
Ansible remediation on Ubuntu looks for wrong PAM files #11817

Open
naugler opened this issue Apr 13, 2024 · 1 comment
Labels
Ansible Ansible remediation update. Ubuntu Ubuntu product related.

Comments


naugler commented Apr 13, 2024

Description of problem:

fatal error when executing ansible-playbook on Ubuntu 20.04 with ubuntu2004-playbook-stig.yml:
error while evaluating conditional (result_pam_faillock_is_enabled.found == 0): 'dict object' has no attribute 'found'

/etc/pam.d/system-auth does not exist, I think Ubuntu uses /etc/pam.d/common-auth instead?
/etc/pam.d/password-auth does not exist, I think Ubuntu uses /etc/pam.d/common-password instead?

SCAP Security Guide Version:

0.1.72

Operating System Version:

Ubuntu 20.04

Steps to Reproduce:

  1. ansible-playbook -i localhost, -c local /opt/ssg/ansible/ubuntu2004-playbook-stig.yml

Actual Results:

TASK [Account Lockouts Must Be Logged - Check if pam_faillock.so is already enabled] **************************************************************************************************************************************************************
ok: [localhost]

TASK [Account Lockouts Must Be Logged - Enable pam_faillock.so preauth editing PAM files] *********************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'result_pam_faillock_is_enabled.found == 0' failed. The error was: error while evaluating conditional (result_pam_faillock_is_enabled.found == 0): 'dict object' has no attribute 'found'\n\nThe error appears to be in '/opt/ssg/ansible/ubuntu2004-playbook-stig.yml': line 767, column 9, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n      - name: Account Lockouts Must Be Logged - Enable pam_faillock.so preauth editing\n        ^ here\n"}

Expected Results:

task success

Additional Information/Debugging Steps:

authselect tool is not present

ansible [core 2.12.10]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.10 (default, Nov 22 2023, 10:22:35) [GCC 9.4.0]
  jinja version = 2.10.1
  libyaml = True
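An added example (not code from this issue or from the ComplianceAsCode playbook) of how the pam_faillock check can be written so that the conditional never sees an undefined `found`: the PAM file is picked by OS family (assumed here: Debian-family hosts use /etc/pam.d/common-auth, everything else /etc/pam.d/system-auth), the lineinfile check is skipped when that file is absent, and the conditional falls back to 0. The `insertbefore` pattern and the exact faillock line are assumptions for illustration, not the playbook's own.

```yaml
# Added example, not the playbook's own tasks. Assumptions: Debian-family
# hosts keep the auth stack in /etc/pam.d/common-auth, other families in
# /etc/pam.d/system-auth; the faillock line is inserted before pam_unix.
- name: Select the PAM auth file for this OS family
  ansible.builtin.set_fact:
    pam_auth_file: >-
      {{ '/etc/pam.d/common-auth'
         if ansible_facts['os_family'] == 'Debian'
         else '/etc/pam.d/system-auth' }}

- name: Check whether the PAM auth file exists
  ansible.builtin.stat:
    path: "{{ pam_auth_file }}"
  register: pam_auth_stat

# lineinfile with state: absent in check mode returns the number of matching
# lines as 'found', but returns no 'found' key when the path does not exist.
# Skipping the task on a missing file and using default(0) below keeps the
# conditional well-defined on hosts whose PAM layout differs.
- name: Check if pam_faillock.so is already enabled
  ansible.builtin.lineinfile:
    path: "{{ pam_auth_file }}"
    regexp: '.*auth.*pam_faillock\.so (preauth|authfail)'
    state: absent
  check_mode: true
  changed_when: false
  register: result_pam_faillock_is_enabled
  when: pam_auth_stat.stat.exists

- name: Enable pam_faillock.so preauth in the PAM auth file
  ansible.builtin.lineinfile:
    path: "{{ pam_auth_file }}"
    line: 'auth        required      pam_faillock.so preauth silent'
    insertbefore: '^auth.*pam_unix\.so'
    firstmatch: true
  when:
    - pam_auth_stat.stat.exists
    - (result_pam_faillock_is_enabled.found | default(0)) == 0

- name: Report hosts where the expected PAM auth file is missing
  ansible.builtin.debug:
    msg: "{{ pam_auth_file }} is missing; pam_faillock check was skipped"
  when: not pam_auth_stat.stat.exists
```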
@naugler naugler changed the title Fatal error in ubuntu2004-playbook-stig.yml Ansible remediation on Ubuntu looks for wrong PAM files Apr 13, 2024
@dodys dodys added the Ubuntu Ubuntu product related. label Apr 16, 2024

dodys commented Apr 16, 2024

Ansible remediation is not supported by Canonical, therefore it is known that many rules fail because of missing proper ansible scripts.
If you have the time and are looking to contribute, please submit pull requests.

@dodys dodys added the Ansible Ansible remediation update. label Apr 16, 2024