Description of problem:
I could find no mention of any issues with "authselect", my apologies if this is already known.
I have installed the Ansible Role RedHatOfficial.rhel9_cis_server_l1 on my Test Ansible server with the command:
`ansible-galaxy role install RedHatOfficial.rhel9_cis_server_l1`
as the ansible User, and so it is deployed to /home/ansible/.ansible/roles/RedHatOfficial.rhel9_cis_server_l1.
When run against a RHEL9.7 Server, the Task "Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Force reselect authselect profile" failed with this error:
`[error] Unable to get profile information [2]: No such file or directory`
The cmd in this Task uses an embedded `authselect current --raw` command to retrieve the current Profile Name. On my RHEL9 Servers, the `authselect current --raw` command returns:
`sssd with-fingerprint with-silent-lastlog`
and I suspect that the encompassing `authselect select "$(authselect current --raw)" --force` command is not expecting the extra values after the Profile Name.
I have no knowledge on whether my RHEL9 Servers are out of the ordinary or not; they are based on a RHEL9.4 Template VM, with the 9.7 update installed from my Satellite Server.
The fix I made was to add an awk command to return only the first field from the embedded "authselect current --raw" command, so:
`ansible@ansible-test:RedHatOfficial.rhel9_cis_server_l1/tasks$ diff main.yml.20260325 main.yml
4654c4654
< cmd: authselect select "$(authselect current --raw)" --force
cmd: authselect select "$(authselect current --raw | awk '{print $1}')" --force`
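Review bot: On the changed `cmd:` line, `awk '{print $1}'` keeps only the profile name, so the forced reselect runs as `authselect select sssd --force` and drops the `with-fingerprint` and `with-silent-lastlog` features that `authselect current --raw` reported. The failure comes from the double quotes around the substitution, which hand the whole line to `authselect select` as a single profile name; leaving the substitution unquoted, `authselect select $(authselect current --raw) --force`, lets the shell split it into the profile followed by its features, so the existing selection is kept. It is worth running `authselect current` on the target after the role completes to confirm both features are still enabled.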
The Role ran to successful completion after this change.
Note that the target Server was recreated in-between the 2 executions of the Role.
SCAP Security Guide Version:
Operating System Version:
Red Hat Enterprise Linux 9.7
Steps to Reproduce:
- Create a RHEL9.7 Server
- Install the Ansible Role RedHatOfficial.rhel9_cis_server_l1, from Galaxy, to an Ansible server
- Create a Playbook, on the Ansible server, to execute this Role; something like:

  ```yaml
  ---
  # This Playbook invokes a role to harden the Server to RedHat Official RHEL9 CIS Server Level 1
  # The role is a RedHat Official RHEL9 CIS role from Galaxy
  - hosts: all
    become: true
    become_user: root
    user: ansible
    tasks:
      - name: Harden Server to CIS Server Level 1
        include_role:
          name: RedHatOfficial.rhel9_cis_server_l1
  ```
- Execute the Playbook against the RHEL9.7 Server from the Ansible server, something like this:
  `ansible-playbook -i <Target RHEL9.7 Server>, harden.yml 2>&1 | tee <some output file>`
Actual Results:
```
TASK [RedHatOfficial.rhel9_cis_server_l1 : Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Force reselect authselect profile] ***
fatal: [web-v2dv4-l02.rci.uk]: FAILED! => {"changed": true, "cmd": "authselect select "$(authselect current --raw)" --force",
"delta": "0:00:00.012419", "end": "2026-03-24 16:38:50.202837",
"msg": "non-zero return code", "rc": 1, "start": "2026-03-24 16:38:50.190418",
"stderr": "[error] Unable to get profile information [2]: No such file or directory",
"stderr_lines": ["[error] Unable to get profile information [2]: No such file or directory"],
"stdout": "", "stdout_lines": []}
PLAY RECAP *********************************************************************
: ok=139 changed=28 unreachable=0 failed=1 skipped=67 rescued=0 ignored=0
```
The line breaks and indentation of the output are mine.
Expected Results:
```
ansible@ansible-test:~$ ansible-playbook -i web-v2dv4-l02.rci.uk, harden.yml 2>&1 | tee <output file>
...
PLAY RECAP *********************************************************************
<Target Server> : ok=884 changed=149 unreachable=0 failed=0 skipped=470 rescued=0 ignored=0
```
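The three ways of passing `authselect current --raw` to `authselect select` discussed in this report, as an added example that is not part of the original issue or of the role's code. The `authselect` shell function here is a constructed stand-in that only echoes how its arguments arrive, and the `form_*` function names are hypothetical.

```shell
#!/bin/sh
# Constructed stand-in for the authselect binary (assumption: it mimics only
# argument handling). "current --raw" prints the profile line quoted in the
# issue; "select" reports which argument it treats as the profile and which
# as features.
authselect() {
    case "$1" in
        current)
            echo "sssd with-fingerprint with-silent-lastlog"
            ;;
        select)
            shift
            profile=$1
            shift
            features=""
            for arg in "$@"; do
                if [ "$arg" != "--force" ]; then
                    features="${features:+$features,}$arg"
                fi
            done
            echo "profile=[$profile] features=[$features]"
            ;;
    esac
}

# Form used by the role task: the quoted substitution arrives as ONE
# argument, so the whole line is taken as the profile name.
form_quoted() { authselect select "$(authselect current --raw)" --force; }

# Workaround from the issue: only the first field survives, so the profile
# is found but the features are no longer passed.
form_awk() { authselect select "$(authselect current --raw | awk '{print $1}')" --force; }

# Unquoted substitution: word splitting yields the profile followed by each
# feature as its own argument.
# shellcheck disable=SC2046
form_unquoted() { authselect select $(authselect current --raw) --force; }

form_quoted
form_awk
form_unquoted
```

On a hardened host, comparing the output of the real `authselect current` before and after the role runs shows whether the features survived the forced reselect.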