This is my first post. Ansible is new to me, I am learning it. I need help updating a playbook. I installed the scap-security-guide package in rhel8. It has many playbooks but I would like to use “rhel8-playbook-cis_server_l1.yml” to harden web servers. I ran the playbook without making any changes. It ran with no issue, however, I couldn’t log in to the server neither with a regular user or root. So I had to start the VM in rescue mode to update the passwords. Looks like it made the passwords expire. It also removed http and open-ldap packages but I updated both tasks. However, I am unable to figure out how can I disable the password expiration task that won’t happen if I run it in the production environment. What changes do I need to make so that the playbook won’t touch the user password etc?
I can’t attached the file and when I pasted the code and it didn’t allow me since it’s a long playbook. I’ll try to post it with multiple replies.
edit: It also didn’t let me post the code with multiple replies since I’m new user.
Ok I believe I’ve reviewed most of the playbook’s tasks related with password enforcement, but couldn’t find any performing a password update (actually it’s quite a large playbook, so I might have overlooked it). However, there are quite a lot of tasks that modify password policies. May it be possible that your current server password doesn’t meet the new policies, so it gets disabled or locked?
Those are the types of tasks that grabbed my attention:
Ensure PAM Enforces Password Requirements
Change the maximum time period between password changes
Set Lockout Time for Failed Password Attempts - Limit Password Reuse
There may be more of these, as I said, this playbook is huge!
PS:
You can gain further abilities on the forum (e.g. to paste code snippets) if you earn the “Certified” badge Certified badge on Ansible
You can follow Discobot’s instructions to earn that one (you should have received a PM from it)
Anyway, since we hadn’t totally found the root of your issue, I’ll bookmark this thread to follow-it up in a week or so before we consider it solved. If you find the cause before, we’ll appreciate your kind feedback, really.
I updated value of variable “var_accounts_maximum_age_login_def” from 365 to 99999, that fixed the problem and ran playbook for another server and it worked fine. This is a long playbook but looking into variables and then searching plays of those variable can make things a little easy that if someone want to delete or change the state of plays from absent to present ect. You can close this. Thank you!
Excellent! I’m glad you were able to find the root cause. Actually that was one of my suspicions too, so I’m happy I was able to point you in the right direction
One last thing: since your problem has been already fixed, would you be so kind to tick the solved check on the post you believe addresses better the issue? This way, the thread will appear as solved on the Get Help category and others may benefit from it.