Improve bash/ansible_ensure_pam_module_option macros #13405
Conversation
Make sure that bash/ansible_ensure_pam_module_option can handle the situation in which an option with a value is not set correctly. The current implementation was failing in case the PAM option (i.e. deny) is set but to an empty value, i.e. instead of `deny=5`, if we have `deny= ` or even `deny=-3`, the regex will fail to match the option.
Skipping CI for Draft Pull Request.
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs.
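To make the failure described above concrete, here is an added Python model of what the macro does on a single PAM module line: the `grep` guard decides whether the option is present, and the `sed`/`lineinfile` substitution rewrites the value. This is example code written for this page, not the project's macro; the sample lines are constructed, the `remember`/`pam_pwhistory.so` names are taken from the diff, and the `\S*` variant is an assumed alternative that the PR itself does not propose.

```python
import re

# Constructed sample lines for a pam_pwhistory.so entry (not taken from any
# real system); PREFIX mirrors the "password <control> <module>" part.
PREFIX = "password    requisite     pam_pwhistory.so"
LINES = {
    "set":      PREFIX + " remember=3 use_authtok",   # valid value already present
    "empty":    PREFIX + " remember= use_authtok",    # option present, empty value
    "negative": PREFIX + " remember=-3 use_authtok",  # option present, invalid value
    "missing":  PREFIX + " use_authtok",              # option absent
}

# Value character classes as Python regex. The bash macro uses [[:alnum:]] and
# the Ansible macro [0-9a-zA-Z]; they agree in the C locale.
OLD = "[0-9a-zA-Z]+"   # before the PR: requires at least one alphanumeric
NEW = "[0-9a-zA-Z]*"   # after the PR: also accepts an empty value
STRICT = r"\S*"        # assumed alternative (not in the PR): consume the whole token


def option_present(line, control, module, option):
    """Mirror the macro's grep guard: is <option> present as a word on the module line?"""
    guard = (r"^\s*password\s+" + re.escape(control) + r"\s+" + re.escape(module)
             + r"\s*.*\s" + re.escape(option) + r"\b")
    return re.match(guard, line) is not None


def substitute(line, control, module, option, value, value_class):
    """Mirror the sed/lineinfile substitution; return None when the regexp does not match.

    The module name is escaped here; the macro leaves the '.' in 'pam_pwhistory.so'
    unescaped, which only widens the match and does not change these results.
    """
    pattern = (r"^(\s*password\s+" + re.escape(control) + r"\s+" + re.escape(module)
               + r"\s+.*)(" + re.escape(option) + r")=" + value_class + r"\s*(.*)")
    m = re.match(pattern, line)
    if m is None:
        return None
    # Same shape as the macro's replacement: \1\2=<value> \3
    # (a trailing space is emitted when \3 is empty, exactly as the macro does).
    return f"{m.group(1)}{m.group(2)}={value} {m.group(3)}"


def ensure_pam_module_option(line, control, module, option, value, value_class):
    """Apply the macro's logic to one module line and return the resulting line.

    Branch 1: option absent  -> append "<option>=<value>".
    Branch 2: option present -> substitute; if the regexp fails to match,
              sed/lineinfile silently leave the line untouched, which is the
              defect the PR is about (the remediation reports nothing wrong).
    """
    if not option_present(line, control, module, option):
        return f"{line} {option}={value}"
    replaced = substitute(line, control, module, option, value, value_class)
    return line if replaced is None else replaced


if __name__ == "__main__":
    for name, line in LINES.items():
        for label, cls in (("old", OLD), ("new", NEW), ("strict", STRICT)):
            out = ensure_pam_module_option(line, "requisite", "pam_pwhistory.so",
                                           "remember", "5", cls)
            print(f"{name:8s} {label:6s} -> {out!r}")
```

Running it prints all twelve combinations. The `empty`/`old` row shows the original defect (the line comes back unchanged, so the remediation silently leaves `remember=` unset), `empty`/`new` shows the PR's fix, and `negative`/`new` shows what the PR does not cover: the substitution succeeds, but `-3` survives as a separate argument on the line. Only the `\S*` variant replaces the whole token.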
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
@@ -202,7 +202,7 @@
if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*\sremember\b" "$PAM_FILE_PATH"; then
sed -i -E --follow-symlinks "/\s*password\s+requisite\s+pam_pwhistory.so.*/ s/$/ remember=$var_password_pam_remember/" "$PAM_FILE_PATH"
else
- sed -i -E --follow-symlinks "s/(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember=)[[:alnum:]]+\s*(.*)/\1\2$var_password_pam_remember \3/" "$PAM_FILE_PATH"
+ sed -i -E --follow-symlinks "s/(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember=)[[:alnum:]]*\s*(.*)/\1\2$var_password_pam_remember \3/" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
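Review bot: the change from `[[:alnum:]]+` to `[[:alnum:]]*` on the `sed` line handles the empty `remember=` case but not the `remember=-3` case named in the description: `-` is outside `[[:alnum:]]`, so the class matches nothing, `\s*` matches nothing, and `-3 ...` is captured as `\3`, giving `remember=$var_password_pam_remember -3 ...` with `-3` left behind as a stray argument on the pam_pwhistory.so line. The `grep -qP ... \sremember\b` guard above already treats `remember=-3` as present, so this substitution is the only branch that runs for that input. Matching the whole token instead, e.g. `(remember=)[^[:space:]]*\s*(.*)`, would replace an invalid value rather than push it into the rest of the line.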
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
@@ -871,7 +871,7 @@
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
- regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
+ regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]*\s*(.*)
line: \1\2={{ var_password_pam_remember }} \3
register: result_pam_accounts_password_pam_pwhistory_remember_password_auth_edit
when:
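Review bot: the `regexp` has the same gap as the bash variant: `[0-9a-zA-Z]*` accepts an empty value but stops at `-`, so for `remember=-3` the `line:` expansion `\1\2={{ var_password_pam_remember }} \3` yields `remember=<n> -3 ...` with a dangling `-3`. Since `lineinfile` applies a Python regex, `(remember)=\S*\s*(.*)` would consume the whole old token and cover both the empty and the malformed value.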
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
@@ -202,7 +202,7 @@
if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*\sremember\b" "$PAM_FILE_PATH"; then
sed -i -E --follow-symlinks "/\s*password\s+requisite\s+pam_pwhistory.so.*/ s/$/ remember=$var_password_pam_remember/" "$PAM_FILE_PATH"
else
- sed -i -E --follow-symlinks "s/(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember=)[[:alnum:]]+\s*(.*)/\1\2$var_password_pam_remember \3/" "$PAM_FILE_PATH"
+ sed -i -E --follow-symlinks "s/(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember=)[[:alnum:]]*\s*(.*)/\1\2$var_password_pam_remember \3/" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
@@ -870,7 +870,7 @@
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
- regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
+ regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]*\s*(.*)
line: \1\2={{ var_password_pam_remember }} \3
register: result_pam_accounts_password_pam_pwhistory_remember_system_auth_edit
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
@@ -203,7 +203,7 @@
if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*\sremember\b" "$PAM_FILE_PATH"; then
sed -i -E --follow-symlinks "/\s*password\s+requisite\s+pam_pwhistory.so.*/ s/$/ remember=$var_password_pam_unix_remember/" "$PAM_FILE_PATH"
else
- sed -i -E --follow-symlinks "s/(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember=)[[:alnum:]]+\s*(.*)/\1\2$var_password_pam_unix_remember \3/" "$PAM_FILE_PATH"
+ sed -i -E --follow-symlinks "s/(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember=)[[:alnum:]]*\s*(.*)/\1\2$var_password_pam_unix_remember \3/" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
@@ -841,7 +841,7 @@
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
- regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
+ regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]*\s*(.*)
line: \1\2={{ var_password_pam_unix_remember }} \3
register: result_pam_accounts_password_pam_unix_remember_edit
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
@@ -58,7 +58,7 @@
if ! grep -qP "^\s*password\s+sufficient\s+pam_unix.so\s*.*\srounds\b" "$PAM_FILE_PATH"; then
sed -i -E --follow-symlinks "/\s*password\s+sufficient\s+pam_unix.so.*/ s/$/ rounds=$var_password_pam_unix_rounds/" "$PAM_FILE_PATH"
else
- sed -i -E --follow-symlinks "s/(\s*password\s+sufficient\s+pam_unix.so\s+.*)(rounds=)[[:alnum:]]+\s*(.*)/\1\2$var_password_pam_unix_rounds \3/" "$PAM_FILE_PATH"
+ sed -i -E --follow-symlinks "s/(\s*password\s+sufficient\s+pam_unix.so\s+.*)(rounds=)[[:alnum:]]*\s*(.*)/\1\2$var_password_pam_unix_rounds \3/" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
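Review bot: for `rounds=` the widened `[[:alnum:]]*` class still leaves a non-alphanumeric value in place: on `rounds=-1` the substitution produces `rounds=$var_password_pam_unix_rounds -1 ...`, so the old value remains on the pam_unix.so line as a separate argument. A `rounds` value is a plain integer, so `[^[:space:]]*` in place of `[[:alnum:]]*` would fix the empty case and also replace a malformed value.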
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
@@ -283,7 +283,7 @@
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
- regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so\s+.*)(rounds)=[0-9a-zA-Z]+\s*(.*)
+ regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so\s+.*)(rounds)=[0-9a-zA-Z]*\s*(.*)
line: \1\2={{ var_password_pam_unix_rounds }} \3
register: result_pam_accounts_password_pam_unix_rounds_password_auth_edit
when:
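Review bot: `[0-9a-zA-Z]*` in this `regexp` does not reach a `-` in the old value, so a malformed `rounds=-1` becomes `rounds={{ var_password_pam_unix_rounds }} -1 ...` after the `line:` expansion instead of being replaced. `(rounds)=\S*\s*(.*)` would consume the whole old token.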
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth
@@ -57,7 +57,7 @@
if ! grep -qP "^\s*password\s+sufficient\s+pam_unix.so\s*.*\srounds\b" "$PAM_FILE_PATH"; then
sed -i -E --follow-symlinks "/\s*password\s+sufficient\s+pam_unix.so.*/ s/$/ rounds=$var_password_pam_unix_rounds/" "$PAM_FILE_PATH"
else
- sed -i -E --follow-symlinks "s/(\s*password\s+sufficient\s+pam_unix.so\s+.*)(rounds=)[[:alnum:]]+\s*(.*)/\1\2$var_password_pam_unix_rounds \3/" "$PAM_FILE_PATH"
+ sed -i -E --follow-symlinks "s/(\s*password\s+sufficient\s+pam_unix.so\s+.*)(rounds=)[[:alnum:]]*\s*(.*)/\1\2$var_password_pam_unix_rounds \3/" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth
@@ -283,7 +283,7 @@
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
- regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so\s+.*)(rounds)=[0-9a-zA-Z]+\s*(.*)
+ regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so\s+.*)(rounds)=[0-9a-zA-Z]*\s*(.*)
line: \1\2={{ var_password_pam_unix_rounds }} \3
register: result_pam_accounts_password_pam_unix_rounds_system_auth_edit
when:
Code Climate has analyzed commit 785b8fe and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.9% (0.0% change). View more on Code Climate.
I have run automatus tests locally:
jcerny@fedora:~/work/git/scap-security-guide (pr/13405)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 sssd_enable_smartcards
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-05-05-0934/test_suite.log
WARNING - Script 'sssd_parameter_false.fail.sh' is not applicable on 'rhel9' target because its platform is 'multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4'
WARNING - Script 'sssd_parameter_missing.fail.sh' is not applicable on 'rhel9' target because its platform is 'multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4'
WARNING - Script 'sssd_parameter_missing_file.fail.sh' is not applicable on 'rhel9' target because its platform is 'multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4'
WARNING - Script 'sssd_parameter_true.pass.sh' is not applicable on 'rhel9' target because its platform is 'multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4'
INFO - xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
INFO - Script authselect_modified_pam.fail.sh using profile (all) OK
INFO - Script authselect_smartcard_disabled.fail.sh using profile (all) OK
INFO - Script authselect_smartcard_enabled.pass.sh using profile (all) OK
INFO - Script authselect_smartcard_enabled_conf_d.pass.sh using profile (all) OK
INFO - Script authselect_smartcard_enabled_lower.pass.sh using profile (all) OK
INFO - Script authselect_sssd_parameter_false.fail.sh using profile (all) OK
INFO - Script authselect_sssd_parameter_false_conf_d.fail.sh using profile (all) OK
INFO - Script authselect_sssd_parameter_missing.fail.sh using profile (all) OK
INFO - Script authselect_sssd_parameter_missing_file.fail.sh using profile (all) OK
INFO - Script sssd_parameter_missing_remove_authselect.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/13405)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible sssd_enable_smartcards
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-05-05-0939/test_suite.log
WARNING - Script 'sssd_parameter_false.fail.sh' is not applicable on 'rhel9' target because its platform is 'multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4'
WARNING - Script 'sssd_parameter_missing.fail.sh' is not applicable on 'rhel9' target because its platform is 'multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4'
WARNING - Script 'sssd_parameter_missing_file.fail.sh' is not applicable on 'rhel9' target because its platform is 'multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4'
WARNING - Script 'sssd_parameter_true.pass.sh' is not applicable on 'rhel9' target because its platform is 'multi_platform_fedora,Oracle Linux 7,Red Hat Virtualization 4'
INFO - xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
INFO - Script authselect_modified_pam.fail.sh using profile (all) OK
INFO - Script authselect_smartcard_disabled.fail.sh using profile (all) OK
INFO - Script authselect_smartcard_enabled.pass.sh using profile (all) OK
INFO - Script authselect_smartcard_enabled_conf_d.pass.sh using profile (all) OK
INFO - Script authselect_smartcard_enabled_lower.pass.sh using profile (all) OK
INFO - Script authselect_sssd_parameter_false.fail.sh using profile (all) OK
INFO - Script authselect_sssd_parameter_false_conf_d.fail.sh using profile (all) OK
INFO - Script authselect_sssd_parameter_missing.fail.sh using profile (all) OK
INFO - Script authselect_sssd_parameter_missing_file.fail.sh using profile (all) OK
INFO - Script sssd_parameter_missing_remove_authselect.fail.sh using profile (all) OK