Adjust set_password_hashing_algorithm_* for RHEL 10 #12782

@Mab879 Mab879 commented Jan 7, 2025

Description:

  • Add RHEL 10 to tests for set_password_hashing_algorithm_systemauth and set_password_hashing_algorithm_passwordauth
  • Adjust RHEL 10 profiles to use yescrypt
  • Adjust text in set_password_hashing_algorithm_systemauth and set_password_hashing_algorithm_passwordauth for RHEL 10
  • Fix

Rationale:

Fixes #12769

Review Hints:

  1. ./build_product rhel10
  2. cd tests
  3. ./automatus.py rule --datastream ../build/ssg-rhel10-ds.xml --libvirt qemu:///system automatus_rhel10 set_password_hashing_algorithm_passwordauth,set_password_hashing_algorithm_systemauth

@Mab879 Mab879 added Bash Bash remediation update. RHEL10 Red Hat Enterprise Linux 10 product related. labels Jan 7, 2025
@Mab879 Mab879 added this to the 0.1.76 milestone Jan 7, 2025

github-actions bot commented Jan 7, 2025

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth' differs.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
@@ -5,7 +5,7 @@
 
 
 PAM_FILE_PATH="/etc/pam.d/system-auth"
-CONTROL="sufficient"
+
 
 if [ -e "$PAM_FILE_PATH" ] ; then
     PAM_FILE_PATH="$PAM_FILE_PATH"
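Review bot: Removing `CONTROL="sufficient"` at the top of the script is only safe if no `$CONTROL` reference survives outside the hunks shown here, because an unset variable expands to an empty string and would silently change the grep and sed patterns that use it. It is worth searching the full generated remediation for leftover `$CONTROL` uses. The removal also leaves an empty line where the assignment was; if this script is generated from a template, trimming the whitespace there would keep the output tidy.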
@@ -42,18 +42,18 @@
     fi
     
 
-        if ! grep -qP "^\s*password\s+\$CONTROL\s+pam_unix.so\s*.*" "$PAM_FILE_PATH"; then
+        if ! grep -qP "^\s*password\s+sufficient\s+pam_unix.so\s*.*" "$PAM_FILE_PATH"; then
             # Line matching group + control + module was not found. Check group + module.
             if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
                 # The control is updated only if one single line matches.
-                sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_unix.so.*)/\1$CONTROL \2/" "$PAM_FILE_PATH"
+                sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_unix.so.*)/\1sufficient \2/" "$PAM_FILE_PATH"
             else
-                echo "password    $CONTROL    pam_unix.so" >> "$PAM_FILE_PATH"
+                echo "password    sufficient    pam_unix.so" >> "$PAM_FILE_PATH"
             fi
         fi
         # Check the option
-        if ! grep -qP "^\s*password\s+\$CONTROL\s+pam_unix.so\s*.*\s$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks "/\s*password\s+\$CONTROL\s+pam_unix.so.*/ s/$/ $var_password_hashing_algorithm_pam/" "$PAM_FILE_PATH"
+        if ! grep -qP "^\s*password\s+sufficient\s+pam_unix.so\s*.*\s$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks "/\s*password\s+sufficient\s+pam_unix.so.*/ s/$/ $var_password_hashing_algorithm_pam/" "$PAM_FILE_PATH"
         fi
     if [ -f /usr/bin/authselect ]; then
         
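Review bot: In the "Check the option" branch, the sed address `/\s*password\s+sufficient\s+pam_unix.so.*/` has no `^` anchor while the grep guarding it does, so the append can also touch lines the grep would never match, such as a commented-out `pam_unix.so` entry. Anchoring the address as `^\s*password\s+sufficient\s+...` would keep the check and the edit consistent. The `.` in `pam_unix.so` is unescaped in every pattern and matches any character, so `pam_unix\.so` would be more exact. With `sufficient` now repeated as a literal in five added lines, a short comment stating why the control is fixed would help the next reader.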


codeclimate bot commented Jan 7, 2025

Code Climate has analyzed commit 105a8ca and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.6% (0.0% change).

@jan-cerny jan-cerny self-assigned this Jan 10, 2025

@jan-cerny jan-cerny left a comment

It fixed the failing automatus test scenarios for me.

Verified locally:

jcerny@fedora:~/work/git/scap-security-guide (pr/12782)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel10 --remediate-using ansible set_password_hashing_algorithm_passwordauth
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-01-10-1358/test_suite.log
WARNING - Script correct.pass.sh is not applicable on given platform
WARNING - Script missing.fail.sh is not applicable on given platform
WARNING - Script wrong_control.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
INFO - Script authselect_correct_value.pass.sh using profile (all) OK
INFO - Script authselect_incorrect_option.fail.sh using profile (all) OK
INFO - Script authselect_missing_option.fail.sh using profile (all) OK
INFO - Script authselect_modified_pam.fail.sh using profile (all) OK
INFO - Script authselect_multiple_options.fail.sh using profile (all) OK
INFO - Script authselect_wrong_control.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/12782)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel10 --remediate-using ansible set_password_hashing_algorithm_systemauth
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-01-10-1402/test_suite.log
WARNING - Script commented_value.fail.sh is not applicable on given platform
WARNING - Script correct.pass.sh is not applicable on given platform
WARNING - Script missing.fail.sh is not applicable on given platform
WARNING - Script wrong_control.fail.sh is not applicable on given platform
WARNING - Script wrong_value_concat.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
INFO - Script authselect_correct_value.pass.sh using profile (all) OK
INFO - Script authselect_incorrect_option.fail.sh using profile (all) OK
INFO - Script authselect_missing_option.fail.sh using profile (all) OK
INFO - Script authselect_modified_pam.fail.sh using profile (all) OK
INFO - Script authselect_multiple_options.fail.sh using profile (all) OK
INFO - Script authselect_wrong_control.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/12782)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel10 set_password_hashing_algorithm_passwordauth
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-01-10-1406/test_suite.log
WARNING - Script correct.pass.sh is not applicable on given platform
WARNING - Script missing.fail.sh is not applicable on given platform
WARNING - Script wrong_control.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
INFO - Script authselect_correct_value.pass.sh using profile (all) OK
INFO - Script authselect_incorrect_option.fail.sh using profile (all) OK
INFO - Script authselect_missing_option.fail.sh using profile (all) OK
INFO - Script authselect_modified_pam.fail.sh using profile (all) OK
INFO - Script authselect_multiple_options.fail.sh using profile (all) OK
INFO - Script authselect_wrong_control.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/12782)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel10 set_password_hashing_algorithm_systemauth
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-01-10-1408/test_suite.log
WARNING - Script commented_value.fail.sh is not applicable on given platform
WARNING - Script correct.pass.sh is not applicable on given platform
WARNING - Script missing.fail.sh is not applicable on given platform
WARNING - Script wrong_control.fail.sh is not applicable on given platform
WARNING - Script wrong_value_concat.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
INFO - Script authselect_correct_value.pass.sh using profile (all) OK
INFO - Script authselect_incorrect_option.fail.sh using profile (all) OK
INFO - Script authselect_missing_option.fail.sh using profile (all) OK
INFO - Script authselect_modified_pam.fail.sh using profile (all) OK
INFO - Script authselect_multiple_options.fail.sh using profile (all) OK
INFO - Script authselect_wrong_control.fail.sh using profile (all) OK

@jan-cerny jan-cerny merged commit 3c4aa91 into ComplianceAsCode:master Jan 10, 2025
99 of 105 checks passed
@Mab879 Mab879 deleted the fix_set_password_hashing_algorithm_systemauth branch January 10, 2025 13:49
Successfully merging this pull request may close these issues.

Rule set_password_hashing_algorithm_systemauth fails on RHEL 10