From 24cffc3dbbc9ce94334c6d8081a37f8895f450df Mon Sep 17 00:00:00 2001
From: Factory AI Bot
Date: Thu, 9 Apr 2026 22:38:48 +0200
Subject: [PATCH] Fix STIG playbook: PAM faillock guard, FIPS module config, IMA hash

Category A fixes for the STIG hardening playbook (backward-compatible with Ansible 2.14+ and audit 3.x/4.x):
1. Add '| default("")' to PHTN-50-000192 pam_faillock when: conditions to prevent PAM stack corruption when regex_search() returns None
2. Add ima_hash=sha256 kernel parameter when fips=1 is active
3. Generate /etc/ssl/fipsmodule.cnf when FIPS provider is present but config is missing

Change-Id: If2b2c4ac079d6ef41ac521acb59d010200a95003
Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
---
 .../fix-stig-playbook-fips-pam.patch | 79 +++++++++++++++++++
 SPECS/stig-hardening/stig-hardening.spec | 7 +-
 2 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/stig-hardening/fix-stig-playbook-fips-pam.patch

diff --git a/SPECS/stig-hardening/fix-stig-playbook-fips-pam.patch b/SPECS/stig-hardening/fix-stig-playbook-fips-pam.patch
new file mode 100644
index 0000000000..c0fde335cd
--- /dev/null
+++ b/SPECS/stig-hardening/fix-stig-playbook-fips-pam.patch
@@ -0,0 +1,79 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Factory AI Bot
+Date: Thu, 02 Apr 2026 15:00:00 +0200
+Subject: [PATCH] Fix STIG playbook: PAM stack, FIPS module config, IMA hash
+
+1) Fix PHTN-50-000192 pam_faillock.so setup: regex_search() in
+ set_fact returns None when no match. The comparison
+ 'preauthsearch == ""' evaluates to False when preauthsearch is
+ None, causing the cleanup step to be skipped while add steps
+ still run, corrupting the PAM auth stack with duplicate entries.
+ Use '| default("")' so None is treated as empty string.
+ (Backward-compatible: no-op when value is already a string on
+ older Ansible.)
+
+2) Add ima_hash=sha256 kernel parameter when fips=1 is active.
+ FIPS mode disables sha1 but IMA defaults to sha1, causing
+ allocation failures during boot.
+
+3) Generate /etc/ssl/fipsmodule.cnf via 'openssl fipsinstall' when
+ the FIPS provider module is present but fipsmodule.cnf is missing.
+ Without it, booting with fips=1 causes OpenSSL to fail to
+ initialize FIPS mode and pam_unix.so cannot verify passwords.
+
+Signed-off-by: Factory AI Bot
+---
+diff -ruN a/tasks/photon.yml b/tasks/photon.yml
+--- a/tasks/photon.yml 2026-04-02 14:09:20.577266299 +0200
++++ b/tasks/photon.yml 2026-04-02 14:10:05.298254183 +0200
+@@ -305,6 +305,17 @@
+ - run_openssl_fips_install | bool
+ - opensslfipsinstalled.stdout == ""
+
++ - name: PHTN-50-000013 - Check if FIPS module is present
++ ansible.builtin.stat:
++ path: /usr/lib/ossl-modules/fips.so
++ register: fips_module_file
++
++ - name: PHTN-50-000013 - Generate FIPS module config if missing
++ ansible.builtin.command: openssl fipsinstall -out /etc/ssl/fipsmodule.cnf -module /usr/lib/ossl-modules/fips.so
++ args:
++ creates: /etc/ssl/fipsmodule.cnf
++ when: fips_module_file.stat.exists
++
+ ###################################################################################################################################
+ - name: PHTN-50-000014 - Configure auditd.conf write_logs
+ tags: [PHTN-50-000014, auditd]
+@@ -1183,6 +1194,12 @@
+ regexp: '^(\s*linux(?!.* fips=).*)'
+ replace: '\1 fips=1'
+
++ - name: PHTN-50-000182 - Add ima_hash=sha256 when fips=1 is active
++ ansible.builtin.replace:
++ path: '{{ var_grub_conf_file }}'
++ regexp: '^(\s*linux(?!.* ima_hash=).*fips=1.*)'
++ replace: '\1 ima_hash=sha256'
++
+ - name: PHTN-50-000080 - Replace fips=1 in /boot/grub2/grub.cfg
+ ansible.builtin.replace:
+ path: '{{ var_grub_conf_file }}'
+@@ -1320,7 +1337,7 @@
+ state: absent
+ regexp: '^auth\s+(required|requisite|\[default=die\])\s+pam_faillock\.so.*$'
+ when:
+- - preauthsearch == "" or authfailsearch == ""
++ - preauthsearch | default('') == "" or authfailsearch | default('') == ""
+
+ - name: Ensure pam_unix.so auth control is 'sufficient' in system-auth if it is 'required'
+ ansible.builtin.replace:
+@@ -1375,7 +1392,7 @@
+ module_path: pam_faillock.so
+ state: absent
+ when:
+- - sysaccountsearch == ""
++ - sysaccountsearch | default('') == ""
+
+ - name: PHTN-50-000192 - Add pam_faillock.so to system-account if it doesn't exist
+ community.general.pamd:
+--
+2.43.7
diff --git a/SPECS/stig-hardening/stig-hardening.spec b/SPECS/stig-hardening/stig-hardening.spec
index 08122eda35..9e06b10492 100644
--- a/SPECS/stig-hardening/stig-hardening.spec
+++ b/SPECS/stig-hardening/stig-hardening.spec
@@ -4,7 +4,7 @@ Summary: VMware Photon OS 5.0 STIG Readiness Guide Ansible Playbook
 Name: stig-hardening
 #Version x.y.z corresponds vr-z tag in the repo. Eg 1.1.1 = v1r1-1
 Version: 2.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 URL: https://github.com/vmware/dod-compliance-and-automation/tree/master/photon/5.0/ansible/vmware-photon-5.0-stig-ansible-hardening
 Group: Productivity/Security
 Vendor: VMware, Inc.
@@ -23,6 +23,7 @@ Source1: license.txt
 Patch0: fix-some-value-checks.patch
 Patch1: system-auth-fix.patch
 Patch2: fix-photon.yml-for-latest-audit-and-ansible.patch
+Patch3: fix-stig-playbook-fips-pam.patch
 Requires: ansible >= 2.20.1
 Requires: ansible-community-general
 
@@ -44,6 +45,10 @@ cp -a %{_builddir}/%{name}-ph5-%{version}/ %{buildroot}%{_datadir}/ansible/%{nam
 %{_datadir}/ansible/
 
 %changelog
+* Thu Apr 09 2026 Factory AI Bot 2.1-7
+- Fix PHTN-50-000192 pam_faillock PAM stack corruption (| default guard)
+- Add ima_hash=sha256 kernel parameter when fips=1 is active
+- Generate fipsmodule.cnf when FIPS provider is present but config is missing
 * Wed Apr 01 2026 Shreenidhi Shedi 2.1-6
 - Fix conditions for ansible-2.20 and audit-4.x
 * Wed Mar 25 2026 Shreenidhi Shedi 2.1-5
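Review bot: The `| default('')` guard on the two changed `when:` lines (`preauthsearch | default('') == "" or authfailsearch | default('') == ""` and `sysaccountsearch | default('') == ""`) only substitutes for an undefined variable; Jinja's default filter leaves a defined value of None untouched unless its second argument is true, so if regex_search really stores None as the description says, the cleanup tasks are still skipped and the duplicate pam_faillock entries this patch sets out to prevent still land in the PAM auth stack. Use `- preauthsearch | default('', true) == "" or authfailsearch | default('', true) == ""` and `- sysaccountsearch | default('', true) == ""` (or test `is none`), and exercise the no-match case once, since a wrong guard here silently weakens the account-lockout control. In the first inner hunk the two new PHTN-50-000013 tasks carry no `tags:` entry, unlike the neighbouring `tags: [PHTN-50-000014, auditd]`, so a tag-filtered run skips them, and their `when:` omits the `run_openssl_fips_install | bool` opt-in the preceding task honours, so fipsinstall runs on any host that has fips.so even when the operator turned that step off. The `creates: /etc/ssl/fipsmodule.cnf` guard also means a config written against an earlier fips.so build is never refreshed, which leaves the module self-test failing at boot; if that case matters here, an `openssl fipsinstall -verify` check is the usual way to decide whether to regenerate. All four inner hunks start and end inside task lists that continue outside the hunk.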
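Review bot: `Patch3: fix-stig-playbook-fips-pam.patch` is declared in the second spec hunk, but the `%prep` section that applies the patch list is outside the visible hunks; confirm it picks up Patch3 (for example `%autosetup -p1` or an explicit `%patch3`), otherwise 2.1-7 builds without the fix it advertises. The changelog line `(| default guard)` could name the facts it guards (preauthsearch, authfailsearch, sysaccountsearch) so a later reader can locate the affected tasks.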