
Review and improve sssd_enable_smartcards rule #9145

Merged

Conversation

marcusburghardt
Member

Description:

This rule was reviewed using the current documentation and authselect profiles as reference.
It was noticed that this rule was not properly assessing whether smartcards were enabled or not.
While fixing this and expanding the test scenarios more issues were fixed:

  • There were too many conditions in the OVAL criteria, creating complexity and causing unexpected assessment results. For example, the sssd service was checked, while this is not in the scope of this rule. There is the service_sssd_enabled rule for this. In addition, this service check was causing different behavior when comparing RHEL7 and RHEL8-9.
  • Another test for file existence was removed. It was not necessary since another test was already checking the file content and implicitly ensuring the file exists.
  • A new state was included for testing the "smartcard-auth" file.

Finally, all remediations and test scenarios were updated to reflect the recommended approach to enable smartcards.

Rationale:

The OVAL was more complex than necessary and unexpectedly behaved differently based on the sssd service status, which is not in the scope of this rule.
The authselect feature was used instead of directly editing PAM files, making the remediation much safer and easier.

References:

More information:

The new approach suggested in this rule may differ from the current benchmarks. However, since it seems the correct approach, the second step would be to discuss with the relevant benchmarks maintainers to recommend this update.

To properly enable smartcards, two pam_sss.so lines are necessary in the
auth group of system-auth file. Following the implementation recommended
by authselect as reference, these two lines have different parameters
and different controls. Also, it is not expected that the smartcard-auth
file has the same content of system-auth file.
Updated the bash remediation to use PAM macros and enable smartcard by
enabling the "with-smartcard" authselect feature where authselect is
present. Where authselect is not present, the new PAM macros are used
to properly edit PAM files.
Updated the remediation to use PAM macros to enable authselect feature
and to properly edit PAM files where authselect is not present.
The existing test scenario scripts were reviewed, new test scenarios
were included to check case insensitivity of /etc/sssd/sssd.conf file
and some scripts were removed or replaced to keep names aligned to the
cases covering authselect feature and PAM files changes.
The system-auth and smartcard-auth PAM files have different content in a
proper implementation with smartcard enabled. The OVAL assessment was
properly updated to differentiate the requirements of these two files.
The check conditionals were reviewed and updated to avoid false positives
where the file exists but is not compliant. The service check was removed
since it is not expected in this rule. Therefore, unnecessary checks were removed.
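An added Python checker (not code from the project, the PR, or its OVAL) that mirrors the assessment described above: the sssd.conf key is matched case-insensitively, each PAM file is held to its own control and option, and a bracketed PAM control is kept as one token. The file contents are constructed samples.

```python
import re
from typing import List, Optional, Tuple

# Expected pam_sss.so lines per file, following the authselect "with-smartcard"
# layout the pull request describes: the two files have different controls
# and different options, so each file is assessed against its own expectation.
EXPECTED = {
    "smartcard-auth": ("sufficient", "allow_missing_name"),
    "system-auth": ("[success=done authinfo_unavail=ignore ignore=ignore default=die]",
                    "try_cert_auth"),
}


def parse_pam_line(line: str) -> Optional[Tuple[str, str, str, List[str]]]:
    """Split a pam.d line into (type, control, module, options).

    A control may be a bracketed action list that contains spaces, so a plain
    str.split() would cut it apart; the regex keeps it as one token.
    """
    line = line.split("#", 1)[0].strip()
    m = re.match(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
    if not m:
        return None
    ptype, control, module, rest = m.groups()
    # Normalise whitespace inside a bracketed control for exact comparison.
    return ptype.lstrip("-"), " ".join(control.split()), module, rest.split()


def check_pam_file(name: str, content: Optional[str]) -> List[str]:
    """Return findings for one PAM file; an empty list means it is compliant."""
    control, option = EXPECTED[name]
    if content is None:
        return [f"{name}: file does not exist"]
    sss_lines = [p for p in map(parse_pam_line, content.splitlines())
                 if p and p[0] == "auth" and p[2] == "pam_sss.so"]
    if not sss_lines:
        return [f"{name}: no 'auth ... pam_sss.so' line"]
    if any(ctl == control and option in opts for _, ctl, _, opts in sss_lines):
        return []
    # The file exists and mentions pam_sss.so, but not with the expected
    # control/option pair: this is the false-positive case the PR closes.
    return [f"{name}: pam_sss.so present but not '{control}' with '{option}'"]


def sssd_pam_cert_auth_enabled(sssd_conf: Optional[str]) -> bool:
    """True when [pam] sets pam_cert_auth = True (section, key, value case-insensitive)."""
    if sssd_conf is None:
        return False
    section = None
    for raw in sssd_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "pam" and "=" in line:
            key, value = (s.strip().lower() for s in line.split("=", 1))
            if key == "pam_cert_auth":
                return value == "true"
    return False


def assess(sssd_conf: Optional[str], smartcard_auth: Optional[str],
           system_auth: Optional[str]) -> List[str]:
    """Assess the three inputs; an empty list means the rule passes."""
    findings = []
    if not sssd_pam_cert_auth_enabled(sssd_conf):
        findings.append("sssd.conf: pam_cert_auth is not True in [pam]")
    findings += check_pam_file("smartcard-auth", smartcard_auth)
    findings += check_pam_file("system-auth", system_auth)
    return findings


# Constructed sample contents (not taken from a real system).
SSSD_CONF_OK = "[sssd]\nservices = nss, pam\n\n[PAM]\nPam_Cert_Auth = TRUE\n"
SMARTCARD_AUTH_OK = ("auth  required    pam_env.so\n"
                     "auth  sufficient  pam_sss.so allow_missing_name\n"
                     "auth  required    pam_deny.so\n")
SYSTEM_AUTH_OK = ("auth  required    pam_env.so\n"
                  "auth  [success=done authinfo_unavail=ignore ignore=ignore default=die]"
                  " pam_sss.so try_cert_auth\n"
                  "auth  sufficient  pam_unix.so nullok\n"
                  "auth  required    pam_deny.so\n")
# Pre-authselect style line: right module and option, but not the expected control.
SYSTEM_AUTH_OLD = ("auth  sufficient  pam_sss.so try_cert_auth\n"
                   "auth  required    pam_deny.so\n")
```

Calling `assess(SSSD_CONF_OK, SMARTCARD_AUTH_OK, SYSTEM_AUTH_OLD)` reports only system-auth, which is the "file exists but is not compliant" case the old OVAL missed.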
@marcusburghardt marcusburghardt added STIG STIG Benchmark related. Ansible Ansible remediation update. Bash Bash remediation update. OVAL OVAL update. Related to the systems assessments. enhancement General enhancements to the project. labels Jul 14, 2022
@github-actions

This datastream diff is auto generated by the check Compare DS/Generate Diff

OVAL definition oval:ssg-sssd_enable_smartcards:def:1 differs:
--- old datastream
+++ new datastream
- criteria OR
- criteria OR
- extend_definition oval:ssg-service_sssd_disabled:def:1
- extend_definition oval:ssg-sssd_conf_exists:def:1
+ criterion oval:ssg-test_sssd_enable_smartcards_allow_missing_name_smartcard_auth:tst:1
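Review bot: with `extend_definition oval:ssg-service_sssd_disabled:def:1` removed from the OR criteria, a host where sssd is disabled no longer passes this definition, which matches the stated intent. The added criterion `oval:ssg-test_sssd_enable_smartcards_allow_missing_name_smartcard_auth:tst:1` only covers the smartcard-auth option, while the OCIL also expects `try_cert_auth` with the bracketed control in system-auth; confirm the definition carries a matching system-auth criterion (not visible in this diff) so both files are assessed.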
OCIL for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs:
--- old datastream
+++ new datastream
@@ -4,6 +4,12 @@
 pam_cert_auth = True
 
 
-$ sudo grep cert_auth /etc/sssd/sssd.conf /etc/pam.d/*
+To verify that smart cards are enabled in PAM files, run the following command:
+$ sudo grep -e "auth.*pam_sss.so.*\(allow_missing_name\|try_cert_auth\)" /etc/pam.d/smartcard-auth /etc/pam.d/system-auth
+If configured properly, output should be
+
+/etc/pam.d/smartcard-auth:auth sufficient pam_sss.so allow_missing_name
+/etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
+
 Is it the case that smart cards are not enabled in SSSD?
 
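Review bot: the alternation `\(allow_missing_name\|try_cert_auth\)` is applied to both files, so a system-auth line carrying `allow_missing_name` or a smartcard-auth line carrying `try_cert_auth` also matches, and an auditor who only checks for non-empty output would accept the wrong layout; state that the output must match the two lines shown exactly (file, control and option), and escape the dot in `pam_sss\.so` while at it.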
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs:
--- old datastream
+++ new datastream
@@ -31,85 +31,45 @@
 
 if [ -f /usr/bin/authselect ]; then
 if authselect check; then
- 
+ if ! authselect check; then
+ echo "
+ authselect integrity check failed. Remediation aborted!
+ This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+ It is not recommended to manually edit the PAM files when authselect tool is available.
+ In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+ exit 1
+ fi
 authselect enable-feature with-smartcard
- 
- authselect apply-changes -b --backup=after-pwhistory-hardening.backup
- else
- echo "
-authselect integrity check failed. Remediation aborted!
-This remediation could not be applied because the authselect profile is not intact.
-It is not recommended to manually edit the PAM files when authselect is available.
-In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
- false
+
+ authselect apply-changes -b
 fi
 else
- if [ -e "/etc/pam.d/smartcard-auth" ] ; then
- valueRegex="" defaultValue=""
- # non-empty values need to be preceded by an equals sign
- [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
- # add an equals sign to non-empty values
- [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
-
- # fix 'type' if it's wrong
- if grep -q -P "^\\s*(?"'!'"auth\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_sss.so" < "/etc/pam.d/smartcard-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_sss.so)/\\1auth\\2/" "/etc/pam.d/smartcard-auth"
+ if ! grep -qP '^\s*auth\s+'"sufficient"'\s+pam_sss.so\s*.*' "/etc/pam.d/smartcard-auth"; then
+ # Line matching group + control + module was not found. Check group + module.
+ if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/smartcard-auth")" -eq 1 ]; then
+ # The control is updated only if one single line matches.
+ sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_sss.so.*)/\1'"sufficient"' \2/' "/etc/pam.d/smartcard-auth"
+ else
+ echo 'auth '"sufficient"' pam_sss.so' >> "/etc/pam.d/smartcard-auth"
+ fi
 fi
-
- # fix 'control' if it's wrong
- if grep -q -P "^\\s*auth\\s+(?"'!'"sufficient)[[:alnum:]]+\\s+pam_sss.so" < "/etc/pam.d/smartcard-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+)[[:alnum:]]+(\\s+pam_sss.so)/\\1sufficient\\2/" "/etc/pam.d/smartcard-auth"
+ # Check the option
+ if ! grep -qP '^\s*auth\s+'"sufficient"'\s+pam_sss.so\s*.*\sallow_missing_name\b' "/etc/pam.d/smartcard-auth"; then
+ sed -i -E --follow-symlinks '/\s*auth\s+'"sufficient"'\s+pam_sss.so.*/ s/$/ allow_missing_name/' "/etc/pam.d/smartcard-auth"
 fi
-
- # fix the value for 'option' if one exists but does not match 'valueRegex'
- if grep -q -P "^\\s*auth\\s+sufficient\\s+pam_sss.so(\\s.+)?\\s+try_cert_auth(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/smartcard-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+sufficient\\s+pam_sss.so(\\s.+)?\\s)try_cert_auth=[^[:space:]]*/\\1try_cert_auth${defaultValue}/" "/etc/pam.d/smartcard-auth"
-
- # add 'option=default' if option is not set
- elif grep -q -E "^\\s*auth\\s+sufficient\\s+pam_sss.so" < "/etc/pam.d/smartcard-auth" &&
- grep -E "^\\s*auth\\s+sufficient\\s+pam_sss.so" < "/etc/pam.d/smartcard-auth" | grep -q -E -v "\\stry_cert_auth(=|\\s|\$)" ; then
-
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+sufficient\\s+pam_sss.so[^\\n]*)/\\1 try_cert_auth${defaultValue}/" "/etc/pam.d/smartcard-auth"
- # add a new entry if none exists
- elif ! grep -q -P "^\\s*auth\\s+sufficient\\s+pam_sss.so(\\s.+)?\\s+try_cert_auth${valueRegex}(\\s|\$)" < "/etc/pam.d/smartcard-auth" ; then
- echo "auth sufficient pam_sss.so try_cert_auth${defaultValue}" >> "/etc/pam.d/smartcard-auth"
+ if ! grep -qP '^\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so\s*.*' "/etc/pam.d/system-auth"; then
+ # Line matching group + control + module was not found. Check group + module.
+ if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then
+ # The control is updated only if one single line matches.
+ sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_sss.so.*)/\1'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"' \2/' "/etc/pam.d/system-auth"
+ else
+ echo 'auth '"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"' pam_sss.so' >> "/etc/pam.d/system-auth"
+ fi
 fi
-else
- echo "/etc/pam.d/smartcard-auth doesn't exist" >&2
-fi
- if [ -e "/etc/pam.d/system-auth" ] ; then
- valueRegex="" defaultValue=""
- # non-empty values need to be preceded by an equals sign
- [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
- # add an equals sign to non-empty values
- [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
-
- # fix 'type' if it's wrong
- if grep -q -P "^\\s*(?"'!'"auth\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_sss.so" < "/etc/pam.d/system-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_sss.so)/\\1auth\\2/" "/etc/pam.d/system-auth"
+ # Check the option
+ if ! grep -qP '^\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so\s*.*\stry_cert_auth\b' "/etc/pam.d/system-auth"; then
+ sed -i -E --follow-symlinks '/\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so.*/ s/$/ try_cert_auth/' "/etc/pam.d/system-auth"
 fi
-
- # fix 'control' if it's wrong
- if grep -q -P "^\\s*auth\\s+(?"'!'"sufficient)[[:alnum:]]+\\s+pam_sss.so" < "/etc/pam.d/system-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+)[[:alnum:]]+(\\s+pam_sss.so)/\\1sufficient\\2/" "/etc/pam.d/system-auth"
- fi
-
- # fix the value for 'option' if one exists but does not match 'valueRegex'
- if grep -q -P "^\\s*auth\\s+sufficient\\s+pam_sss.so(\\s.+)?\\s+try_cert_auth(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/system-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+sufficient\\s+pam_sss.so(\\s.+)?\\s)try_cert_auth=[^[:space:]]*/\\1try_cert_auth${defaultValue}/" "/etc/pam.d/system-auth"
-
- # add 'option=default' if option is not set
- elif grep -q -E "^\\s*auth\\s+sufficient\\s+pam_sss.so" < "/etc/pam.d/system-auth" &&
- grep -E "^\\s*auth\\s+sufficient\\s+pam_sss.so" < "/etc/pam.d/system-auth" | grep -q -E -v "\\stry_cert_auth(=|\\s|\$)" ; then
-
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+sufficient\\s+pam_sss.so[^\\n]*)/\\1 try_cert_auth${defaultValue}/" "/etc/pam.d/system-auth"
- # add a new entry if none exists
- elif ! grep -q -P "^\\s*auth\\s+sufficient\\s+pam_sss.so(\\s.+)?\\s+try_cert_auth${valueRegex}(\\s|\$)" < "/etc/pam.d/system-auth" ; then
- echo "auth sufficient pam_sss.so try_cert_auth${defaultValue}" >> "/etc/pam.d/system-auth"
- fi
-else
- echo "/etc/pam.d/system-auth doesn't exist" >&2
-fi
 fi
 
 else
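Review bot: the added `if ! authselect check; then ... exit 1; fi` is nested inside the unchanged `if authselect check; then` at the top of the hunk, so it can never run; with the old `else` branch (message plus `false`) removed, a failing integrity check now makes the remediation skip silently. Drop the outer `if` or move the abort into its `else`. Also, the `[ -e "/etc/pam.d/..." ]` guards were removed from the direct-edit branch, so `grep`/`sed` now error on a missing file and the `echo ... >>` creates it containing only the pam_sss.so line.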

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs:
--- old datastream
+++ new datastream
@@ -81,51 +81,7 @@
 - no_reboot_needed
 - sssd_enable_smartcards
 
-- name: Check for expected pam_sss.so entry in system-auth
- ansible.builtin.lineinfile:
- path: /etc/pam.d/system-auth
- create: false
- regexp: ^\s*auth.*sufficient.*pam_sss\.so.*try_cert_auth.*$
- state: absent
- check_mode: true
- changed_when: false
- register: result_pam_try_cert_auth_present_system_auth
- when:
- - '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- tags:
- - CCE-80909-5
- - DISA-STIG-RHEL-08-020250
- - configure_strategy
- - low_complexity
- - medium_disruption
- - medium_severity
- - no_reboot_needed
- - sssd_enable_smartcards
-
-- name: Check for expected pam_sss.so entry in smartcard-auth
- ansible.builtin.lineinfile:
- path: /etc/pam.d/smartcard-auth
- create: false
- regexp: ^\s*auth.*sufficient.*pam_sss\.so.*try_cert_auth.*$
- state: absent
- check_mode: true
- changed_when: false
- register: result_pam_try_cert_auth_present_smartcard_auth
- when:
- - '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- tags:
- - CCE-80909-5
- - DISA-STIG-RHEL-08-020250
- - configure_strategy
- - low_complexity
- - medium_disruption
- - medium_severity
- - no_reboot_needed
- - sssd_enable_smartcards
-
-- name: Check if system relies on authselect
+- name: Enable Smartcards in SSSD - Check if system relies on authselect
 ansible.builtin.stat:
 path: /usr/bin/authselect
 register: result_authselect_present
@@ -142,66 +98,58 @@
 - no_reboot_needed
 - sssd_enable_smartcards
 
-- name: Remediation where authselect tool is present
+- name: Enable Smartcards in SSSD - Remediate using authselect
 block:
 
- - name: Check the integrity of the current authselect profile
+ - name: Enable Smartcards in SSSD - Check integrity of authselect current profile
 ansible.builtin.command:
 cmd: authselect check
 register: result_authselect_check_cmd
 changed_when: false
 ignore_errors: true
 
- - name: Informative message based on the authselect integrity check result
+ - name: Enable Smartcards in SSSD - Informative message based on the authselect
+ integrity check result
 ansible.builtin.assert:
 that:
 - result_authselect_check_cmd is success
 fail_msg:
 - authselect integrity check failed. Remediation aborted!
- - This remediation could not be applied because the authselect profile is not
- intact.
- - It is not recommended to manually edit the PAM files when authselect is available.
+ - This remediation could not be applied because an authselect profile was not
+ selected or the selected profile is not intact.
+ - It is not recommended to manually edit the PAM files when authselect tool
+ is available.
 - In cases where the default authselect profile does not cover a specific demand,
 a custom authselect profile is recommended.
 success_msg:
 - authselect integrity check passed
 
- - name: Get authselect current profile
- ansible.builtin.shell:
- cmd: authselect current -r | awk '{ print $1 }'
- register: result_authselect_profile
- changed_when: false
- when:
- - result_authselect_check_cmd is success
-
- - name: Get authselect current features
+ - name: Enable Smartcards in SSSD - Get authselect current features
 ansible.builtin.shell:
 cmd: authselect current | tail -n+3 | awk '{ print $2 }'
 register: result_authselect_features
 changed_when: false
 when:
 - result_authselect_check_cmd is success
- - result_authselect_profile is not skipped
-
- - name: Ensure smartcards are enabled via authselect tool
+
+ - name: Enable Smartcards in SSSD - Ensure "with-smartcard" feature is enabled using
+ authselect tool
 ansible.builtin.command:
 cmd: authselect enable-feature with-smartcard
+ register: result_authselect_enable_feature_cmd
 when:
 - result_authselect_check_cmd is success
 - result_authselect_features.stdout is not search("with-smartcard")
- - result_authselect_profile is not skipped
-
- - name: Ensure the custom profile changes are applied
+
+ - name: Enable Smartcards in SSSD - Ensure authselect changes are applied
 ansible.builtin.command:
- cmd: authselect apply-changes -b --backup=after-pwhistory-hardening.backup
- when:
- - result_authselect_check_cmd is success
- - result_authselect_profile is not skipped
- when:
- - '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - (result_pam_try_cert_auth_present_smartcard_auth.found == 0) or (result_pam_try_cert_auth_present_system_auth.found
- == 0)
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_enable_feature_cmd is not skipped
+ - result_authselect_enable_feature_cmd is success
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - result_authselect_present.stat.exists
 tags:
 - CCE-80909-5
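Review bot: `result_authselect_features.stdout is not search("with-smartcard")` is a substring match, so a profile where a feature whose name merely starts with that string is enabled (the sssd profile also ships `with-smartcard-required` and `with-smartcard-lock-on-removal`) would be treated as already having `with-smartcard` and `enable-feature` would be skipped; anchor the match to a whole line, e.g. `search("^with-smartcard$", multiline=True)`. Gating `apply-changes` on `result_authselect_enable_feature_cmd` is a good idempotency fix.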
@@ -213,48 +161,164 @@
 - no_reboot_needed
 - sssd_enable_smartcards
 
-- name: Remediation where authselect tool is not present and PAM files are directly
- edited
+- name: Enable Smartcards in SSSD - Remediate by directly editing PAM files
 block:
 
- - name: Ensure the desired configuration is present in the custom profile smartcard-auth
- ansible.builtin.lineinfile:
- create: true
- dest: /etc/pam.d/smartcard-auth
- insertbefore: ^session.*
- firstmatch: true
- regexp: ^(\s*auth.*pam_sss\.so)$
- line: auth sufficient pam_sss.so try_cert_auth
-
- - name: Ensure the desired configuration is present in the custom profile system-auth
- ansible.builtin.lineinfile:
- create: true
- dest: /etc/pam.d/system-auth
- insertbefore: ^session.*
- firstmatch: true
- regexp: ^(\s*auth.*pam_sss\.so)$
- line: auth sufficient pam_sss.so try_cert_auth
-
- - name: Ensure the try_cert_auth option is in smartcard-auth
- ansible.builtin.replace:
- dest: /etc/pam.d/smartcard-auth
- regexp: ^(auth.*sufficient.*pam_sss\.so)((?!try_cert_auth).)*$
- replace: \g<1> try_cert_auth \g<2>
- when:
- - result_pam_try_cert_auth_present_smartcard_auth.found == 0
-
- - name: Ensure the try_cert_auth option is in system-auth
- ansible.builtin.replace:
- dest: /etc/pam.d/system-auth
- regexp: ^(auth.*sufficient.*pam_sss\.so)((?!try_cert_auth).)*$
- replace: \g<1> try_cert_auth \g<2>
- when:
- - result_pam_try_cert_auth_present_system_auth.found == 0
- when:
- - '"sssd-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - (result_pam_try_cert_auth_present_smartcard_auth.found == 0) or (result_pam_try_cert_auth_present_system_auth.found
- == 0)
+ - name: Enable Smartcards in SSSD - Check if expected PAM module line is present
+ in /etc/pam.d/smartcard-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/smartcard-auth
+ regexp: ^\s*auth\s+sufficient\s+pam_sss.so\s*.*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_present
+
+ - name: Enable Smartcards in SSSD - Include or update the PAM module line in /etc/pam.d/smartcard-auth
+ block:
+
+ - name: Enable Smartcards in SSSD - Check if required PAM module line is present
+ in /etc/pam.d/smartcard-auth with different control
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/smartcard-auth
+ regexp: ^\s*auth\s+.*\s+pam_sss.so\s*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_other_control_present
+
+ - name: Enable Smartcards in SSSD - Ensure the correct control for the required
+ PAM module line in /etc/pam.d/smartcard-auth
+ ansible.builtin.replace:
+ dest: /etc/pam.d/smartcard-auth
+ regexp: ^(\s*auth\s+).*(\bpam_sss.so.*)
+ replace: \1sufficient \2
+ register: result_pam_module_edit
+ when:
+ - result_pam_line_other_control_present.found == 1
+
+ - name: Enable Smartcards in SSSD - Ensure the required PAM module line is included
+ in /etc/pam.d/smartcard-auth
+ ansible.builtin.lineinfile:
+ dest: /etc/pam.d/smartcard-auth
+ line: auth sufficient pam_sss.so
+ register: result_pam_module_add
+ when:
+ - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
+ > 1
+
+ - name: Enable Smartcards in SSSD - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
+ - (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
+ is defined and result_pam_module_edit.changed)
+ when:
+ - result_pam_line_present.found is defined
+ - result_pam_line_present.found == 0
+
+ - name: Enable Smartcards in SSSD - Check if the required PAM module option is present
+ in /etc/pam.d/smartcard-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/smartcard-auth
+ regexp: ^\s*auth\s+sufficient\s+pam_sss.so\s*.*\sallow_missing_name\b
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_module_allow_missing_name_option_present
+
+ - name: Enable Smartcards in SSSD - Ensure the "allow_missing_name" PAM option for
+ "pam_sss.so" is included in /etc/pam.d/smartcard-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/smartcard-auth
+ backrefs: true
+ regexp: ^(\s*auth\s+sufficient\s+pam_sss.so.*)
+ line: \1 allow_missing_name
+ state: present
+ register: result_pam_allow_missing_name_add
+ when:
+ - result_pam_module_allow_missing_name_option_present.found == 0
+
+ - name: Enable Smartcards in SSSD - Check if expected PAM module line is present
+ in /etc/pam.d/system-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/system-auth
+ regexp: ^\s*auth\s+\[success=done authinfo_unavail=ignore ignore=ignore default=die\]\s+pam_sss.so\s*.*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_present
+
+ - name: Enable Smartcards in SSSD - Include or update the PAM module line in /etc/pam.d/system-auth
+ block:
+
+ - name: Enable Smartcards in SSSD - Check if required PAM module line is present
+ in /etc/pam.d/system-auth with different control
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/system-auth
+ regexp: ^\s*auth\s+.*\s+pam_sss.so\s*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_other_control_present
+
+ - name: Enable Smartcards in SSSD - Ensure the correct control for the required
+ PAM module line in /etc/pam.d/system-auth
+ ansible.builtin.replace:
+ dest: /etc/pam.d/system-auth
+ regexp: ^(\s*auth\s+).*(\bpam_sss.so.*)
+ replace: \1\[success=done authinfo_unavail=ignore ignore=ignore default=die\]
+ \2
+ register: result_pam_module_edit
+ when:
+ - result_pam_line_other_control_present.found == 1
+
+ - name: Enable Smartcards in SSSD - Ensure the required PAM module line is included
+ in /etc/pam.d/system-auth
+ ansible.builtin.lineinfile:
+ dest: /etc/pam.d/system-auth
+ line: auth \[success=done authinfo_unavail=ignore ignore=ignore default=die\] pam_sss.so
+ register: result_pam_module_add
+ when:
+ - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
+ > 1
+
+ - name: Enable Smartcards in SSSD - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when:
+ - result_authselect_present.stat.exists
+ - (result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit
+ is defined and result_pam_module_edit.changed)
+ when:
+ - result_pam_line_present.found is defined
+ - result_pam_line_present.found == 0
+
+ - name: Enable Smartcards in SSSD - Check if the required PAM module option is present
+ in /etc/pam.d/system-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/system-auth
+ regexp: ^\s*auth\s+\[success=done authinfo_unavail=ignore ignore=ignore default=die\]\s+pam_sss.so\s*.*\stry_cert_auth\b
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_module_try_cert_auth_option_present
+
+ - name: Enable Smartcards in SSSD - Ensure the "try_cert_auth" PAM option for "pam_sss.so"
+ is included in /etc/pam.d/system-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/system-auth
+ backrefs: true
+ regexp: ^(\s*auth\s+\[success=done authinfo_unavail=ignore ignore=ignore default=die\]\s+pam_sss.so.*)
+ line: \1 try_cert_auth
+ state: present
+ register: result_pam_try_cert_auth_add
+ when:
+ - result_pam_module_try_cert_auth_option_present.found == 0
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - not result_authselect_present.stat.exists
 tags:
 - CCE-80909-5
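Review bot: the two "Ensure the required PAM module line is included" tasks replace the old `lineinfile` tasks that used `insertbefore: ^session.*`, but they have no `insertbefore`/`insertafter`, so when no pam_sss.so line exists the new line is appended at the end of the file, after the account/password/session stacks and any closing `auth required pam_deny.so`; PAM walks the auth stack in file order and a `required` failure earlier in the stack is not overridden by a later `sufficient` or `success=done` result, so an appended line would not take effect. Restore an `insertbefore` (the old `^session.*`, or the `pam_deny.so` auth line). Minor: both files register into the same names (`result_pam_line_present`, `result_pam_module_edit`, `result_pam_module_add`); per-file names would make the `is defined and ... changed` conditions easier to follow.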

@jan-cerny jan-cerny self-assigned this Jul 14, 2022
@jan-cerny jan-cerny added this to the 0.1.63 milestone Jul 14, 2022
"/etc/pam.d/system-auth" and "/etc/pam.d/smartcard-auth" files based on the following
examples:
/etc/pam.d/smartcard-auth:auth sufficient pam_sss.so try_cert_auth
{{% if product in ["ol8", "rhel8", "rhel9"] %}}
Collaborator

How about Fedora? Should it be on the list? Usually the changes are introduced to RHEL via Fedora so it's worth checking if Fedora also has it.

Member Author

Good point @jan-cerny . This also works for Fedora and we can include it in the list. I will update the PR.

Member Author

Done

@codeclimate

codeclimate bot commented Jul 15, 2022

Code Climate has analyzed commit 18800cb and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 42.7% (0.0% change).


@openshift-ci

openshift-ci bot commented Jul 15, 2022

@marcusburghardt: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-rhcos4-high | 18800cb | link | true | /test e2e-aws-rhcos4-high |
| ci/prow/e2e-aws-rhcos4-moderate | 18800cb | link | true | /test e2e-aws-rhcos4-moderate |


@marcusburghardt marcusburghardt added Update Rule Issues or pull requests related to Rules updates. and removed enhancement General enhancements to the project. labels Jul 18, 2022
@jan-cerny jan-cerny merged commit ad92ac8 into ComplianceAsCode:master Jul 18, 2022
@marcusburghardt marcusburghardt deleted the sssd_enable_smartcards branch July 18, 2022 13:55