rhel9cis_pam_confd_dir is undefined ? 5.3.3.3.2 errors #272

Open

morgancoxuk opened this issue Jan 6, 2025 · 0 comments
Labels
bug Something isn't working

Comments


morgancoxuk commented Jan 6, 2025

Describe the Issue
V2 of the benchmark fails - I get

TASK [common/rhel9cistmp : 5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set] ******************************************************
fatal: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'rhel9cis_pam_confd_dir' is undefined. 'rhel9cis_pam_confd_dir' is undefined\n\nThe error appears to be in '/etc/ansible/roles/common/rhel9cistmp/tasks/section_5/cis_5.3.3.3.x.yml': line 70, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n    - name: \"5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set\"\n      ^ here\n"}

Expected Behavior
The role to run

Actual Behavior
Role errors

Control(s) Affected
What controls are being affected by the issue

Environment (please complete the following information):

  • branch being used: [e.g. devel]
  • Ansible Version: ansible [core 2.14.17]
  • Host Python Version: [e.g. Python 3.9.21]
  • Ansible Server Python Version: [e.g. Python3.9.21]
  • Additional Details:

Possible Solution
The issue is in this section

    - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set"
      when:
        - not rhel9cis_allow_authselect_updates
        - discovered_pwhistory_enforce_for_root.stdout | length == 0
        - rhel9cis_disruption_high
      ansible.builtin.lineinfile:
        path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
        regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(enforce_for_root)
        line: '\1\2\3 enforce_for_root'
        backrefs: true

The issue is that neither rhel9cis_pam_confd_dir nor rhel9cis_pam_pwhistory_file is defined in defaults/vars.

It's an easy fix, but can you confirm an example correct path for this file? I assume I can use '/etc/security/pwhistory.conf'?

Edit:

The same thing happens later in the same task:

TASK [common/rhel9-pcidss-hardening : 5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure use_authtok is set] ***
fatal: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'rhel9cis_pam_confd_dir' is undefined. 'rhel9cis_pam_confd_dir' is undefined\n\nThe error appears to be in '/etc/ansible/roles/common/rhel9-pcidss-hardening/tasks/cis-5.3.3.3.x.yml': line 115, column 11, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n        - name: \"5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure use_authtok is set\"\n          ^ here\n"}

Same issue: neither rhel9cis_pam_confd_dir nor rhel9cis_pam_pwhistory_file is defined.

i.e. if I clone the git repo, the only references to these vars are:

$ egrep -r "rhel9cis_pam_confd_dir|rhel9cis_pam_pwhistory_file" ~/src/RHEL9-CIS
/home/mcox/src/RHEL9-CIS/tasks/section_5/cis_5.3.3.3.x.yml:        path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
/home/mcox/src/RHEL9-CIS/tasks/section_5/cis_5.3.3.3.x.yml:        path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"

i.e. no var is defined in the repo.

Just to confirm, I'm running with no authselect, i.e.

rhel9cis_disruption_high: true
rhel9cis_allow_authselect_updates: false

And when the role fails there are no pwhistory lines in any /etc/pam.d file...

Thanks

@morgancoxuk morgancoxuk added the bug Something isn't working label Jan 6, 2025
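A check for this class of error, added here and not taken from the issue or the RHEL9-CIS project: it does in code what the egrep above does by hand, scanning a role's tasks for names referenced in {{ }} expressions and reporting any not provided by defaults/vars or a register:. The role files are a constructed in-memory stand-in mirroring the task quoted above; paths, task names and the sample grep command are assumptions.

```python
import re
# Constructed, in-memory stand-in for a role checkout, modelled on the task
# quoted in the issue; it is NOT the real RHEL9-CIS repository contents.
ROLE_FILES = {
    "defaults/main.yml": (
        "rhel9cis_disruption_high: true\n"
    ),
    "tasks/section_5/cis_5.3.3.3.x.yml": (
        "- name: \"5.3.3.3.2 | AUDIT | Check enforce_for_root\"\n"
        "  ansible.builtin.command: grep enforce_for_root /etc/pam.d/system-auth\n"
        "  register: discovered_pwhistory_enforce_for_root\n"
        "- name: \"5.3.3.3.2 | PATCH | Ensure enforce_for_root is set\"\n"
        "  when: discovered_pwhistory_enforce_for_root.stdout | length == 0\n"
        "  ansible.builtin.lineinfile:\n"
        "    path: \"/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}\"\n"
        "    line: \"{{ discovered_pwhistory_enforce_for_root.stdout }} enforce_for_root\"\n"
    ),
}

JINJA_REF = re.compile(r"\{\{\s*([A-Za-z_]\w*)")               # first name in {{ ... }}
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_]\w*):", re.MULTILINE)  # defaults/vars keys
REGISTERED = re.compile(r"^\s*register:\s*([A-Za-z_]\w*)", re.MULTILINE)

def defined_vars(files):
    """Names the role itself provides: defaults/vars keys plus register: targets."""
    found = set()
    for path, text in files.items():
        if path.startswith(("defaults/", "vars/")):
            found.update(TOP_LEVEL_KEY.findall(text))
        elif path.startswith("tasks/"):
            found.update(REGISTERED.findall(text))
    return found

def referenced_vars(files):
    """Every name used inside a {{ }} expression in tasks/, with the files using it."""
    refs = {}
    for path, text in files.items():
        if path.startswith("tasks/"):
            for name in JINJA_REF.findall(text):
                refs.setdefault(name, set()).add(path)
    return refs

def undefined_role_vars(files, extra_known=frozenset()):
    """Names used in tasks but defined nowhere; extra_known whitelists play/inventory vars."""
    known = defined_vars(files) | set(extra_known)
    return {v: sorted(p) for v, p in referenced_vars(files).items() if v not in known}

if __name__ == "__main__":
    for var, paths in sorted(undefined_role_vars(ROLE_FILES).items()):
        print(f"{var} is undefined; referenced in {', '.join(paths)}")
```

Point it at a real checkout by reading each file under defaults/, vars/ and tasks/ into the same {path: text} shape; variables the playbook or inventory supplies go in extra_known so only genuinely missing names are reported.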