Update enable_authselect remediation on bootable containers #13131
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The `authselect` has been added into RHEL 9 bootable containers in https://issues.redhat.com/browse/RHEL-76811 but there is no default authselect profile selected and that is causing the remediation of the rule `enable_authselect` to fail: ``` [root]# authselect current No existing configuration detected. [root]# authselect select sssd No existing configuration detected. [error] File [/etc/pam.d/system-auth] exists but it needs to be overwritten! [error] File [/etc/pam.d/password-auth] exists but it needs to be overwritten! [error] File [/etc/pam.d/fingerprint-auth] exists but it needs to be overwritten! [error] File [/etc/pam.d/smartcard-auth] exists but it needs to be overwritten! [error] File [/etc/pam.d/postlogin] exists but it needs to be overwritten! [error] File [/etc/nsswitch.conf] exists but it needs to be overwritten! [error] File that needs to be overwritten was found [error] Refusing to activate profile unless this file is removed or overwrite is requested. Some unexpected changes to the configuration were detected. Use --force parameter if you want to overwrite these changes. authselect is not used but files from the 'pam' package have been altered, so the authselect configuration won't be forced. ``` Therefore, we update the remediation to run `authselect select` command with the `--force` parameter when running on a bootable container which resolves this issue.
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_enable_authselect' differs.
--- xccdf_org.ssgproject.content_rule_enable_authselect
+++ xccdf_org.ssgproject.content_rule_enable_authselect
@@ -5,7 +5,11 @@
authselect current
if test "$?" -ne 0; then
- authselect select "$var_authselect_profile"
+ if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; }; then
+ authselect select --force "$var_authselect_profile"
+ else
+ authselect select "$var_authselect_profile"
+ fi
if test "$?" -ne 0; then
if rpm --quiet --verify pam; then |
|
Code Climate has analyzed commit 8ec4bca and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 62.1% (0.0% change). View more on Code Climate. |
8000
jan-cerny
approved these changes
Mar 3, 2025
There was a problem hiding this comment.
I have built a RHEL 9 bootable container image hardened with the STIG profile using content built from this PR branch. I have deployed a VM from the built bootable container image using podman-bootc and I run a verification oscap scan. The rules that previously failed are passed in the report.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
authselecthas been added into RHEL 9 bootable containers in https://issues.redhat.com/browse/RHEL-76811 but there is no default authselect profile selected and that is causing the remediation of the ruleenable_authselectto fail:Therefore, we update the remediation to run
authselect selectcommand with the--forceparameter when running on a bootable container which resolves this issue.