Duplicate config entries on sshd don't get reset as per STIG requirements

Bug #1958649 reported by Fredrik
Affects: OpenStack-Ansible; Status: Fix Released; Importance: Undecided; Assigned to: Unassigned

Bug Description

Hey! I came across a system which had multiple lines setting `PasswordAuthentication yes` & `PermitEmptyPasswords yes`. It seems like a problem that these lines are kept in the config file even after applying the playbook. Should these lines not be entirely removed or commented out from the config on playbook run?
I attached the file as is after having run the playbook.

Fredrik (murkay) wrote :
Changed in openstack-ansible:
status: New → Triaged
Jean-Philippe Evrard (jean-philippe-evrard) wrote :

That seems a fair bug, and we should include the test around this :)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-hardening (master)
Changed in openstack-ansible:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-hardening (master)

Reviewed: https://review.opendev.org/c/openstack/ansible-hardening/+/841716
Committed: https://opendev.org/openstack/ansible-hardening/commit/aa1feb45271c8fbe8eba7d555ded9d41a70eff64
Submitter: "Zuul (22348)"
Branch: master

commit aa1feb45271c8fbe8eba7d555ded9d41a70eff64
Author: Dmitriy Rabotyagov <email address hidden>
Date: Fri May 13 13:02:27 2022 +0200

    Clean out SSH options we managing

    With current behaviour we duplicate SSH options and don't care if same
    thing is defined anywhere down the line.
    With that change we change how options are defined - instead of the
    template we use a list of mappings. With that
    we can select and remove options that playbook supposed to manage.

    With that we also keep playbook idempotency. As side effect we still
    can have options duplicated but only if they have exact same value.

    Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/840353
    Change-Id: I140606f7e724fbe2a4f0b03f6a0501da7bdd5964
    Closes-Bug: #1958649

Changed in openstack-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ansible-hardening yoga-eom

This issue was fixed in the openstack/ansible-hardening yoga-eom release.
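
The behaviour the commit message describes, as an added Python sketch (not the ansible-hardening role's code): sshd uses the first value it obtains for each keyword, so a stale `PasswordAuthentication yes` earlier in the file overrides a hardened line added later, and conflicting lines have to be removed rather than just supplemented. `MANAGED`, `enforce` and the sample file are constructed for illustration, and dropping conflicting lines inside `Match` blocks as well is this example's own choice.

```python
import re

# Constructed sample resembling the reported file: managed keywords set several times.
SAMPLE = """\
Port 22
PasswordAuthentication yes
#PermitEmptyPasswords no
PermitEmptyPasswords yes
passwordauthentication yes
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
"""

# Hypothetical "list of mappings" for the options being managed.
MANAGED = [
    {"name": "PasswordAuthentication", "value": "no"},
    {"name": "PermitEmptyPasswords", "value": "no"},
]

# Keyword, then whitespace or "=", then the argument; comment lines do not match.
DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*?)\s*$")


def enforce(text, managed):
    """Remove lines that set a managed keyword to another value, then make
    sure each wanted line exists in the global section (before any Match)."""
    want = {m["name"].lower(): m for m in managed}  # keywords are case-insensitive
    kept, present, match_at = [], set(), None
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        key = m.group(1).lower() if m else None
        if key == "match" and match_at is None:
            match_at = len(kept)  # global directives must be placed before this line
        if key in want:
            if m.group(2) != want[key]["value"]:
                continue  # conflicting value: drop it wherever it appears
            if match_at is None:
                present.add(key)  # only a global line satisfies the requirement
        kept.append(line)
    missing = [f'{o["name"]} {o["value"]}' for k, o in want.items() if k not in present]
    at = len(kept) if match_at is None else match_at
    kept[at:at] = missing
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print(enforce(SAMPLE, MANAGED), end="")
```

Running it twice yields the same file, and a line repeated with the same wanted value is left in place, matching the side effect the commit message mentions.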
