Update sssd_enable_smartcards & sssd_offline_cred_expiration #11473
Conversation
Hi @Xeicker. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This datastream diff is auto generated by the check. Click here to see the full diff.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -9,7 +9,7 @@
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf"); do
+for f in $(echo -n "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
if [ ! -e "$f" ]; then
continue
fi
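Review bot: the glob in `for f in $(echo -n "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf")` only becomes a list of file names because the command substitution is unquoted, so the shell word-splits and pathname-expands its output; when /etc/sssd/conf.d/ holds no .conf file the literal pattern is passed through and is skipped by the `[ ! -e "$f" ]` guard, so the loop is correct as written. Add a comment stating that the expansion is intentional: shellcheck flags this construct (SC2046), and a later quoting cleanup would silently stop the drop-in files from being processed.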
@@ -28,7 +28,7 @@
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ')
+ file=$(echo "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[pam]\npam_cert_auth = True" >> "$file"
fi
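Review bot: `file=$(echo "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')` always resolves to /etc/sssd/sssd.conf, since echo's argument is quoted and the glob is never expanded here, so when no file contains the `[pam]` section the key is appended to sssd.conf even on a host configured entirely through conf.d/. That is acceptable given that SSSD merges sssd.conf with the drop-ins, but the fallback `mkdir -p` plus `>>` can create a brand-new sssd.conf without the restrictive mode SSSD checks at startup; consider setting ownership and 0600 permissions on a file this branch creates.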
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -89,6 +89,47 @@
- no_reboot_needed
- sssd_enable_smartcards
+- name: Find all the conf files inside /etc/sssd/conf.d/
+ find:
+ paths: /etc/sssd/conf.d/
+ patterns: '*.conf'
+ register: sssd_conf_d_files
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80909-5
+ - DISA-STIG-RHEL-08-020250
+ - PCI-DSS-Req-8.3
+ - PCI-DSSv4-8.4
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_enable_smartcards
+
+- name: Fix pam_cert_auth configuration in /etc/sssd/conf.d/
+ ansible.builtin.replace:
+ path: '{{ item.path }}'
+ regexp: '[^#]*pam_cert_auth.*'
+ replace: pam_cert_auth = True
+ with_items: '{{ sssd_conf_d_files.files }}'
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80909-5
+ - DISA-STIG-RHEL-08-020250
+ - PCI-DSS-Req-8.3
+ - PCI-DSSv4-8.4
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_enable_smartcards
+
- name: Enable Smartcards in SSSD - Check if system relies on authselect
ansible.builtin.stat:
path: /usr/bin/authselect
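Review bot: the new `find:` task uses the short module name while the task right after it uses `ansible.builtin.replace`; use `ansible.builtin.find` for consistency. More importantly, `regexp: '[^#]*pam_cert_auth.*'` is neither anchored to the line start nor scoped to the `[pam]` section: `[^#]*` can match the empty string, so a commented line such as `# pam_cert_auth = False` is rewritten to `# pam_cert_auth = True` (still a finding), and a `pam_cert_auth` key placed under another section is edited in place rather than the value being set under `[pam]`. Anchor the expression (`^\s*pam_cert_auth\s*=.*$`) and restrict it to the section, for example with the module's `after`/`before` parameters, so the Ansible fix matches what the bash remediation does.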
OCIL for rule 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' differs.
--- ocil:ssg-sssd_offline_cred_expiration_ocil:questionnaire:1
+++ ocil:ssg-sssd_offline_cred_expiration_ocil:questionnaire:1
@@ -7,7 +7,7 @@
If "cache_credentials" is set to "false" or is missing no further checks are required.
To verify that SSSD expires offline credentials, run the following command:
-$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf
+$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
If configured properly, output should be
offline_credentials_expiration = 1
Is it the case that it does not exist or is not configured properly?
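Review bot: with more than one path on the command line, `grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf` prefixes every match with its file name, so the expected output given as `offline_credentials_expiration = 1` is no longer what the operator sees; either add `-h` to the grep invocation or state that each line is prefixed by the path. When /etc/sssd/conf.d/ contains no .conf files the unexpanded glob also makes grep print a "No such file or directory" error for the pattern, which the text should mention so it is not mistaken for a finding.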
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' differs.
--- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
+++ xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
@@ -9,7 +9,7 @@
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf"); do
+for f in $(echo -n "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
if [ ! -e "$f" ]; then
continue
fi
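Review bot: this loop is identical to the one in the sssd_enable_smartcards bash remediation above, which suggests the file list is rendered from a shared template or rule variable; make sure the drop-in path is added once at that level rather than per rule, so the two rules cannot drift apart. As there, the unquoted `$(echo -n ...)` is what expands `/etc/sssd/conf.d/*.conf`, and a non-matching pattern is tolerated only because of the `[ ! -e "$f" ]` guard; a comment to that effect would protect the behaviour from a future quoting fix.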
@@ -28,7 +28,7 @@
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ')
+ file=$(echo "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[pam]\noffline_credentials_expiration = 1" >> "$file"
fi
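Review bot: the fallback appends `[pam]` and `offline_credentials_expiration = 1` to /etc/sssd/sssd.conf unconditionally, while the OCIL for this rule says no further checks are needed when `cache_credentials` is false or missing. Appending the key without caching enabled is harmless, but please confirm the rule description states that the remediation does not consult `cache_credentials`, so an auditor comparing the check text with the fix is not surprised. Also, the glob in the quoted echo argument is not expanded here, so `cut -f1` always selects sssd.conf, which is worth a comment in the template.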
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' differs.
--- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
+++ xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
@@ -88,3 +88,44 @@
- medium_severity
- no_reboot_needed
- sssd_offline_cred_expiration
+
+- name: Find all the conf files inside /etc/sssd/conf.d/
+ find:
+ paths: /etc/sssd/conf.d/
+ patterns: '*.conf'
+ register: sssd_conf_d_files
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82460-7
+ - DISA-STIG-RHEL-08-020290
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(13)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_offline_cred_expiration
+
+- name: Fix offline_credentials_expiration configuration in /etc/sssd/conf.d/
+ ansible.builtin.replace:
+ path: '{{ item.path }}'
+ regexp: '[^#]*offline_credentials_expiration.*'
+ replace: offline_credentials_expiration = 1
+ with_items: '{{ sssd_conf_d_files.files }}'
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82460-7
+ - DISA-STIG-RHEL-08-020290
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(13)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_offline_cred_expiration |
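Review bot: same two points as in the sssd_enable_smartcards playbook change: `find:` should be `ansible.builtin.find` to match `ansible.builtin.replace`, and `regexp: '[^#]*offline_credentials_expiration.*'` matches commented-out lines (because `[^#]*` can be empty) and keys outside `[pam]`. For this rule the effect is visible: `# offline_credentials_expiration = 1` in a drop-in is rewritten to the same commented text and the check still fails, while an uncommented key under `[sssd]` or a domain section is "fixed" in place without being moved to `[pam]`. Anchor the regexp at line start (`^\s*offline_credentials_expiration\s*=`) and scope it to the section.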
Update rules sssd_enable_smartcards & sssd_offline_cred_expiration to also look into files inside /etc/sssd/conf.d/ Signed-off-by: Edgar Aguilar <[email protected]>
These tests are to take into account files inside /etc/sssd/conf.d/ Signed-off-by: Edgar Aguilar <[email protected]>
Force-pushed from 75311b5 to 8a7bcc0.
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_sssd_offline_cred_expiration" version="1">
<ind:filepath operation="pattern match">^\/etc\/sssd\/(sssd.conf|conf\.d\/.+\.conf)$</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*offline_credentials_expiration[\s]*=[\s]*1\s*(?:#.*)?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>

<ind:textfilecontent54_state id="state_sssd_offline_cred_expiration" version="1">
<ind:subexpression>1</ind:subexpression>
The regular expression in the corresponding pattern element doesn't contain any capturing group, which means there isn't any subexpression to be compared with. The `1` is literally a part of the regex. You would have to replace the `1` by a group `(\d+)` for this to work. Currently, this causes failures of the test scenarios.
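The reviewer's point about the missing capturing group, shown as an added Python example (not code from this PR or from the ComplianceAsCode project): it compiles both the literal-`1` pattern from the PR and the variant with `(\d+)` that the reviewer asked for, runs them in multiline mode over constructed sssd.conf snippets, and then emulates the object plus state pair (path must match the `filepath` pattern, captured subexpression must equal 1). Python's `re` stands in for the OVAL interpreter's regex engine, which is an assumption; the sample file contents are constructed for the example.

```python
import re

# Pattern as written in the PR before review: the value 1 is a literal,
# so there is no capturing group for an OVAL <subexpression> state to compare.
PATTERN_LITERAL = (r"^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*offline_credentials_expiration"
                   r"[\s]*=[\s]*1\s*(?:#.*)?$")
# Pattern with the capturing group the reviewer asked for.
PATTERN_GROUP = (r"^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*offline_credentials_expiration"
                 r"[\s]*=[\s]*(\d+)\s*(?:#.*)?$")
# filepath pattern from the object definition in the PR.
FILEPATH_PATTERN = r"^\/etc\/sssd\/(sssd.conf|conf\.d\/.+\.conf)$"
EXPECTED_VALUE = "1"  # the <subexpression> value of the state

# Constructed sample file contents (not taken from the PR or any real host).
SAMPLE_OK = ("[sssd]\nservices = nss, pam\n\n"
             "[pam]\npam_cert_auth = True\noffline_credentials_expiration = 1\n")
SAMPLE_WRONG_VALUE = "[pam]\noffline_credentials_expiration = 5\n"
SAMPLE_COMMENTED = "[pam]\n# offline_credentials_expiration = 1\n"
SAMPLE_OTHER_SECTION = ("[pam]\npam_cert_auth = True\n"
                        "[domain/example]\noffline_credentials_expiration = 1\n")


def group_count(pattern):
    """Number of capturing groups, i.e. how many subexpressions OVAL could compare."""
    return re.compile(pattern).groups


def matches(content, pattern):
    """True when the pattern matches somewhere in the file (re.MULTILINE makes
    ^ and $ behave per line, as the textfilecontent54 test does)."""
    return re.search(pattern, content, re.MULTILINE) is not None


def captured_value(content, pattern=PATTERN_GROUP):
    """Return the captured offline_credentials_expiration value under [pam].

    Returns None when the pattern does not match or when it has no capturing
    group, which is exactly the situation the reviewer pointed out: a match
    without a subexpression gives the state nothing to compare against.
    """
    match = re.search(pattern, content, re.MULTILINE)
    if match is None or match.re.groups == 0:
        return None
    return match.group(1)


def check_file(path, content):
    """Emulate object + state: the path must match the filepath pattern and the
    captured subexpression must equal the state's value."""
    if not re.match(FILEPATH_PATTERN, path):
        return False
    return captured_value(content) == EXPECTED_VALUE


if __name__ == "__main__":
    print("groups in literal pattern:", group_count(PATTERN_LITERAL))
    print("groups in grouped pattern:", group_count(PATTERN_GROUP))
    samples = [("ok", SAMPLE_OK), ("wrong value", SAMPLE_WRONG_VALUE),
               ("commented", SAMPLE_COMMENTED), ("other section", SAMPLE_OTHER_SECTION)]
    for name, sample in samples:
        print(f"{name:14s} captured={captured_value(sample)!r} "
              f"compliant={check_file('/etc/sssd/conf.d/10-pam.conf', sample)}")
```

The `other section` sample is the one that shows why the `(?:[^\n\[]*\n+)+?` part matters: the key is present in the file, but because the lazy group refuses to cross a line starting with `[`, a value under `[domain/example]` does not satisfy a check scoped to `[pam]`.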
Update it to include a capturing group to use a state to compare the captured subexpression Signed-off-by: Edgar Aguilar <[email protected]>
Code Climate has analyzed commit 028b553 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.4% (0.1% change). View more on Code Climate.
OTOH On RHEL8 the output is sane:
jcerny@fedora:~/work/git/scap-security-guide (pr/11473)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel8 sssd_enable_smartcards sssd_offline_cred_expiration
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-02-13-0922/test_suite.log
WARNING - Script sssd_parameter_false.fail.sh is not applicable on given platform
WARNING - Script sssd_parameter_missing.fail.sh is not applicable on given platform
WARNING - Script sssd_parameter_missing_file.fail.sh is not applicable on given platform
WARNING - Script sssd_parameter_true.pass.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
INFO - Script authselect_modified_pam.fail.sh using profile (all) OK
INFO - Script authselect_smartcard_disabled.fail.sh using profile (all) OK
INFO - Script authselect_smartcard_enabled.pass.sh using profile (all) OK
INFO - Script authselect_smartcard_enabled_lower.pass.sh using profile (all) OK
INFO - Script authselect_sssd_parameter_false.fail.sh using profile (all) OK
INFO - Script authselect_sssd_parameter_missing.fail.sh using profile (all) OK
INFO - Script authselect_sssd_parameter_missing_file.fail.sh using profile (all) OK
INFO - Script authselect_smartcard_enabled_conf_d.pass.sh using profile (all) OK
INFO - Script authselect_sssd_parameter_false_conf_d.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
INFO - Script cache_credentials_false.pass.sh using profile (all) OK
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script wrong_section.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script correct_value_dropin.pass.sh using profile (all) OK
INFO - Script correct_value_conf_d.pass.sh using profile (all) OK
INFO - Script wrong_value_conf_d.fail.sh using profile (all) OK
Description:
/etc/sssd/conf.d/*.conf files as a possibility to find the configurations.
Update affects:
Rationale:
Review Hints: