            sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1requisite \2/" "$PAM_FILE_PATH"
         else
-            echo 'password    '"requisite"'    pam_pwhistory.so' >> "$PAM_FILE_PATH"
+            echo "password    requisite    pam_pwhistory.so" >> "$PAM_FILE_PATH"
         fi
     fi
     # Check the option
-    if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*\sremember\b' "$PAM_FILE_PATH"; then
-        sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_remember"'/' "$PAM_FILE_PATH"
+    if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*\sremember\b" "$PAM_FILE_PATH"; then
+        sed -i -E --follow-symlinks "/\s*password\s+requisite\s+pam_pwhistory.so.*/ s/$/ remember=$var_password_pam_remember/" "$PAM_FILE_PATH"
     else
-        sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_remember"' \3/' "$PAM_FILE_PATH"
+        sed -i -E --follow-symlinks "s/(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember=)[[:alnum:]]+\s*(.*)/\1\2$var_password_pam_remember \3/" "$PAM_FILE_PATH"
     fi
     if [ -f /usr/bin/authselect ]; then
         
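Review bot: this block hard-codes `requisite` as the control (`"^\s*password\s+requisite\s+pam_pwhistory.so\s*.*"`, `echo "password    requisite    pam_pwhistory.so"`), while the earlier block of the same remediation uses `$var_password_pam_remember_control_flag`. If the variable selects any control other than `requisite`, this block will not find the line the first block wrote and, because exactly one `pam_pwhistory.so` line exists, will rewrite its control to `requisite`, undoing the variable's choice. Both macro calls should receive the same control argument. Separately, `$var_password_pam_remember` is substituted into the sed replacement unescaped; a guard such as `[[ $var_password_pam_remember =~ ^[0-9]+$ ]]` before the sed would keep a malformed variable value from corrupting the PAM line.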

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
@@ -51,7 +51,7 @@
 
 - name: 'Limit Password Reuse: password-auth - Collect the available authselect features'
   ansible.builtin.command:
-    cmd: authselect list-features minimal
+    cmd: authselect list-features sssd
   register: result_authselect_available_features
   changed_when: false
   when:
@@ -289,12 +289,17 @@
     when:
     - result_authselect_present.stat.exists
 
+  - name: 'Limit Password Reuse: password-auth - Define a fact for control already
+      filtered in case filters are used'
+    ansible.builtin.set_fact:
+      pam_module_control: '{{ var_password_pam_remember_control_flag.split(",")[0]
+        }}'
+
   - name: 'Limit Password Reuse: password-auth - Check if expected PAM module line
       is present in {{ pam_file_path }}'
     ansible.builtin.lineinfile:
       path: '{{ pam_file_path }}'
-      regexp: ^\s*password\s+{{ '{{ var_password_pam_remember_control_flag.split(",")[0]
-        }}' | regex_escape() }}\s+pam_pwhistory.so\s*.*
+      regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
       state: absent
     check_mode: true
     changed_when: false
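Review bot: the old `regexp` nested a Jinja expression inside a quoted string, `{{ '{{ var_password_pam_remember_control_flag.split(",")[0] }}' | regex_escape() }}`, so `regex_escape()` ran on the literal text and the inner template was never evaluated; that is presumably the playbook breakage the PR description mentions, and resolving the expression once in `set_fact` is the right fix. Consider appending `| trim` after `split(",")[0]`: a value written as `requisite, required` would otherwise carry a trailing space into both the `regexp` and the written line.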
@@ -319,7 +324,7 @@
       ansible.builtin.replace:
         dest: '{{ pam_file_path }}'
         regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
-        replace: \1{{ var_password_pam_remember_control_flag.split(",")[0] }} \2
+        replace: \1{{ pam_module_control }} \2
       register: result_pam_module_edit
       when:
       - result_pam_line_other_control_present.found == 1
@@ -329,8 +334,7 @@
       ansible.builtin.lineinfile:
         dest: '{{ pam_file_path }}'
         insertafter: ^password.*requisite.*pam_pwquality\.so
-        line: password    {{ var_password_pam_remember_control_flag.split(",")[0]
-          }}    pam_pwhistory.so
+        line: password    {{ pam_module_control }}    pam_pwhistory.so
       register: result_pam_module_add
       when:
       - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
@@ -559,6 +563,11 @@
         when:
         - result_authselect_present.stat.exists
 
+      - name: 'Limit Password Reuse: password-auth - Define a fact for control already
+          filtered in case filters are used'
+        ansible.builtin.set_fact:
+          pam_module_control: ''
+
       - name: 'Limit Password Reuse: password-auth - Ensure the "remember" option
           from "pam_pwhistory.so" is not present in {{ pam_file_path }}'
         ansible.builtin.replace:
@@ -740,11 +749,16 @@
     when:
     - result_authselect_present.stat.exists
 
+  - name: 'Limit Password Reuse: password-auth - Define a fact for control already
+      filtered in case filters are used'
+    ansible.builtin.set_fact:
+      pam_module_control: requisite
+
   - name: 'Limit Password Reuse: password-auth - Check if expected PAM module line
       is present in {{ pam_file_path }}'
     ansible.builtin.lineinfile:
       path: '{{ pam_file_path }}'
-      regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*
+      regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
       state: absent
     check_mode: true
     changed_when: false
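Review bot: `pam_module_control: requisite` is hard-coded here, while the same fact earlier in this remediation is derived from `var_password_pam_remember_control_flag.split(",")[0]`. When the variable does not resolve to `requisite`, the `regexp` in this hunk will not match the line the earlier tasks wrote, and the following `replace` task (which fires when exactly one `pam_pwhistory.so` line exists) will overwrite that line's control with `requisite`. The two macro calls should take the same control value, as the Bash side of this rule should as well.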
@@ -769,7 +783,7 @@
       ansible.builtin.replace:
         dest: '{{ pam_file_path }}'
         regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
-        replace: \1requisite \2
+        replace: \1{{ pam_module_control }} \2
       register: result_pam_module_edit
       when:
       - result_pam_line_other_control_present.found == 1
@@ -778,7 +792,7 @@
         line is included in {{ pam_file_path }}'
       ansible.builtin.lineinfile:
         dest: '{{ pam_file_path }}'
-        line: password    requisite    pam_pwhistory.so
+        line: password    {{ pam_module_control }}    pam_pwhistory.so
       register: result_pam_module_add
       when:
       - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
@@ -797,38 +811,45 @@
     - result_pam_line_present.found is defined
     - result_pam_line_present.found == 0
 
+  - name: 'Limit Password Reuse: password-auth - Define a fact for control already
+      filtered in case filters are used'
+    ansible.builtin.set_fact:
+      pam_module_control: requisite
+
   - name: 'Limit Password Reuse: password-auth - Check if the required PAM module
       option is present in {{ pam_file_path }}'
     ansible.builtin.lineinfile:
       path: '{{ pam_file_path }}'
-      regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b
+      regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b
       state: absent
     check_mode: true
     changed_when: false
-    register: result_pam_module_remember_option_present
+    register: result_pam_module_accounts_password_pam_pwhistory_remember_password_auth_option_present
 
   - name: 'Limit Password Reuse: password-auth - Ensure the "remember" PAM option
       for "pam_pwhistory.so" is included in {{ pam_file_path }}'
     ansible.builtin.lineinfile:
       path: '{{ pam_file_path }}'
       backrefs: true
-      regexp: ^(\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so.*)
+      regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so.*)
       line: \1 remember={{ var_password_pam_remember }}
       state: present
-    register: result_pam_remember_add
-    when:
-    - result_pam_module_remember_option_present.found == 0
+    register: result_pam_accounts_password_pam_pwhistory_remember_password_auth_add
+    when:
+    - result_pam_module_accounts_password_pam_pwhistory_remember_password_auth_option_present.found
+      == 0
 
   - name: 'Limit Password Reuse: password-auth - Ensure the required value for "remember"
       PAM option from "pam_pwhistory.so" in {{ pam_file_path }}'
     ansible.builtin.lineinfile:
       path: '{{ pam_file_path }}'
       backrefs: true
-      regexp: ^(\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
+      regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
       line: \1\2={{ var_password_pam_remember }} \3
-    register: result_pam_remember_edit
-    when:
-    - result_pam_module_remember_option_present.found > 0
+    register: result_pam_accounts_password_pam_pwhistory_remember_password_auth_edit
+    when:
+    - result_pam_module_accounts_password_pam_pwhistory_remember_password_auth_option_present.found
+      > 0
 
   - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
     ansible.builtin.command:
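Review bot: the new register names (`result_pam_module_accounts_password_pam_pwhistory_remember_password_auth_option_present`) are unique per rule, which is the point, but they are long enough that the YAML emitter wraps the `when:` conditions so that `== 0` and `> 0` land on their own lines. A shorter scheme (rule id plus a one-word suffix such as `_opt_present` / `_opt_add` / `_opt_edit`) would keep the conditions readable on one line without losing uniqueness.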

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
@@ -8,7 +8,7 @@
 var_password_pam_remember_control_flag="$(echo $var_password_pam_remember_control_flag | cut -d \, -f 1)"
 
 if [ -f /usr/bin/authselect ]; then
-    if authselect list-features minimal | grep -q with-pwhistory; then
+    if authselect list-features sssd | grep -q with-pwhistory; then
         if ! authselect check; then
         echo "
         authselect integrity check failed. Remediation aborted!
@@ -50,33 +50,33 @@
         PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
 
         authselect apply-changes -b
-        if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
+        if ! grep -qP "^\s*password\s+$var_password_pam_remember_control_flag\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then
             # Line matching group + control + module was not found. Check group + module.
             if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
                 # The control is updated only if one single line matches.
-                sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "$PAM_FILE_PATH"
+                sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1$var_password_pam_remember_control_flag \2/" "$PAM_FILE_PATH"
             else
                 LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
                 if [ ! -z $LAST_MATCH_LINE ]; then
-                    sed -i --follow-symlinks $LAST_MATCH_LINE' a password     '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' "$PAM_FILE_PATH"
+                    sed -i --follow-symlinks $LAST_MATCH_LINE" a password     $var_password_pam_remember_control_flag    pam_pwhistory.so" "$PAM_FILE_PATH"
                 else
-                    echo 'password    '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' >> "$PAM_FILE_PATH"
+                    echo "password    $var_password_pam_remember_control_flag    pam_pwhistory.so" >> "$PAM_FILE_PATH"
                 fi
             fi
         fi
     fi
 else
-    if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/system-auth"; then
+    if ! grep -qP "^\s*password\s+$var_password_pam_remember_control_flag\s+pam_pwhistory.so\s*.*" "/etc/pam.d/system-auth"; then
         # Line matching group + control + module was not found. Check group + module.
         if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then
             # The control is updated only if one single line matches.
-            sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "/etc/pam.d/system-auth"
+            sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1$var_password_pam_remember_control_flag \2/" "/etc/pam.d/system-auth"
         else
             LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/system-auth" | tail -n 1 | cut -d: -f 1)
             if [ ! -z $LAST_MATCH_LINE ]; then
-                sed -i --follow-symlinks $LAST_MATCH_LINE' a password     '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' "/etc/pam.d/system-auth"
+                sed -i --follow-symlinks $LAST_MATCH_LINE" a password     $var_password_pam_remember_control_flag    pam_pwhistory.so" "/etc/pam.d/system-auth"
             else
-                echo 'password    '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' >> "/etc/pam.d/system-auth"
+                echo "password    $var_password_pam_remember_control_flag    pam_pwhistory.so" >> "/etc/pam.d/system-auth"
             fi
         fi
     fi
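Review bot: `$var_password_pam_remember_control_flag` is interpolated unescaped into a PCRE pattern (the `grep -qP` in the `/etc/pam.d/system-auth` branch) and into the `sed` `s///` expressions; a value containing `/`, `&`, `[` or `\` (for example a bracketed control such as `[success=1 default=ignore]`) would break the match or the substitution instead of being handled literally. Since the macro is being opened up to variables, an allowlist check before the first use, such as `case "$var_password_pam_remember_control_flag" in required|requisite|sufficient|optional) ;; *) echo "unsupported PAM control" >&2; exit 1;; esac`, would fail closed rather than write a malformed PAM line (if bracketed controls must be accepted, escape the value for sed instead). The Ansible counterpart in this same diff derives its control from `var_password_pam_remember_control_flag.split(",")[0]`, while this bash code uses the whole value; if the variable may carry a comma-separated list, the two remediations diverge.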
@@ -125,8 +125,8 @@
             authselect apply-changes -b
         fi
         
-    if grep -qP '^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b' "$PAM_FILE_PATH"; then
-        sed -i -E --follow-symlinks 's/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+    if grep -qP "^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b" "$PAM_FILE_PATH"; then
+        sed -i -E --follow-symlinks "s/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
     fi
         if [ -f /usr/bin/authselect ]; then
             
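Review bot: the two edited lines in this hunk contain no variable, so moving them from single to double quotes changes nothing functionally but widens what the shell interprets: inside double quotes `$`, backticks and a backslash before them are live, so a later edit to the pattern (an end-of-line `$` anchor in front of `{`, `(` or a letter, say) would be expanded silently. Keep static `grep`/`sed` expressions in single quotes and use double quotes only where a variable is actually interpolated. Separately, this `if`/`fi` block sits at 4-space indentation between a `fi` and an `if` at 8 spaces; aligning it in the macro would make the generated script read consistently.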
@@ -168,20 +168,20 @@
 
         authselect apply-changes -b
     fi
-    if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
+    if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then
         # Line matching group + control + module was not found. Check group + module.
         if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
             # The control is updated only if one single line matches.
-            sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
+            sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1requisite \2/" "$PAM_FILE_PATH"
         else
-            echo 'password    '"requisite"'    pam_pwhistory.so' >> "$PAM_FILE_PATH"
+            echo "password    requisite    pam_pwhistory.so" >> "$PAM_FILE_PATH"
         fi
     fi
     # Check the option
-    if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*\sremember\b' "$PAM_FILE_PATH"; then
-        sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_remember"'/' "$PAM_FILE_PATH"
+    if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*\sremember\b" "$PAM_FILE_PATH"; then
+        sed -i -E --follow-symlinks "/\s*password\s+requisite\s+pam_pwhistory.so.*/ s/$/ remember=$var_password_pam_remember/" "$PAM_FILE_PATH"
     else
-        sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_remember"' \3/' "$PAM_FILE_PATH"
+        sed -i -E --follow-symlinks "s/(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember=)[[:alnum:]]+\s*(.*)/\1\2$var_password_pam_remember \3/" "$PAM_FILE_PATH"
     fi
     if [ -f /usr/bin/authselect ]; then
         
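Review bot: the `s/$/ remember=$var_password_pam_remember/` expression is now inside double quotes and only works because `$/` is not a valid parameter reference, so bash leaves the `$` anchor alone; that is fragile and easy to break on the next edit. Either escape it as `\$` or keep the anchor in a single-quoted segment. In the same line the value of `var_password_pam_remember` goes into the sed expression unescaped, so a non-numeric value containing `/` or `&` would corrupt the substitution; a numeric check ahead of the block, for example `case "$var_password_pam_remember" in ''|*[!0-9]*) echo "remember must be numeric" >&2; exit 1;; esac`, would abort instead of writing a broken `pam_pwhistory.so` line.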

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
@@ -51,7 +51,7 @@
 
 - name: 'Limit Password Reuse: system-auth - Collect the available authselect features'
   ansible.builtin.command:
-    cmd: authselect list-features minimal
+    cmd: authselect list-features sssd
   register: result_authselect_available_features
   changed_when: false
   when:
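Review bot: the switch from `authselect list-features minimal` to `authselect list-features sssd` is a behaviour change not covered by the PR description, which only talks about variable handling in the macros; please state the reason in the description or commit message. Querying the features of a hard-coded profile also says nothing about the profile actually applied on the host; the bash remediation for the same rule already works from `$CURRENT_PROFILE`, so deriving the profile name from `authselect current` here would keep both remediations consistent.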
@@ -289,12 +289,17 @@
     when:
     - result_authselect_present.stat.exists
 
+  - name: 'Limit Password Reuse: system-auth - Define a fact for control already filtered
+      in case filters are used'
+    ansible.builtin.set_fact:
+      pam_module_control: '{{ var_password_pam_remember_control_flag.split(",")[0]
+        }}'
+
   - name: 'Limit Password Reuse: system-auth - Check if expected PAM module line is
       present in {{ pam_file_path }}'
     ansible.builtin.lineinfile:
       path: '{{ pam_file_path }}'
-      regexp: ^\s*password\s+{{ '{{ var_password_pam_remember_control_flag.split(",")[0]
-        }}' | regex_escape() }}\s+pam_pwhistory.so\s*.*
+      regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
       state: absent
     check_mode: true
     changed_when: false
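Review bot: `pam_module_control` is created with `set_fact`, which makes it a host fact for the rest of the play under a generic name, while the registered results further down in this file are renamed with a rule-specific suffix (`result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present`) precisely to avoid cross-rule collisions. When several PAM rules are concatenated into one playbook, every reader of `pam_module_control` relies on the `set_fact` immediately before it having run; a rule-prefixed fact name, or a task-level `vars:` entry on the tasks that consume it, would remove that ordering dependency. The `.split(",")[0]` also silently drops everything after the first comma; if comma-separated controls are an accepted form of this variable, that should be documented with the variable.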
@@ -319,7 +324,7 @@
       ansible.builtin.replace:
         dest: '{{ pam_file_path }}'
         regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
-        replace: \1{{ var_password_pam_remember_control_flag.split(",")[0] }} \2
+        replace: \1{{ pam_module_control }} \2
       register: result_pam_module_edit
       when:
       - result_pam_line_other_control_present.found == 1
@@ -329,8 +334,7 @@
       ansible.builtin.lineinfile:
         dest: '{{ pam_file_path }}'
         insertafter: ^password.*requisite.*pam_pwquality\.so
-        line: password    {{ var_password_pam_remember_control_flag.split(",")[0]
-          }}    pam_pwhistory.so
+        line: password    {{ pam_module_control }}    pam_pwhistory.so
       register: result_pam_module_add
       when:
       - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
@@ -559,6 +563,11 @@
         when:
         - result_authselect_present.stat.exists
 
+      - name: 'Limit Password Reuse: system-auth - Define a fact for control already
+          filtered in case filters are used'
+        ansible.builtin.set_fact:
+          pam_module_control: ''
+
       - name: 'Limit Password Reuse: system-auth - Ensure the "remember" option from
           "pam_pwhistory.so" is not present in {{ pam_file_path }}'
         ansible.builtin.replace:
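Review bot: the new `set_fact` in this hunk sets `pam_module_control: ''`, but the task that follows (removing the `remember` option with `ansible.builtin.replace`) does not reference it, so the generated playbook gains a task with no effect. If the macro always emits the fact definition, consider emitting it only when a control value is actually passed, or move the definition next to the tasks that consume it.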
@@ -739,11 +748,16 @@
     when:
     - result_authselect_present.stat.exists
 
+  - name: 'Limit Password Reuse: system-auth - Define a fact for control already filtered
+      in case filters are used'
+    ansible.builtin.set_fact:
+      pam_module_control: requisite
+
   - name: 'Limit Password Reuse: system-auth - Check if expected PAM module line is
       present in {{ pam_file_path }}'
     ansible.builtin.lineinfile:
       path: '{{ pam_file_path }}'
-      regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*
+      regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
       state: absent
     check_mode: true
     changed_when: false
@@ -768,7 +782,7 @@
       ansible.builtin.replace:
         dest: '{{ pam_file_path }}'
         regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
-        replace: \1requisite \2
+        replace: \1{{ pam_module_control }} \2
       register: result_pam_module_edit
       when:
       - result_pam_line_other_control_present.found == 1
@@ -777,7 +791,7 @@
         is included in {{ pam_file_path }}'
       ansible.builtin.lineinfile:
         dest: '{{ pam_file_path }}'
-        line: password    requisite    pam_pwhistory.so
+        line: password    {{ pam_module_control }}    pam_pwhistory.so
       register: result_pam_module_add
       when:
       - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
@@ -796,38 +810,45 @@
     - result_pam_line_present.found is defined
     - result_pam_line_present.found == 0
 
+  - name: 'Limit Password Reuse: system-auth - Define a fact for control already filtered
+      in case filters are used'
+    ansible.builtin.set_fact:
+      pam_module_control: requisite
+
   - name: 'Limit Password Reuse: system-auth - Check if the required PAM module option
       is present in {{ pam_file_path }}'
     ansible.builtin.lineinfile:
       path: '{{ pam_file_path }}'
-      regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b
+      regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b
       state: absent
     check_mode: true
     changed_when: false
-    register: result_pam_module_remember_option_present
+    register: result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present
 
   - name: 'Limit Password Reuse: system-auth - Ensure the "remember" PAM option for
       "pam_pwhistory.so" is included in {{ pam_file_path }}'
     ansible.builtin.lineinfile:
       path: '{{ pam_file_path }}'
       backrefs: true
-      regexp: ^(\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so.*)
+      regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so.*)
       line: \1 remember={{ var_password_pam_remember }}
       state: present
-    register: result_pam_remember_add
-    when:
-    - result_pam_module_remember_option_present.found == 0
+    register: result_pam_accounts_password_pam_pwhistory_remember_system_auth_add
+    when:
+    - result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present.found
+      == 0
 
   - name: 'Limit Password Reuse: system-auth - Ensure the required value for "remember"
       PAM option from "pam_pwhistory.so" in {{ pam_file_path }}'
     ansible.builtin.lineinfile:
       path: '{{ pam_file_path }}'
       backrefs: true
-      regexp: ^(\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
+      regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
       line: \1\2={{ var_password_pam_remember }} \3
-    register: result_pam_remember_edit
-    when:
-    - result_pam_module_remember_option_present.found > 0
+    register: result_pam_accounts_password_pam_pwhistory_remember_system_auth_edit
+    when:
+    - result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present.found
+      > 0
 
   - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
     ansible.builtin.command:
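Review bot: `pam_module_control: requisite` is defined again here although the preceding hunk already set it to the same value for this rule; harmless, but it suggests the macro emits the fact per invocation rather than once per rule. The rule-specific register names are now long enough that the `when:` expressions wrap across lines (`- result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present.found` followed by `== 0` on the next line); YAML folds the plain scalar correctly, but a quoted one-line condition or a shorter suffix would be easier to read and to grep for.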

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
@@ -9,7 +9,7 @@
 
 
 if [ -f /usr/bin/authselect ]; then
-    if authselect list-features minimal | grep -q with-pwhistory; then
+    if authselect list-features sssd | grep -q with-pwhistory; then
         if ! authselect check; then
         echo "
         authselect integrity check failed. Remediation aborted!
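Review bot: `authselect list-features sssd | grep -q with-pwhistory` gates the whole pwhistory remediation on the feature list of a hard-coded profile; if the host's applied profile is not `sssd`, the test does not reflect what is in use, and if that profile is not installed the command produces nothing, `grep -q` fails and the `if` body is skipped without any message. The script already determines `$CURRENT_PROFILE` for `PAM_FILE_PATH` a few lines later, so using that profile name here would make the gate and the edit refer to the same profile, and a short error message on the skipped path would make the outcome visible.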
@@ -51,33 +51,33 @@
         PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
 
         authselect apply-changes -b
-        if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
+        if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then
             # Line matching group + control + module was not found. Check group + module.
             if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
                 # The control is updated only if one single line matches.
-                sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
+                sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1requisite \2/" "$PAM_FILE_PATH"
             else
                 LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
                 if [ ! -z $LAST_MATCH_LINE ]; then
-                    sed -i --follow-symlinks $LAST_MATCH_LINE' a password     '"requisite"'    pam_pwhistory.so' "$PAM_FILE_PATH"
+                    sed -i --follow-symlinks $LAST_MATCH_LINE" a password     requisite    pam_pwhistory.so" "$PAM_FILE_PATH"
                 else
-                    echo 'password    '"requisite"'    pam_pwhistory.so' >> "$PAM_FILE_PATH"
+                    echo "password    requisite    pam_pwhistory.so" >> "$PAM_FILE_PATH"
                 fi
             fi
         fi
     fi
 else
-    if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/system-auth"; then
+    if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "/etc/pam.d/system-auth"; then
         # Line matching group + control + module was not found. Check group + module.
         if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then
             # The control is updated only if one single line matches.
-            sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "/etc/pam.d/system-auth"
+            sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1requisite \2/" "/etc/pam.d/system-auth"
         else
             LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/system-auth" | tail -n 1 | cut -d: -f 1)
             if [ ! -z $LAST_MATCH_LINE ]; then
-                sed -i --follow-symlinks $LAST_MATCH_LINE' a password     '"requisite"'    pam_pwhistory.so' "/etc/pam.d/system-auth"
+                sed -i --follow-symlinks $LAST_MATCH_LINE" a password     requisite    pam_pwhistory.so" "/etc/pam.d/system-auth"
             else
-                echo 'password    '"requisite"'    pam_pwhistory.so' >> "/etc/pam.d/system-auth"
+                echo "password    requisite    pam_pwhistory.so" >> "/etc/pam.d/system-auth"
             fi
         fi
     fi
@@ -126,8 +126,8 @@
             authselect apply-changes -b
         fi
         
-    if grep -qP '^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b' "$PAM_FILE_PATH"; then
-        sed -i -E --follow-symlinks 's/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+    if grep -qP "^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b" "$PAM_FILE_PATH"; then
+        sed -i -E --follow-symlinks "s/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
     fi
         if [ -f /usr/bin/authselect ]; then
             
@@ -169,20 +169,20 @@
 
         authselect apply-changes -b
     fi
-    if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
+    if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then
         # Line matching group + control + module was not found. Check group + module.
         if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
             # The control is updated only if one single line matches.
-            sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
+            sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1requisite \2/" "$PAM_FILE_PATH"
         else
-            echo 'password    '"requisite"'    pam_pwhistory.so' >> "$PAM_FILE_PATH"
+            echo "password    requisite    pam_pwhistory.so" >> "$PAM_FILE_PATH"
         fi
     fi
     # Check the option
-    if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*\sremember\b' "$PAM_FILE_PATH"; then
-        sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_unix_remember"'/' "$PAM_FILE_PATH"
+    if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*\sremember\b" "$PAM_FILE_PATH"; then
+        sed -i -E --follow-symlinks "/\s*password\s+requisite\s+pam_pwhistory.so.*/ s/$/ remember=$var_password_pam_unix_remember/" "$PAM_FILE_PATH"
     else
-        sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_unix_remember"' \3/' "$PAM_FILE_PATH"
+        sed -i -E --follow-symlinks "s/(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember=)[[:alnum:]]+\s*(.*)/\1\2$var_password_pam_unix_remember \3/" "$PAM_FILE_PATH"
     fi
     if [ -f /usr/bin/authselect ]; then
         

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
@@ -43,7 +43,7 @@
 
 - name: Limit Password Reuse - Collect the available authselect features
   ansible.builtin.command:
-    cmd: authselect list-features minimal
+    cmd: authselect list-features sssd
   register: result_authselect_available_features
   changed_when: false
   when:
@@ -271,11 +271,16 @@
     when:
     - result_authselect_present.stat.exists
 
+  - name: Limit Password Reuse - Define a fact for control already filtered in case
+      filters are used
+    ansible.builtin.set_fact:
+      pam_module_control: requisite
+
   - name: Limit Password Reuse - Check if expected PAM module line is present in {{
       pam_file_path }}
     ansible.builtin.lineinfile:
       path: '{{ pam_file_path }}'
-      regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*
+      regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
       state: absent
     check_mode: true
     changed_when: false
@@ -300,7 +305,7 @@
       ansible.builtin.replace:
         dest: '{{ pam_file_path }}'
         regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
-        replace: \1requisite \2
+        replace: \1{{ pam_module_control }} \2
       register: result_pam_module_edit
       when:
       - result_pam_line_other_control_present.found == 1
@@ -310,7 +315,7 @@
       ansible.builtin.lineinfile:
         dest: '{{ pam_file_path }}'
         insertafter: ^password.*requisite.*pam_pwquality\.so
-        line: password    requisite    pam_pwhistory.so
+        line: password    {{ pam_module_control }}    pam_pwhistory.so
       register: result_pam_module_add
       when:
       - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
@@ -529,6 +534,11 @@
         when:
         - result_authselect_present.stat.exists
 
+      - name: Limit Password Reuse - Define a fact for control already filtered in
+          case filters are used
+        ansible.builtin.set_fact:
+          pam_module_control: ''
+
       - name: Limit Password Reuse - Ensure the "remember" option from "pam_pwhistory.so"
           is not present in {{ pam_file_path }}
         ansible.builtin.replace:
@@ -702,11 +712,16 @@
     when:
     - result_authselect_present.stat.exists
 
+  - name: Limit Password Reuse - Define a fact for control already filtered in case
+      filters are used
+    ansible.builtin.set_fact:
+      pam_module_control: requisite
+
   - name: Limit Password Reuse - Check if expected PAM module line is present in {{
       pam_file_path }}
     ansible.builtin.lineinfile:
       path: '{{ pam_file_path }}'
-      regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*
+      regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
       state: absent
     check_mode: true
     changed_when: false
@@ -731,7 +746,7 @@
       ansible.builtin.replace:
         dest: '{{ pam_file_path }}'
         regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
-        replace: \1requisite \2
+        replace: \1{{ pam_module_control }} \2
       register: result_pam_module_edit
       when:
       - result_pam_line_other_control_present.found == 1
@@ -740,7 +755,7 @@
         in {{ pam_file_path }}
       ansible.builtin.lineinfile:
         dest: '{{ pam_file_path }}'
-        line: password    requisite    pam_pwhistory.so
+        line: password    {{ pam_module_control }}    pam_pwhistory.so
       register: result_pam_module_add
       when:
       - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
@@ -759,38 +774,45 @@
     - result_pam_line_present.found is defined
     - result_pam_line_present.found == 0
 
+  - name: Limit Password Reuse - Define a fact for control already filtered in case
+      filters are used
+    ansible.builtin.set_fact:
+      pam_module_control: requisite
+
   - name: Limit Password Reuse - Check if the required PAM module option is present
       in {{ pam_file_path }}
     ansible.builtin.lineinfile:
       path: '{{ pam_file_path }}'
-      regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b
+      regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b
       state: absent
     check_mode: true
     changed_when: false
-    register: result_pam_module_remember_option_present
+    register: result_pam_module_accounts_password_pam_unix_remember_option_present
 
   - name: Limit Password Reuse - Ensure the "remember" PAM option for "pam_pwhistory.so"
       is included in {{ pam_file_path }}
     ansible.builtin.lineinfile:
       path: '{{ pam_file_path }}'
       backrefs: true
-      regexp: ^(\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so.*)
+      regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so.*)
       line: \1 remember={{ var_password_pam_unix_remember }}
       state: present
-    register: result_pam_remember_add
-    when:
-    - result_pam_module_remember_option_present.found == 0
+    register: result_pam_accounts_password_pam_unix_remember_add
+    when:
+    - result_pam_module_accounts_password_pam_unix_remember_option_present.found ==
+      0
 
   - name: Limit Password Reuse - Ensure the required value for "remember" PAM option
       from "pam_pwhistory.so" in {{ pam_file_path }}
     ansible.builtin.lineinfile:
       path: '{{ pam_file_path }}'
       backrefs: true
-      regexp: ^(\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
+      regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
       line: \1\2={{ var_password_pam_unix_remember }} \3
-    register: result_pam_remember_edit
-    when:
-    - result_pam_module_remember_option_present.found > 0
+    register: result_pam_accounts_password_pam_unix_remember_edit
+    when:
+    - result_pam_module_accounts_password_pam_unix_remember_option_present.found >
+      0
 
   - name: Limit Password Reuse - Ensure authselect changes are applied
     ansible.builtin.command:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
@@ -73,8 +73,8 @@
                 authselect apply-changes -b
             fi
             
-        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\baudit\b' "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\baudit\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+        if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\baudit\b" "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\baudit\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
         fi
             if [ -f /usr/bin/authselect ]; then
                 
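Review bot: both changed lines here are static (no `$var` is interpolated), so the move to double quotes is a no-op for the `audit` option and only makes the `\b` and `\1\2` sequences depend on bash leaving unknown backslash escapes untouched inside double quotes; single quotes were the safer form for a fixed sed script. The `if`/`fi` pair is also indented at 8 spaces between surrounding lines at 12, so the macro emitting this block appears to lose one indentation level; aligning it would make the generated remediation easier to review.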

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
@@ -340,6 +340,11 @@
       when:
       - result_authselect_present.stat.exists
 
+    - name: Account Lockouts Must Be Logged - Define a fact for control already filtered
+        in case filters are used
+      ansible.builtin.set_fact:
+        pam_module_control: ''
+
     - name: Account Lockouts Must Be Logged - Ensure the "audit" option from "pam_faillock.so"
         is not present in {{ pam_file_path }}
       ansible.builtin.replace:
@@ -507,6 +512,11 @@
       when:
       - result_authselect_present.stat.exists
 
+    - name: Account Lockouts Must Be Logged - Define a fact for control already filtered
+        in case filters are used
+      ansible.builtin.set_fact:
+        pam_module_control: ''
+
     - name: Account Lockouts Must Be Logged - Ensure the "audit" option from "pam_faillock.so"
         is not present in {{ pam_file_path }}
       ansible.builtin.replace:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -78,8 +78,8 @@
                 authselect apply-changes -b
             fi
             
-        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdeny\b' "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdeny\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+        if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\bdeny\b" "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\bdeny\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
         fi
             if [ -f /usr/bin/authselect ]; then
                 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -392,6 +392,11 @@
       when:
       - result_authselect_present.stat.exists
 
+    - name: Lock Accounts After Failed Password Attempts - Define a fact for control
+        already filtered in case filters are used
+      ansible.builtin.set_fact:
+        pam_module_control: ''
+
     - name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option
         from "pam_faillock.so" is not present in {{ pam_file_path }}
       ansible.builtin.replace:
@@ -564,6 +569,11 @@
       when:
       - result_authselect_present.stat.exists
 
+    - name: Lock Accounts After Failed Password Attempts - Define a fact for control
+        already filtered in case filters are used
+      ansible.builtin.set_fact:
+        pam_module_control: ''
+
     - name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option
         from "pam_faillock.so" is not present in {{ pam_file_path }}
       ansible.builtin.replace:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
@@ -73,8 +73,8 @@
                 authselect apply-changes -b
             fi
             
-        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\beven_deny_root\b' "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+        if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\beven_deny_root\b" "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
         fi
             if [ -f /usr/bin/authselect ]; then
                 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
@@ -370,6 +370,11 @@
       when:
       - result_authselect_present.stat.exists
 
+    - name: Configure the root Account for Failed Password Attempts - Define a fact
+        for control already filtered in case filters are used
+      ansible.builtin.set_fact:
+        pam_module_control: ''
+
     - name: Configure the root Account for Failed Password Attempts - Ensure the "even_deny_root"
         option from "pam_faillock.so" is not present in {{ pam_file_path }}
       ansible.builtin.replace:
@@ -542,6 +547,11 @@
       when:
       - result_authselect_present.stat.exists
 
+    - name: Configure the root Account for Failed Password Attempts - Define a fact
+        for control already filtered in case filters are used
+      ansible.builtin.set_fact:
+        pam_module_control: ''
+
     - name: Configure the root Account for Failed Password Attempts - Ensure the "even_deny_root"
         option from "pam_faillock.so" is not present in {{ pam_file_path }}
       ansible.builtin.replace:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
@@ -78,8 +78,8 @@
                 authselect apply-changes -b
             fi
             
-        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdir\b' "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdir\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+        if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\bdir\b" "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\bdir\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
         fi
             if [ -f /usr/bin/authselect ]; then
                 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
@@ -366,6 +366,11 @@
       when:
       - result_authselect_present.stat.exists
 
+    - name: Lock Accounts Must Persist - Define a fact for control already filtered
+        in case filters are used
+      ansible.builtin.set_fact:
+        pam_module_control: ''
+
     - name: Lock Accounts Must Persist - Ensure the "dir" option from "pam_faillock.so"
         is not present in {{ pam_file_path }}
       ansible.builtin.replace:
@@ -530,6 +535,11 @@
       when:
       - result_authselect_present.stat.exists
 
+    - name: Lock Accounts Must Persist - Define a fact for control already filtered
+        in case filters are used
+      ansible.builtin.set_fact:
+        pam_module_control: ''
+
     - name: Lock Accounts Must Persist - Ensure the "dir" option from "pam_faillock.so"
         is not present in {{ pam_file_path }}
       ansible.builtin.replace:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
@@ -73,8 +73,8 @@
                 authselect apply-changes -b
             fi
             
-        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\blocal_users_only\b' "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\blocal_users_only\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+        if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\blocal_users_only\b" "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\blocal_users_only\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
         fi
             if [ -f /usr/bin/authselect ]; then
                 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
@@ -351,6 +351,11 @@
       when:
       - result_authselect_present.stat.exists
 
+    - name: Enforce pam_faillock for Local Accounts Only - Define a fact for control
+        already filtered in case filters are used
+      ansible.builtin.set_fact:
+        pam_module_control: ''
+
     - name: Enforce pam_faillock for Local Accounts Only - Ensure the "local_users_only"
         option from "pam_faillock.so" is not present in {{ pam_file_path }}
       ansible.builtin.replace:
@@ -523,6 +528,11 @@
       when:
       - result_authselect_present.stat.exists
 
+    - name: Enforce pam_faillock for Local Accounts Only - Define a fact for control
+        already filtered in case filters are used
+      ansible.builtin.set_fact:
+        pam_module_control: ''
+
     - name: Enforce pam_faillock for Local Accounts Only - Ensure the "local_users_only"
         option from "pam_faillock.so" is not present in {{ pam_file_path }}
       ansible.builtin.replace:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
@@ -78,8 +78,8 @@
                 authselect apply-changes -b
             fi
             
-        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bfail_interval\b' "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bfail_interval\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+        if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\bfail_interval\b" "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\bfail_interval\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
         fi
             if [ -f /usr/bin/authselect ]; then
                 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
@@ -375,6 +375,11 @@
       when:
       - result_authselect_present.stat

... The diff is trimmed here ...

github-actions bot commented Jul 5, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12133
This image was built from commit: c1e2d24

Click here to see how to deploy it

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12133

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12133 make deploy-local

@marcusburghardt marcusburghardt marked this pull request as draft July 8, 2024 08:33
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jul 8, 2024
@marcusburghardt
Member Author

I moved it to draft while I investigate the issues reported in CI tests.

There may be cases where variables are passed to these macros. In this
case the variables can now be resolved.

Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
When the option parameter is passed as an Ansible variable, the
resulting Playbook will break. Now the registers are not impacted by the
format of the parameters.

Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
For the remove_pam_module_option_configuration macro an empty control
argument is already treated by the macro.

Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
There are PAM-related rules where more than one control is allowed for
a specific PAM module. In this case, an Ansible variable is passed to
the macro including filters, such as in rule
accounts_password_pam_pwhistory_remember_password_auth. The respective
macros were updated to properly deal with these cases.
Change in Ansible shell module found.

Please consider using a more suitable Ansible module than shell if possible.

The minimal profile is not present in containers, for example. On the
other hand, the sssd profile is already used in many test scenarios and
seems to be present both in containers and VMs used in CI tests.
It will be replaced by a profile called local. But the sssd profile will
continue there and therefore will be used to check the available
authselect features. It doesn't affect the existing rules since used
features are part of both profiles.
https://fedoramagazine.org/authselect-in-fedora-linux-40-migrating-to-the-new-local-profile/

Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
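
The Bash side of what the commit messages above describe, rebuilt as an added example that is not ComplianceAsCode code: a small remediation helper in which the PAM type, module, option name, value and target file all arrive as shell variables, so the grep and sed patterns have to be double-quoted, and the interpolated parts are escaped so that a value containing `/` or a regex metacharacter (the `dir=/var/run/faillock` case) is removed whole instead of leaving a stray token. The PAM file content is constructed for the demo and written to a temporary directory rather than /etc/pam.d/; the function names (`make_sample_pam_file`, `regex_escape`, `repl_escape`, `remove_pam_option`, `set_pam_option`, `demo`) are this example's own and not the project's macros.

```shell
#!/bin/bash
# Added example, not ComplianceAsCode content: remove or set an option on a PAM
# module line when type, module, option, value and file path are all variables.
set -eu

# Constructed /etc/pam.d/password-auth style sample. The caller picks the path
# (a temp dir in the demo; real files live under /etc/pam.d/).
make_sample_pam_file() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent dir=/var/run/faillock deny=3 fail_interval=900
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail dir=/var/run/faillock deny=3
account     required      pam_faillock.so
EOF
}

# Escape text for the pattern side of an ERE, including '#', the sed delimiter
# used below ('/' is avoided because option values such as dir= are paths).
regex_escape() {
    printf '%s' "$1" | sed -e 's/[].[*^$+?(){}|#\\]/\\&/g'
}

# Escape text for the replacement side of sed ('&', '\' and the delimiter).
repl_escape() {
    printf '%s' "$1" | sed -e 's/[&#\\]/\\&/g'
}

# remove_pam_option TYPE MODULE OPTION FILE
# Drops "OPTION" or "OPTION=value" from every TYPE line that loads MODULE.
# "=[^[:space:]]*" (rather than "=?[[:alnum:]]*") consumes a path value like
# /var/run/faillock; the trailing "([[:space:]]|$)" stops "dir" from matching
# the prefix of "dir_other". The patterns must be double-quoted because they
# are built from variables; bash leaves "\1" and "\3" untouched in double quotes.
remove_pam_option() {
    local pam_type="$1" module="$2" option="$3" file="$4"
    local t m o
    t=$(regex_escape "$pam_type")
    m=$(regex_escape "$module")
    o=$(regex_escape "$option")
    # grep guard: do not rewrite the file when there is nothing to remove.
    if grep -qE "^[[:space:]]*${t}[[:space:]].*[[:space:]]${m}.*[[:space:]]${o}(=[^[:space:]]*)?([[:space:]]|\$)" "$file"; then
        # --follow-symlinks: on authselect systems /etc/pam.d entries are
        # symlinks into /etc/authselect; plain -i would replace the link.
        sed -i -E --follow-symlinks \
            "s#^([[:space:]]*${t}[[:space:]].*[[:space:]]${m}.*)[[:space:]]${o}(=[^[:space:]]*)?([[:space:]]|\$)#\1\3#" \
            "$file"
    fi
}

# set_pam_option TYPE MODULE OPTION VALUE FILE
# Removes any existing OPTION, then appends "OPTION=VALUE" to each matching line.
set_pam_option() {
    local pam_type="$1" module="$2" option="$3" value="$4" file="$5"
    local t m o v
    remove_pam_option "$pam_type" "$module" "$option" "$file"
    t=$(regex_escape "$pam_type")
    m=$(regex_escape "$module")
    o=$(repl_escape "$option")
    v=$(repl_escape "$value")
    sed -i -E --follow-symlinks \
        "s#^([[:space:]]*${t}[[:space:]].*[[:space:]]${m}([[:space:]].*)?)\$#\1 ${o}=${v}#" \
        "$file"
}

# Demo: the steps a remediation would run, against the constructed sample.
demo() {
    local dir file
    dir=$(mktemp -d)
    file="$dir/password-auth"
    make_sample_pam_file "$file"
    remove_pam_option auth pam_faillock.so dir "$file"             # path value
    set_pam_option auth pam_faillock.so fail_interval 900 "$file"   # replace existing
    cat "$file"
    rm -rf "$dir"
}

demo
```

On an authselect-managed host the generated remediation branches on `/usr/bin/authselect` (visible in the hunk context above) and works through the selected profile rather than editing the symlinked files in /etc/pam.d directly; the helper above shows only the file-editing branch, which is why it keeps `--follow-symlinks`.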
@marcusburghardt marcusburghardt added the enhancement General enhancements to the project. label Jul 12, 2024
@marcusburghardt marcusburghardt marked this pull request as ready for review July 12, 2024 10:43
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jul 12, 2024
Change in Ansible shell module found.

Please consider using a more suitable Ansible module than shell if possible.

codeclimate bot commented Jul 12, 2024

Code Climate has analyzed commit c1e2d24 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

@jan-cerny jan-cerny self-assigned this Jul 15, 2024
Collaborator

@jan-cerny jan-cerny left a comment

I have run some Automatus test scenarios with both Bash and Ansible and they all look fine.

I love the great commit messages.

- name: '{{{ rule_title }}} - Define a fact for control already filtered in case filters are used'
  ansible.builtin.set_fact:
    pam_module_control: '{{{ control }}}'

- name: '{{{ rule_title }}} - Check if expected PAM module line is present in {{{ pam_file }}}'
Collaborator

I am not sure if it's a problem but in build/rhel8/fixes/ansible/accounts_password_pam_pwhistory_remember_password_auth.yml this gets translated to

754   - name: 'Limit Password Reuse: password-auth - Check if expected PAM module line
755       is present in {{ pam_file_path }}'

Is it fine?

Member Author

Yes, the Ansible variable will be translated during the Playbook execution.

Collaborator

thanks

@jan-cerny jan-cerny merged commit b8d9d10 into ComplianceAsCode:master Jul 16, 2024
90 of 94 checks passed
@marcusburghardt marcusburghardt deleted the pam_macros_variables branch July 16, 2024 07:21
@marcusburghardt marcusburghardt added the Highlight This PR/Issue should make it to the featured changelog. label Jul 30, 2024
Labels
enhancement General enhancements to the project. Highlight This PR/Issue should make it to the featured changelog. refactoring Improvement which, once completed, will enable the project to progress faster.