auth-system related files are created for non-RHEL systems (e.g. Debian) #247

Closed
fernandezcuesta opened this issue Nov 6, 2019 · 1 comment

Expected behavior
/etc/pam.d/system-auth-ac should not be created for OS families other than RHEL.

Actual behavior
/etc/pam.d/system-auth-ac is generated regardless of OS family.

$ uname -a; ls /etc/pam.d/system-auth-ac
Linux vm01 4.9.0-11-amd64 #1 SMP Debian 4.9.189-3+deb9u1 (2019-09-20) x86_64 GNU/Linux
/etc/pam.d/system-auth-ac

Example Playbook

---
- hosts: all
  become: yes
  become_method: sudo
  tasks:
    - include_role:
        name: dev-sec.os-hardening

Ansible Version

ansible 2.9.0
  config file = /data/sandbox/ansible.cfg
  configured module search path = ['/home/fernandezjm/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.7.4 (default, Jul 16 2019, 07:12:58) [GCC 9.1.0]

Role Version

5.2.1

Additional context
Seems like task configure passwdqc and tally via central system-auth confic from pam.yml is missing the following condition:

when: ansible_facts.os_family == 'RedHat'

rndmh3ro commented Nov 9, 2019

You're totally right @fernandezcuesta, thanks for finding this. Additionally, /etc/libuser.conf (the next task) should also only be created on RHEL systems. Do you want to create a PR for this?

@rndmh3ro rndmh3ro added the bug label Nov 9, 2019
fernandezcuesta pushed a commit to fernandezcuesta/ansible-os-hardening that referenced this issue Nov 14, 2019
Signed-off-by: Jesús Fernández <[email protected]>
fernandezcuesta pushed a commit to fernandezcuesta/ansible-os-hardening that referenced this issue Nov 15, 2019
Signed-off-by: Jesús Fernández <[email protected]>
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022
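
A check for the condition reported in this issue, as an added example that is not part of the original thread or the role's code: it lists the two files named above when they exist on a host whose os-release does not declare a RedHat-family distribution. Assumptions: the function names are hypothetical, and matching ID/ID_LIKE against rhel, fedora and centos only approximates Ansible's os_family fact; a host without /etc/os-release is treated as non-RedHat.

```shell
#!/bin/sh
# Added example (not from the role): report RHEL-only files left behind on a
# non-RedHat host. The ROOT argument lets the check run against a mounted
# image or a test tree; pass "" to check the running system.

# Files named in this issue as RHEL-specific.
RHEL_ONLY_FILES="/etc/pam.d/system-auth-ac /etc/libuser.conf"

# is_redhat_family ROOT: succeed if ROOT/etc/os-release declares a
# RedHat-family distribution. Assumption: ID or ID_LIKE containing rhel,
# fedora or centos stands in for Ansible's os_family == 'RedHat'.
is_redhat_family() {
    osrel="$1/etc/os-release"
    [ -r "$osrel" ] || return 1
    # Collect the values of ID= and ID_LIKE= (anchored, so VERSION_ID is skipped).
    ids=$(sed -n -e 's/^ID=//p' -e 's/^ID_LIKE=//p' "$osrel" | tr -d '"' | tr '\n' ' ')
    for id in $ids; do
        case "$id" in
            rhel|fedora|centos) return 0 ;;
        esac
    done
    return 1
}

# stray_rhel_files ROOT: print each RHEL-only file that exists under ROOT
# when ROOT is not a RedHat-family system; print nothing otherwise.
stray_rhel_files() {
    root="${1:-}"
    is_redhat_family "$root" && return 0
    for f in $RHEL_ONLY_FILES; do
        [ -e "$root$f" ] && printf '%s\n' "$f"
    done
    return 0
}
```

On a Debian host, /etc/libuser.conf can also come from an installed libuser package, so a hit on that path needs a look at its origin before cleanup.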