Make sure sssd.conf files have 0600 permissions mode #10695
Skipping CI for Draft Pull Request.
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' differs.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -3,6 +3,11 @@
var_sssd_certificate_verification_digest_function=''
+
+# sssd configuration files must be created with 600 permissions if they don't exist
+# otherwise the sssd module fails to start
+OLD_UMASK=$(umask)
+umask u=rw,go=
MAIN_CONF="/etc/sssd/conf.d/certificate_verification.conf"
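Review bot: `umask u=rw,go=` (octal 0177) is stricter than the 0600 goal needs and also strips the execute bit from any directory the script creates later. Files opened with `>>` start from 0666, so `umask 077` already produces 0600 files, while a `mkdir -p` under it yields a traversable 0700 directory instead of an unusable 0600 one; consider `umask 077` here. Keep in mind that the umask only governs files created after this point; a `$MAIN_CONF` that already exists with looser permissions is untouched by it.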
@@ -33,10 +38,7 @@
echo -e "[sssd]\ncertificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" >> "$file"
fi
-if [ -e "$MAIN_CONF" ]; then
- chown root:root "$MAIN_CONF"
- chmod 600 "$MAIN_CONF"
-fi
+umask $OLD_UMASK
else
>&2 echo 'Remediation is not applicable, nothing was done'
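Review bot: removing the `chown root:root` / `chmod 600` block drops the only step that corrected an already-existing `$MAIN_CONF`; the umask set at the top of the block applies at file creation only, so a pre-existing 0644 or non-root-owned file keeps its mode and owner after this remediation runs. Either keep the chown/chmod for the existing-file case, or state in the PR which separate rule is expected to fix permissions on existing sssd configuration files.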
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' differs.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -23,6 +23,7 @@
section: sssd
option: certificate_verification
state: absent
+ mode: 384
when: '"sssd-common" in ansible_facts.packages'
tags:
- CCE-86120-3
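Review bot: `mode: 384` is the decimal spelling of octal 0600; it works, but every reader has to convert it. Ansible accepts the quoted octal string `mode: '0600'`, which is the form its documentation recommends, so prefer that spelling in all the ini_file tasks touched by this PR.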
@@ -41,6 +42,7 @@
section: sssd
option: certificate_verification
state: absent
+ mode: 384
when: '"sssd-common" in ansible_facts.packages'
tags:
- CCE-86120-3
@@ -60,6 +62,7 @@
option: certificate_verification
value: ocsp_dgst = {{ var_sssd_certificate_verification_digest_function }}
state: present
+ mode: 384
when: '"sssd-common" in ansible_facts.packages'
tags:
- CCE-86120-3
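Review bot: this is the task that can create the file (`state: present`), and only `mode` is set on it, whereas the bash remediation previously did `chown root:root` on the same file. If root ownership matters for sssd accepting the file, add `owner: root` and `group: root` next to `mode` so the Ansible and bash remediations end up with the same ownership.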
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_pam_services' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
+++ xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
@@ -1,5 +1,10 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q sssd-common; then
+
+# sssd configuration files must be created with 600 permissions if they don't exist
+# otherwise the sssd module fails to start
+OLD_UMASK=$(umask)
+umask u=rw,go=
SSSD_CONF="/etc/sssd/sssd.conf"
SSSD_CONF_DIR="/etc/sssd/conf.d/*.conf"
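Review bot: this same five-line preamble (the two comment lines, `OLD_UMASK=$(umask)`, `umask u=rw,go=`) is now copy-pasted into seven bash remediations in this diff, and the comment says "sssd module fails to start" where the sssd service is meant. Factor it into a shared Jinja macro so the mask value, the wording and the matching restore are defined once, and fix the comment there.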
@@ -42,6 +47,8 @@
done
fi
+umask $OLD_UMASK
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -1,5 +1,10 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# sssd configuration files must be created with 600 permissions if they don't exist
+# otherwise the sssd module fails to start
+OLD_UMASK=$(umask)
+umask u=rw,go=
found=false
@@ -27,6 +32,8 @@
mkdir -p "$(dirname "$file")"
echo -e "[pam]\npam_cert_auth = True" >> "$file"
fi
+
+umask $OLD_UMASK
if [ -f /usr/bin/authselect ]; then
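Review bot: `mkdir -p "$(dirname "$file")"` runs while the umask is 0177, so if the parent of `$file` (normally `/etc/sssd/conf.d`) does not exist yet it is created with mode 0600, without the execute bit, and no non-root process can enter it afterwards. `umask 077` avoids that (0700 directory, still 0600 files); alternatively create the directory before changing the umask. The `umask $OLD_UMASK` restore being placed before the authselect block is right, since the rest of the script should run under the caller's mask.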
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_memcache_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
@@ -3,6 +3,11 @@
var_sssd_memcache_timeout=''
+
+# sssd configuration files must be created with 600 permissions if they don't exist
+# otherwise the sssd module fails to start
+OLD_UMASK=$(umask)
+umask u=rw,go=
found=false
@@ -31,6 +36,8 @@
echo -e "[nss]\nmemcache_timeout = $var_sssd_memcache_timeout" >> "$file"
fi
+umask $OLD_UMASK
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' differs.
--- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
+++ xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
@@ -1,5 +1,10 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# sssd configuration files must be created with 600 permissions if they don't exist
+# otherwise the sssd module fails to start
+OLD_UMASK=$(umask)
+umask u=rw,go=
found=false
@@ -28,6 +33,8 @@
echo -e "[pam]\noffline_credentials_expiration = 1" >> "$file"
fi
+umask $OLD_UMASK
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user' differs.
--- xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user
+++ xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user
@@ -2,6 +2,11 @@
if rpm --quiet -q sssd-common; then
MAIN_CONF="/etc/sssd/conf.d/ospp.conf"
+
+# sssd configuration files must be created with 600 permissions if they don't exist
+# otherwise the sssd module fails to start
+OLD_UMASK=$(umask)
+umask u=rw,go=
found=false
@@ -30,10 +35,7 @@
echo -e "[sssd]\nuser = sssd" >> "$file"
fi
-if [ -e "$MAIN_CONF" ]; then
- chown root:root "$MAIN_CONF"
- chmod 600 "$MAIN_CONF"
-fi
+umask $OLD_UMASK
else
>&2 echo 'Remediation is not applicable, nothing was done'
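Review bot: same regression as in the certificate_verification remediation: with the `chown root:root` / `chmod 600` block gone, an `/etc/sssd/conf.d/ospp.conf` that already exists keeps whatever mode and owner it had, because the umask restored on the line above only governed file creation. Keep the chown/chmod for the existing-file case unless another rule is documented to cover it.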
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
@@ -3,6 +3,11 @@
var_sssd_ssh_known_hosts_timeout=''
+
+# sssd configuration files must be created with 600 permissions if they don't exist
+# otherwise the sssd module fails to start
+OLD_UMASK=$(umask)
+umask u=rw,go=
found=false
@@ -31,6 +36,8 @@
echo -e "[ssh]\nssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" >> "$file"
fi
+umask $OLD_UMASK
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
@@ -65,6 +65,7 @@
section: '{{ item.section }}'
option: '{{ item.option }}'
value: '{{ item.value }}'
+ mode: 384
with_items:
- section: sssd
option: domains
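Review bot: `mode: 384` inside a `with_items` loop is exactly where the Ansible documentation warns that an unquoted leading-zero octal (`0600`) can be misparsed, so the decimal form is safe here, but it remains unreadable; the quoted string `'0600'` is equally safe in loops and says what it means. Use one spelling consistently across the ini_file tasks in this PR.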
@@ -96,6 +97,7 @@
section: '{{ test_grep_domain.stdout | regex_replace(''\[(.*)\]'',''\1'') }}'
option: ldap_tls_cacertdir
value: '{{ var_sssd_ldap_tls_ca_dir }}'
+ mode: 384
when:
- '"sssd-common" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
@@ -60,6 +60,7 @@
section: '{{ item.section }}'
option: '{{ item.option }}'
value: '{{ item.value }}'
+ mode: 384
with_items:
- section: sssd
option: domains
@@ -91,6 +92,7 @@
section: '{{ test_grep_domain.stdout | regex_replace(''\[(.*)\]'',''\1'') }}'
option: ldap_tls_reqcert
value: demand
+ mode: 384
when:
- '"sssd-common" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
@@ -63,6 +63,7 @@
section: '{{ item.section }}'
option: '{{ item.option }}'
value: '{{ item.value }}'
+ mode: 384
with_items:
- section: sssd
option: domains
@@ -95,6 +96,7 @@
section: '{{ test_grep_domain.stdout | regex_replace(''\[(.*)\]'',''\1'') }}'
option: ldap_id_use_start_tls
value: 'true'
+ mode: 384
when:
- '"sssd-common" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] |
@ggbecker What remains to be done here?
Review thread on linux_os/guide/services/sssd/sssd_offline_cred_expiration/bash/shared.sh (outdated, resolved).
Force-pushed from 9fd4f15 to a2d34c1.
I just addressed your feedback and rebased on top of the main branch. This should now be ready to review.
Code Climate has analyzed commit a2d34c1 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.4% (0.0% change).
Description:
Rationale:
oscap xccdf generate fix and then execute the script, this doesn't take into account the applicability of SSSD rules and some remediations get executed even if they wouldn't be applicable, for example. That might be what is causing a file that doesn't exist to be created with wrong permissions, because if the file were created by the sssd related package, this problem would not occur.
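The umask approach in the diff above has one edge case worth seeing concretely: the mask `u=rw,go=` (octal 0177) gives the 0600 drop-in files the rules want, but a directory created by the same script's `mkdir -p` ends up 0600 as well, without the execute bit, whereas `umask 077` produces 0700 directories and the same 0600 files. The script below is an added example written for this page, not code from ComplianceAsCode or this PR; it replays the remediation's create-parent-then-append pattern in a throwaway temporary directory (all paths and the drop-in content are hypothetical) and reports the resulting modes.

```shell
#!/bin/bash
# Added example (not ComplianceAsCode code): what the remediation's umask does
# to the files and directories it creates. All paths here are temporary.

# Permission bits of a path as three octal digits (GNU stat, BSD stat fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Octal value of a umask given in symbolic or numeric form,
# e.g. "u=rw,go=" -> 0177, "077" -> 0077. Runs in a subshell so the
# caller's umask is not changed.
umask_octal() { ( umask "$1" && umask ); }

# Replay the remediation's pattern (mkdir -p of the parent, then `>>` into a
# drop-in file) under the given umask and print "<dir mode> <file mode>".
# The umask is saved and restored exactly like the remediation does.
create_under_umask() {
    cu_base=$(mktemp -d) || return 1
    cu_old=$(umask)
    umask "$1"
    mkdir -p "$cu_base/conf.d"
    printf '[pam]\npam_cert_auth = True\n' >> "$cu_base/conf.d/drop.conf"
    umask "$cu_old"
    printf '%s %s\n' "$(mode_of "$cu_base/conf.d")" "$(mode_of "$cu_base/conf.d/drop.conf")"
    rm -rf "$cu_base"
}

# The PR's mask: 0600 files, but a freshly created directory is 0600 too
# (no execute bit). umask 077 keeps the 0600 files and gives a 0700 directory.
create_under_umask u=rw,go=    # 600 600
create_under_umask 077         # 700 600
```

Run it as root or as an unprivileged user; the result is the same because it only depends on the mask. The difference only matters when the parent directory does not already exist, which is precisely the case the remediations handle with `mkdir -p`.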