ansible-lockdown / RHEL7-STIG

Ansible role for Red Hat 7 STIG Baseline

RHEL-07-010270 010320 010330 pamd module problems

shepdelacreme opened this issue

I was working on updating RHEL-07-010270 to the v2 STIG standard and noticed several issues with the pamd module that spread across several of our other rules.

The pamd module is not idempotent in most invocations. It seems to both make changes it doesn't need to make AND not make changes that it needs to make.

Unless I'm going crazy, this is what I found: if you use state: before or state: after to insert a rule that doesn't exist, it will happily report ok even if the arguments for the rule need to be updated. So on the first pass, if the rule does not exist, it will insert it and use the correct arguments. However, if the rule exists and new arguments need to be inserted or existing arguments need to have values changed, it will just move past it and report all is good.

I tried splitting the pamd actions out into two separate actions: one action that does the rule insert and a second action that should ensure the rule arguments are properly set using state: updated. However, that results in the pamd module ALWAYS reporting a change with state: updated.

I'm trying to see if the state: updated problem is a known issue with the module. I know it's a fairly complicated module, so I'm not sure what the status of it is.

There are issues with the pamd module in ansible 2.7. I haven't had time to report them...

Also, the args are only a suggestion unless state is args_present or args_absent. See also most recent RHEL6 role changes relative to pamd, IIRC.

Yeah I reported an issue with the 2.7 version of the module here: ansible/ansible#47080

I checked the idempotency issue I described above, and it seems that if you say state: updated it will always change. Looking at the code for the module, it's clear that it isn't doing any checking to see if the args actually need to be updated.

Reported the non-idempotent issue as well: ansible/ansible#47083
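The check that the thread says the module skipped, shown as an added stand-alone example (this is not the pamd module's code, nor code from the ansible-lockdown role): parse pam.d rule lines, match a rule on (type, control, module), merge the wanted arguments into the existing ones with args_present-style semantics (key=value replaces an existing value for the same key, bare flags are added once), insert the rule before a given neighbour if it is missing, and report changed only when the resulting text actually differs. The sample pam.d content and the remember=5 / pam_pwhistory.so values are constructed for illustration; the exact argument values a given STIG rule requires are not stated in this thread and are assumptions here.

```python
"""Idempotent insert-or-update of a single pam.d rule.

Added example, not the Ansible pamd module's own code.  It demonstrates
the two behaviours discussed in the thread: only rewrite a rule line when
its argument list really differs (so a second run is a no-op), and insert
the rule when it does not exist.
"""

import re

# Constructed sample resembling a RHEL 7 /etc/pam.d/system-auth (not a real file).
SAMPLE_PAMD = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
"""

# type  control (simple word or bracketed [success=1 default=ignore])  module  args...
RULE_RE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[.*?\]|\S+)\s+(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)


def parse_rule(line):
    """Return a dict for a pam rule line, or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = RULE_RE.match(stripped)
    if not m:
        return None
    return {
        "type": m.group("type"),
        "control": m.group("control"),
        "module": m.group("module"),
        "args": (m.group("args") or "").split(),
    }


def merge_args(existing, wanted):
    """args_present semantics: keep existing args; a wanted key=value replaces
    the existing value for that key; bare flags are appended if missing."""
    result = list(existing)
    for arg in wanted:
        if "=" in arg:
            key = arg.split("=", 1)[0]
            for i, cur in enumerate(result):
                if "=" in cur and cur.split("=", 1)[0] == key:
                    result[i] = arg
                    break
            else:
                result.append(arg)
        elif arg not in result:
            result.append(arg)
    return result


def format_rule(type_, control, module, args):
    """Render a rule line in the column style used by the sample file."""
    return f"{type_:<12}{control:<14}{module} {' '.join(args)}".rstrip()


def ensure_rule(content, type_, control, module, wanted_args, before=None):
    """Return (changed, new_content).

    If a rule matching (type, control, module) exists, its first occurrence
    gets wanted_args merged in and is rewritten only when the merged list
    differs.  If no such rule exists, a new one is inserted before the first
    rule matching the `before` tuple (or appended when `before` is None or
    absent).  `changed` is False whenever the text is already as desired.
    """
    out, found, changed = [], False, False
    for line in content.splitlines():
        rule = parse_rule(line)
        if rule and not found and (rule["type"], rule["control"], rule["module"]) == (type_, control, module):
            found = True
            new_args = merge_args(rule["args"], wanted_args)
            if new_args != rule["args"]:
                changed = True
                line = format_rule(type_, control, module, new_args)
        out.append(line)
    if not found:
        idx = len(out)
        if before is not None:
            for i, line in enumerate(out):
                rule = parse_rule(line)
                if rule and (rule["type"], rule["control"], rule["module"]) == before:
                    idx = i
                    break
        out.insert(idx, format_rule(type_, control, module, list(wanted_args)))
        changed = True
    return changed, "\n".join(out) + "\n"


if __name__ == "__main__":
    # Insert a password-history rule, then run again to show the second pass is a no-op.
    first, text = ensure_rule(SAMPLE_PAMD, "password", "required", "pam_pwhistory.so",
                              ["use_authtok", "remember=5"],
                              before=("password", "sufficient", "pam_unix.so"))
    second, text2 = ensure_rule(text, "password", "required", "pam_pwhistory.so",
                                ["use_authtok", "remember=5"],
                                before=("password", "sufficient", "pam_unix.so"))
    print("first run changed:", first, "second run changed:", second)
    print(text2)
```

The point of the split into merge_args and ensure_rule is that "changed" is derived from comparing the argument list before and after the merge, not from the fact that a task asked for arguments; that is the comparison the thread found missing behind state: updated, and the reason a second run of the same task reports a change.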

Upstream pamd module has been patched by @shepdelacreme, closing this issue