Ansible remediation on Ubuntu looks for wrong PAM files
Description of problem:
Fatal error when executing ansible-playbook on Ubuntu 20.04 with ubuntu2004-playbook-stig.yml:
error while evaluating conditional (result_pam_faillock_is_enabled.found == 0): 'dict object' has no attribute 'found'
/etc/pam.d/system-auth does not exist, I think Ubuntu uses /etc/pam.d/common-auth instead?
/etc/pam.d/password-auth does not exist, I think Ubuntu uses /etc/pam.d/common-password instead?
SCAP Security Guide Version:
0.1.72
Operating System Version:
Ubuntu 20.04
Steps to Reproduce:
ansible-playbook -i localhost, -c local /opt/ssg/ansible/ubuntu2004-playbook-stig.yml
Actual Results:
TASK [Account Lockouts Must Be Logged - Check if pam_faillock.so is already enabled] **************************************************************************************************************************************************************
ok: [localhost]
TASK [Account Lockouts Must Be Logged - Enable pam_faillock.so preauth editing PAM files] *********************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'result_pam_faillock_is_enabled.found == 0' failed. The error was: error while evaluating conditional (result_pam_faillock_is_enabled.found == 0): 'dict object' has no attribute 'found'\n\nThe error appears to be in '/opt/ssg/ansible/ubuntu2004-playbook-stig.yml': line 767, column 9, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name: Account Lockouts Must Be Logged - Enable pam_faillock.so preauth editing\n ^ here\n"}
Expected Results:
task success
Additional Information/Debugging Steps:
authselect tool is not present
ansible [core 2.12.10]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3/dist-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible
python version = 3.8.10 (default, Nov 22 2023, 10:22:35) [GCC 9.4.0]
jinja version = 2.10.1
libyaml = True
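A preflight check for the situation reported above, as an added example that is not part of the original issue or of the SCAP Security Guide playbooks: it looks for the PAM file names mentioned in the report and counts active pam_faillock.so lines, reporting a missing file as None rather than 0. The function names and the sample file contents are constructed for illustration.

```python
import tempfile
from pathlib import Path

# File names from the report: the two the playbook looked for, then the Ubuntu ones.
PAM_FILES = ("system-auth", "password-auth", "common-auth", "common-password")

def pam_module(line):
    """Return the module field of one PAM line (type control module [args]), or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("@include"):
        return None
    rest = line.split(None, 1)[1:]           # drop the type field
    rest = rest[0].lstrip() if rest else ""
    if rest.startswith("["):                 # bracketed control may contain spaces
        end = rest.find("]")
        rest = rest[end + 1:] if end != -1 else ""
    else:
        rest = rest.split(None, 1)[1] if len(rest.split(None, 1)) > 1 else ""
    tokens = rest.split()
    return Path(tokens[0]).name if tokens else None

def count_module(path, module="pam_faillock.so"):
    """Count active lines using module; None (not 0) when the file does not exist."""
    path = Path(path)
    if not path.is_file():
        return None
    return sum(pam_module(l) == module for l in path.read_text().splitlines())

def preflight(pam_dir):
    """Map each candidate file name to its match count, or None if absent."""
    return {name: count_module(Path(pam_dir) / name) for name in PAM_FILES}

# Constructed sample files, not taken from the reporter's system.
SAMPLE = {
    "common-auth": "# auth required pam_faillock.so\n"
                   "auth required pam_faillock.so preauth\n"
                   "auth [success=1 default=ignore] pam_unix.so nullok\n"
                   "auth [default=die] /lib/security/pam_faillock.so authfail\n",
    "common-password": "password [success=1 default=ignore] pam_unix.so obscure\n",
}

def demo():
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLE.items():
            (Path(d) / name).write_text(text)
        return preflight(d)

if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name:16} {'missing' if found is None else found}")
```

On a real host, call `preflight("/etc/pam.d")` before running the playbook to see which of the four files exist.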
Ansible remediation is not supported by Canonical; therefore, it is known that many rules fail because of missing proper Ansible scripts. If you have the time and are looking to contribute, please submit pull requests.