
Make sure sssd.conf files have 0600 permissions mode #10695

Merged

Conversation

ggbecker
Member

@ggbecker ggbecker commented Jun 7, 2023

Description:

  • Make sure sssd.conf files have 0600 permissions mode.

Rationale:

  • Create sssd.conf file with expected permissions
  • An attempt to fix: https://bugzilla.redhat.com/show_bug.cgi?id=2211511
    • In the bugzilla, they use oscap xccdf generate fix and then execute the script; this doesn't take into account the applicability of SSSD rules, and some remediations get executed even if they wouldn't be applicable, for example. That might be what is causing it to create a file that doesn't exist with wrong permissions, because if the file were created by the sssd-related package, this problem would not occur.
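The pattern the updated remediations rely on, as an added example that is not part of this PR: a drop-in file is created under a restrictive umask and its mode checked afterwards. It runs against a scratch path as an ordinary user (GNU stat is assumed); the file and setting names are constructed.

```shell
#!/bin/sh
# Added example, not code from the PR or the ComplianceAsCode project.
# Reproduces the umask-scoped creation of an sssd drop-in and shows what a
# umask does (new file comes out 0600) and does not do (existing file keeps
# its mode). Paths are passed in so it can run in a temporary directory.

# Append a "[section]\nkey = value" block to a drop-in, creating it 0600 if
# missing. The directory is created *before* the umask change on purpose:
# "umask u=rw,go=" would give a new directory mode 0600 with no execute bit,
# which non-root processes cannot traverse.
sssd_append_setting() {
    file=$1 section=$2 setting=$3
    mkdir -p -m 0700 "$(dirname "$file")"
    old_umask=$(umask)
    umask u=rw,go=                 # as in the remediation: new files get 0600
    printf '[%s]\n%s\n' "$section" "$setting" >> "$file"
    umask "$old_umask"
}

# Octal mode of a file (GNU coreutils stat).
file_mode() {
    stat -c '%a' "$1"
}

# The check a scanner still has to perform: a umask shapes only newly
# created files, so a pre-existing 0644 drop-in stays 0644 after the
# remediation runs. Returns 0 when the mode is exactly 0600.
is_mode_0600() {
    [ "$(file_mode "$1")" = "600" ]
}
```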

@ggbecker ggbecker added the bugfix Fixes to reported bugs. label Jun 7, 2023
@ggbecker ggbecker added this to the 0.1.69 milestone Jun 7, 2023
@openshift-ci

openshift-ci bot commented Jun 7, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jun 7, 2023
@github-actions

github-actions bot commented Jun 7, 2023

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' differs.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -3,6 +3,11 @@
 
 var_sssd_certificate_verification_digest_function=''
 
+
+# sssd configuration files must be created with 600 permissions if they don't exist
+# otherwise the sssd module fails to start
+OLD_UMASK=$(umask)
+umask u=rw,go=
 
 MAIN_CONF="/etc/sssd/conf.d/certificate_verification.conf"
 
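Review bot: the umask change is introduced here but only undone by the `umask $OLD_UMASK` in the second hunk, so every command in between runs under `u=rw,go=` (equivalent to octal 0177), not just the redirection that creates the drop-in. Narrowing the pair to wrap only the `echo ... >> "$file"` line keeps unrelated commands from inheriting it; at minimum the comment should say that the mask yields 0600 for files and a non-traversable 0600 for any directory created while it is active.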
@@ -33,10 +38,7 @@
     echo -e "[sssd]\ncertificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" >> "$file"
 fi
 
-if [ -e "$MAIN_CONF" ]; then
-    chown root:root "$MAIN_CONF"
-	chmod 600 "$MAIN_CONF"
-fi
+umask $OLD_UMASK
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
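Review bot: removing the `if [ -e "$MAIN_CONF" ]` block with `chown root:root` / `chmod 600` changes behaviour for a file that already exists: a umask only affects newly created files, so a certificate_verification.conf that an earlier run left at 0644 (the situation the linked bugzilla describes) keeps that mode after this remediation, and the rule will still fail its check. Keeping the `chmod 600` as a post-step next to the umask covers both the create and the repair case; if that is intentionally delegated to a separate permissions rule, the PR description should say so.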

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' differs.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -23,6 +23,7 @@
     section: sssd
     option: certificate_verification
     state: absent
+    mode: 384
   when: '"sssd-common" in ansible_facts.packages'
   tags:
   - CCE-86120-3
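Review bot: `mode: 384` is octal 0600 written in decimal, which is what the YAML parser produces when an unquoted `0600` in the source is read as an integer; the result is correct but opaque to anyone reading the generated playbook. The usual Ansible convention, and the clearer datastream output, is the quoted form `mode: '0600'` (or symbolic `u=rw,g=,o=`). Since the bash remediation no longer corrects an existing file, it is also worth adding a test that a pre-existing 0644 file is fixed by this task rather than only a missing one.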
@@ -41,6 +42,7 @@
     section: sssd
     option: certificate_verification
     state: absent
+    mode: 384
   when: '"sssd-common" in ansible_facts.packages'
   tags:
   - CCE-86120-3
@@ -60,6 +62,7 @@
     option: certificate_verification
     value: ocsp_dgst = {{ var_sssd_certificate_verification_digest_function }}
     state: present
+    mode: 384
   when: '"sssd-common" in ansible_facts.packages'
   tags:
   - CCE-86120-3

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_pam_services' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
+++ xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
@@ -1,5 +1,10 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q sssd-common; then
+
+# sssd configuration files must be created with 600 permissions if they don't exist
+# otherwise the sssd module fails to start
+OLD_UMASK=$(umask)
+umask u=rw,go=
 
 SSSD_CONF="/etc/sssd/sssd.conf"
 SSSD_CONF_DIR="/etc/sssd/conf.d/*.conf"
@@ -42,6 +47,8 @@
     done
 fi
 
+umask $OLD_UMASK
+
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -1,5 +1,10 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# sssd configuration files must be created with 600 permissions if they don't exist
+# otherwise the sssd module fails to start
+OLD_UMASK=$(umask)
+umask u=rw,go=
 
 found=false
 
@@ -27,6 +32,8 @@
     mkdir -p "$(dirname "$file")"
     echo -e "[pam]\npam_cert_auth = True" >> "$file"
 fi
+
+umask $OLD_UMASK
 
 
 if [ -f /usr/bin/authselect ]; then
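Review bot: in this rule the `mkdir -p "$(dirname "$file")"` visible in context runs while `umask u=rw,go=` is still active, so a drop-in directory that does not yet exist would be created with mode 0600 and no execute bit, which only root can enter. The sssd-common applicability check normally guarantees the configuration directory is already shipped by the package, but if the umask block stays this broad, `mkdir -p -m 0700` on that line (or wrapping only the `echo ... >> "$file"` with the umask) removes the dependency on that assumption.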

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_memcache_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
@@ -3,6 +3,11 @@
 
 var_sssd_memcache_timeout=''
 
+
+# sssd configuration files must be created with 600 permissions if they don't exist
+# otherwise the sssd module fails to start
+OLD_UMASK=$(umask)
+umask u=rw,go=
 
 found=false
 
@@ -31,6 +36,8 @@
     echo -e "[nss]\nmemcache_timeout = $var_sssd_memcache_timeout" >> "$file"
 fi
 
+umask $OLD_UMASK
+
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' differs.
--- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
+++ xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
@@ -1,5 +1,10 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# sssd configuration files must be created with 600 permissions if they don't exist
+# otherwise the sssd module fails to start
+OLD_UMASK=$(umask)
+umask u=rw,go=
 
 found=false
 
@@ -28,6 +33,8 @@
     echo -e "[pam]\noffline_credentials_expiration = 1" >> "$file"
 fi
 
+umask $OLD_UMASK
+
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user' differs.
--- xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user
+++ xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user
@@ -2,6 +2,11 @@
 if rpm --quiet -q sssd-common; then
 
 MAIN_CONF="/etc/sssd/conf.d/ospp.conf"
+
+# sssd configuration files must be created with 600 permissions if they don't exist
+# otherwise the sssd module fails to start
+OLD_UMASK=$(umask)
+umask u=rw,go=
 
 found=false
 
@@ -30,10 +35,7 @@
     echo -e "[sssd]\nuser = sssd" >> "$file"
 fi
 
-if [ -e "$MAIN_CONF" ]; then
-    chown root:root "$MAIN_CONF"
-	chmod 600 "$MAIN_CONF"
-fi
+umask $OLD_UMASK
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
@@ -3,6 +3,11 @@
 
 var_sssd_ssh_known_hosts_timeout=''
 
+
+# sssd configuration files must be created with 600 permissions if they don't exist
+# otherwise the sssd module fails to start
+OLD_UMASK=$(umask)
+umask u=rw,go=
 
 found=false
 
@@ -31,6 +36,8 @@
     echo -e "[ssh]\nssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" >> "$file"
 fi
 
+umask $OLD_UMASK
+
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
@@ -65,6 +65,7 @@
     section: '{{ item.section }}'
     option: '{{ item.option }}'
     value: '{{ item.value }}'
+    mode: 384
   with_items:
   - section: sssd
     option: domains
@@ -96,6 +97,7 @@
     section: '{{ test_grep_domain.stdout | regex_replace(''\[(.*)\]'',''\1'') }}'
     option: ldap_tls_cacertdir
     value: '{{ var_sssd_ldap_tls_ca_dir }}'
+    mode: 384
   when:
   - '"sssd-common" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
@@ -60,6 +60,7 @@
     section: '{{ item.section }}'
     option: '{{ item.option }}'
     value: '{{ item.value }}'
+    mode: 384
   with_items:
   - section: sssd
     option: domains
@@ -91,6 +92,7 @@
     section: '{{ test_grep_domain.stdout | regex_replace(''\[(.*)\]'',''\1'') }}'
     option: ldap_tls_reqcert
     value: demand
+    mode: 384
   when:
   - '"sssd-common" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
@@ -63,6 +63,7 @@
     section: '{{ item.section }}'
     option: '{{ item.option }}'
     value: '{{ item.value }}'
+    mode: 384
   with_items:
   - section: sssd
     option: domains
@@ -95,6 +96,7 @@
     section: '{{ test_grep_domain.stdout | regex_replace(''\[(.*)\]'',''\1'') }}'
     option: ldap_id_use_start_tls
     value: 'true'
+    mode: 384
   when:
   - '"sssd-common" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

@jan-cerny
Collaborator

@ggbecker What remains to be done here?

@ggbecker ggbecker force-pushed the fix-sssd-config-file-permissions branch from 9fd4f15 to a2d34c1 on July 17, 2023 09:36
@ggbecker
Member Author

@ggbecker What remains to be done here?

I just addressed your feedback and rebased on top of the main branch. This should now be ready to review.

@ggbecker ggbecker marked this pull request as ready for review July 17, 2023 09:37
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jul 17, 2023
@codeclimate

codeclimate bot commented Jul 17, 2023

Code Climate has analyzed commit a2d34c1 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.4% (0.0% change).

View more on Code Climate.

@Mab879 Mab879 self-assigned this Jul 17, 2023
@Mab879 Mab879 merged commit 7027e9c into ComplianceAsCode:master Jul 17, 2023
33 of 34 checks passed