ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Fix display_login_attempts #12603

Closed jan-cerny closed 1 week ago

jan-cerny commented 1 week ago

Due to the change in Bash Jinja macros introduced by https://github.com/ComplianceAsCode/content/pull/12600 the regular expressions in Bash remediation in rule display_login_attempts have been broken. The escaping of the control parameter is now done inside bash_ensure_pam_module_option and therefore the bash remediation should pass the control parameter without escaping.
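The escaping rule the description lays out, as an added shell example that is not the project's own code: the control value is escaped once, inside the helper that builds the regex, and the unescaped value is what gets written to the file; a caller that pre-escapes it (the situation this PR fixes) ends up with literal backslashes in the PAM file. Function names and the sample PAM line are this example's own.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode code: escape the PAM control field exactly
# once, and only where it is used as a regex. The raw value is what gets written
# to the file. Function names are this example's own.

# escape_control: backslash-quote ERE metacharacters in a control such as
# "[default=1]" so the value matches literally inside a grep -E pattern.
escape_control() {
    printf '%s' "$1" | sed 's/[][\\.*^$+?(){}|]/\\&/g'
}

# ensure_pam_line FILE GROUP CONTROL MODULE: append "GROUP CONTROL MODULE"
# unless a line with exactly that group, control and module already exists.
# CONTROL must be passed unescaped; escaping happens here, in the pattern only.
ensure_pam_line() {
    file=$1 group=$2 control=$3 module=$4
    ctl_re=$(escape_control "$control")
    mod_re=$(escape_control "$module")
    if ! grep -qE "^[[:space:]]*${group}[[:space:]]+${ctl_re}[[:space:]]+${mod_re}" "$file"; then
        # The remediation uses echo here; printf avoids shell-specific escape handling.
        printf '%s %s %s\n' "$group" "$control" "$module" >> "$file"
    fi
}

# count_module_lines FILE MODULE: lines referencing MODULE (idempotency check).
count_module_lines() {
    grep -c "$2" "$1"
}

# Demo on a constructed PAM file: the second call must not add a duplicate.
# Passing an already escaped control instead (the pre-fix behaviour) would leak
# backslashes into the file, which is exactly what this PR avoids.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'session     optional      pam_keyinit.so revoke' > "$tmp"
    ensure_pam_line "$tmp" session '[default=1]' pam_lastlog.so
    ensure_pam_line "$tmp" session '[default=1]' pam_lastlog.so
    cat "$tmp"
    rm -f "$tmp"
}

demo
```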

github-actions[bot] commented 1 week ago

This datastream diff is auto-generated by the check Compare DS/Generate Diff

Click here to see the full diff ```diff bash remediation for rule 'xccdf_org.ssgproject.content_rule_display_login_attempts' differs. --- xccdf_org.ssgproject.content_rule_display_login_attempts +++ xccdf_org.ssgproject.content_rule_display_login_attempts @@ -79,23 +79,23 @@ fi - if ! grep -qP "^\s*session\s+\\[default=1\\]\s+pam_lastlog.so\s*.*" "$PAM_FILE_PATH"; then + if ! grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then # The control is updated only if one single line matches. - sed -i -E --follow-symlinks "s/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1\[default=1\] \2/" "$PAM_FILE_PATH" + sed -i -E --follow-symlinks "s/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1[default=1] \2/" "$PAM_FILE_PATH" else LAST_MATCH_LINE=$(grep -nP "^\s*session\s+.*pam_succeed_if\.so.*" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE" a session \[default=1\] pam_lastlog.so" "$PAM_FILE_PATH" + sed -i --follow-symlinks $LAST_MATCH_LINE" a session [default=1] pam_lastlog.so" "$PAM_FILE_PATH" else - echo "session \[default=1\] pam_lastlog.so" >> "$PAM_FILE_PATH" + echo "session [default=1] pam_lastlog.so" >> "$PAM_FILE_PATH" fi fi fi # Check the option - if ! grep -qP "^\s*session\s+\\[default=1\\]\s+pam_lastlog.so\s*.*\sshowfailed\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "/\s*session\s+\\[default=1\\]\s+pam_lastlog.so.*/ s/$/ showfailed/" "$PAM_FILE_PATH" + if ! grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s*.*\sshowfailed\b" "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks "/\s*session\s+\[default=1\]\s+pam_lastlog.so.*/ s/$/ showfailed/" "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then 
@@ -138,8 +138,8 @@ authselect apply-changes -b fi - if grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s.*\bsilent\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "s/(.*session.*\[default=1\].*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH" + if grep -qP "^\s*session\s+[default=1]\s+pam_lastlog.so\s.*\bsilent\b" "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks "s/(.*session.*[default=1].*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then 
@@ -185,23 +185,23 @@ fi - if ! grep -qP "^\s*session\s+\\[default=1\\]\s+pam_lastlog.so\s*.*" "$PAM_FILE_PATH"; then + if ! grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then # The control is updated only if one single line matches. - sed -i -E --follow-symlinks "s/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1\[default=1\] \2/" "$PAM_FILE_PATH" + sed -i -E --follow-symlinks "s/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1[default=1] \2/" "$PAM_FILE_PATH" else LAST_MATCH_LINE=$(grep -nP "^\s*session\s+.*pam_succeed_if\.so.*" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE" a session \[default=1\] pam_lastlog.so" "$PAM_FILE_PATH" + sed -i --follow-symlinks $LAST_MATCH_LINE" a session [default=1] pam_lastlog.so" "$PAM_FILE_PATH" else - echo "session \[default=1\] pam_lastlog.so" >> "$PAM_FILE_PATH" + echo "session [default=1] pam_lastlog.so" >> "$PAM_FILE_PATH" fi fi fi # Check the option - if ! grep -qP "^\s*session\s+\\[default=1\\]\s+pam_lastlog.so\s*.*\sshowfailed\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "/\s*session\s+\\[default=1\\]\s+pam_lastlog.so.*/ s/$/ showfailed/" "$PAM_FILE_PATH" + if ! grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s*.*\sshowfailed\b" "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks "/\s*session\s+\[default=1\]\s+pam_lastlog.so.*/ s/$/ showfailed/" "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then 
@@ -244,8 +244,8 @@ authselect apply-changes -b fi - if grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s.*\bsilent\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "s/(.*session.*\[default=1\].*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH" + if grep -qP "^\s*session\s+[default=1]\s+pam_lastlog.so\s.*\bsilent\b" "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks "s/(.*session.*[default=1].*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then ```
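Review bot: in the @@ -79,23 +79,23 @@ hunk only the `echo "session [default=1] pam_lastlog.so" >> "$PAM_FILE_PATH"` line changes runtime behaviour. The grep -P patterns reach grep identically in both versions, because double-quote processing turns `\\[` into `\[` and leaves `\[` untouched, and both the sed -E replacement and the sed `a` text reduce `\[` to a literal `[`. The old echo, by contrast, wrote `session \[default=1\] pam_lastlog.so` with literal backslashes into the PAM file, so the test scenario that actually verifies this fix is the one with no `pam_succeed_if.so` line, which is the branch that reaches the echo. The @@ -185,23 +185,23 @@ hunk is the same change and the same comment applies.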
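Review bot: in the @@ -138,8 +138,8 @@ hunk the new grep pattern `^\s*session\s+[default=1]\s+pam_lastlog.so\s.*\bsilent\b` looks like a regression: without the backslashes, PCRE reads `[default=1]` as a character class matching a single character, so the pattern no longer matches a line that literally contains `[default=1]` and the `silent` option is never removed. The `-` line here already carried the single-escaped `\[default=1\]`, which suggests the macro that generates this block did not get the escaping moved into it the way the description says bash_ensure_pam_module_option did; either escape the control inside that macro as well or keep passing it escaped for this call. The same applies to the @@ -244,8 +244,8 @@ hunk.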
codeclimate[bot] commented 1 week ago

Code Climate has analyzed commit 7f4ef13f and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).
