V-72427 - Incorrectly checks that configuration exists in every file

[ljkimmel]

This control is checking that every file under /etc/sssd/conf.d/ includes a 'services' setting with 'pam' as an option. This is an incorrect approach. It only needs to be validated that the 'services' setting contains the 'pam' option when the setting is used. If the setting is not defined it has no impact on the final result.

With that said, in order for the spirit of the control to be met we do need to ensure that 'pam' is included as an option to the 'services' setting in sssd.conf.

[HackerShark]

@ljkimmel @aaronlippold @rbclark

For this control the check text tells us to grep every file under /etc/ssd/conf.d/*.conf and check the services setting that it has a pam option. There is already a check making sure that we are using the ssd package and if it's not installed then we skip the control, otherwise as the check text describes we check the files as they recommend.

To my understanding we are already covering the spirit of the control. If not could you further clarify as to why this needs to be updated.

[ljkimmel]

The last line in the STIG really sums it up: 'If the "pam" service is not present on all "services" lines, this is a finding.' To me this means: IF the file contains the 'services' option, THEN that line must contain 'pam'. It does not, in my mind, imply that each file must contain a "services line" (which is what we are enforcing).

So that would meet the word of the STIG. However, as I mentioned in the opening comment, that doesn't necessarily meet the spirit of the control. The idea is that 'pam' must be included as a 'service' at least once. When we consider the way that SSSD merges its configurations we can conclude that the base sssd.conf file must at least contain 'services' with 'pam'. Therefore, we must validate that sssd.conf contains the configuration but we need only report the other files under conf.d IF they contain a 'services' option that might seek to override that specified in sssd.conf.

[ejaronne]

If I understand correctly, even if SSSD is installed, it is possible that some or even all of the /etc/ssd/conf.d/*.conf file will not even have a services line in them, and that's perfectly okay...BUT I'm not an SSSD expert so I'm not sure how varied it can be configured. If we assume that can and does happen. and that the author is truly trying to intervene when someone configures a service under SSSD, then I concur with ljkimmel that it needs to only apply the test if a services line is found.
I'm not an InSpec expert, but when I look at these lines, I think it fails when no services line is even found. Also, why are there 2 methods being used to detect seemingly the same thing?

redhat-enterprise-linux-7-stig-baseline/controls/V-72427.rb

Lines 75 to 80 in cb5e83e

	describe parse_config_file(file) do
	its('services') { should include 'pam' }
	end if package('sssd').installed?
	describe command("grep -i -E 'services(\s)*=(\s)*(.+*)pam' #{file}") do
	its('stdout.strip') { should include 'pam' }
	end if package('sssd').installed?