Backport and fix remediation for smartcard_pam_enabled

The line `auth [success=2 default=ignore] pam_pkcs11.so` is incorrectly inserted at the top of the pam file. This breaks the functionality if other rules insert modules between this line and pam_unix.so (looking at you faillock preauth). One option would be to add another position argument to the function, e.g. "above_pam_unix", and place the line accordingly. However, this would require modifying the analogous macro upstream, which is not ideal. To make things worse, the upstream macro does not have the position functionality implemented. To avoid messing with the function, a better option is to switch to using another macro which was recently backported from upstream, which supports appending lines after a specific match.
ComplianceAsCode · May 2, 2024 · 68cb5d6 · 68cb5d6
1 parent eec4d10
commit 68cb5d6
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 4 deletions.
diff --git a/...ts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/commented.fail.sh b/...ts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/commented.fail.sh
@@ -2,7 +2,7 @@
 # platform = multi_platform_ubuntu,multi_platform_sle
 # packages = libpam-pkcs11
 {{% if 'ubuntu' in product %}}
-echo '# auth [success=2 default=ignore] pam_pkcs11.so' > /etc/pam.d/common-auth
+sed -i '/^auth.*pam_unix.so/i # auth [success=2 default=ignore] pam_pkcs11.so' /etc/pam.d/common-auth
 {{% else %}}
 echo '# auth sufficient pam_pkcs11.so' > /etc/pam.d/common-auth
 {{% endif %}}
diff --git a/...unts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/correct.pass.sh b/...unts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/correct.pass.sh
@@ -3,7 +3,7 @@
 # packages = libpam-pkcs11
 
 {{% if 'ubuntu' in product %}}
-echo 'auth [success=2 default=ignore] pam_pkcs11.so' > /etc/pam.d/common-auth
+sed -i '/^auth.*pam_unix.so/i auth [success=2 default=ignore] pam_pkcs11.so' /etc/pam.d/common-auth
 {{% else %}}
 echo 'auth sufficient pam_pkcs11.so' > /etc/pam.d/common-auth
 {{% endif %}}
diff --git a/...unts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/nothing.fail.sh b/...unts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/nothing.fail.sh
@@ -2,4 +2,4 @@
 # platform = multi_platform_ubuntu,multi_platform_sle
 # packages = libpam-pkcs11
 
-echo > /etc/pam.d/common-auth
+echo "auth	[success=1 default=ignore]	pam_unix.so nullok" > /etc/pam.d/common-auth
diff --git a/...ts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/substring.fail.sh b/...ts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/substring.fail.sh
@@ -3,7 +3,7 @@
 # packages = libpam-pkcs11
 
 {{% if 'ubuntu' in product %}}
-echo 'aauth [success=2 default=ignore] pam_pkcs11.so' > /etc/pam.d/common-auth
+sed -i '/^auth.*pam_unix.so/i aauth [success=2 default=ignore] pam_pkcs11.so' /etc/pam.d/common-auth
 {{% else %}}
 echo 'aauth sufficient pam_pkcs11.so' > /etc/pam.d/common-auth
 {{% endif %}}