
Commit 3b1971a

stig-hardening: also apply fips-pam patch to SPECS/91 (pinned-91)
The original PR added fix-stig-playbook-fips-pam.patch only to SPECS/stig-hardening/ (subrelease >= 92, Ansible 2.20). The same patch is also applicable to SPECS/91/stig-hardening/ (subrelease <= 91, Ansible 2.14+):

* IMA hash=sha256 and fipsmodule.cnf generation are kernel/OpenSSL concerns, independent of Ansible version, and are needed by any pinned-91 build that boots with fips=1.
* The "| default('')" PAM faillock guard is a defensive no-op on Ansible 2.14+ (regex_search returns "" on 2.14, not None), so the same patch can be reused verbatim.

Both the >=92 and <=91 specs apply Patch0 + Patch1 to the same upstream tarball, and Patch2 of the >=92 variant (fix-photon.yml-for-latest-audit-and-ansible.patch) touches lines that are disjoint from this patch (telnet regex at ~628, autrace list at ~915), so re-using the same patch file with no edits is safe.

Pinned-91 spec:
- Release: 5.1 -> 5.2
- Patch2: fix-stig-playbook-fips-pam.patch (new, identical content to SPECS/stig-hardening/)

Tested per the PR's existing matrix (5.0 pinned91 row): sha256 allocated, fipsmodule.cnf generated, PAM faillock correct.

Signed-off-by: David Casota <dcasota@gmail.com>
1 parent 24cffc3 commit 3b1971a

2 files changed

Lines changed: 84 additions & 1 deletion


Lines changed: 79 additions & 0 deletions
@@ -0,0 +1,79 @@
1+
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2+
From: Factory AI Bot <factory-droid[bot]@users.noreply.github.com>
3+
Date: Thu, 02 Apr 2026 15:00:00 +0200
4+
Subject: [PATCH] Fix STIG playbook: PAM stack, FIPS module config, IMA hash
5+
6+
1) Fix PHTN-50-000192 pam_faillock.so setup: regex_search() in
7+
set_fact returns None when no match. The comparison
8+
'preauthsearch == ""' evaluates to False when preauthsearch is
9+
None, causing the cleanup step to be skipped while add steps
10+
still run, corrupting the PAM auth stack with duplicate entries.
11+
Use '| default("")' so None is treated as empty string.
12+
(Backward-compatible: no-op when value is already a string on
13+
older Ansible.)
14+
15+
2) Add ima_hash=sha256 kernel parameter when fips=1 is active.
16+
FIPS mode disables sha1 but IMA defaults to sha1, causing
17+
allocation failures during boot.
18+
19+
3) Generate /etc/ssl/fipsmodule.cnf via 'openssl fipsinstall' when
20+
the FIPS provider module is present but fipsmodule.cnf is missing.
21+
Without it, booting with fips=1 causes OpenSSL to fail to
22+
initialize FIPS mode and pam_unix.so cannot verify passwords.
23+
24+
Signed-off-by: Factory AI Bot <factory-droid[bot]@users.noreply.github.com>
25+
---
26+
diff -ruN a/tasks/photon.yml b/tasks/photon.yml
27+
--- a/tasks/photon.yml 2026-04-02 14:09:20.577266299 +0200
28+
+++ b/tasks/photon.yml 2026-04-02 14:10:05.298254183 +0200
29+
@@ -305,6 +305,17 @@
30+
- run_openssl_fips_install | bool
31+
- opensslfipsinstalled.stdout == ""
32+
33+
+ - name: PHTN-50-000013 - Check if FIPS module is present
34+
+ ansible.builtin.stat:
35+
+ path: /usr/lib/ossl-modules/fips.so
36+
+ register: fips_module_file
37+
+
38+
+ - name: PHTN-50-000013 - Generate FIPS module config if missing
39+
+ ansible.builtin.command: openssl fipsinstall -out /etc/ssl/fipsmodule.cnf -module /usr/lib/ossl-modules/fips.so
40+
+ args:
41+
+ creates: /etc/ssl/fipsmodule.cnf
42+
+ when: fips_module_file.stat.exists
43+
+
44+
###################################################################################################################################
45+
- name: PHTN-50-000014 - Configure auditd.conf write_logs
46+
tags: [PHTN-50-000014, auditd]
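Review bot: the two new PHTN-50-000013 tasks carry no `tags:` entry, unlike the surrounding tasks (for example `tags: [PHTN-50-000014, auditd]` on the auditd task directly below), so a tag-filtered run such as `--tags PHTN-50-000013` would skip both the stat and the `openssl fipsinstall` step; add `tags: [PHTN-50-000013]` to both in the same style. Also, the preceding task is gated on `run_openssl_fips_install | bool`, whereas the new generation step runs whenever `/usr/lib/ossl-modules/fips.so` exists, so a host whose operator opted out of FIPS installation still gets `/etc/ssl/fipsmodule.cnf` written; reuse that guard, and consider taking the two hard-coded paths from variables the way the grub tasks use `var_grub_conf_file`.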
47+
@@ -1183,6 +1194,12 @@
48+
regexp: '^(\s*linux(?!.* fips=).*)'
49+
replace: '\1 fips=1'
50+
51+
+ - name: PHTN-50-000182 - Add ima_hash=sha256 when fips=1 is active
52+
+ ansible.builtin.replace:
53+
+ path: '{{ var_grub_conf_file }}'
54+
+ regexp: '^(\s*linux(?!.* ima_hash=).*fips=1.*)'
55+
+ replace: '\1 ima_hash=sha256'
56+
+
57+
- name: PHTN-50-000080 - Replace fips=1 in /boot/grub2/grub.cfg
58+
ansible.builtin.replace:
59+
path: '{{ var_grub_conf_file }}'
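Review bot: the `ima_hash=sha256` append depends on the literal token `fips=1` being present when this task runs, and the very next task, PHTN-50-000080 "Replace fips=1 in /boot/grub2/grub.cfg", operates on the same `{{ var_grub_conf_file }}`; its replacement text is outside this hunk, so please confirm it leaves the appended ` ima_hash=sha256` in place and that placing the new task before it rather than after it is deliberate. Minor: `.*fips=1.*` also matches `nofips=1` and `fips=10`; `.*\bfips=1\b.*` restricts the match to the exact token.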
60+
@@ -1320,7 +1337,7 @@
61+
state: absent
62+
regexp: '^auth\s+(required|requisite|\[default=die\])\s+pam_faillock\.so.*$'
63+
when:
64+
- - preauthsearch == "" or authfailsearch == ""
65+
+ - preauthsearch | default('') == "" or authfailsearch | default('') == ""
66+
67+
- name: Ensure pam_unix.so auth control is 'sufficient' in system-auth if it is 'required'
68+
ansible.builtin.replace:
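Review bot: `| default('')` does not cover the `None` case that item 1 of the patch description is about. Jinja's `default` filter only substitutes for an undefined variable; a variable that is defined but `None` passes through unchanged unless the filter's second argument is true, so on an Ansible where `regex_search` yields `None`, `preauthsearch | default('') == ""` is still False and the cleanup task is still skipped while the add tasks run. Use the boolean form in both comparisons:
`- preauthsearch | default('', true) == "" or authfailsearch | default('', true) == ""`
On 2.14, where the value is already `""`, this remains a no-op, so the pinned-91 reuse argument in the commit message is unaffected.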
69+
@@ -1375,7 +1392,7 @@
70+
module_path: pam_faillock.so
71+
state: absent
72+
when:
73+
- - sysaccountsearch == ""
74+
+ - sysaccountsearch | default('') == ""
75+
76+
- name: PHTN-50-000192 - Add pam_faillock.so to system-account if it doesn't exist
77+
community.general.pamd:
78+
--
79+
2.43.7
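Review bot: the same `default` point applies to `sysaccountsearch | default('') == ""` in this last region of the patch; change it to `sysaccountsearch | default('', true) == ""` together with the other two guards so the PHTN-50-000192 system-account cleanup is not skipped on a `None` result. Separately, the commit message states this file is identical to SPECS/stig-hardening/fix-stig-playbook-fips-pam.patch; two copies of one patch invite silent drift the next time the >=92 copy is edited, so if the build layout allows it, reference a single file from both specs, or at least record in each spec's changelog that the two copies must stay in sync.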

SPECS/91/stig-hardening/stig-hardening.spec

Lines changed: 5 additions & 1 deletion
@@ -4,7 +4,7 @@ Summary: VMware Photon OS 5.0 STIG Readiness Guide Ansible Playbook
44
Name: stig-hardening
55
#Version x.y.z corresponds v<x>r<y>-z tag in the repo. Eg 1.1.1 = v1r1-1
66
Version: 2.1
7-
Release: 5.1%{?dist}
7+
Release: 5.2%{?dist}
88
URL: https://github.com/vmware/dod-compliance-and-automation/tree/master/photon/5.0/ansible/vmware-photon-5.0-stig-ansible-hardening
99
Group: Productivity/Security
1010
Vendor: VMware, Inc.
@@ -22,6 +22,7 @@ Source1: license.txt
2222

2323
Patch0: fix-some-value-checks.patch
2424
Patch1: system-auth-fix.patch
25+
Patch2: fix-stig-playbook-fips-pam.patch
2526

2627
Requires: ansible >= 2.14.2
2728
Requires: ansible-community-general
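Review bot: this hunk only declares `Patch2:`; the whole spec change is 5 additions and 1 deletion, all shown on this page, and none of them touch `%prep`, so unless the spec already applies patches generically with `%autosetup -p1` the new patch is declared but never applied and the build silently ships the unpatched playbook. If `%prep` applies `%patch0`/`%patch1` explicitly, add `%patch2 -p1` alongside them and confirm with a build log that `fix-stig-playbook-fips-pam.patch` is listed as applied.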
@@ -43,6 +44,9 @@ cp -a %{_builddir}/%{name}-ph5-%{version}/ %{buildroot}%{_datadir}/ansible/%{nam
4344
%{_datadir}/ansible/
4445

4546
%changelog
47+
* Mon May 11 2026 David Casota <dcasota@gmail.com> 2.1-5.2
48+
- Add fix-stig-playbook-fips-pam.patch (FIPS module config + IMA hash;
49+
PAM faillock | default('') guard is a defensive no-op on Ansible 2.14+)
4650
* Wed Apr 01 2026 Shreenidhi Shedi <shreenidhi.shedi@broadcom.com> 2.1-5.1
4751
- Bump after moving to SPECS/91
4852
* Wed Mar 25 2026 Shreenidhi Shedi <shreenidhi.shedi@broadcom.com> 2.1-5
