
Create Ansible macro for authselect backup command #9128

@marcusburghardt marcusburghardt commented Jul 11, 2022

Description:

Many Ansible tasks related to authselect eventually need to run the authselect apply-changes command to apply changes and automatically create a backup. Instead of repeating this command, a macro was created to ensure it is properly executed. This macro also provides a parameter which permits changing the default backup name. If none is provided, the authselect default is used.

This PR also fixes a missing condition in one task related to the authselect backup, to make sure the authselect command is not executed where authselect is not available.

Rationale:

Centralizes the authselect apply-changes command in a single macro.
Avoids errors during Ansible playbook execution caused by the authselect command being executed on a system without authselect.
Avoids overwriting authselect backups through reuse of the same backup name, unless a custom backup name is explicitly provided.
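A macro of the shape the description implies, written as an added example for this page and not the project's own code. It assumes ComplianceAsCode's triple-brace Jinja delimiters, a `rule_title` variable in scope, a `/usr/bin/authselect` path for the presence check, and callers that append their own `when:` conditions to the emitted task, as the hunks in the datastream diff below do.

```jinja
{{#- Added example, not the project's own macro. Emits the single
    "apply authselect changes" task; the caller supplies `when:`. -#}}
{{%- macro ansible_authselect_apply_changes(backup_name="") -%}}
{{#- An empty backup_name lets authselect choose its own backup directory
    name, so repeated runs never overwrite a named before/after snapshot. -#}}
{{%- set backup_opt = (" --backup=" ~ backup_name) if backup_name else "" -%}}
- name: {{{ rule_title }}} - Ensure authselect changes are applied
  ansible.builtin.command:
    cmd: authselect apply-changes -b{{{ backup_opt }}}
{{%- endmacro -%}}

{{#- Usage in a remediation. The binary path is an assumption; the guard on
    result_authselect_present keeps the command off hosts without authselect. -#}}
- name: {{{ rule_title }}} - Check if authselect is installed
  ansible.builtin.stat:
    path: /usr/bin/authselect
  register: result_authselect_present

{{#- Named backup taken once, before the custom profile is selected. -#}}
{{{ ansible_authselect_apply_changes("before-hardening-custom-profile") }}}
  when:
    - result_authselect_present.stat.exists
    - result_authselect_check_cmd is success
    - result_authselect_profile is not skipped

{{#- Default (auto-named) backup after an edit that may run many times. -#}}
{{{ ansible_authselect_apply_changes() }}}
  when:
    - result_authselect_present.stat.exists
    - result_pam_option_removal is changed
```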

@marcusburghardt marcusburghardt added the Ansible Ansible remediation update. label Jul 11, 2022
@marcusburghardt marcusburghardt added this to the 0.1.63 milestone Jul 11, 2022

github-actions bot commented Jul 11, 2022

This datastream diff is auto generated by the check Compare DS/Generate Diff

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_display_login_attempts' differs:
--- old datastream
+++ new datastream
@@ -133,11 +133,10 @@
 - authselect_current_profile is not match("custom/")
 - not result_authselect_custom_profile_present.stat.exists
 
- - name: Ensure PAM Displays Last Logon/Access Notification - Ensure a backup of
- current authselect profile before selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
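Review bot: the removed `register: result_authselect_backup` in this hunk means the backup task's result is no longer captured; confirm nothing later in this remediation or in the shared macros still references `result_authselect_backup`, since an undefined variable in a later `when:` would fail the play at run time. The macro also keeps the generic name "Ensure authselect changes are applied" for a task whose real purpose is the pre-hardening snapshot (`--backup=before-hardening-custom-profile`); letting the macro take an optional task-name suffix would keep the playbook output telling the operator which step produced which backup directory.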
@@ -166,10 +165,10 @@
 - result_authselect_features is not skipped
 - result_pam_authselect_select_profile is not skipped
 
- - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the authselect
- custom profile changes are applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -228,11 +227,12 @@
 - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
 > 1
 
- - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the authselect
- custom profile changes are applied after module line changes
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_lastlog.so.backup
- when:
+ - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
 - (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
 is defined and result_pam_module_edit.changed)
 when:
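Review bot: the bare `authselect apply-changes -b` here (no `--backup=`) makes authselect generate a fresh backup name on every run, which is what the rationale wants so the named before/after-hardening snapshots are not overwritten, but it also means each run of this rule that changes a module line adds another backup directory to authselect's backup storage; a short note in the rule's documentation that old backups can be listed and pruned with `authselect backup-list` / `authselect backup-remove` would save operators a surprise. The added `result_authselect_present.stat.exists` guard is the right fix for the missing-condition bug named in the description.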
@@ -261,10 +261,10 @@
 when:
 - result_pam_module_showfailed_option_present.found == 0
 
- - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the authselect
- custom profile changes are applied
+ - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect changes
+ are applied
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
 when:
 - result_authselect_present.stat.exists
 - (result_pam_showfailed_add is defined and result_pam_showfailed_add.changed)
@@ -404,11 +404,10 @@
 - authselect_current_profile is not match("custom/")
 - not result_authselect_custom_profile_present.stat.exists
 
- - name: Ensure PAM Displays Last Logon/Access Notification - Ensure a backup of
- current authselect profile before selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -437,10 +436,10 @@
 - result_authselect_features is not skipped
 - result_pam_authselect_select_profile is not skipped
 
- - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the authselect
- custom profile changes are applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -462,10 +461,10 @@
 replace: \1\2
 register: result_pam_option_removal
 
- - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the authselect
- custom profile changes are applied
+ - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect changes
+ are applied
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-pam_lastlog.so-silent-removal.backup
+ cmd: authselect apply-changes -b
 when:
 - result_authselect_present.stat.exists
 - result_pam_option_removal is changed

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs:
--- old datastream
+++ new datastream
@@ -143,11 +143,9 @@
 - authselect_current_profile is not match("custom/")
 - not result_authselect_custom_profile_present.stat.exists
 
- - name: 'Limit Password Reuse: password-auth - Ensure a backup of current authselect
- profile before selecting the custom profile'
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -176,10 +174,9 @@
 - result_authselect_features is not skipped
 - result_pam_authselect_select_profile is not skipped
 
- - name: 'Limit Password Reuse: password-auth - Ensure the authselect custom profile
- changes are applied'
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -238,11 +235,11 @@
 - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
 > 1
 
- - name: 'Limit Password Reuse: password-auth - Ensure the authselect custom profile
- changes are applied after module line changes'
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_pwhistory.so.backup
- when:
+ - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
 - (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
 is defined and result_pam_module_edit.changed)
 when:
@@ -282,10 +279,9 @@
 when:
 - result_pam_module_remember_option_present.found > 0
 
- - name: 'Limit Password Reuse: password-auth - Ensure the authselect custom profile
- changes are applied'
+ - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
 when:
 - result_authselect_present.stat.exists
 - (result_pam_remember_add is defined and result_pam_remember_add.changed) or

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs:
--- old datastream
+++ new datastream
@@ -143,11 +143,9 @@
 - authselect_current_profile is not match("custom/")
 - not result_authselect_custom_profile_present.stat.exists
 
- - name: 'Limit Password Reuse: system-auth - Ensure a backup of current authselect
- profile before selecting the custom profile'
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -176,10 +174,9 @@
 - result_authselect_features is not skipped
 - result_pam_authselect_select_profile is not skipped
 
- - name: 'Limit Password Reuse: system-auth - Ensure the authselect custom profile
- changes are applied'
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -238,11 +235,11 @@
 - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
 > 1
 
- - name: 'Limit Password Reuse: system-auth - Ensure the authselect custom profile
- changes are applied after module line changes'
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_pwhistory.so.backup
- when:
+ - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
 - (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
 is defined and result_pam_module_edit.changed)
 when:
@@ -282,10 +279,9 @@
 when:
 - result_pam_module_remember_option_present.found > 0
 
- - name: 'Limit Password Reuse: system-auth - Ensure the authselect custom profile
- changes are applied'
+ - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
 when:
 - result_authselect_present.stat.exists
 - (result_pam_remember_add is defined and result_pam_remember_add.changed) or

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember' differs:
--- old datastream
+++ new datastream
@@ -132,11 +132,9 @@
 - authselect_current_profile is not match("custom/")
 - not result_authselect_custom_profile_present.stat.exists
 
- - name: Limit Password Reuse - Ensure a backup of current authselect profile before
- selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: Limit Password Reuse - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -163,10 +161,9 @@
 - result_authselect_features is not skipped
 - result_pam_authselect_select_profile is not skipped
 
- - name: Limit Password Reuse - Ensure the authselect custom profile changes are
- applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: Limit Password Reuse - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -225,11 +222,11 @@
 - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
 > 1
 
- - name: Limit Password Reuse - Ensure the authselect custom profile changes are
- applied after module line changes
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_pwhistory.so.backup
- when:
+ - name: Limit Password Reuse - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
 - (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
 is defined and result_pam_module_edit.changed)
 when:
@@ -269,10 +266,9 @@
 when:
 - result_pam_module_remember_option_present.found > 0
 
- - name: Limit Password Reuse - Ensure the authselect custom profile changes are
- applied
+ - name: Limit Password Reuse - Ensure authselect changes are applied
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
 when:
 - result_authselect_present.stat.exists
 - (result_pam_remember_add is defined and result_pam_remember_add.changed) or
@@ -406,11 +402,9 @@
 - authselect_current_profile is not match("custom/")
 - not result_authselect_custom_profile_present.stat.exists
 
- - name: Limit Password Reuse - Ensure a backup of current authselect profile before
- selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: Limit Password Reuse - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -437,10 +431,9 @@
 - result_authselect_features is not skipped
 - result_pam_authselect_select_profile is not skipped
 
- - name: Limit Password Reuse - Ensure the authselect custom profile changes are
- applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: Limit Password Reuse - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -499,11 +492,11 @@
 - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
 > 1
 
- - name: Limit Password Reuse - Ensure the authselect custom profile changes are
- applied after module line changes
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_pwhistory.so.backup
- when:
+ - name: Limit Password Reuse - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
 - (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
 is defined and result_pam_module_edit.changed)
 when:
@@ -543,10 +536,9 @@
 when:
 - result_pam_module_remember_option_present.found > 0
 
- - name: Limit Password Reuse - Ensure the authselect custom profile changes are
- applied
+ - name: Limit Password Reuse - Ensure authselect changes are applied
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
 when:
 - result_authselect_present.stat.exists
 - (result_pam_remember_add is defined and result_pam_remember_add.changed) or

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs:
--- old datastream
+++ new datastream
@@ -82,10 +82,10 @@
 - result_authselect_check_cmd is success
 - result_authselect_features.stdout is not search("with-faillock")
 
- - name: Lock Accounts After Failed Password Attempts - Ensure changes are applied
- after enabling a feature
+ - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
+ are applied
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
 when:
 - result_authselect_enable_feature_cmd is not skipped
 - result_authselect_enable_feature_cmd is success
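Review bot: dropping `--backup=before-hardening-custom-profile.backup` from this post-feature-enable task fixes more than a name: the old task reused the same backup name that the custom-profile rules use for their genuine pre-hardening snapshot, so enabling `with-faillock` after those rules would (per the rationale) have overwritten the real before-hardening backup with a post-change state. That is worth stating explicitly in the PR description, since the rationale only mentions backup overwriting in general terms.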

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs:
--- old datastream
+++ new datastream
@@ -79,10 +79,10 @@
 - result_authselect_check_cmd is success
 - result_authselect_features.stdout is not search("with-faillock")
 
- - name: Configure the root Account for Failed Password Attempts - Ensure changes
- are applied after enabling a feature
+ - name: Configure the root Account for Failed Password Attempts - Ensure authselect
+ changes are applied
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
 when:
 - result_authselect_enable_feature_cmd is not skipped
 - result_authselect_enable_feature_cmd is success

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs:
--- old datastream
+++ new datastream
@@ -72,10 +72,10 @@
 - result_authselect_check_cmd is success
 - result_authselect_features.stdout is not search("with-faillock")
 
- - name: Enforce pam_faillock for Local Accounts Only - Ensure changes are applied
- after enabling a feature
+ - name: Enforce pam_faillock for Local Accounts Only - Ensure authselect changes
+ are applied
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
 when:
 - result_authselect_enable_feature_cmd is not skipped
 - result_authselect_enable_feature_cmd is success

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs:
--- old datastream
+++ new datastream
@@ -77,10 +77,10 @@
 - result_authselect_check_cmd is success
 - result_authselect_features.stdout is not search("with-faillock")
 
- - name: Set Interval For Counting Failed Password Attempts - Ensure changes are
- applied after enabling a feature
+ - name: Set Interval For Counting Failed Password Attempts - Ensure authselect changes
+ are applied
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
 when:
 - result_authselect_enable_feature_cmd is not skipped
 - result_authselect_enable_feature_cmd is success

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs:
--- old datastream
+++ new datastream
@@ -82,10 +82,10 @@
 - result_authselect_check_cmd is success
 - result_authselect_features.stdout is not search("with-faillock")
 
- - name: Set Lockout Time for Failed Password Attempts - Ensure changes are applied
- after enabling a feature
+ - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
+ are applied
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
 when:
 - result_authselect_enable_feature_cmd is not skipped
 - result_authselect_enable_feature_cmd is success

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth' differs:
--- old datastream
+++ new datastream
@@ -127,10 +127,9 @@
 - not result_authselect_custom_profile_present.stat.exists
 
 - name: Ensure PAM password complexity module is enabled in password-auth - Ensure
- a backup of current authselect profile before selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -160,9 +159,9 @@
 - result_pam_authselect_select_profile is not skipped
 
 - name: Ensure PAM password complexity module is enabled in password-auth - Ensure
- the authselect custom profile changes are applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -223,10 +222,11 @@
 > 1
 
 - name: Ensure PAM password complexity module is enabled in password-auth - Ensure
- the authselect custom profile changes are applied after module line changes
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_pwquality.so.backup
- when:
+ authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
 - (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
 is defined and result_pam_module_edit.changed)
 when:
@@ -234,9 +234,9 @@
 - result_pam_line_present.found == 0
 
 - name: Ensure PAM password complexity module is enabled in password-auth - Ensure
- the authselect custom profile changes are applied
+ authselect changes are applied
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
 when:
 - result_authselect_present.stat.exists
 - (result_pam__add is defined and result_pam__add.changed) or (result_pam__edit
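Review bot: the unchanged context line `(result_pam__add is defined and result_pam__add.changed) or (result_pam__edit` has an empty name segment (`result_pam__add`), which looks like a template variable that rendered empty when the register name was built; it is pre-existing rather than introduced by this hunk, but since the task now sits behind the new presence guard it is a good moment to check the template that generates it. The same line appears in the system-auth variant of this rule further down.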

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth' differs:
--- old datastream
+++ new datastream
@@ -127,10 +127,9 @@
 - not result_authselect_custom_profile_present.stat.exists
 
 - name: Ensure PAM password complexity module is enabled in system-auth - Ensure
- a backup of current authselect profile before selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -160,9 +159,9 @@
 - result_pam_authselect_select_profile is not skipped
 
 - name: Ensure PAM password complexity module is enabled in system-auth - Ensure
- the authselect custom profile changes are applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -223,10 +222,11 @@
 > 1
 
 - name: Ensure PAM password complexity module is enabled in system-auth - Ensure
- the authselect custom profile changes are applied after module line changes
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_pwquality.so.backup
- when:
+ authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
 - (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
 is defined and result_pam_module_edit.changed)
 when:
@@ -234,9 +234,9 @@
 - result_pam_line_present.found == 0
 
 - name: Ensure PAM password complexity module is enabled in system-auth - Ensure
- the authselect custom profile changes are applied
+ authselect changes are applied
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
 when:
 - result_authselect_present.stat.exists
 - (result_pam__add is defined and result_pam__add.changed) or (result_pam__edit

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth' differs:
--- old datastream
+++ new datastream
@@ -137,11 +137,10 @@
 - authselect_current_profile is not match("custom/")
 - not result_authselect_custom_profile_present.stat.exists
 
- - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure a backup
- of current authselect profile before selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -170,10 +169,10 @@
 - result_authselect_features is not skipped
 - result_pam_authselect_select_profile is not skipped
 
- - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure the authselect
- custom profile changes are applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -231,11 +230,12 @@
 - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
 > 1
 
- - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure the authselect
- custom profile changes are applied after module line changes
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_unix.so.backup
- when:
+ - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
 - (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
 is defined and result_pam_module_edit.changed)
 when:
@@ -264,10 +264,10 @@
 when:
 - result_pam_module_sha512_option_present.found == 0
 
- - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure the authselect
- custom profile changes are applied
+ - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect
+ changes are applied
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
 when:
 - result_authselect_present.stat.exists
 - (result_pam_sha512_add is defined and result_pam_sha512_add.changed) or (result_pam_sha512_edit

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth' differs:
--- old datastream
+++ new datastream
@@ -135,11 +135,9 @@
 - authselect_current_profile is not match("custom/")
 - not result_authselect_custom_profile_present.stat.exists
 
- - name: Set PAM's Password Hashing Algorithm - Ensure a backup of current authselect
- profile before selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -168,10 +166,9 @@
 - result_authselect_features is not skipped
 - result_pam_authselect_select_profile is not skipped
 
- - name: Set PAM's Password Hashing Algorithm - Ensure the authselect custom profile
- changes are applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -229,11 +226,11 @@
 - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
 > 1
 
- - name: Set PAM's Password Hashing Algorithm - Ensure the authselect custom profile
- changes are applied after module line changes
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_unix.so.backup
- when:
+ - name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
 - (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
 is defined and result_pam_module_edit.changed)
 when:
@@ -262,10 +259,9 @@
 when:
 - result_pam_module_sha512_option_present.found == 0
 
- - name: Set PAM's Password Hashing Algorithm - Ensure the authselect custom profile
- changes are applied
+ - name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
 when:
 - result_authselect_present.stat.exists
 - (result_pam_sha512_add is defined and result_pam_sha512_add.changed) or (result_pam_sha512_edit

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth' differs:
--- old datastream
+++ new datastream
@@ -129,11 +129,10 @@
 - authselect_current_profile is not match("custom/")
 - not result_authselect_custom_profile_present.stat.exists
 
- - name: Set number of Password Hashing Rounds - password-auth - Ensure a backup
- of current authselect profile before selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: Set number of Password Hashing Rounds - password-auth - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
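Review bot: `register: result_authselect_backup` is removed from this task; confirm that nothing later in the play, or in the macro that now renders it, still references `result_authselect_backup`, since a leftover reference would fail as undefined at runtime. The rename to "Ensure authselect changes are applied" also hides that this task exists only to take the `before-hardening-custom-profile` backup before the custom profile is selected; keeping "backup" in the task name would preserve that intent.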
@@ -162,10 +161,10 @@
 - result_authselect_features is not skipped
 - result_pam_authselect_select_profile is not skipped
 
- - name: Set number of Password Hashing Rounds - password-auth - Ensure the authselect
- custom profile changes are applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: Set number of Password Hashing Rounds - password-auth - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -223,11 +222,12 @@
 - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
 > 1
 
- - name: Set number of Password Hashing Rounds - password-auth - Ensure the authselect
- custom profile changes are applied after module line changes
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_unix.so.backup
- when:
+ - name: Set number of Password Hashing Rounds - password-auth - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
 - (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
 is defined and result_pam_module_edit.changed)
 when:
@@ -267,10 +267,10 @@
 when:
 - result_pam_module_rounds_option_present.found > 0
 
- - name: Set number of Password Hashing Rounds - password-auth - Ensure the authselect
- custom profile changes are applied
+ - name: Set number of Password Hashing Rounds - password-auth - Ensure authselect
+ changes are applied
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
 when:
 - result_authselect_present.stat.exists
 - (result_pam_rounds_add is defined and result_pam_rounds_add.changed) or (result_pam_rounds_edit

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth' differs:
--- old datastream
+++ new datastream
@@ -128,11 +128,10 @@
 - authselect_current_profile is not match("custom/")
 - not result_authselect_custom_profile_present.stat.exists
 
- - name: Set number of Password Hashing Rounds - system-auth - Ensure a backup
- of current authselect profile before selecting the custom profile
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
- register: result_authselect_backup
+ - name: Set number of Password Hashing Rounds - system-auth - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -161,10 +160,10 @@
 - result_authselect_features is not skipped
 - result_pam_authselect_select_profile is not skipped
 
- - name: Set number of Password Hashing Rounds - system-auth - Ensure the authselect
- custom profile changes are applied
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ - name: Set number of Password Hashing Rounds - system-auth - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
 when:
 - result_authselect_check_cmd is success
 - result_authselect_profile is not skipped
@@ -222,11 +221,12 @@
 - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
 > 1
 
- - name: Set number of Password Hashing Rounds - system-auth - Ensure the authselect
- custom profile changes are applied after module line changes
- ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-pam_unix.so.backup
- when:
+ - name: Set number of Password Hashing Rounds - system-auth - Ensure authselect
+ changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
 - (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
 is defined and result_pam_module_edit.changed)
 when:
@@ -266,10 +266,10 @@
 when:
 - result_pam_module_rounds_option_present.found > 0
 
- - name: Set number of Password Hashing Rounds - system-auth - Ensure the authselect
- custom profile changes are applied
+ - name: Set number of Password Hashing Rounds - system-auth - Ensure authselect
+ changes are applied
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
 when:
 - result_authselect_present.stat.exists
 - (result_pam_rounds_add is defined and result_pam_rounds_add.changed) or (result_pam_rounds_edit

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords' differs:
--- old datastream
+++ new datastream
@@ -65,10 +65,10 @@
 - result_authselect_check_cmd is success
 - result_authselect_features.stdout is not search("without-nullok")
 
- - name: Prevent Login to Accounts With Empty Password - Ensure changes are applied
- after enabling a feature
+ - name: Prevent Login to Accounts With Empty Password - Ensure authselect changes
+ are applied
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=before-hardening-custom-profile.backup
+ cmd: authselect apply-changes -b
 when:
 - result_authselect_enable_feature_cmd is not skipped
 - result_authselect_enable_feature_cmd is success
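Review bot: the removed `--backup=before-hardening-custom-profile.backup` was mislabelled here (a "before-hardening" name on a task that runs after a feature is enabled), so letting `authselect apply-changes -b` generate the name is the right fix for this hunk; no further change is needed beyond the rename.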

@yuumasato yuumasato self-assigned this Jul 11, 2022
shared/macros/10-ansible.jinja (Outdated)
when:
- result_authselect_present.stat.exists
This fixed the playbook abort in RHEL7.

Many Ansible tasks related to authselect eventually need to run the
"authselect apply-changes" command to apply changes and automatically
create a backup. Instead of repeating this command, a macro was created
to ensure it is properly executed. This macro also provides a
parameter which permits changing the default backup name. If not
informed, the authselect standard is used.
Fix a missing condition in one task related to authselect backup to make
sure the authselect command is not executed where authselect is not available.
@marcusburghardt marcusburghardt changed the title Remove module name from authselect backup name - Ansible Create Ansible macro for authselect backup command Jul 11, 2022
@codeclimate

codeclimate bot commented Jul 11, 2022

Code Climate has analyzed commit 81d2e47 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 42.7% (0.0% change).

View more on Code Climate.

@openshift-ci

openshift-ci bot commented Jul 11, 2022

@marcusburghardt: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                           Commit   Details  Required  Rerun command
ci/prow/e2e-aws-ocp4-stig           81d2e47  link     true      /test e2e-aws-ocp4-stig
ci/prow/e2e-aws-rhcos4-e8           81d2e47  link     true      /test e2e-aws-rhcos4-e8
ci/prow/e2e-aws-rhcos4-moderate     81d2e47  link     true      /test e2e-aws-rhcos4-moderate
ci/prow/e2e-aws-ocp4-pci-dss        81d2e47  link     true      /test e2e-aws-ocp4-pci-dss
ci/prow/e2e-aws-ocp4-cis            81d2e47  link     true      /test e2e-aws-ocp4-cis
ci/prow/e2e-aws-rhcos4-high         81d2e47  link     true      /test e2e-aws-rhcos4-high
ci/prow/e2e-aws-ocp4-high-node      81d2e47  link     true      /test e2e-aws-ocp4-high-node
ci/prow/e2e-aws-ocp4-moderate       81d2e47  link     true      /test e2e-aws-ocp4-moderate
ci/prow/e2e-aws-ocp4-e8             81d2e47  link     true      /test e2e-aws-ocp4-e8
ci/prow/e2e-aws-ocp4-pci-dss-node   81d2e47  link     true      /test e2e-aws-ocp4-pci-dss-node
ci/prow/e2e-aws-ocp4-cis-node       81d2e47  link     true      /test e2e-aws-ocp4-cis-node
ci/prow/e2e-aws-ocp4-high           81d2e47  link     true      /test e2e-aws-ocp4-high
ci/prow/e2e-aws-ocp4-moderate-node  81d2e47  link     true      /test e2e-aws-ocp4-moderate-node
ci/prow/e2e-aws-ocp4-stig-node      81d2e47  link     true      /test e2e-aws-ocp4-stig-node

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@yuumasato yuumasato merged commit c4c6491 into ComplianceAsCode:master Jul 12, 2022
@yuumasato yuumasato added bugfix Fixes to reported bugs. enhancement General enhancements to the project. labels Jul 12, 2022
@marcusburghardt marcusburghardt deleted the ansible-authselect-backup-name branch July 12, 2022 07:58