ansible-collection-hardening
Add pam.d flags to maintain compatibility with FreeIPA deployments.
Description
FreeIPA uses authselect to enforce various system policies, such as creating a home directory or enabling sudo support for users. dev-sec.os_hardening unconditionally overrides various system links such as:
- /etc/pam.d/rhel_auth.j2
- /etc/pam.d/password-auth
- /etc/pam.d/system-auth
This breaks FreeIPA, as the authselect tool expects the system to be in a particular state. This makes use of dev-sec.os_hardening tricky when used in conjunction with FreeIPA domain management.
Solution
Add additional flags to control this behaviour, as FreeIPA assumes it has control over pam.d once deployed.
Alternatives
Add additional variables to supply a path that overrides the pam.d links.
Additional information
This is the output of sudo authselect enable-feature with-mkhomedir on an AlmaLinux 9.3 server after joining a FreeIPA domain:
[error] Link [/etc/pam.d/system-auth] does not point to [/etc/authselect/system-auth]
[error] [/etc/pam.d/system-auth] was not created by authselect!
[error] Link [/etc/pam.d/password-auth] does not point to [/etc/authselect/password-auth]
[error] [/etc/pam.d/password-auth] was not created by authselect!
[error] Unexpected changes to the configuration were detected.
[error] Refusing to activate profile unless those changes are removed or overwrite is requested.
Unable to enable feature [17]: File exists
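The errors above come from authselect verifying that the pam.d files it manages are still symlinks into /etc/authselect. The following POSIX shell script is an added example, not part of the collection or of authselect, that performs the same verification as a pre-flight or drift check before and after running a hardening role. The function names and the optional root-prefix argument (used so the check can run against a scratch directory instead of the live system) are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect whether /etc/pam.d/system-auth and password-auth are
# still the symlinks authselect created, or whether another tool (such as a
# hardening role) has replaced them with regular files or re-pointed them.

# check_authselect_link LINK EXPECTED_TARGET
# Prints an authselect-style message and returns 1 if LINK is not a symlink
# or does not point at EXPECTED_TARGET; returns 0 when the link is intact.
check_authselect_link() {
    link="$1"
    expected="$2"
    if [ ! -L "$link" ]; then
        printf '[error] [%s] is not a symlink and was not created by authselect\n' "$link"
        return 1
    fi
    target="$(readlink "$link")"
    if [ "$target" != "$expected" ]; then
        printf '[error] Link [%s] does not point to [%s]\n' "$link" "$expected"
        return 1
    fi
    return 0
}

# check_authselect_state [ROOT]
# Checks every pam.d file that authselect manages for the current profile
# (assumed here to be system-auth and password-auth, the two files named in
# the error output). ROOT is an optional directory prefix; empty means the
# live system. Returns the number of drifted files, so 0 means clean.
check_authselect_state() {
    root="${1:-}"
    failures=0
    for name in system-auth password-auth; do
        check_authselect_link "$root/etc/pam.d/$name" "$root/etc/authselect/$name" \
            || failures=$((failures + 1))
    done
    return "$failures"
}

# When run directly with RUN_CHECK set, inspect the live system and report.
if [ -n "${RUN_CHECK:-}" ]; then
    if check_authselect_state ""; then
        echo "authselect-managed pam.d links are intact"
    else
        echo "pam.d has drifted from the authselect profile; run 'authselect apply-changes' only after reviewing the diff"
        exit 1
    fi
fi
```

Run it as RUN_CHECK=1 sh check_authselect.sh in a pre-task or in a Molecule verify step; a non-zero exit means the hardening role (or something else) has taken over the files and authselect will refuse to enable features until the profile is re-applied.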