Ubuntu 24.04 5.3.3.4.4 Ensure pam_unix includes use_authtok #12760
Conversation
openshift-ci
bot
added
do-not-merge/work-in-progress
|
Hi @ericeberry. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: ubuntu2404 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_enabled' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_enabled
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_enabled
@@ -8,8 +8,8 @@
if [ -f "$conf_path"/unix ]; then
if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then
cp "$conf_path"/unix "$conf_path"/"$conf_name"
- sed -i '/Default: yes/a Priority: 257\
-Conflicts: unix' "$conf_path"/"$conf_name"
+ sed -i 's/Priority: [0-9]\+/Priority: 257\
+Conflicts: unix/' "$conf_path"/"$conf_name"
DEBIAN_FRONTEND=noninteractive pam-auth-update
else
echo "Not applicable - checksum of $conf_path/unix does not match the original." >&2
bash remediation for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth' differs.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
@@ -11,8 +11,8 @@
if [ -f "$conf_path"/unix ]; then
if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then
cp "$conf_path"/unix "$conf_path"/"$conf_name"
- sed -i '/Default: yes/a Priority: 257\
-Conflicts: unix' "$conf_path"/"$conf_name"
+ sed -i 's/Priority: [0-9]\+/Priority: 257\
+Conflicts: unix/' "$conf_path"/"$conf_name"
DEBIAN_FRONTEND=noninteractive pam-auth-update
else
echo "Not applicable - checksum of $conf_path/unix does not match the original." >&2 |
dodys
added
Ubuntu
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
| @@ -913,8 +913,8 @@ if [ ! -f "$conf_path"/"$conf_name" ]; then | |||
| if [ -f "$conf_path"/unix ]; then | |||
| if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then | |||
| cp "$conf_path"/unix "$conf_path"/"$conf_name" | |||
| sed -i '/Default: yes/a Priority: 257\ | |||
There was a problem hiding this comment.
This change is a fix for all rules using the bash_pam_unix_enable macro. Please add a note to the description.
|
@ericeberry One of the tests is failing, can you look into it please? https://github.com/ComplianceAsCode/content/actions/runs/12660335702/job/35281436920?pr=12760 |
Yes. I am working on that one. |
|
Code Climate has analyzed commit 038943d and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.8% (0.0% change). View more on Code Climate. |
|
|
||
| <ind:textfilecontent54_object id="obj_test_use_authtok" version="1"> | ||
| <ind:filepath>{{{ accounts_password_pam_unix_file }}}</ind:filepath> | ||
| <ind:pattern operation="pattern match">^[ \t]*password[ \t]+([^#\n\r]+)[ \t]+pam_unix\.so[ \t]+([^#\n\r]+[ \t]+)?use_authtok.*$</ind:pattern> |
There was a problem hiding this comment.
This check needs to be adjusted. The CIS rule states that the use_authok keyword should not be added to the Password-Initial section, which is correctly done in the remediation. But if omitting Password-Initial, the keyword will be added to /etc/pam.d/common-password only when the password.*pam_unix.so line is not the first on the stack.
This is the reason why the test is failing after remediation on the container.
The primary block in /etc/pam.d/common-password contains only this on the default container install:
# here are the per-package modules (the "Primary" block)
password [success=1 default=ignore] pam_unix.so obscure yescrypt
On the VM it looks like this:
# here are the per-package modules (the "Primary" block)
password requisite pam_pwquality.so retry=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
password sufficient pam_sss.so use_authtok
The test should check if there exists a preceding line that starts with password.
Description:
Rationale: