Update var_password_pam_remember_control_flag to allow multiple values in OL8 #8861
Hi @Xeicker. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with
Once the patch is verified, the new status will be reflected by the
I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This datastream diff is auto generated by the check.

OCIL for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs:
--- old datastream
+++ new datastream
@@ -1,10 +1,10 @@
Check that the operating system prohibits the reuse of a password for
a minimum of generations with the following command:
# grep pam_pwhistory.so /etc/pam.d/password-auth
-password pam_pwhistory.so remember= use_authtok
-If the command does not return a result, or the returned line is commented
-out, has a second column value different from , does not contain
-"remember" value, or the value is less than
-, this is a finding.
+password control_flag pam_pwhistory.so remember= use_authtok
+If the command does not return a result, the returned line is commented out,
+the line does not contain "remember" value, the value is less than , the control_flag value isn't one of
+the next: this is a
+finding.
Is it the case that the value of remember is not set equal to or greater than <sub idref="var_password_pam_remember" />?
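Review bot: the new finding sentence (from `+If the command does not return a result` through `+finding.`) is a run-on that lists five conditions with no "or" between them and ends in "the control_flag value isn't one of the next:"; write it as "..., or the control flag is not one of the following: ..., this is a finding." The example output line now reads `password control_flag pam_pwhistory.so remember= use_authtok`, so the literal word `control_flag` sits where the old text substituted the expected control value; `control_flag` is not a PAM control token, so either list the allowed values there (e.g. `<required|requisite>`) or say that it stands for one of the flags listed after the colon. Note that the variable substitutions render as blanks in this diff (`remember=` with no number, the `<sub idref="var_password_pam_remember" />` on the last context line), so the final wording should be checked in the built guide rather than here.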
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs:
--- old datastream
+++ new datastream
@@ -4,6 +4,8 @@
var_password_pam_remember=''
var_password_pam_remember_control_flag=''
+
+var_password_pam_remember_control_flag="$(echo $var_password_pam_remember_control_flag | cut -d \, -f 1)"
if [ -e "/etc/pam.d/password-auth" ] ; then
PAM_FILE_PATH="/etc/pam.d/password-auth"
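Review bot: the added `cut -d \, -f 1` discards every value after the first comma before anything else in the script sees the variable, so the remediation below only knows one flag; if it uses that value to decide whether the existing `pam_pwhistory.so` line is acceptable (as the Ansible remediation in this same datastream does), a host that already has the second allowed flag, e.g. `requisite` with the variable set to `required,requisite`, passes the check but is rewritten by the remediation. Keep the full list for the "is the present line acceptable" test and take the first element only where a flag has to be written. Minor: `$(echo $var | cut ...)` forks twice and leaves the variable unquoted; `var_password_pam_remember_control_flag="${var_password_pam_remember_control_flag%%,*}"` gives the first element in-process.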
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs:
--- old datastream
+++ new datastream
@@ -194,7 +194,8 @@
is present in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
- regexp: ^\s*password\s+{{ var_password_pam_remember_control_flag }}\s+pam_pwhistory.so\s*.*
+ regexp: ^\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0]
+ }}\s+pam_pwhistory.so\s*.*
state: absent
check_mode: true
changed_when: false
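Review bot: `var_password_pam_remember_control_flag.split(",")[0]` is now inlined into every regexp and `line:` of this task file (this is the first of six hunks doing the same substitution); compute it once, e.g. with a `set_fact` task `pam_control_flag: "{{ var_password_pam_remember_control_flag.split(',')[0] }}"`, and reference that, so a future change to how the flag is chosen is a one-line edit and the long Jinja expressions stop wrapping across YAML lines. For this presence check in particular, a `pam_pwhistory.so` line carrying the second allowed flag is reported as absent.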
@@ -219,7 +220,7 @@
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
- replace: \1{{ var_password_pam_remember_control_flag }} \2
+ replace: \1{{ var_password_pam_remember_control_flag.split(",")[0] }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
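Review bot: this `replace` fires when `result_pam_line_other_control_present.found == 1`, i.e. whenever the existing line has any control other than the first list element, so with the variable set to `required,requisite` a host whose line reads `password requisite pam_pwhistory.so ...` passes the check but is rewritten to `required` and reports `changed` on every run. The presence regexp should accept any listed flag, e.g. `({{ var_password_pam_remember_control_flag.split(',') | join('|') }})`, and this replace should run only when the current flag is outside the list.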
@@ -229,7 +230,8 @@
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
insertafter: ^password.*requisite.*pam_pwquality.so
- line: password {{ var_password_pam_remember_control_flag }} pam_pwhistory.so
+ line: password {{ var_password_pam_remember_control_flag.split(",")[0]
+ }} pam_pwhistory.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
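Review bot: the inserted line takes the first list element, which is fine, but the anchor `insertafter: ^password.*requisite.*pam_pwquality.so` still hard-codes `requisite` for the pwquality line while this PR makes the pwhistory flag configurable; when pwquality uses `required`, `lineinfile` finds no match and appends the entry at the end of the file, after the rest of the password stack. Match either flag, `^password\s+(requisite|required)\s+pam_pwquality.so`, or anchor on the `pam_unix.so` line instead.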
@@ -248,7 +250,8 @@
option is present in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
- regexp: ^\s*password\s+{{ var_password_pam_remember_control_flag }}\s+pam_pwhistory.so\s*.*\sremember\b
+ regexp: ^\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0]
+ }}\s+pam_pwhistory.so\s*.*\sremember\b
state: absent
check_mode: true
changed_when: false
@@ -259,7 +262,8 @@
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
- regexp: ^(\s*password\s+{{ var_password_pam_remember_control_flag }}\s+pam_pwhistory.so.*)
+ regexp: ^(\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0]
+ }}\s+pam_pwhistory.so.*)
line: \1 remember={{ var_password_pam_remember }}
state: present
register: result_pam_remember_add
@@ -271,7 +275,8 @@
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
- regexp: ^(\s*password\s+{{ var_password_pam_remember_control_flag }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
+ regexp: ^(\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0]
+ }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
line: \1\2={{ var_password_pam_remember }} \3
register: result_pam_remember_edit
when:
OCIL for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs:
--- old datastream
+++ new datastream
@@ -1,10 +1,10 @@
Check that the operating system prohibits the reuse of a password for a minimum of
generations with the following command:
# grep pam_pwhistory.so /etc/pam.d/system-auth
-password pam_pwhistory.so remember= use_authtok
-If the command does not return a result, or the returned line is commented out, has a second
-column value different from ,
-does not contain "remember" value, or the value is less than ,
-this is a finding.
+password control_flag pam_pwhistory.so remember= use_authtok
+If the command does not return a result, the returned line is commented out,
+the line does not contain "remember" value, the value is less than , the control_flag value isn't one of
+the next: this is a
+finding.
Is it the case that the value of remember is not set equal to or greater than <sub idref="var_password_pam_remember" />?
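Review bot: the same wording problem as in the password-auth OCIL: the new finding sentence lists its conditions without an "or" and ends in "isn't one of the next:", and the example line `password control_flag pam_pwhistory.so remember= use_authtok` prints the literal token `control_flag` in the control column, which is not a PAM control value. Spell out the allowed flags there and rewrite the sentence as "..., or the control flag is not one of the following: ..., this is a finding."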
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs:
--- old datastream
+++ new datastream
@@ -4,6 +4,8 @@
var_password_pam_remember=''
var_password_pam_remember_control_flag=''
+
+var_password_pam_remember_control_flag="$(echo $var_password_pam_remember_control_flag | cut -d \, -f 1)"
if [ -e "/etc/pam.d/system-auth" ] ; then
PAM_FILE_PATH="/etc/pam.d/system-auth"
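Review bot: as in the password-auth script, the `cut -d \, -f 1` line reduces the variable to its first element before the rest of the script runs, so a `pam_pwhistory.so` line already using the second allowed flag can no longer be recognised as acceptable below this point; keep the list for matching and use `${var_password_pam_remember_control_flag%%,*}` only where a flag is written.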
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs:
--- old datastream
+++ new datastream
@@ -194,7 +194,8 @@
present in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
- regexp: ^\s*password\s+{{ var_password_pam_remember_control_flag }}\s+pam_pwhistory.so\s*.*
+ regexp: ^\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0]
+ }}\s+pam_pwhistory.so\s*.*
state: absent
check_mode: true
changed_when: false
@@ -219,7 +220,7 @@
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
- replace: \1{{ var_password_pam_remember_control_flag }} \2
+ replace: \1{{ var_password_pam_remember_control_flag.split(",")[0] }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
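Review bot: with the variable set to `required,requisite`, a `/etc/pam.d/system-auth` line using `requisite` makes `result_pam_line_other_control_present.found == 1` and is replaced with `required`, so the remediation modifies a host the check accepts and is not idempotent; accept any listed flag in the presence regexp (`({{ var_password_pam_remember_control_flag.split(',') | join('|') }})`) and replace only when the current flag is not in the list.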
@@ -229,7 +230,8 @@
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
insertafter: ^password.*requisite.*pam_pwquality.so
- line: password {{ var_password_pam_remember_control_flag }} pam_pwhistory.so
+ line: password {{ var_password_pam_remember_control_flag.split(",")[0]
+ }} pam_pwhistory.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
@@ -248,7 +250,8 @@
is present in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
- regexp: ^\s*password\s+{{ var_password_pam_remember_control_flag }}\s+pam_pwhistory.so\s*.*\sremember\b
+ regexp: ^\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0]
+ }}\s+pam_pwhistory.so\s*.*\sremember\b
state: absent
check_mode: true
changed_when: false
@@ -259,7 +262,8 @@
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
- regexp: ^(\s*password\s+{{ var_password_pam_remember_control_flag }}\s+pam_pwhistory.so.*)
+ regexp: ^(\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0]
+ }}\s+pam_pwhistory.so.*)
line: \1 remember={{ var_password_pam_remember }}
state: present
register: result_pam_remember_add
@@ -271,7 +275,8 @@
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
- regexp: ^(\s*password\s+{{ var_password_pam_remember_control_flag }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
+ regexp: ^(\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0]
+ }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
line: \1\2={{ var_password_pam_remember }} \3
register: result_pam_remember_edit
when: |
I would suggest considering the use of macros for the remediation.
Another point I am curious about is the acceptable controls. I am fine if this is the case for `ol8`, but I would like to remind you that `requisite` and `required` are slightly different in this context. For example, in RHEL benchmarks, only one control is acceptable but the control was changed between RHEL7 and RHEL8. I wonder if the case is similar here.
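The difference the comment refers to can be checked against a model of the stack. Below is an added example, not code from the ComplianceAsCode project or from this PR: a bash function implementing the control-flag rules of pam.conf(5) for a password stack with constructed module outcomes, run once with pam_pwhistory.so as requisite and once as required. The function names and the sample stack are assumptions made for this illustration; nothing is authenticated for real.

```bash
#!/bin/bash
# Added example, not code from the ComplianceAsCode project: a small model of
# Linux-PAM control-flag semantics, to show why "requisite" and "required" are
# not interchangeable for pam_pwhistory.so. Rules follow pam.conf(5):
#   required   - failure is recorded, the rest of the stack still runs, stack fails
#   requisite  - failure ends the stack immediately
#   sufficient - success ends the stack with success unless a required module
#                already failed; its own failure is ignored
#   optional   - only counts when the stack has no other module
# Module outcomes are supplied as input (constructed data).

# stdin: one module per line, "<control> <module> <outcome>", outcome ok|fail.
# stdout: "<ok|fail> ran=<comma-separated modules that were actually invoked>".
pam_stack_eval() {
    local control module outcome
    local required_failed=0 strong_ok=0 nonoptional=0 optional_result=fail ran=""
    while read -r control module outcome; do
        case "$control" in ''|'#'*) continue ;; esac
        ran="${ran:+$ran,}$module"
        case "$control" in
            required)
                nonoptional=1
                if [ "$outcome" = fail ]; then required_failed=1; else strong_ok=1; fi
                ;;
            requisite)
                nonoptional=1
                if [ "$outcome" = fail ]; then
                    printf 'fail ran=%s\n' "$ran"
                    return 0
                fi
                strong_ok=1
                ;;
            sufficient)
                nonoptional=1
                if [ "$outcome" = ok ] && [ "$required_failed" -eq 0 ]; then
                    printf 'ok ran=%s\n' "$ran"
                    return 0
                fi
                ;;
            optional)
                if [ "$outcome" = ok ]; then optional_result=ok; fi
                ;;
            *)
                printf 'error: unknown control flag %s\n' "$control" >&2
                return 2
                ;;
        esac
    done
    if [ "$nonoptional" -eq 0 ]; then
        printf '%s ran=%s\n' "$optional_result" "$ran"
    elif [ "$required_failed" -eq 1 ] || [ "$strong_ok" -eq 0 ]; then
        printf 'fail ran=%s\n' "$ran"
    else
        printf 'ok ran=%s\n' "$ran"
    fi
}

# A typical password stack in which pam_pwhistory.so rejects a reused password;
# $1 is the control flag given to the pwhistory line (constructed sample).
pwhistory_stack() {
    printf 'requisite pam_pwquality.so ok\n%s pam_pwhistory.so fail\nsufficient pam_unix.so ok\nrequired pam_deny.so fail\n' "$1"
}

pwhistory_stack requisite | pam_stack_eval   # fail ran=pam_pwquality.so,pam_pwhistory.so
pwhistory_stack required  | pam_stack_eval   # fail ran=pam_pwquality.so,pam_pwhistory.so,pam_unix.so,pam_deny.so
```

With `requisite` the stack stops at pam_pwhistory.so, so pam_unix.so is never entered for a reused password; with `required` the final result is the same failure, but pam_unix.so and pam_deny.so still run first. That is the behavioural difference a benchmark fixes when it prescribes one flag rather than the other.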
Well, from DISA STIG requirements
Unfortunately I don't have the context of this change, but in RHEL7, for example, there is documentation using
Looking at the pam.conf man page, I can see this:
So, IMHO, it is better to use
In short, regardless of the specific case of
force-pushed from 896e978 to 734e049
@marcusburghardt Could you please take a look at this? It's been rebased, and as you recently modified the PAM- and authselect-related things you have more context than I do.
@marcusburghardt I don't know why I thought the macros for Ansible were also included in the PR you mentioned.
Hi @Xeicker, yes. Please use the new macros for the remediations. This way we can keep the same standard for all PAM related rules and make them easier to be maintained. The Ansible macros are very new (merged today). They would make our lives much easier, I hope. : )
Sure @jan-cerny, I am assigning this PR to myself. Thanks
force-pushed from 734e049 to 7eae4a6
force-pushed from 7eae4a6 to 3f05063
@Xeicker, could you rebase the PR and solve the conflicts, please?
force-pushed from 3f05063 to 04d5bbd
I have some considerations regarding the test scenarios, to make them more independent from profiles. Also, the Ansible remediation is failing in some cases, but this is due to an already fixed issue (#9141). If you rebase the PR, this should also be fixed. Thanks.
```bash
#!/bin/bash
# packages = pam
# platform = Oracle Linux 8
# profiles = xccdf_org.ssgproject.content_profile_stig
```
For this test scenario, I would recommend defining the variable value to be tested instead of the profile where it is set. This way we make sure the test scenario is not impacted by any change in the profile. For example:
variables = var_password_pam_remember=5,var_password_pam_remember_control_flag=ol8
I wanted to do something similar, but it doesn't work in this way: if I set `var_password_pam_remember_control_flag=ol8`, the value is literally "ol8"; it doesn't take the value from the `.var` file.
I see. I am not sure now if it is intentional or there is any technical limitation for this, but I think it is worth reporting an issue so we can investigate and try to improve this.
```yaml
values are allowed write them separated by commas as in "required,requisite",
for remediations the first value will be taken'
```
I had to read the description twice. Maybe we could subtly improve the reading. For example:
```yaml
'Specify the control flag required for password remember requirement. If multiple
values are allowed, write them separated by commas as in "required,requisite".
In case of multiple values, the first value will be taken for remediations.'
```
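To make concrete what the reworded description commits the rule to, here is an added example, not code from the ComplianceAsCode project or its bash macros: a check that accepts a comma-separated list of control flags, and a remediation that writes the first element only when a flag has to be written, leaving a line that already uses any listed flag alone. The function names, regular expressions, the mktemp-based demo and the sample PAM lines are assumptions made for this illustration; it relies on GNU sed for `sed -i` and the one-line `a` command.

```bash
#!/bin/bash
# Added example, not from the ComplianceAsCode project: check and remediate the
# pam_pwhistory.so "remember" requirement with a comma-separated list of allowed
# control flags ("required,requisite"). Needs GNU sed. Names are assumptions.

# Uncommented "password <flag> pam_pwhistory.so" / "... pam_pwquality.so" lines.
PWH_LINE='^[[:space:]]*password[[:space:]]+[^[:space:]#]+[[:space:]]+pam_pwhistory\.so'
PWQ_LINE='^[[:space:]]*password[[:space:]]+[^[:space:]#]+[[:space:]]+pam_pwquality\.so'

# Print the first pwhistory line of the PAM file $1 (nothing if absent).
pwhistory_line() {
    grep -E "$PWH_LINE" "$1" | head -n 1
}

# Print the N of "remember=N" from a PAM line on stdin (nothing if absent).
pwhistory_remember() {
    grep -oE '(^|[[:space:]])remember=[0-9]+' | sed 's/.*remember=//'
}

# Return 0 if $1 has a pwhistory line whose control (second column) is one of
# the comma-separated flags in $2 and whose remember=N satisfies N >= $3.
pwhistory_check() {
    local file=$1 allowed=$2 min=$3 line flag remember
    line=$(pwhistory_line "$file")
    [ -n "$line" ] || return 1
    flag=$(printf '%s\n' "$line" | awk '{print $2}')
    case ",$allowed," in
        *",$flag,"*) ;;
        *) return 1 ;;
    esac
    remember=$(printf '%s\n' "$line" | pwhistory_remember)
    [ -n "$remember" ] || return 1
    [ "$remember" -ge "$min" ]
}

# Make $1 pass pwhistory_check. The first flag in $2 is written only when the
# line is missing or carries a flag outside the list; a line that already uses
# any listed flag keeps it, so the remediation is a no-op on a compliant file.
pwhistory_remediate() {
    local file=$1 allowed=$2 min=$3 line flag remember
    local first=${allowed%%,*}
    pwhistory_check "$file" "$allowed" "$min" && return 0
    line=$(pwhistory_line "$file")
    if [ -z "$line" ]; then
        # Insert after pam_pwquality.so when present, otherwise append.
        if grep -qE "$PWQ_LINE" "$file"; then
            sed -i -E "/$PWQ_LINE/a password    $first     pam_pwhistory.so remember=$min use_authtok" "$file"
        else
            printf 'password    %s     pam_pwhistory.so remember=%s use_authtok\n' "$first" "$min" >>"$file"
        fi
        return 0
    fi
    flag=$(printf '%s\n' "$line" | awk '{print $2}')
    case ",$allowed," in
        *",$flag,"*) ;;
        *) sed -i -E "s/^([[:space:]]*password[[:space:]]+)[^[:space:]#]+([[:space:]]+pam_pwhistory\.so)/\1$first\2/" "$file" ;;
    esac
    remember=$(printf '%s\n' "$line" | pwhistory_remember)
    if [ -z "$remember" ]; then
        sed -i -E "/$PWH_LINE/ s/\$/ remember=$min/" "$file"
    elif [ "$remember" -lt "$min" ]; then
        sed -i -E "/$PWH_LINE/ s/([[:space:]])remember=[0-9]+/\1remember=$min/" "$file"
    fi
}

# Demo on a constructed file: the second listed flag is compliant and the
# remediation leaves it untouched.
demo=$(mktemp)
printf 'password    requisite    pam_pwquality.so try_first_pass retry=3\n' >"$demo"
printf 'password    requisite    pam_pwhistory.so remember=5 use_authtok\n' >>"$demo"
printf 'password    sufficient   pam_unix.so sha512 shadow use_authtok\n' >>"$demo"
if pwhistory_check "$demo" "required,requisite" 5; then
    echo "compliant: $(pwhistory_line "$demo")"
fi
pwhistory_remediate "$demo" "required,requisite" 5
rm -f "$demo"
```

The check matches the control flag against the whole list, so `requisite` is accepted when the variable is `required,requisite`; the remediation only reaches for the first element when it has to create the line or replace a flag that is not in the list, and it raises `remember` only when the current value is below the minimum. Run `pwhistory_remediate /etc/pam.d/system-auth required,requisite 5` twice on a copy of a real file: the second run changes nothing.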
I have successfully tested all the impacted rules. There are only some comments about wording where I think we can improve the experience for the readers. Also, it would be good to rebase this PR so we can run all the tests considering the updates and fixes (#9141) on relevant macros. I wouldn't say these points are blockers to merge this PR, but I also think it is a good moment to tackle them. @Xeicker, could you take a look and share your thoughts, please?
Now it allows multiple values, since for ol8 the flags requisite and required comply with desired behavior. For accounts_password_pam_pwhistory_remember_system_auth and accounts_password_pam_pwhistory_remember_password_auth, update ansible and bash to work with this approach
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>

Update tests in accounts_password_pam_pwhistory_remember_system_auth and accounts_password_pam_pwhistory_remember_password_auth to cover multiple possible control flags possibility and update ansible to
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>

Update accounts_password_pam_pwhistory_remember_system_auth stig id to comply with DISA's OL8 v1r2 stig profile. Also update the description and ocil to match their behavior
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>

Rethink tests in accounts_password_pam_pwhistory_remember_password_auth & accounts_password_pam_pwhistory_remember_system_auth to use authselect whenever the tool is available for the OS
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
force-pushed from 04d5bbd to 64e2ad9
Code Climate has analyzed commit 64e2ad9 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 42.7% (0.0% change).
@jan-cerny, there are changes requested by you which seem to be already addressed in this PR. Could you update your review, please?
All reviewer comments have been addressed.
Description:
- `var_password_pam_remember_control_flag` to allow multiple values
- `var_password_pam_remember_control_flag`
- `bash_ensure_pam_module_options` to cover all possible scenarios

Rationale: