Review and fix sssd rules in ANSSI control file #12378
Conversation
marcusburghardt
added
bugfix
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_pam_services'.
--- xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
+++ xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
@@ -9,6 +9,9 @@
/etc/sssd/sssd.conf. For example:
[sssd]
services = sudo, autofs, pam
+
+[warning]:
+This rule will report as "notapplicable" if there is no SSSD configuration file present in the system. The SSSD configuration might be different for each site and therefore a new configuration file is not automatically created.
[reference]:
1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_pam_services' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
+++ xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
@@ -1,53 +1,43 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q sssd-common; then
-
-# sssd configuration files must be created with 600 permissions if they don't exist
-# otherwise the sssd module fails to start
-OLD_UMASK=$(umask)
-umask u=rw,go=
SSSD_CONF="/etc/sssd/sssd.conf"
SSSD_CONF_DIR="/etc/sssd/conf.d/*.conf"
if [ ! -f "$SSSD_CONF" ] && [ ! -f "$SSSD_CONF_DIR" ]; then
- mkdir -p /etc/sssd
- touch "$SSSD_CONF"
-fi
+ echo "
+ sssd configuration files not found. Ensure a valid configuration is present.
+ Manual modification of configuration files may be necessary to align with site policies."
+else
+ # Flag to check if there is already services with pam
+ service_already_exist=false
+ for f in $SSSD_CONF $SSSD_CONF_DIR; do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+ # finds all services entries under [sssd] configuration category, get a unique list so it doesn't add redundant fix
+ services_list=$( awk '/^\s*\[/{f=0} /^\s*\[sssd\]/{f=1}f' $f | grep -P '^services[ \t]*=' | uniq )
+ if [ -z "$services_list" ]; then
+ continue
+ fi
-# Flag to check if there is already services with pam
-service_already_exist=false
-for f in $SSSD_CONF $SSSD_CONF_DIR; do
- if [ ! -e "$f" ]; then
- continue
- fi
- # finds all services entries under [sssd] configuration category, get a unique list so it doesn't add redundant fix
- services_list=$( awk '/^\s*\[/{f=0} /^\s*\[sssd\]/{f=1}f' $f | grep -P '^services[ \t]*=' | uniq )
- if [ -z "$services_list" ]; then
- continue
- fi
+ while IFS= read -r services; do
+ if [[ ! $services =~ "pam" ]]; then
+ sed -i "s/$services$/&, pam/" $f
+ fi
+ # Either pam service was already there or got added now
+ service_already_exist=true
+ done <<< "$services_list"
+ done
- while IFS= read -r services; do
- if [[ ! $services =~ "pam" ]]; then
- sed -i "s/$services$/&, pam/" $f
- fi
- # Either pam service was already there or got added now
- service_already_exist=true
- done <<< "$services_list"
-
-done
-
-# If there was no service in [sssd], add it to first config
-if [ "$service_already_exist" = false ]; then
- for f in $SSSD_CONF $SSSD_CONF_DIR; do
- cat << EOF >> "$f"
+ # If there was no service in [sssd], add it to first config
+ if [ "$service_already_exist" = false ]; then
+ cat << EOF >> "$SSSD_CONF"
[sssd]
services = pam
EOF
- break
- done
+ fi
fi
-
-umask $OLD_UMASK
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_pam_services' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
+++ xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
@@ -12,7 +12,7 @@
- no_reboot_needed
- sssd_enable_pam_services
-- name: Configure PAM in SSSD Services - Find all the conf files inside the /etc/sssd/conf.d/
+- name: Configure PAM in SSSD Services - Find all conf files inside the /etc/sssd/conf.d/
directory
ansible.builtin.find:
paths:
@@ -31,7 +31,7 @@
- no_reboot_needed
- sssd_enable_pam_services
-- name: Configure PAM in SSSD Services - Modify lines in files in the /etc/sssd/conf.d/
+- name: Configure PAM in SSSD Services - Modify lines in files found in the /etc/sssd/conf.d/
directory
ansible.builtin.replace:
path: '{{ item }}'
@@ -53,7 +53,7 @@
- no_reboot_needed
- sssd_enable_pam_services
-- name: Configure PAM in SSSD Services - Find /etc/sssd/sssd.conf
+- name: Configure PAM in SSSD Services - Check existence of /etc/sssd/sssd.conf
ansible.builtin.stat:
path: /etc/sssd/sssd.conf
register: sssd_conf_file
@@ -89,16 +89,17 @@
- no_reboot_needed
- sssd_enable_pam_services
-- name: Configure PAM in SSSD Services - Find services key in /etc/sssd/sssd.conf
- ansible.builtin.replace:
+- name: Configure PAM in SSSD Services - Ensure services entry in sssd section of
+ /etc/sssd/sssd.conf
+ ini_file:
path: /etc/sssd/sssd.conf
