ansible-role-rhel8-cis fails to apply with issues with "Limit Password Reuse: password-auth"
Description of problem:
TASK [RedHatOfficial.rhel8_cis : Limit Password Reuse: password-auth - Check if any custom profile with the same name was already created] *****************************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'authselect_current_profile is not match("custom/")' failed. The error was: error while evaluating conditional (authselect_current_profile is not match("custom/")): 'authselect_current_profile' is undefined. 'authselect_current_profile' is undefined\n\nThe error appears to be in '/root/.ansible/roles/RedHatOfficial.rhel8_cis/tasks/main.yml': line 2179, column 11, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n - authselect_current_profile is not match("custom/")\n - name: "Limit Password Reuse: password-auth - Check if any custom profile with the same name was already created"\n ^ here\nThis one looks easy to fix. It seems that there is a value started\nwith a quote, and the YAML parser is expecting to see the line ended\nwith the same kind of quote. For instance:\n\n when: "ok" in result.stdout\n\nCould be written as:\n\n when: '"ok" in result.stdout'\n\nOr equivalently:\n\n when: "'ok' in result.stdout"\n"}
SCAP Security Guide Version:
Latest version from GitHub
Operating System Version:
RHEL 8.8
Steps to Reproduce:
- execute command ansible-galaxy install RedHatOfficial.rhel8_cis
- create a basic playbook that contains the role:
    - hosts: all
      roles:
        - { role: RedHatOfficial.rhel8_cis }
- check playbook with command ansible-playbook -i "localhost," -c local --check playbook.yml
- Failure
Actual Results:
See error message above - command fails to execute due to an unset variable, but reading the YAML file it appears the variable should be set.
Expected Results:
Profile should apply without errors
Additional Information/Debugging Steps:
RedHatOfficial.rhel8_cis is currently aligned to 0.1.68 which includes many updates. Could you confirm the issue is resolved, please?
I have the same error on RedHat 8.8 and it is not resolved with 0.1.68
Thanks for the update. I will take a look at this.
I can reproduce this issue. The relevant rule here is accounts_password_pam_pwhistory_remember_password_auth.
I will investigate the cause.
The issue may be related to https://github.com/ComplianceAsCode/content/pull/11117 and https://github.com/ComplianceAsCode/content/issues/11104