Bugfix 5 3 4 against issue #176 #177
Conversation
With an AD account there isn't an entry in the /etc/shadow file. This caused the password length check to treat it as a zero-length password. Now the local password check is skipped for AD accounts. Also added an additional check for a locked local account for the sudo user. Signed-off-by: John Foster <robopickle@proton.me>
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the Discord Server as well.
findings in issue ansible-lockdown#168. Changed vars on line 233 to use dictionary. Signed-off-by: John Foster <robopickle@proton.me>
hi @RoboPickle This is a great update, thank you for taking the time. Could you possibly add the empty line before each named task just for consistency? Many thanks uk-bolly
excellent thank you for your time
Hi,
You are most welcome. I've added the blank lines which actually makes a real difference with the readability.
I missed that the deprecation was already handled by another PR!
Thanks
John
Overall Review
tasks/main.yml was altered to handle the user not being found in /etc/shadow.
The grep has been changed.
In the event that the user is not found in /etc/shadow then the response "not found:not found" is given. This is then picked up by the following block to skip the password checking. A debug message is used to alert the user that this is happening.
An additional check is now being made for local accounts to check that the account has not been locked. This is achieved by checking for a single "!" at the beginning of the password hash.
Also updated the vars in 6.1.11 to use a dictionary, which avoids the deprecation warning.
Issue Fixes:
Fixes #176: Using an AD account to connect to host incorrectly fails rule 5.3.4
Enhancements:
Fixes #168: a DEPRECATION WARNING is generated when playing task 6.1.11 | AUDIT | Ensure no ungrouped files or directories exist
How has this been tested?:
Tested against a minimally configured Alma Linux 9 VM.
Addendum:
6.1.11 Deprecation warning during audit. Updated vars to dictionary and deprecation warning avoided.
More details on testing are available if required.
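The lookup and the skip/locked branching described in this review, as an added POSIX shell example; it is not the role's own code, and the sample shadow entries, usernames and placeholder hash bodies are constructed.

```shell
#!/bin/sh
# Added example, not the Ansible-Lockdown role's own code: reproduce the
# /etc/shadow lookup and the skip / locked branching the PR describes.
# The "not found:not found" sentinel is the PR's; the sample entries are constructed.

# Emit "user:hash" for an exact username match in a shadow-format file,
# or the sentinel when the user has no local entry (what an AD account hits).
lookup_shadow_entry() {
    awk -F: -v u="$1" '
        $1 == u { print $1 ":" $2; found = 1; exit }
        END { if (!found) print "not found:not found" }
    ' "$2"
}

# Decide what the password check should do with a lookup result:
#   skip        no local entry, so there is no local password to inspect
#   locked      hash starts with "!" (passwd -l): the sudo user cannot log in locally
#   nopassword  empty, "*" or "!!" field: no usable password hash at all
#   hash:N      a real hash of length N, ready for the length check
classify_shadow_entry() {
    entry="$1"
    hash=${entry#*:}
    if [ "$entry" = "not found:not found" ]; then
        echo skip
    elif [ -z "$hash" ] || [ "$hash" = '*' ] || [ "$hash" = '!!' ]; then
        echo nopassword
    elif [ "${hash#!}" != "$hash" ]; then
        echo locked
    else
        echo "hash:${#hash}"
    fi
}

# Constructed sample shadow file (hash bodies are placeholders, not real hashes).
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$salt$0123456789abcdef:19700:0:99999:7:::
alice:!$6$salt$0123456789abcdef:19700:0:99999:7:::
svc:!!:19700:0:99999:7:::
EOF

# "aduser" has no local entry, so it takes the AD skip path.
for u in root alice svc aduser; do
    printf '%-8s %s\n' "$u" "$(classify_shadow_entry "$(lookup_shadow_entry "$u" "$SAMPLE_SHADOW")")"
done
```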