- regexp: ^\s*\[sssd\][^\[\]]*?(?:\n(?!\[)[^\n]*?services\s*=)+
- replace: ''
- changed_when: false
- check_mode: true
- register: sssd_conf_file_services
+ section: sssd
+ option: services
+ value: pam
when:
- '"sssd-common" in ansible_facts.packages'
+ - not modify_lines_sssd_conf_d_files.changed
+ - not modify_lines_sssd_conf_file.changed
- sssd_conf_file.stat.exists
tags:
- CCE-82446-6
@@ -110,26 +111,3 @@
- medium_severity
- no_reboot_needed
- sssd_enable_pam_services
-
-- name: Configure PAM in SSSD Services - Insert entry to /etc/sssd/sssd.conf
- ini_file:
- path: /etc/sssd/sssd.conf
- section: sssd
- option: services
- value: pam
- when:
- - '"sssd-common" in ansible_facts.packages'
- - not modify_lines_sssd_conf_d_files.changed
- - not modify_lines_sssd_conf_file.changed
- - (sssd_conf_file_services.msg is defined and "replacements" not in sssd_conf_file_services.msg)
- or not sssd_conf_file.stat.exists
- tags:
- - CCE-82446-6
- - NIST-800-53-CM-6(a)
- - NIST-800-53-IA-2(1)
- - configure_strategy
- - low_complexity
- - medium_disruption
- - medium_severity
- - no_reboot_needed
- - sssd_enable_pam_services
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_pam_services'
--- xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
+++ xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
@@ -1 +1 @@
-
+oval:ssg-sssd_conf_files_present:def:1 |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
|
CI tests for ANSSI are returning error with rules Now, since the VM doesn't have sssd conf files created by default, the rules keep failing after remediation. |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
marcusburghardt
force-pushed
the
sssd_rules
branch
from
c299868
to
319c8aa
Compare
marcusburghardt
changed the title
marcusburghardt
changed the title
I created a new applicability to check if any SSSD configuration file is already present in the system. If so, the rule will check and, if necessary, remediate. If not, the rule will report |
|
I saw that other SSSD related rules could benefit of the applicability introduced here. I have plan to check these rules in another opportunity. Each rule uses a different approach. Ideally we should create a template (maybe some macros are enough) for SSSD and align all the SSSD related rules to the same approach. Unfortunately, this would demand more time than I have right now. So, for this PR I focused only on rules used in ANSSI control file. |
|
@marcusburghardt Do you plan on workig on this? How can we move this along? |
Updated the test scenarios for a valid option. Signed-off-by: Marcus Burghardt <[email protected]>
This is a templated rule but the test scenarios are overridden in order to create a sssd.conf file for testing purposes. The package name in the custom test scenarios was not correct. Signed-off-by: Marcus Burghardt <[email protected]>
sssd remediation should not create sssd configuration files if they were not previous created by sys admins. The reason the sssd configuration files are not created by default is because its parameters may differ for each site policy, therefore manual intervention is necessary to ensure the sssd parameters are compliant. The bash remediation was creating a new file only to satisfy a parameter. This creates incosistent sssd configuration and makes the sssd service to fail. Signed-off-by: Marcus Burghardt <[email protected]>
Signed-off-by: Marcus Burghardt <[email protected]>
Signed-off-by: Marcus Burghardt <[email protected]>
Signed-off-by: Marcus Burghardt <[email protected]>
The sssd.conf should only modified if already present. It is not created by this remediation. Signed-off-by: Marcus Burghardt <[email protected]>
Some SSSD related rules are only applicable when there is already SSSD configuration files present in the system. Signed-off-by: Marcus Burghardt <[email protected]>
This rule is only applicable when SSSD is already in use and consequently configured. Signed-off-by: Marcus Burghardt <[email protected]>
marcusburghardt
force-pushed
the
sssd_rules
branch
from
319c8aa
to
6e3a497
Compare
|
Code Climate has analyzed commit 6e3a497 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 60.9% (0.0% change). View more on Code Climate. |
Description:
When reviewing #12351 I noticed some issues with
sssdrelated rules.This PR:
sssd_enable_pam_servicesbash remediationid_providervalue and fix the sssd package name in some test scenariossssd_enable_pam_servicesfor better reportingRationale:
Better test scenarios and remediation for sssd related rules used in ANSSI control file.
Review Hints: