Create Ansible macro for authselect backup command #9128
This datastream diff is auto generated by the check.
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_display_login_attempts' differs:
--- old datastream
+++ new datastream
@@ -133,11 +133,10 @@
- authselect_current_profile is not match("custom/")
- not result_authselect_custom_profile_present.stat.exists
- - name: Ensure PAM Displays Last Logon/Access Notification - Ensure a backup of
- current authselect profile before selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
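Review bot: the new task name on the `+ - name:` lines no longer says that this step takes a backup, yet the `cmd:` line still passes `--backup=before-hardening-custom-profile`. This is the snapshot an administrator would restore from if the PAM change goes wrong, so keep "backup of current authselect profile" in the name. The hunk also removes `register: result_authselect_backup`; please confirm nothing later in the remediation still tests that variable.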
@@ -166,10 +165,10 @@
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the authselect
- custom profile changes are applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
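Review bot: this task now carries exactly the same name as the one in the previous hunk ("... Ensure authselect changes are applied"), although its `cmd:` passes `--backup=after-hardening-custom-profile` rather than the before-hardening name. Identical task names inside one remediation make the play output ambiguous, and `--start-at-task` matches on the name. Suggest letting the macro accept a short suffix so the before and after steps stay distinguishable in logs.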
@@ -228,11 +227,12 @@
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the authselect
- custom profile changes are applied after module line changes
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_lastlog.so.backup
- when:
+ - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
- (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
is defined and result_pam_module_edit.changed)
when:
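Review bot: the `cmd:` line drops `--backup=after-hardening-pam_lastlog.so.backup` but keeps `-b`. If `-b` is the short form of the backup option, this step still writes a backup, only under a default name instead of a descriptive one, and it does so on every run where the module line changed. If the intent is to stop taking a backup at this point, drop `-b` as well; if the backup is intended, say so in the macro's documentation so the behaviour is not read as an oversight.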
@@ -261,10 +261,10 @@
when:
- result_pam_module_showfailed_option_present.found == 0
- - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the authselect
- custom profile changes are applied
+ - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect changes
+ are applied
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- (result_pam_showfailed_add is defined and result_pam_showfailed_add.changed)
@@ -404,11 +404,10 @@
- authselect_current_profile is not match("custom/")
- not result_authselect_custom_profile_present.stat.exists
- - name: Ensure PAM Displays Last Logon/Access Notification - Ensure a backup of
- current authselect profile before selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -437,10 +436,10 @@
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the authselect
- custom profile changes are applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -462,10 +461,10 @@
replace: \1\2
register: result_pam_option_removal
- - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the authselect
- custom profile changes are applied
+ - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect changes
+ are applied
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-pam_lastlog.so-silent-removal.backup
+ cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs:
--- old datastream
+++ new datastream
@@ -143,11 +143,9 @@
- authselect_current_profile is not match("custom/")
- not result_authselect_custom_profile_present.stat.exists
- - name: 'Limit Password Reuse: password-auth - Ensure a backup of current authselect
- profile before selecting the custom profile'
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
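Review bot: the backup name in the `cmd:` line changes from `before-hardening-custom-profile.backup` to `before-hardening-custom-profile`, so hosts remediated with the old content keep their backup under the old name and any rollback instructions that cite it (for example with `authselect backup-restore`) go stale. Either keep the `.backup` suffix or call out the rename in the release notes. Because the name is fixed, it is also worth checking what a second run does when a backup of that name already exists.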
@@ -176,10 +174,9 @@
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- - name: 'Limit Password Reuse: password-auth - Ensure the authselect custom profile
- changes are applied'
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -238,11 +235,11 @@
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- - name: 'Limit Password Reuse: password-auth - Ensure the authselect custom profile
- changes are applied after module line changes'
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_pwhistory.so.backup
- when:
+ - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
- (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
is defined and result_pam_module_edit.changed)
when:
@@ -282,10 +279,9 @@
when:
- result_pam_module_remember_option_present.found > 0
- - name: 'Limit Password Reuse: password-auth - Ensure the authselect custom profile
- changes are applied'
+ - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- (result_pam_remember_add is defined and result_pam_remember_add.changed) or
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs:
--- old datastream
+++ new datastream
@@ -143,11 +143,9 @@
- authselect_current_profile is not match("custom/")
- not result_authselect_custom_profile_present.stat.exists
- - name: 'Limit Password Reuse: system-auth - Ensure a backup of current authselect
- profile before selecting the custom profile'
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -176,10 +174,9 @@
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- - name: 'Limit Password Reuse: system-auth - Ensure the authselect custom profile
- changes are applied'
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -238,11 +235,11 @@
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- - name: 'Limit Password Reuse: system-auth - Ensure the authselect custom profile
- changes are applied after module line changes'
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_pwhistory.so.backup
- when:
+ - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
- (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
is defined and result_pam_module_edit.changed)
when:
@@ -282,10 +279,9 @@
when:
- result_pam_module_remember_option_present.found > 0
- - name: 'Limit Password Reuse: system-auth - Ensure the authselect custom profile
- changes are applied'
+ - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- (result_pam_remember_add is defined and result_pam_remember_add.changed) or
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember' differs:
--- old datastream
+++ new datastream
@@ -132,11 +132,9 @@
- authselect_current_profile is not match("custom/")
- not result_authselect_custom_profile_present.stat.exists
- - name: Limit Password Reuse - Ensure a backup of current authselect profile before
- selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: Limit Password Reuse - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -163,10 +161,9 @@
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- - name: Limit Password Reuse - Ensure the authselect custom profile changes are
- applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: Limit Password Reuse - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -225,11 +222,11 @@
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- - name: Limit Password Reuse - Ensure the authselect custom profile changes are
- applied after module line changes
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_pwhistory.so.backup
- when:
+ - name: Limit Password Reuse - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
- (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
is defined and result_pam_module_edit.changed)
when:
@@ -269,10 +266,9 @@
when:
- result_pam_module_remember_option_present.found > 0
- - name: Limit Password Reuse - Ensure the authselect custom profile changes are
- applied
+ - name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- (result_pam_remember_add is defined and result_pam_remember_add.changed) or
@@ -406,11 +402,9 @@
- authselect_current_profile is not match("custom/")
- not result_authselect_custom_profile_present.stat.exists
- - name: Limit Password Reuse - Ensure a backup of current authselect profile before
- selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: Limit Password Reuse - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -437,10 +431,9 @@
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- - name: Limit Password Reuse - Ensure the authselect custom profile changes are
- applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: Limit Password Reuse - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -499,11 +492,11 @@
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- - name: Limit Password Reuse - Ensure the authselect custom profile changes are
- applied after module line changes
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_pwhistory.so.backup
- when:
+ - name: Limit Password Reuse - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
- (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
is defined and result_pam_module_edit.changed)
when:
@@ -543,10 +536,9 @@
when:
- result_pam_module_remember_option_present.found > 0
- - name: Limit Password Reuse - Ensure the authselect custom profile changes are
- applied
+ - name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- (result_pam_remember_add is defined and result_pam_remember_add.changed) or
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs:
--- old datastream
+++ new datastream
@@ -82,10 +82,10 @@
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-faillock")
- - name: Lock Accounts After Failed Password Attempts - Ensure changes are applied
- after enabling a feature
+ - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
+ are applied
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs:
--- old datastream
+++ new datastream
@@ -79,10 +79,10 @@
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-faillock")
- - name: Configure the root Account for Failed Password Attempts - Ensure changes
- are applied after enabling a feature
+ - name: Configure the root Account for Failed Password Attempts - Ensure authselect
+ changes are applied
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs:
--- old datastream
+++ new datastream
@@ -72,10 +72,10 @@
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-faillock")
- - name: Enforce pam_faillock for Local Accounts Only - Ensure changes are applied
- after enabling a feature
+ - name: Enforce pam_faillock for Local Accounts Only - Ensure authselect changes
+ are applied
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs:
--- old datastream
+++ new datastream
@@ -77,10 +77,10 @@
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-faillock")
- - name: Set Interval For Counting Failed Password Attempts - Ensure changes are
- applied after enabling a feature
+ - name: Set Interval For Counting Failed Password Attempts - Ensure authselect changes
+ are applied
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs:
--- old datastream
+++ new datastream
@@ -82,10 +82,10 @@
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-faillock")
- - name: Set Lockout Time for Failed Password Attempts - Ensure changes are applied
- after enabling a feature
+ - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
+ are applied
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth' differs:
--- old datastream
+++ new datastream
@@ -127,10 +127,9 @@
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM password complexity module is enabled in password-auth - Ensure
- a backup of current authselect profile before selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -160,9 +159,9 @@
- result_pam_authselect_select_profile is not skipped
- name: Ensure PAM password complexity module is enabled in password-auth - Ensure
- the authselect custom profile changes are applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -223,10 +222,11 @@
> 1
- name: Ensure PAM password complexity module is enabled in password-auth - Ensure
- the authselect custom profile changes are applied after module line changes
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_pwquality.so.backup
- when:
+ authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
- (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
is defined and result_pam_module_edit.changed)
when:
@@ -234,9 +234,9 @@
- result_pam_line_present.found == 0
- name: Ensure PAM password complexity module is enabled in password-auth - Ensure
- the authselect custom profile changes are applied
+ authselect changes are applied
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- (result_pam__add is defined and result_pam__add.changed) or (result_pam__edit
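Review bot: the trailing context line of this hunk reads `result_pam__add` and `result_pam__edit`, with a double underscore where the other rules in this diff have an option name (`result_pam_remember_add`, `result_pam_sha512_add`). That looks like a macro argument expanding to an empty string for the pwquality rules. It is not introduced by this change, but since the `when:` on the new `authselect apply-changes -b` task depends on those variables, please check that they are the ones actually registered earlier in the remediation, otherwise the condition never fires.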
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth' differs:
--- old datastream
+++ new datastream
@@ -127,10 +127,9 @@
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM password complexity module is enabled in system-auth - Ensure
- a backup of current authselect profile before selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -160,9 +159,9 @@
- result_pam_authselect_select_profile is not skipped
- name: Ensure PAM password complexity module is enabled in system-auth - Ensure
- the authselect custom profile changes are applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -223,10 +222,11 @@
> 1
- name: Ensure PAM password complexity module is enabled in system-auth - Ensure
- the authselect custom profile changes are applied after module line changes
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_pwquality.so.backup
- when:
+ authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
- (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
is defined and result_pam_module_edit.changed)
when:
@@ -234,9 +234,9 @@
- result_pam_line_present.found == 0
- name: Ensure PAM password complexity module is enabled in system-auth - Ensure
- the authselect custom profile changes are applied
+ authselect changes are applied
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- (result_pam__add is defined and result_pam__add.changed) or (result_pam__edit
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth' differs:
--- old datastream
+++ new datastream
@@ -137,11 +137,10 @@
- authselect_current_profile is not match("custom/")
- not result_authselect_custom_profile_present.stat.exists
- - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure a backup
- of current authselect profile before selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -170,10 +169,10 @@
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure the authselect
- custom profile changes are applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -231,11 +230,12 @@
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure the authselect
- custom profile changes are applied after module line changes
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_unix.so.backup
- when:
+ - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
- (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
is defined and result_pam_module_edit.changed)
when:
@@ -264,10 +264,10 @@
when:
- result_pam_module_sha512_option_present.found == 0
- - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure the authselect
- custom profile changes are applied
+ - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect
+ changes are applied
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- (result_pam_sha512_add is defined and result_pam_sha512_add.changed) or (result_pam_sha512_edit
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth' differs:
--- old datastream
+++ new datastream
@@ -135,11 +135,9 @@
- authselect_current_profile is not match("custom/")
- not result_authselect_custom_profile_present.stat.exists
- - name: Set PAM's Password Hashing Algorithm - Ensure a backup of current authselect
- profile before selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -168,10 +166,9 @@
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- - name: Set PAM's Password Hashing Algorithm - Ensure the authselect custom profile
- changes are applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -229,11 +226,11 @@
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- - name: Set PAM's Password Hashing Algorithm - Ensure the authselect custom profile
- changes are applied after module line changes
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_unix.so.backup
- when:
+ - name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
- (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
is defined and result_pam_module_edit.changed)
when:
@@ -262,10 +259,9 @@
when:
- result_pam_module_sha512_option_present.found == 0
- - name: Set PAM's Password Hashing Algorithm - Ensure the authselect custom profile
- changes are applied
+ - name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- (result_pam_sha512_add is defined and result_pam_sha512_add.changed) or (result_pam_sha512_edit
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth' differs:
--- old datastream
+++ new datastream
@@ -129,11 +129,10 @@
- authselect_current_profile is not match("custom/")
- not result_authselect_custom_profile_present.stat.exists
- - name: Set number of Password Hashing Rounds - password-auth - Ensure a backup
- of current authselect profile before selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: Set number of Password Hashing Rounds - password-auth - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -162,10 +161,10 @@
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- - name: Set number of Password Hashing Rounds - password-auth - Ensure the authselect
- custom profile changes are applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: Set number of Password Hashing Rounds - password-auth - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -223,11 +222,12 @@
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- - name: Set number of Password Hashing Rounds - password-auth - Ensure the authselect
- custom profile changes are applied after module line changes
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_unix.so.backup
- when:
+ - name: Set number of Password Hashing Rounds - password-auth - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
- (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
is defined and result_pam_module_edit.changed)
when:
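Review bot: the new condition result_authselect_present.stat.exists is evaluated without an "is defined" check, unlike result_pam_module_add and result_pam_module_edit in the line below it. The task that registers result_authselect_present is not visible in this hunk, so please confirm it runs unconditionally before this point; if it can be skipped, .stat will be missing and the when clause will error instead of skipping.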
@@ -267,10 +267,10 @@
when:
- result_pam_module_rounds_option_present.found > 0
- - name: Set number of Password Hashing Rounds - password-auth - Ensure the authselect
- custom profile changes are applied
+ - name: Set number of Password Hashing Rounds - password-auth - Ensure authselect
+ changes are applied
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- (result_pam_rounds_add is defined and result_pam_rounds_add.changed) or (result_pam_rounds_edit
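Review bot: the rendered task no longer gives any hint of the backup it creates, because with --backup=after-hardening-custom-profile.backup removed the cmd is just authselect apply-changes -b and the name is left to authselect. That matches the stated goal of not overwriting earlier backups, but a one-line comment emitted by the macro, or a note in the rule's documentation, would help whoever needs to find and restore that backup.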
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth' differs:
--- old datastream
+++ new datastream
@@ -128,11 +128,10 @@
- authselect_current_profile is not match("custom/")
- not result_authselect_custom_profile_present.stat.exists
- - name: Set number of Password Hashing Rounds - system-auth - Ensure a backup
- of current authselect profile before selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: Set number of Password Hashing Rounds - system-auth - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
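Review bot: the fixed name before-hardening-custom-profile in cmd is the same string the password-auth rule uses, so the pre-hardening backup is only safe if this task runs once per host. The conditions above (authselect_current_profile is not match("custom/") and the custom profile not yet present) appear to guarantee that; a comment at the macro call saying so would stop a later edit from loosening them and overwriting the original backup.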
@@ -161,10 +160,10 @@
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- - name: Set number of Password Hashing Rounds - system-auth - Ensure the authselect
- custom profile changes are applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: Set number of Password Hashing Rounds - system-auth - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
@@ -222,11 +221,12 @@
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- - name: Set number of Password Hashing Rounds - system-auth - Ensure the authselect
- custom profile changes are applied after module line changes
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_unix.so.backup
- when:
+ - name: Set number of Password Hashing Rounds - system-auth - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
- (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
is defined and result_pam_module_edit.changed)
when:
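Review bot: dropping "after module line changes" from the name leaves this task indistinguishable from the rounds-option task in the next hunk, and both now run authselect apply-changes -b with no name. When the module line and the rounds option both change in one run, two default-named backups are created back to back; consider applying changes once at the end of the block, or keep a distinguishing suffix in the task names.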
@@ -266,10 +266,10 @@
when:
- result_pam_module_rounds_option_present.found > 0
- - name: Set number of Password Hashing Rounds - system-auth - Ensure the authselect
- custom profile changes are applied
+ - name: Set number of Password Hashing Rounds - system-auth - Ensure authselect
+ changes are applied
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- (result_pam_rounds_add is defined and result_pam_rounds_add.changed) or (result_pam_rounds_edit
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords' differs:
--- old datastream
+++ new datastream
@@ -65,10 +65,10 @@
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("without-nullok")
- - name: Prevent Login to Accounts With Empty Password - Ensure changes are applied
- after enabling a feature
+ - name: Prevent Login to Accounts With Empty Password - Ensure authselect changes
+ are applied
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success |
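Review bot: this task's when tests result_authselect_enable_feature_cmd but has no result_authselect_present.stat.exists condition, unlike the pam_unix rounds tasks that run the same command. It is probably safe because the enable-feature command can only succeed where authselect exists, but if the macro is meant to emit a uniform guard, this rendering should carry it as well or say why it does not. Removing --backup=before-hardening-custom-profile.backup here is right, since the task runs after a feature is enabled and that name belonged to the pre-hardening state.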
when:
- result_authselect_present.stat.exists
This fixed the playbook abort in RHEL7.
Many Ansible tasks related to authselect eventually need to run the "authselect apply-changes" command to apply changes and automatically create a backup. Instead of repeating this command, a macro was created to ensure it is properly executed. This macro also provides a parameter which permits changing the default backup name. If not informed, the authselect standard is used.
Fix a missing condition in one task related to authselect backup to make sure the authselect command is not executed where authselect is not available.
dd73ce5 to 81d2e47
Code Climate has analyzed commit 81d2e47 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 42.7% (0.0% change). View more on Code Climate.
@marcusburghardt: The following tests failed, say
Description:
Many Ansible tasks related to authselect eventually need to run the authselect apply-changes command to apply changes and automatically create a backup. Instead of repeating this command, a macro was created to ensure it is properly executed. This macro also provides a parameter which permits changing the default backup name. If not informed, the authselect standard is used.
This PR also fixes a missing condition in one task related to authselect backup to make sure the authselect command is not executed where authselect is not available.
Rationale:
Centralized the authselect apply-changes command in a single macro.
Avoid error during the Ansible playbook execution due to authselect command executed in a system without authselect.
Avoid overwritten authselect backups by using the same backup name, unless explicitly informed a custom backup name.