ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Fix sssd_enable_smartcards #12600

Closed jan-cerny closed 1 week ago

jan-cerny commented 1 week ago

If authselect doesn't exist and no entry for group + control + module is present in /etc/pam.d/system-auth, the Bash remediation inserted square brackets with backslashes into system-auth. The backslashes shouldn't be inserted there.

The issue manifested when the Bash remediation is used during a build of a bootable container image.

The solution is to escape the control string only if it's part of a regular expression (in sed and grep commands), but not to escape the control string if it's used in an echo command.
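
The following is an added example, not code from this pull request or from the ComplianceAsCode remediation templates. It shows the rule stated above in a small POSIX shell script: the PAM control string is escaped only where grep and sed read it as a regular expression, while the sed replacement text and the line that gets appended use the raw control, so no backslash ever reaches the PAM file. The function names `escape_control_for_regex`, `ensure_pam_control` and `demo`, and the sample PAM lines, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the ComplianceAsCode remediation itself: keep the PAM
# control string escaped only where it is read as a regular expression.

# Prefix the regex metacharacters a PAM control can contain (the square
# brackets of "[success=done default=die]") with a backslash, for use in
# grep -E patterns and sed addresses. Plain controls such as "required"
# pass through unchanged.
escape_control_for_regex() {
    printf '%s\n' "$1" | sed 's/[][]/\\&/g'
}

# ensure_pam_control GROUP CONTROL MODULE FILE
# Same shape as the remediation described in the pull request:
#   1. if a "GROUP CONTROL MODULE" line exists, do nothing;
#   2. else if exactly one "GROUP ... MODULE" line exists, rewrite its control;
#   3. else append a new line.
# Only the grep pattern and the left-hand side of the sed s/// command see
# the escaped control; the sed replacement and the appended line use the raw
# text, so no backslash ever lands in the file.
ensure_pam_control() {
    group=$1; control=$2; module=$3; file=$4
    control_re=$(escape_control_for_regex "$control")
    ws='[[:space:]]'

    if grep -qE "^${ws}*${group}${ws}+${control_re}${ws}+${module}" "$file"; then
        return 0          # already configured, nothing to do
    fi

    if [ "$(grep -cE "^${ws}*${group}${ws}+.*${ws}+${module}" "$file")" -eq 1 ]; then
        # Rewrite the control of the single matching line. The right-hand
        # side of s/// is not a regex, so $control goes in unescaped
        # (PAM controls never contain '/', '&' or '\', which would need care).
        sed -E "s/^(${ws}*${group}${ws}+).*${ws}+(${module}.*)/\1${control} \2/" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        # Plain text output: no escaping, exactly like the corrected echo line.
        printf '%s %s %s\n' "$group" "$control" "$module" >> "$file"
    fi
}

# Self-check on a constructed PAM file (no real system files are touched):
# the file has no pam_sss.so line, so the append branch runs and the last
# line must carry plain square brackets.
demo() {
    tmp=$(mktemp)
    printf 'auth required pam_env.so\n' > "$tmp"
    ensure_pam_control auth '[success=done default=die]' pam_sss.so "$tmp"
    tail -n 1 "$tmp"
    rm -f "$tmp"
}
```

Running `demo` appends `auth [success=done default=die] pam_sss.so` to the constructed file; calling `ensure_pam_control` a second time on the same file is a no-op because the escaped control now matches in the grep pattern. The same escaping helper is used for both grep and sed because both read the control as a regular expression; the only places that must never see the escaped form are the sed replacement and the appended line, which is exactly the distinction the pull request description draws.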

github-actions[bot] commented 1 week ago

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff ```diff bash remediation for rule 'xccdf_org.ssgproject.content_rule_display_login_attempts' differs. --- xccdf_org.ssgproject.content_rule_display_login_attempts +++ xccdf_org.ssgproject.content_rule_display_login_attempts @@ -77,7 +77,9 @@ authselect apply-changes -b fi - if ! grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s*.*" "$PAM_FILE_PATH"; then + + + if ! grep -qP "^\s*session\s+\\[default=1\\]\s+pam_lastlog.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then # The control is updated only if one single line matches. @@ -92,8 +94,8 @@ fi fi # Check the option - if ! grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s*.*\sshowfailed\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "/\s*session\s+\[default=1\]\s+pam_lastlog.so.*/ s/$/ showfailed/" "$PAM_FILE_PATH" + if ! grep -qP "^\s*session\s+\\[default=1\\]\s+pam_lastlog.so\s*.*\sshowfailed\b" "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks "/\s*session\s+\\[default=1\\]\s+pam_lastlog.so.*/ s/$/ showfailed/" "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then @@ -181,7 +183,9 @@ authselect apply-changes -b fi - if ! grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s*.*" "$PAM_FILE_PATH"; then + + + if ! grep -qP "^\s*session\s+\\[default=1\\]\s+pam_lastlog.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then # The control is updated only if one single line matches. 
@@ -196,8 +200,8 @@ fi fi # Check the option - if ! grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s*.*\sshowfailed\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "/\s*session\s+\[default=1\]\s+pam_lastlog.so.*/ s/$/ showfailed/" "$PAM_FILE_PATH" + if ! grep -qP "^\s*session\s+\\[default=1\\]\s+pam_lastlog.so\s*.*\sshowfailed\b" "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks "/\s*session\s+\\[default=1\\]\s+pam_lastlog.so.*/ s/$/ showfailed/" "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs. --- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth +++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth @@ -50,7 +50,8 @@ PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b - if ! grep -qP "^\s*password\s+$var_password_pam_remember_control_flag\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then + + if ! grep -qP "^\s*password\s+\$var_password_pam_remember_control_flag\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then # The control is updated only if one single line matches. @@ -66,7 +67,8 @@ fi fi else - if ! grep -qP "^\s*password\s+$var_password_pam_remember_control_flag\s+pam_pwhistory.so\s*.*" "/etc/pam.d/password-auth"; then + + if ! grep -qP "^\s*password\s+\$var_password_pam_remember_control_flag\s+pam_pwhistory.so\s*.*" "/etc/pam.d/password-auth"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/password-auth")" -eq 1 ]; then # The control is updated only if one single line matches. 
@@ -168,6 +170,8 @@ authselect apply-changes -b fi + + if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs. --- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth +++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth @@ -50,7 +50,8 @@ PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b - if ! grep -qP "^\s*password\s+$var_password_pam_remember_control_flag\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then + + if ! grep -qP "^\s*password\s+\$var_password_pam_remember_control_flag\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then # The control is updated only if one single line matches. @@ -66,7 +67,8 @@ fi fi else - if ! grep -qP "^\s*password\s+$var_password_pam_remember_control_flag\s+pam_pwhistory.so\s*.*" "/etc/pam.d/system-auth"; then + + if ! grep -qP "^\s*password\s+\$var_password_pam_remember_control_flag\s+pam_pwhistory.so\s*.*" "/etc/pam.d/system-auth"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then # The control is updated only if one single line matches. 
@@ -168,6 +170,8 @@ authselect apply-changes -b fi + + if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember' differs. --- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember +++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember @@ -51,6 +51,7 @@ PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b + if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then @@ -67,6 +68,7 @@ fi fi else + if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "/etc/pam.d/system-auth"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then @@ -169,6 +171,8 @@ authselect apply-changes -b fi + + if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth' differs. --- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth +++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth 
@@ -34,7 +34,8 @@ authselect apply-changes -b fi - if ! grep -qP "^\s*password\s+requisite\s+pam_pwquality.so\s*.*" "$PAM_FILE_PATH"; then + +if ! grep -qP "^\s*password\s+requisite\s+pam_pwquality.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwquality.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then # The control is updated only if one single line matches. bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth' differs. --- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth +++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth @@ -34,7 +34,8 @@ authselect apply-changes -b fi - if ! grep -qP "^\s*password\s+requisite\s+pam_pwquality.so\s*.*" "$PAM_FILE_PATH"; then + +if ! grep -qP "^\s*password\s+requisite\s+pam_pwquality.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwquality.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then # The control is updated only if one single line matches. bash remediation for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth' differs. --- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth +++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth 
@@ -38,7 +38,9 @@ authselect apply-changes -b fi - if ! grep -qP "^\s*password\s+sufficient\s+pam_unix.so\s*.*" "$PAM_FILE_PATH"; then + + + if ! grep -qP "^\s*password\s+sufficient\s+pam_unix.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then # The control is updated only if one single line matches. bash remediation for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth' differs. --- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth +++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth @@ -40,7 +40,9 @@ authselect apply-changes -b fi - if ! grep -qP "^\s*password\s+$CONTROL\s+pam_unix.so\s*.*" "$PAM_FILE_PATH"; then + + + if ! grep -qP "^\s*password\s+\$CONTROL\s+pam_unix.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then # The control is updated only if one single line matches. 
@@ -50,8 +52,8 @@ fi fi # Check the option - if ! grep -qP "^\s*password\s+$CONTROL\s+pam_unix.so\s*.*\s$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "/\s*password\s+$CONTROL\s+pam_unix.so.*/ s/$/ $var_password_hashing_algorithm_pam/" "$PAM_FILE_PATH" + if ! grep -qP "^\s*password\s+\$CONTROL\s+pam_unix.so\s*.*\s$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks "/\s*password\s+\$CONTROL\s+pam_unix.so.*/ s/$/ $var_password_hashing_algorithm_pam/" "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth' differs. --- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth +++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth @@ -38,7 +38,9 @@ authselect apply-changes -b fi - if ! grep -qP "^\s*password\s+sufficient\s+pam_unix.so\s*.*" "$PAM_FILE_PATH"; then + + + if ! grep -qP "^\s*password\s+sufficient\s+pam_unix.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then # The control is updated only if one single line matches. bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth' differs. --- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth +++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth 
@@ -37,7 +37,9 @@ authselect apply-changes -b fi - if ! grep -qP "^\s*password\s+sufficient\s+pam_unix.so\s*.*" "$PAM_FILE_PATH"; then + + + if ! grep -qP "^\s*password\s+sufficient\s+pam_unix.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then # The control is updated only if one single line matches. bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs. --- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards +++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards @@ -55,6 +55,8 @@ authselect apply-changes -b else + + if ! grep -qP "^\s*auth\s+sufficient\s+pam_sss.so\s*.*" "/etc/pam.d/smartcard-auth"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/smartcard-auth")" -eq 1 ]; then 
@@ -68,13 +70,15 @@ if ! grep -qP "^\s*auth\s+sufficient\s+pam_sss.so\s*.*\sallow_missing_name\b" "/etc/pam.d/smartcard-auth"; then sed -i -E --follow-symlinks "/\s*auth\s+sufficient\s+pam_sss.so.*/ s/$/ allow_missing_name/" "/etc/pam.d/smartcard-auth" fi + + if ! grep -qP "^\s*auth\s+\[success=done authinfo_unavail=ignore ignore=ignore default=die\]\s+pam_sss.so\s*.*" "/etc/pam.d/system-auth"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then # The control is updated only if one single line matches. - sed -i -E --follow-symlinks "s/^(\s*auth\s+).*(\bpam_sss.so.*)/\1\[success=done authinfo_unavail=ignore ignore=ignore default=die\] \2/" "/etc/pam.d/system-auth" + sed -i -E --follow-symlinks "s/^(\s*auth\s+).*(\bpam_sss.so.*)/\1[success=done authinfo_unavail=ignore ignore=ignore default=die] \2/" "/etc/pam.d/system-auth" else - echo "auth \[success=done authinfo_unavail=ignore ignore=ignore default=die\] pam_sss.so" >> "/etc/pam.d/system-auth" + echo "auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so" >> "/etc/pam.d/system-auth" fi fi # Check the option ```
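
Review bot: The `\$var_password_pam_remember_control_flag` and `\$CONTROL` hunks (rules accounts_password_pam_pwhistory_remember_password_auth, accounts_password_pam_pwhistory_remember_system_auth and set_password_hashing_algorithm_systemauth) change behaviour, not just escaping: inside a double-quoted string `\$` suppresses parameter expansion, so grep now searches for the literal text `$var_password_pam_remember_control_flag` and the sed address `/\s*password\s+\$CONTROL\s+pam_unix.so.*/` can never match (a literal `$` followed by text is an impossible end-of-line anchor). The "line found" check therefore always fails and the "Check the option" step never appends the option. The escaping has to be applied to the expanded value of the control at runtime, or skipped when the control is a shell variable reference rather than a literal `[...]` string.
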
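
Review bot: The `\\[default=1\\]` hunks in display_login_attempts are behaviourally equivalent to the old `\[default=1\]` (bash collapses `\\` to `\` inside double quotes, and leaves `\[` alone), so the only visible difference is two extra blank lines; still, emitting a single backslash would keep the generated datastream stable and the diff readable. The same applies to the pwquality hunks, where `+if ! grep` lost its leading indentation and gained a blank line: that points at stray whitespace around the changed escaping logic rather than at a needed change, and it should be trimmed so the generated scripts do not churn.
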
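
Review bot: The sssd_enable_smartcards hunk is the intended fix and is consistent: the grep pattern keeps `\[success=done ... default=die\]` because it is a regex, while the sed replacement `\1[success=done authinfo_unavail=ignore ignore=ignore default=die] \2` and the echo line now carry plain brackets, neither of which is regex context. Since this branch (no `/usr/bin/authselect`, no existing pam_sss.so line in /etc/pam.d/system-auth) is where the backslashes used to land, a test scenario that starts from such a file and asserts the appended line contains no backslash would have caught the original defect and would guard this branch going forward.
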
codeclimate[bot] commented 1 week ago

Code Climate has analyzed commit 46c1aaa8 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 0.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).

jan-cerny commented 1 week ago

Unfortunately, the change revealed that we have similar problems also in other rules, e.g. display_login_attempts.

jan-cerny commented 1 week ago

Not everything is caught by the tests. The scenarios might pass, but if you look at the diff in the comment above, some of the differences are unwanted and they affect the behavior of the remediations. We need to address these changes or create a different solution for this rule.

jan-cerny commented 1 week ago

I will fix display_login_attempts by https://github.com/ComplianceAsCode/content/pull/12603.