Description
Have you checked ReadtheDocs?:
Yes
Describe the Issue
Running the UBUNTU22-CIS role fails during the PAM package installation step because apt/dpkg is locked by another process. The role’s CIS 5.3.1.x package tasks do not set a lock timeout, so the run fails immediately if unattended-upgrades or another apt job is running.
Expected Behavior
Role waits for the apt/dpkg lock to clear (or retries) and completes the PAM package tasks without failing when a transient apt lock exists.
Actual Behavior
Role fails with a dpkg frontend lock error during control 5.3.1.3.
Control(s) Affected
- 5.3.1.3 (primary failure)
- 5.3.1.1 / 5.3.1.2 are in the same file and use package installs without lock_timeout (potentially affected)
Environment (please complete the following information):
- branch being used: 2.0.3
- Ansible Version: 2.16.14
- Host Python Version: 3.10.12
- Ansible Server Python Version: N/A
- Additional Details: Azure DevOps pipeline, Ubuntu 22.04 target
Additional Notes
Initial error message:
```
2026-02-11T14:58:04.6688682Z VERBOSE: azure-arm.ubuntu2204: TASK [hardening-ubuntu_2204 : 5.3.1.3 | PATCH | Ensure libpam-pwquality is installed] ***
2026-02-11T14:58:05.5702106Z VERBOSE: azure-arm.ubuntu2204: fatal: [default]: FAILED! => {"cache_update_time": 1770821774, "cache_updated": false, "changed": false, "msg": "'/usr/bin/apt-get -y -o \"Dpkg::Options::=--force-confdef\" -o \"Dpkg::Options::=--force-confold\" install 'libpam-pwquality=1.4.4-1build2'' failed: E: Could not get lock /var/lib/dpkg/lock-frontend. It is held by process 17377 (dpkg)\nE: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?\n", "rc": 100, "stderr": "E: Could not get lock /var/lib/dpkg/lock-frontend. It is held by process 17377 (dpkg)\nE: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?\n", "stderr_lines": ["E: Could not get lock /var/lib/dpkg/lock-frontend. It is held by process 17377 (dpkg)", "E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?"], "stdout": "", "stdout_lines": []}
```
Confirmed other occurrences (package tasks missing lock_timeout):
| File | Line | Task |
|---|---|---|
| tasks/pre_remediation_audit.yml | 15 | Pre Audit Setup \| If using git for content set up |
| tasks/section_1/cis_1.2.2.x.yml | 3 | "1.2.2.1 \| PATCH \| Ensure updates, patches, and additional security software are installed" |
| tasks/section_1/cis_1.3.1.x.yml | 3 | "1.3.1.1 \| PATCH \| Ensure AppArmor is installed" |
| tasks/section_1/cis_1.5.x.yml | 92 | "1.5.4 \| PATCH \| Ensure prelink is not installed" |
| tasks/section_1/cis_1.5.x.yml | 117 | "1.5.5 \| PATCH \| Ensure Automatic Error Reporting is not enabled" |
| tasks/section_1/cis_1.7.x.yml | 2 | "1.7.1 \| PATCH \| Ensure GDM is removed" |
| tasks/section_2/cis_2.1.x.yml | 3 | "2.1.1 \| PATCH \| Ensure autofs services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 36 | "2.1.2 \| PATCH \| Ensure avahi daemon services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 72 | "2.1.3 \| PATCH \| Ensure dhcp server services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 106 | "2.1.4 \| PATCH \| Ensure dns server services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 137 | "2.1.5 \| PATCH \| Ensure dnsmasq services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 168 | "2.1.6 \| PATCH \| Ensure ftp server services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 200 | "2.1.7 \| PATCH \| Ensure ldap server services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 231 | "2.1.8 \| PATCH \| Ensure message access server services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 269 | "2.1.9 \| PATCH \| Ensure network file system services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 302 | "2.1.10 \| PATCH \| Ensure nis server services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 334 | "2.1.11 \| PATCH \| Ensure print server services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 367 | "2.1.12 \| PATCH \| Ensure rpcbind services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 402 | "2.1.13 \| PATCH \| Ensure rsync services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 433 | "2.1.14 \| PATCH \| Ensure samba file server services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 466 | "2.1.15 \| PATCH \| Ensure snmp services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 499 | "2.1.16 \| PATCH \| Ensure tftp server services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 530 | "2.1.17 \| PATCH \| Ensure web proxy server services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 561 | "2.1.18 \| PATCH \| Ensure web server services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 620 | "2.1.19 \| PATCH \| Ensure xinetd services are not in use" |
| tasks/section_2/cis_2.1.x.yml | 651 | "2.1.20 \| PATCH \| Ensure X window server services are not in use" |
| tasks/section_2/cis_2.2.x.yml | 3 | "2.2.1 \| PATCH \| Ensure NIS Client is not installed" |
| tasks/section_2/cis_2.2.x.yml | 19 | "2.2.2 \| PATCH \| Ensure rsh client is not installed" |
| tasks/section_2/cis_2.2.x.yml | 35 | "2.2.3 \| PATCH \| Ensure talk client is not installed" |
| tasks/section_2/cis_2.2.x.yml | 51 | "2.2.4 \| PATCH \| Ensure telnet client is not installed" |
| tasks/section_2/cis_2.2.x.yml | 68 | "2.2.5 \| PATCH \| Ensure ldap client is not installed" |
| tasks/section_2/cis_2.2.x.yml | 84 | "2.2.6 \| PATCH \| Ensure ftp client is not installed" |
| tasks/section_2/cis_2.3.1.x.yml | 3 | "2.3.1.1 \| PATCH \| Ensure a single time synchronization daemon is in use" |
| tasks/section_3/cis_3.1.x.yml | 94 | "3.1.3 \| PATCH \| Ensure bluetooth services are not in use" |
| tasks/section_4/cis_4.1.x.yml | 3 | "4.1.1 \| PATCH \| Ensure ufw is installed" |
| tasks/section_4/cis_4.1.x.yml | 19 | "4.1.2 \| PATCH \| Ensure iptables-persistent is not installed with ufw" |
| tasks/section_4/cis_4.2.x.yml | 30 | "4.2.2 \| AUDIT \| Ensure ufw is uninstalled or disabled with nftables" |
| tasks/section_4/cis_4.3.1.x.yml | 3 | "4.3.1.1 \| PATCH \| Ensure iptables packages are installed" |
| tasks/section_4/cis_4.3.1.x.yml | 19 | "4.3.1.2 \| PATCH \| Ensure nftables is not installed with iptables" |
| tasks/section_4/cis_4.3.1.x.yml | 36 | "4.3.1.3 \| PATCH \| Ensure ufw is uninstalled or disabled with iptables" |
| tasks/section_4/cis_4.3.2.x.yml | 119 | "4.3.2.4 \| AUDIT \| Ensure iptables firewall rules exist for all open ports" |
| tasks/section_4/cis_4.3.3.x.yml | 112 | "4.3.3.4 \| AUDIT \| Ensure ip6tables firewall rules exist for all open ports" |
| tasks/section_5/cis_5.2.x.yml | 3 | "5.2.1 \| PATCH \| Ensure sudo is installed" |
| tasks/section_5/cis_5.3.1.x.yml | 3 | "5.3.1.1 \| PATCH \| Ensure latest version of pam is installed" |
| tasks/section_5/cis_5.3.1.x.yml | 19 | "5.3.1.2 \| PATCH \| Ensure libpam-modules is installed" |
| tasks/section_5/cis_5.3.1.x.yml | 35 | "5.3.1.3 \| PATCH \| Ensure libpam-pwquality is installed" |
| tasks/section_6/cis_6.1.x.yml | 3 | "6.1.1 \| PATCH \| Ensure AIDE is installed" |
| tasks/section_6/cis_6.2.1.2.x.yml | 3 | "6.2.1.2.1 \| PATCH \| Ensure systemd-journal-remote is installed" |
| tasks/section_6/cis_6.3.1.x.yml | 3 | "6.3.1.1 \| PATCH \| Ensure auditd packages are installed" |
Possible Solution
Introduce a configurable apt/dpkg lock timeout variable and use it for the CIS 5.3.1.x package tasks.
- Add `ubtu22cis_apt_lock_timeout: 180` in `defaults/main.yml`.
- Use `lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"` on the package tasks in `tasks/section_5/cis_5.3.1.x.yml`.
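As an added illustration (not code from this issue or from the role itself), the following shows how the proposed default and the `lock_timeout` option would look on one of the affected apt tasks. The task body is assumed rather than copied from the role; the variable name follows the proposal above, and `lock_timeout` is an existing parameter of the `ansible.builtin.apt` module (ansible-core 2.12 and later, default 60 seconds). The `until`/`retries` loop at the end is an additional, optional safeguard for locks that outlive the timeout, not part of the proposal.

```yaml
# defaults/main.yml (assumed location, variable name as proposed in this issue)
# How long, in seconds, apt tasks wait for /var/lib/dpkg/lock-frontend before failing.
ubtu22cis_apt_lock_timeout: 180

# tasks/section_5/cis_5.3.1.x.yml (illustrative task, not the role's own code)
# Before: no lock_timeout, so apt-get fails with rc 100 as soon as another
# process (e.g. unattended-upgrades) holds the dpkg frontend lock.
- name: "5.3.1.3 | PATCH | Ensure libpam-pwquality is installed (no lock handling)"
  ansible.builtin.apt:
    name: libpam-pwquality
    state: present

# After: the module polls for the lock for up to ubtu22cis_apt_lock_timeout
# seconds, so a transient lock no longer aborts the run.
- name: "5.3.1.3 | PATCH | Ensure libpam-pwquality is installed"
  ansible.builtin.apt:
    name: libpam-pwquality
    state: present
    lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
  # Optional extra resilience (assumed pattern): if the lock is still held
  # after the timeout, retry the whole task a few times before failing.
  register: pwquality_install
  until: pwquality_install is succeeded
  retries: 3
  delay: 30
```

A pipeline run would then surface a genuine, persistent lock holder as a failure only after the timeout and the retries are exhausted, while the common case of an unattended-upgrades job finishing within a minute or two passes without intervention.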