Adjust set_password_hashing_algorithm_* for RHEL 10
#12782
Merged
+20
−21
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The bash control variable was getting escaped incorrectly and causing the tests for fail. Moving to Jinja variable.
Mab879
added
Bash
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth' differs.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
@@ -5,7 +5,7 @@
PAM_FILE_PATH="/etc/pam.d/system-auth"
-CONTROL="sufficient"
+
if [ -e "$PAM_FILE_PATH" ] ; then
PAM_FILE_PATH="$PAM_FILE_PATH"
@@ -42,18 +42,18 @@
fi
- if ! grep -qP "^\s*password\s+\$CONTROL\s+pam_unix.so\s*.*" "$PAM_FILE_PATH"; then
+ if ! grep -qP "^\s*password\s+sufficient\s+pam_unix.so\s*.*" "$PAM_FILE_PATH"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
# The control is updated only if one single line matches.
- sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_unix.so.*)/\1$CONTROL \2/" "$PAM_FILE_PATH"
+ sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_unix.so.*)/\1sufficient \2/" "$PAM_FILE_PATH"
else
- echo "password $CONTROL pam_unix.so" >> "$PAM_FILE_PATH"
+ echo "password sufficient pam_unix.so" >> "$PAM_FILE_PATH"
fi
fi
# Check the option
- if ! grep -qP "^\s*password\s+\$CONTROL\s+pam_unix.so\s*.*\s$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then
- sed -i -E --follow-symlinks "/\s*password\s+\$CONTROL\s+pam_unix.so.*/ s/$/ $var_password_hashing_algorithm_pam/" "$PAM_FILE_PATH"
+ if ! grep -qP "^\s*password\s+sufficient\s+pam_unix.so\s*.*\s$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks "/\s*password\s+sufficient\s+pam_unix.so.*/ s/$/ $var_password_hashing_algorithm_pam/" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
|
|
Code Climate has analyzed commit 105a8ca and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.6% (0.0% change). View more on Code Climate. |
jan-cerny
approved these changes
Jan 10, 2025
There was a problem hiding this comment.
It fixed the failing automatus test scenarios for me.
Verified locally:
jcerny@fedora:~/work/git/scap-security-guide (pr/12782)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel10 --remediate-using ansible set_password_hashing_algorithm_passwordauth
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-01-10-1358/test_suite.log
WARNING - Script correct.pass.sh is not applicable on given platform
WARNING - Script missing.fail.sh is not applicable on given platform
WARNING - Script wrong_control.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
INFO - Script authselect_correct_value.pass.sh using profile (all) OK
INFO - Script authselect_incorrect_option.fail.sh using profile (all) OK
INFO - Script authselect_missing_option.fail.sh using profile (all) OK
INFO - Script authselect_modified_pam.fail.sh using profile (all) OK
INFO - Script authselect_multiple_options.fail.sh using profile (all) OK
INFO - Script authselect_wrong_control.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/12782)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel10 --remediate-using ansible set_password_hashing_algorithm_systemauth
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-01-10-1402/test_suite.log
WARNING - Script commented_value.fail.sh is not applicable on given platform
WARNING - Script correct.pass.sh is not applicable on given platform
WARNING - Script missing.fail.sh is not applicable on given platform
WARNING - Script wrong_control.fail.sh is not applicable on given platform
WARNING - Script wrong_value_concat.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
INFO - Script authselect_correct_value.pass.sh using profile (all) OK
INFO - Script authselect_incorrect_option.fail.sh using profile (all) OK
INFO - Script authselect_missing_option.fail.sh using profile (all) OK
INFO - Script authselect_modified_pam.fail.sh using profile (all) OK
INFO - Script authselect_multiple_options.fail.sh using profile (all) OK
INFO - Script authselect_wrong_control.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/12782)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel10 set_password_hashing_algorithm_passwordauth
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-01-10-1406/test_suite.log
WARNING - Script correct.pass.sh is not applicable on given platform
WARNING - Script missing.fail.sh is not applicable on given platform
WARNING - Script wrong_control.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
INFO - Script authselect_correct_value.pass.sh using profile (all) OK
INFO - Script authselect_incorrect_option.fail.sh using profile (all) OK
INFO - Script authselect_missing_option.fail.sh using profile (all) OK
INFO - Script authselect_modified_pam.fail.sh using profile (all) OK
INFO - Script authselect_multiple_options.fail.sh using profile (all) OK
INFO - Script authselect_wrong_control.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/12782)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel10 set_password_hashing_algorithm_systemauth
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-01-10-1408/test_suite.log
WARNING - Script commented_value.fail.sh is not applicable on given platform
WARNING - Script correct.pass.sh is not applicable on given platform
WARNING - Script missing.fail.sh is not applicable on given platform
WARNING - Script wrong_control.fail.sh is not applicable on given platform
WARNING - Script wrong_value_concat.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
INFO - Script authselect_correct_value.pass.sh using profile (all) OK
INFO - Script authselect_incorrect_option.fail.sh using profile (all) OK
INFO - Script authselect_missing_option.fail.sh using profile (all) OK
INFO - Script authselect_modified_pam.fail.sh using profile (all) OK
INFO - Script authselect_multiple_options.fail.sh using profile (all) OK
INFO - Script authselect_wrong_control.fail.sh using profile (all) OK
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
set_password_hashing_algorithm_systemauthandset_password_hashing_algorithm_passwordauthyescryptset_password_hashing_algorithm_systemauthandset_password_hashing_algorithm_passwordauthfor RHEL 10Rationale:
Fixes #12769
Review Hints:
./build_product rhel10cd tests./automatus.py rule --datastream ../build/ssg-rhel10-ds.xml --libvirt qemu:///system automatus_rhel10 set_password_hashing_algorithm_passwordauth,set_password_hashing_algorithm_systemauth