Review and improve sssd_enable_smartcards rule #9145
To properly enable smartcards, two pam_sss.so lines are necessary in the auth group of the system-auth file. Following the implementation recommended by authselect as reference, these two lines have different parameters and different controls. Also, it is not expected that the smartcard-auth file has the same content as the system-auth file.
Updated the bash remediation to use PAM macros and enable smartcard by enabling the "with-smartcard" authselect feature where authselect is present. Where authselect is not present, the new PAM macros are used to properly edit PAM files.
Updated the remediation to use PAM macros to enable authselect feature and to properly edit PAM files where authselect is not present.
The existing test scenario scripts were reviewed, new test scenarios were included to check case insensitivity of /etc/sssd/sssd.conf file and some scripts were removed or replaced to keep names aligned to the cases covering authselect feature and PAM files changes.
The system-auth and smartcard-auth PAM files have different content in a proper implementation with smartcard enabled. The OVAL assessment was properly updated to differentiate the requirements of these two files. The check conditionals were reviewed and updated to avoid false positives where the file exists but is not compliant. The service check was removed since it is not expected in this rule. Therefore, unnecessary checks were removed.
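As an added example, not code from this PR or the ComplianceAsCode project: a small Python audit that mirrors the checks the commit messages above describe, parsing the PAM files with the bracketed control field in mind (a plain whitespace split breaks on it), applying the per-file control/option expectations from the new OCIL text, and reading pam_cert_auth from sssd.conf case-insensitively; all sample file contents and function names are constructed.

```python
"""Offline audit mirroring the checks this PR describes (constructed example)."""
import re
from typing import List, NamedTuple

class PamLine(NamedTuple):
    ptype: str       # auth, account, password or session
    control: str     # "sufficient" or a bracketed action list
    module: str      # e.g. pam_sss.so
    args: List[str]  # module arguments

# Per-file expectation taken from the new OCIL text: (control, required option)
EXPECTED = {
    "smartcard-auth": ("sufficient", "allow_missing_name"),
    "system-auth": ("[success=done authinfo_unavail=ignore ignore=ignore default=die]",
                    "try_cert_auth"),
}
# A bracketed control contains spaces, so a plain str.split() would mis-parse it.
PAM_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text: str) -> List[PamLine]:
    """Parse a pam.d file; comments, blanks and @include lines are dropped."""
    out = []
    for raw in text.splitlines():
        m = PAM_RE.match(raw.split("#", 1)[0].strip())
        if m:
            ptype, control, module, rest = m.groups()
            out.append(PamLine(ptype, control, module, rest.split()))
    return out

def check_pam_file(name: str, text: str) -> List[str]:
    """Findings for one PAM file; an empty list means compliant."""
    control, option = EXPECTED[name]
    auth = [l for l in parse_pam(text) if l.ptype == "auth"]
    sss = [l for l in auth if l.module == "pam_sss.so"]
    if not sss:
        return [f"{name}: no 'auth ... pam_sss.so' line"]
    good = [l for l in sss if l.control == control]
    if not good:
        return [f"{name}: pam_sss.so control is {sss[0].control!r}, expected {control!r}"]
    findings = []
    if not any(option in l.args for l in good):
        findings.append(f"{name}: pam_sss.so line lacks the {option} option")
    # PAM walks the stack in order: after a failed required/requisite pam_deny.so,
    # a later pam_sss.so line can no longer make authentication succeed.
    for l in auth[:auth.index(good[0])]:
        if l.module == "pam_deny.so" and l.control in ("required", "requisite"):
            findings.append(f"{name}: pam_sss.so line comes after '{l.control} pam_deny.so'")
            break
    return findings

def pam_cert_auth_enabled(conf: str) -> bool:
    """True when [pam] has pam_cert_auth = True; section, key and value compared
    case-insensitively, which is what the new test scenarios exercise."""
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line[:1] == "[" and line[-1:] == "]":
            section = line[1:-1].strip().lower()
        elif section == "pam" and "=" in line:
            key, val = (s.strip().lower() for s in line.split("=", 1))
            if key == "pam_cert_auth":
                return val == "true"
    return False

# Constructed samples: odd-case sssd.conf, compliant smartcard-auth, system-auth with old control
SSSD_CONF = "[PAM]\nPam_Cert_Auth = TRUE\n"
SMARTCARD_AUTH = "auth sufficient pam_sss.so allow_missing_name\nauth required pam_deny.so\n"
SYSTEM_AUTH = ("auth required pam_env.so\nauth sufficient pam_sss.so try_cert_auth\n"
               "auth required pam_deny.so\n")

if __name__ == "__main__":
    print("sssd.conf pam_cert_auth enabled:", pam_cert_auth_enabled(SSSD_CONF))
    for name, text in (("smartcard-auth", SMARTCARD_AUTH), ("system-auth", SYSTEM_AUTH)):
        print(name, check_pam_file(name, text) or "compliant")
```

The ordering finding goes beyond what the rule itself assesses: it flags a pam_sss.so line placed after a required pam_deny.so, which an append-at-end fallback in a remediation can produce.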
This datastream diff is auto generated by the check.
OVAL definition oval:ssg-sssd_enable_smartcards:def:1 differs:
--- old datastream
+++ new datastream
- criteria OR
- criteria OR
- extend_definition oval:ssg-service_sssd_disabled:def:1
- extend_definition oval:ssg-sssd_conf_exists:def:1
+ criterion oval:ssg-test_sssd_enable_smartcards_allow_missing_name_smartcard_auth:tst:1
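Review bot: with both extend_definition lines dropped, the definition no longer short-circuits on a missing /etc/sssd/sssd.conf; confirm the remaining criteria evaluate to fail rather than error on a host without that file, ideally with a test scenario where it is absent. Removing oval:ssg-service_sssd_disabled:def:1 is consistent with the description, which puts the service state out of scope for this rule.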
OCIL for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs:
--- old datastream
+++ new datastream
@@ -4,6 +4,12 @@
pam_cert_auth = True
-$ sudo grep cert_auth /etc/sssd/sssd.conf /etc/pam.d/*
+To verify that smart cards are enabled in PAM files, run the following command:
+$ sudo grep -e "auth.*pam_sss.so.*\(allow_missing_name\|try_cert_auth\)" /etc/pam.d/smartcard-auth /etc/pam.d/system-auth
+If configured properly, output should be
+
+/etc/pam.d/smartcard-auth:auth sufficient pam_sss.so allow_missing_name
+/etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
+
Is it the case that smart cards are not enabled in SSSD?
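Review bot: the new grep on the `+$ sudo grep -e ...` line accepts any control field between `auth` and `pam_sss.so`, so a line such as `auth sufficient pam_sss.so try_cert_auth` in system-auth would still appear in the output even though the OVAL now requires the `[success=done authinfo_unavail=ignore ignore=ignore default=die]` control there; the instruction should tell the reader to compare the control field against the two example lines, not only to look for a match. Minor: `pam_sss.so` uses an unescaped `.`.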
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs:
--- old datastream
+++ new datastream
@@ -31,85 +31,45 @@
if [ -f /usr/bin/authselect ]; then
if authselect check; then
-
+ if ! authselect check; then
+ echo "
+ authselect integrity check failed. Remediation aborted!
+ This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+ It is not recommended to manually edit the PAM files when authselect tool is available.
+ In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+ exit 1
+ fi
authselect enable-feature with-smartcard
-
- authselect apply-changes -b --backup=after-pwhistory-hardening.backup
- else
- echo "
-authselect integrity check failed. Remediation aborted!
-This remediation could not be applied because the authselect profile is not intact.
-It is not recommended to manually edit the PAM files when authselect is available.
-In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
- false
+
+ authselect apply-changes -b
fi
else
- if [ -e "/etc/pam.d/smartcard-auth" ] ; then
- valueRegex="" defaultValue=""
- # non-empty values need to be preceded by an equals sign
- [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
- # add an equals sign to non-empty values
- [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
-
- # fix 'type' if it's wrong
- if grep -q -P "^\\s*(?"'!'"auth\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_sss.so" < "/etc/pam.d/smartcard-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_sss.so)/\\1auth\\2/" "/etc/pam.d/smartcard-auth"
+ if ! grep -qP '^\s*auth\s+'"sufficient"'\s+pam_sss.so\s*.*' "/etc/pam.d/smartcard-auth"; then
+ # Line matching group + control + module was not found. Check group + module.
+ if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/smartcard-auth")" -eq 1 ]; then
+ # The control is updated only if one single line matches.
+ sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_sss.so.*)/\1'"sufficient"' \2/' "/etc/pam.d/smartcard-auth"
+ else
+ echo 'auth '"sufficient"' pam_sss.so' >> "/etc/pam.d/smartcard-auth"
+ fi
fi
-
- # fix 'control' if it's wrong
- if grep -q -P "^\\s*auth\\s+(?"'!'"sufficient)[[:alnum:]]+\\s+pam_sss.so" < "/etc/pam.d/smartcard-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+)[[:alnum:]]+(\\s+pam_sss.so)/\\1sufficient\\2/" "/etc/pam.d/smartcard-auth"
+ # Check the option
+ if ! grep -qP '^\s*auth\s+'"sufficient"'\s+pam_sss.so\s*.*\sallow_missing_name\b' "/etc/pam.d/smartcard-auth"; then
+ sed -i -E --follow-symlinks '/\s*auth\s+'"sufficient"'\s+pam_sss.so.*/ s/$/ allow_missing_name/' "/etc/pam.d/smartcard-auth"
fi
-
- # fix the value for 'option' if one exists but does not match 'valueRegex'
- if grep -q -P "^\\s*auth\\s+sufficient\\s+pam_sss.so(\\s.+)?\\s+try_cert_auth(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/smartcard-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+sufficient\\s+pam_sss.so(\\s.+)?\\s)try_cert_auth=[^[:space:]]*/\\1try_cert_auth${defaultValue}/" "/etc/pam.d/smartcard-auth"
-
- # add 'option=default' if option is not set
- elif grep -q -E "^\\s*auth\\s+sufficient\\s+pam_sss.so" < "/etc/pam.d/smartcard-auth" &&
- grep -E "^\\s*auth\\s+sufficient\\s+pam_sss.so" < "/etc/pam.d/smartcard-auth" | grep -q -E -v "\\stry_cert_auth(=|\\s|\$)" ; then
-
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+sufficient\\s+pam_sss.so[^\\n]*)/\\1 try_cert_auth${defaultValue}/" "/etc/pam.d/smartcard-auth"
- # add a new entry if none exists
- elif ! grep -q -P "^\\s*auth\\s+sufficient\\s+pam_sss.so(\\s.+)?\\s+try_cert_auth${valueRegex}(\\s|\$)" < "/etc/pam.d/smartcard-auth" ; then
- echo "auth sufficient pam_sss.so try_cert_auth${defaultValue}" >> "/etc/pam.d/smartcard-auth"
+ if ! grep -qP '^\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so\s*.*' "/etc/pam.d/system-auth"; then
+ # Line matching group + control + module was not found. Check group + module.
+ if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then
+ # The control is updated only if one single line matches.
+ sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_sss.so.*)/\1'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"' \2/' "/etc/pam.d/system-auth"
+ else
+ echo 'auth '"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"' pam_sss.so' >> "/etc/pam.d/system-auth"
+ fi
fi
-else
- echo "/etc/pam.d/smartcard-auth doesn't exist" >&2
-fi
- if [ -e "/etc/pam.d/system-auth" ] ; then
- valueRegex="" defaultValue=""
- # non-empty values need to be preceded by an equals sign
- [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
- # add an equals sign to non-empty values
- [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
-
- # fix 'type' if it's wrong
- if grep -q -P "^\\s*(?"'!'"auth\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_sss.so" < "/etc/pam.d/system-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_sss.so)/\\1auth\\2/" "/etc/pam.d/system-auth"
+ # Check the option
+ if ! grep -qP '^\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so\s*.*\stry_cert_auth\b' "/etc/pam.d/system-auth"; then
+ sed -i -E --follow-symlinks '/\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so.*/ s/$/ try_cert_auth/' "/etc/pam.d/system-auth"
fi
-
- # fix 'control' if it's wrong
- if grep -q -P "^\\s*auth\\s+(?"'!'"sufficient)[[:alnum:]]+\\s+pam_sss.so" < "/etc/pam.d/system-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+)[[:alnum:]]+(\\s+pam_sss.so)/\\1sufficient\\2/" "/etc/pam.d/system-auth"
- fi
-
- # fix the value for 'option' if one exists but does not match 'valueRegex'
- if grep -q -P "^\\s*auth\\s+sufficient\\s+pam_sss.so(\\s.+)?\\s+try_cert_auth(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/system-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+sufficient\\s+pam_sss.so(\\s.+)?\\s)try_cert_auth=[^[:space:]]*/\\1try_cert_auth${defaultValue}/" "/etc/pam.d/system-auth"
-
- # add 'option=default' if option is not set
- elif grep -q -E "^\\s*auth\\s+sufficient\\s+pam_sss.so" < "/etc/pam.d/system-auth" &&
- grep -E "^\\s*auth\\s+sufficient\\s+pam_sss.so" < "/etc/pam.d/system-auth" | grep -q -E -v "\\stry_cert_auth(=|\\s|\$)" ; then
-
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+sufficient\\s+pam_sss.so[^\\n]*)/\\1 try_cert_auth${defaultValue}/" "/etc/pam.d/system-auth"
- # add a new entry if none exists
- elif ! grep -q -P "^\\s*auth\\s+sufficient\\s+pam_sss.so(\\s.+)?\\s+try_cert_auth${valueRegex}(\\s|\$)" < "/etc/pam.d/system-auth" ; then
- echo "auth sufficient pam_sss.so try_cert_auth${defaultValue}" >> "/etc/pam.d/system-auth"
- fi
-else
- echo "/etc/pam.d/system-auth doesn't exist" >&2
-fi
fi
else
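Review bot: as the hunk reads, the added `+ if ! authselect check; then ... exit 1` block is nested inside the unchanged `if authselect check; then` on the context line above it, so it can never fire, and with the old `- else` branch removed a failing integrity check now skips the remediation silently with exit status 0 instead of aborting; either drop the outer `if authselect check; then`/`fi` pair or drop the new inner block. In the non-authselect branch, the fallback `echo 'auth ... pam_sss.so' >> file` appends at the end of the file, after the account/session entries and any `auth required pam_deny.so` line, where the new pam_sss.so line cannot make authentication succeed; inserting it before the first `auth ... pam_deny.so` line keeps it in the effective part of the auth stack.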
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs:
--- old datastream
+++ new datastream
@@ -81,51 +81,7 @@
- no_reboot_needed
- sssd_enable_smartcards
-- name: Check for expected pam_sss.so entry in system-auth
- ansible.builtin.lineinfile:
- path: /etc/pam.d/system-auth
- create: false
- regexp: ^\s*auth.*sufficient.*pam_sss\.so.*try_cert_auth.*$
- state: absent
- check_mode: true
- changed_when: false
- register: result_pam_try_cert_auth_present_system_auth
- when:
- - '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- tags:
- - CCE-80909-5
- - DISA-STIG-RHEL-08-020250
- - configure_strategy
- - low_complexity
- - medium_disruption
- - medium_severity
- - no_reboot_needed
- - sssd_enable_smartcards
-
-- name: Check for expected pam_sss.so entry in smartcard-auth
- ansible.builtin.lineinfile:
- path: /etc/pam.d/smartcard-auth
- create: false
- regexp: ^\s*auth.*sufficient.*pam_sss\.so.*try_cert_auth.*$
- state: absent
- check_mode: true
- changed_when: false
- register: result_pam_try_cert_auth_present_smartcard_auth
- when:
- - '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- tags:
- - CCE-80909-5
- - DISA-STIG-RHEL-08-020250
- - configure_strategy
- - low_complexity
- - medium_disruption
- - medium_severity
- - no_reboot_needed
- - sssd_enable_smartcards
-
-- name: Check if system relies on authselect
+- name: Enable Smartcards in SSSD - Check if system relies on authselect
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
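Review bot: the removed pre-check tasks registered result_pam_try_cert_auth_present_system_auth and result_pam_try_cert_auth_present_smartcard_auth; make sure no `when:` still references them after this hunk, otherwise the later blocks fail on an undefined variable (the following hunks do drop the old `(... .found == 0) or (... .found == 0)` conditions, so this looks consistent).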
@@ -142,66 +98,58 @@
- no_reboot_needed
- sssd_enable_smartcards
-- name: Remediation where authselect tool is present
+- name: Enable Smartcards in SSSD - Remediate using authselect
block:
- - name: Check the integrity of the current authselect profile
+ - name: Enable Smartcards in SSSD - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
ignore_errors: true
- - name: Informative message based on the authselect integrity check result
+ - name: Enable Smartcards in SSSD - Informative message based on the authselect
+ integrity check result
ansible.builtin.assert:
that:
- result_authselect_check_cmd is success
fail_msg:
- authselect integrity check failed. Remediation aborted!
- - This remediation could not be applied because the authselect profile is not
- intact.
- - It is not recommended to manually edit the PAM files when authselect is available.
+ - This remediation could not be applied because an authselect profile was not
+ selected or the selected profile is not intact.
+ - It is not recommended to manually edit the PAM files when authselect tool
+ is available.
- In cases where the default authselect profile does not cover a specific demand,
a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- - name: Get authselect current profile
- ansible.builtin.shell:
- cmd: authselect current -r | awk '{ print $1 }'
- register: result_authselect_profile
- changed_when: false
- when:
- - result_authselect_check_cmd is success
-
- - name: Get authselect current features
+ - name: Enable Smartcards in SSSD - Get authselect current features
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
when:
- result_authselect_check_cmd is success
- - result_authselect_profile is not skipped
-
- - name: Ensure smartcards are enabled via authselect tool
+
+ - name: Enable Smartcards in SSSD - Ensure "with-smartcard" feature is enabled using
+ authselect tool
ansible.builtin.command:
cmd: authselect enable-feature with-smartcard
+ register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-smartcard")
- - result_authselect_profile is not skipped
-
- - name: Ensure the custom profile changes are applied
+
+ - name: Enable Smartcards in SSSD - Ensure authselect changes are applied
ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-pwhistory-hardening.backup
- when:
- - result_authselect_check_cmd is success
- - result_authselect_profile is not skipped
- when:
- - '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - (result_pam_try_cert_auth_present_smartcard_auth.found == 0) or (result_pam_try_cert_auth_present_system_auth.found
- == 0)
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_enable_feature_cmd is not skipped
+ - result_authselect_enable_feature_cmd is success
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- result_authselect_present.stat.exists
tags:
- CCE-80909-5
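Review bot: `result_authselect_features.stdout is not search("with-smartcard")` is a substring match, so any other enabled feature whose name begins with `with-smartcard` would make the enable-feature task skip and leave `with-smartcard` itself disabled; comparing against the line list, e.g. `"with-smartcard" not in result_authselect_features.stdout_lines`, avoids that. Dropping `--backup=after-pwhistory-hardening.backup` in favour of `-b` is right, since that backup name was copied from another rule.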
@@ -213,48 +161,164 @@
- no_reboot_needed
- sssd_enable_smartcards
-- name: Remediation where authselect tool is not present and PAM files are directly
- edited
+- name: Enable Smartcards in SSSD - Remediate by directly editing PAM files
block:
- - name: Ensure the desired configuration is present in the custom profile smartcard-auth
- ansible.builtin.lineinfile:
- create: true
- dest: /etc/pam.d/smartcard-auth
- insertbefore: ^session.*
- firstmatch: true
- regexp: ^(\s*auth.*pam_sss\.so)$
- line: auth sufficient pam_sss.so try_cert_auth
-
- - name: Ensure the desired configuration is present in the custom profile system-auth
- ansible.builtin.lineinfile:
- create: true
- dest: /etc/pam.d/system-auth
- insertbefore: ^session.*
- firstmatch: true
- regexp: ^(\s*auth.*pam_sss\.so)$
- line: auth sufficient pam_sss.so try_cert_auth
-
- - name: Ensure the try_cert_auth option is in smartcard-auth
- ansible.builtin.replace:
- dest: /etc/pam.d/smartcard-auth
- regexp: ^(auth.*sufficient.*pam_sss\.so)((?!try_cert_auth).)*$
- replace: \g<1> try_cert_auth \g<2>
- when:
- - result_pam_try_cert_auth_present_smartcard_auth.found == 0
-
- - name: Ensure the try_cert_auth option is in system-auth
- ansible.builtin.replace:
- dest: /etc/pam.d/system-auth
- regexp: ^(auth.*sufficient.*pam_sss\.so)((?!try_cert_auth).)*$
- replace: \g<1> try_cert_auth \g<2>
- when:
- - result_pam_try_cert_auth_present_system_auth.found == 0
- when:
- - '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - (result_pam_try_cert_auth_present_smartcard_auth.found == 0) or (result_pam_try_cert_auth_present_system_auth.found
- == 0)
+ - name: Enable Smartcards in SSSD - Check if expected PAM module line is present
+ in /etc/pam.d/smartcard-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/smartcard-auth
+ regexp: ^\s*auth\s+sufficient\s+pam_sss.so\s*.*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_present
+
+ - name: Enable Smartcards in SSSD - Include or update the PAM module line in /etc/pam.d/smartcard-auth
+ block:
+
+ - name: Enable Smartcards in SSSD - Check if required PAM module line is present
+ in /etc/pam.d/smartcard-auth with different control
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/smartcard-auth
+ regexp: ^\s*auth\s+.*\s+pam_sss.so\s*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_other_control_present
+
+ - name: Enable Smartcards in SSSD - Ensure the correct control for the required
+ PAM module line in /etc/pam.d/smartcard-auth
+ ansible.builtin.replace:
+ dest: /etc/pam.d/smartcard-auth
+ regexp: ^(\s*auth\s+).*(\bpam_sss.so.*)
+ replace: \1sufficient \2
+ register: result_pam_module_edit
+ when:
+ - result_pam_line_other_control_present.found == 1
+
+ - name: Enable Smartcards in SSSD - Ensure the required PAM module line is included
+ in /etc/pam.d/smartcard-auth
+ ansible.builtin.lineinfile:
+ dest: /etc/pam.d/smartcard-auth
+ line: auth sufficient pam_sss.so
+ register: result_pam_module_add
+ when:
+ - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
+ > 1
+
+ - name: Enable Smartcards in SSSD - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
+ - (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
+ is defined and result_pam_module_edit.changed)
+ when:
+ - result_pam_line_present.found is defined
+ - result_pam_line_present.found == 0
+
+ - name: Enable Smartcards in SSSD - Check if the required PAM module option is present
+ in /etc/pam.d/smartcard-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/smartcard-auth
+ regexp: ^\s*auth\s+sufficient\s+pam_sss.so\s*.*\sallow_missing_name\b
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_module_allow_missing_name_option_present
+
+ - name: Enable Smartcards in SSSD - Ensure the "allow_missing_name" PAM option for
+ "pam_sss.so" is included in /etc/pam.d/smartcard-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/smartcard-auth
+ backrefs: true
+ regexp: ^(\s*auth\s+sufficient\s+pam_sss.so.*)
+ line: \1 allow_missing_name
+ state: present
+ register: result_pam_allow_missing_name_add
+ when:
+ - result_pam_module_allow_missing_name_option_present.found == 0
+
+ - name: Enable Smartcards in SSSD - Check if expected PAM module line is present
+ in /etc/pam.d/system-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/system-auth
+ regexp: ^\s*auth\s+\[success=done authinfo_unavail=ignore ignore=ignore default=die\]\s+pam_sss.so\s*.*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_present
+
+ - name: Enable Smartcards in SSSD - Include or update the PAM module line in /etc/pam.d/system-auth
+ block:
+
+ - name: Enable Smartcards in SSSD - Check if required PAM module line is present
+ in /etc/pam.d/system-auth with different control
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/system-auth
+ regexp: ^\s*auth\s+.*\s+pam_sss.so\s*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_other_control_present
+
+ - name: Enable Smartcards in SSSD - Ensure the correct control for the required
+ PAM module line in /etc/pam.d/system-auth
+ ansible.builtin.replace:
+ dest: /etc/pam.d/system-auth
+ regexp: ^(\s*auth\s+).*(\bpam_sss.so.*)
+ replace: \1\[success=done authinfo_unavail=ignore ignore=ignore default=die\]
+ \2
+ register: result_pam_module_edit
+ when:
+ - result_pam_line_other_control_present.found == 1
+
+ - name: Enable Smartcards in SSSD - Ensure the required PAM module line is included
+ in /etc/pam.d/system-auth
+ ansible.builtin.lineinfile:
+ dest: /etc/pam.d/system-auth
+ line: auth \[success=done authinfo_unavail=ignore ignore=ignore default=die\] pam_sss.so
+ register: result_pam_module_add
+ when:
+ - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
+ > 1
+
+ - name: Enable Smartcards in SSSD - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
+ - (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
+ is defined and result_pam_module_edit.changed)
+ when:
+ - result_pam_line_present.found is defined
+ - result_pam_line_present.found == 0
+
+ - name: Enable Smartcards in SSSD - Check if the required PAM module option is present
+ in /etc/pam.d/system-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/system-auth
+ regexp: ^\s*auth\s+\[success=done authinfo_unavail=ignore ignore=ignore default=die\]\s+pam_sss.so\s*.*\stry_cert_auth\b
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_module_try_cert_auth_option_present
+
+ - name: Enable Smartcards in SSSD - Ensure the "try_cert_auth" PAM option for "pam_sss.so"
+ is included in /etc/pam.d/system-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/system-auth
+ backrefs: true
+ regexp: ^(\s*auth\s+\[success=done authinfo_unavail=ignore ignore=ignore default=die\]\s+pam_sss.so.*)
+ line: \1 try_cert_auth
+ state: present
+ register: result_pam_try_cert_auth_add
+ when:
+ - result_pam_module_try_cert_auth_option_present.found == 0
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- not result_authselect_present.stat.exists
tags:
- CCE-80909-5 |
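Review bot: the two inner `Enable Smartcards in SSSD - Ensure authselect changes are applied` tasks are conditioned on `result_authselect_present.stat.exists`, but the enclosing block runs only when `not result_authselect_present.stat.exists` (context line at the end of the hunk), so they can never execute and should be removed. The `lineinfile` tasks with `line: auth sufficient pam_sss.so` and `line: auth \[success=done ...\] pam_sss.so` have no `insertbefore`/`insertafter`, so a missing module line is appended at the end of the file, after the account/session entries and any `auth required pam_deny.so`, where it cannot make authentication succeed; an `insertbefore` anchored on the first `auth ... pam_deny.so` line would keep it in the effective part of the auth stack. Reusing `result_pam_line_present`, `result_pam_module_add` and `result_pam_module_edit` for both files works because the tasks run sequentially, but distinct names would make the later `when:` conditions easier to follow.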
"/etc/pam.d/system-auth" and "/etc/pam.d/smartcard-auth" files based on the following
examples:
<pre>/etc/pam.d/smartcard-auth:auth sufficient pam_sss.so try_cert_auth
{{% if product in ["ol8", "rhel8", "rhel9"] %}}
How about Fedora? Should it be on the list? Usually the changes are introduced to RHEL via Fedora so it's worth checking if Fedora also has it.
Good point @jan-cerny . This also works for Fedora and we can include it in the list. I will update the PR.
Done
Code Climate has analyzed commit 18800cb and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 42.7% (0.0% change).
@marcusburghardt: The following tests failed, say
Description:
This rule was reviewed using as reference current documentation and authselect profiles.
It was noticed this rule was not properly assessing if the smartcards were enabled or not.
While fixing this and expanding the test scenarios more issues were fixed:
- The sssd service was checked, while this is not the scope of this rule. There is the service_sssd_enabled rule for this. In addition, this service check was causing different behavior between RHEL7 and RHEL8-9.
Finally, all remediations and test scenarios were updated to reflect the recommended approach to enable smartcards.
Rationale:
The OVAL was more complex than necessary and unexpectedly behaving differently based on the sssd service status, which is not the scope for this rule.
The authselect feature was used instead of directly editing PAM files, making the remediation much safer and easier.
References:
More information:
The new approach suggested in this rule may differ from the current benchmarks. However, since it seems the correct approach, the second step would be to discuss with the relevant benchmarks maintainers to recommend this update.