Remove assumptions and unnecessary changes

sssd remediation should not create sssd configuration files if they were not previous created by sys admins. The reason the sssd configuration files are not created by default is because its parameters may differ for each site policy, therefore manual intervention is necessary to ensure the sssd parameters are compliant. The bash remediation was creating a new file only to satisfy a parameter. This creates incosistent sssd configuration and makes the sssd service to fail. Signed-off-by: Marcus Burghardt <[email protected]>
ComplianceAsCode · Sep 13, 2024 · e5ea14c · e5ea14c
1 parent bea9c3d
commit e5ea14c
Showing 1 changed file with 28 additions and 40 deletions.
diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh
@@ -1,51 +1,39 @@
 # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol
 
-
-
-# sssd configuration files must be created with 600 permissions if they don't exist
-# otherwise the sssd module fails to start
-OLD_UMASK=$(umask)
-umask u=rw,go=
-
 SSSD_CONF="/etc/sssd/sssd.conf"
 SSSD_CONF_DIR="/etc/sssd/conf.d/*.conf"
 
 if [ ! -f "$SSSD_CONF" ] && [ ! -f "$SSSD_CONF_DIR" ]; then
-    mkdir -p /etc/sssd
-    touch "$SSSD_CONF"
-fi
-
-# Flag to check if there is already services with pam
-service_already_exist=false
-for f in $SSSD_CONF $SSSD_CONF_DIR; do
-	if [ ! -e "$f" ]; then
-		continue
-	fi
-	# finds all services entries under [sssd] configuration category, get a unique list so it doesn't add redundant fix
-	services_list=$( awk '/^\s*\[/{f=0} /^\s*\[sssd\]/{f=1}f' $f | grep -P '^services[ \t]*=' | uniq )
-    if [ -z "$services_list" ]; then
-        continue
-    fi
-
-	while IFS= read -r services; do
-		if [[ ! $services =~ "pam" ]]; then
-			sed -i "s/$services$/&, pam/" $f
-		fi
-        # Either pam service was already there or got added now
-        service_already_exist=true
-	done <<< "$services_list"
-
-done
-
-# If there was no service in [sssd], add it to first config
-if [ "$service_already_exist" = false ]; then
+    echo "
+    sssd configuration files not found. Ensure a valid configuration is present.
+    Manual modification of configuration files may be necessary to align with site policies."
+else
+    # Flag to check if there is already services with pam
+    service_already_exist=false
     for f in $SSSD_CONF $SSSD_CONF_DIR; do
-        cat << EOF >> "$f"
+        if [ ! -e "$f" ]; then
+            continue
+        fi
+        # finds all services entries under [sssd] configuration category, get a unique list so it doesn't add redundant fix
+        services_list=$( awk '/^\s*\[/{f=0} /^\s*\[sssd\]/{f=1}f' $f | grep -P '^services[ \t]*=' | uniq )
+        if [ -z "$services_list" ]; then
+            continue
+        fi
+
+        while IFS= read -r services; do
+            if [[ ! $services =~ "pam" ]]; then
+                sed -i "s/$services$/&, pam/" $f
+            fi
+            # Either pam service was already there or got added now
+            service_already_exist=true
+        done <<< "$services_list"
+    done
+
+    # If there was no service in [sssd], add it to first config
+    if [ "$service_already_exist" = false ]; then
+        cat << EOF >> "$SSSD_CONF"
 [sssd]
 services = pam
 EOF
-        break
-    done
+    fi
 fi
-
-umask $OLD_UMASK