From 8f9d3050ac6cd3b77df6ea69530f663f38e401ca Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 12 Sep 2024 16:44:45 +0200 Subject: [PATCH 1/9] id_provider no longer accepts files Updated the test scenarios for a valid option. Signed-off-by: Marcus Burghardt --- .../guide/services/sssd/service_sssd_enabled/tests/common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/services/sssd/service_sssd_enabled/tests/common.sh b/linux_os/guide/services/sssd/service_sssd_enabled/tests/common.sh index c3dc61518fe..342a3f2c6c1 100644 --- a/linux_os/guide/services/sssd/service_sssd_enabled/tests/common.sh +++ b/linux_os/guide/services/sssd/service_sssd_enabled/tests/common.sh @@ -7,7 +7,7 @@ services = nss, pam domains = example.com [domain/example.com] -id_provider = files +id_provider = ldap access_provider = simple simple_allow_users = user1, user2 From 3c43e69aa0ec26f9da1f869a4ce64598750890bc Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 12 Sep 2024 16:46:44 +0200 Subject: [PATCH 2/9] Fix the package for sssd in test scenarios This is a templated rule but the test scenarios are overridden in order to create a sssd.conf file for testing purposes. The package name in the custom test scenarios was not correct. Signed-off-by: Marcus Burghardt --- .../sssd/service_sssd_enabled/tests/service_disabled.fail.sh | 2 +- .../sssd/service_sssd_enabled/tests/service_enabled.pass.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/services/sssd/service_sssd_enabled/tests/service_disabled.fail.sh b/linux_os/guide/services/sssd/service_sssd_enabled/tests/service_disabled.fail.sh index 306b0cdbb7d..e21ceea1aaa 100644 --- a/linux_os/guide/services/sssd/service_sssd_enabled/tests/service_disabled.fail.sh +++ b/linux_os/guide/services/sssd/service_sssd_enabled/tests/service_disabled.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# packages = sssd +# packages = sssd-common source common.sh 
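Review bot: Switching the fixture to `id_provider = ldap` makes the `example.com` domain depend on an LDAP backend that the scenario never provides, since no `ldap_uri` is set and SSSD would presumably fall back to DNS SRV discovery for `example.com` on the test machine. If the service scenario actually starts `sssd`, a self-contained replacement for the removed `files` provider is the proxy backend, e.g. `id_provider = proxy`, `proxy_lib_name = files`, `proxy_pam_target = sssd-shadowutils`, which the sibling `wrong_sssd.conf` fixture already uses in part. Whether the scenario only checks the unit state or needs the domain to come online is not visible in this hunk.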
diff --git a/linux_os/guide/services/sssd/service_sssd_enabled/tests/service_enabled.pass.sh b/linux_os/guide/services/sssd/service_sssd_enabled/tests/service_enabled.pass.sh index 0028951340c..f5c4d18505b 100644 --- a/linux_os/guide/services/sssd/service_sssd_enabled/tests/service_enabled.pass.sh +++ b/linux_os/guide/services/sssd/service_sssd_enabled/tests/service_enabled.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# packages = sssd +# packages = sssd-common source common.sh From d7bcea484d93ca416d0b335aa469b14848a3e8a4 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 13 Sep 2024 10:33:10 +0200 Subject: [PATCH 3/9] Remove assumptions and unnecessary changes sssd remediation should not create sssd configuration files if they were not previous created by sys admins. The reason the sssd configuration files are not created by default is because its parameters may differ for each site policy, therefore manual intervention is necessary to ensure the sssd parameters are compliant. The bash remediation was creating a new file only to satisfy a parameter. This creates incosistent sssd configuration and makes the sssd service to fail. Signed-off-by: Marcus Burghardt --- .../sssd_enable_pam_services/bash/shared.sh | 68 ++++++++----------- 1 file changed, 28 insertions(+), 40 deletions(-) diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh index 09e863e4a9c..7b1187c286f 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/bash/shared.sh 
@@ -1,51 +1,39 @@ # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol - - -# sssd configuration files must be created with 600 permissions if they don't exist -# otherwise the sssd module fails to start -OLD_UMASK=$(umask) -umask u=rw,go= - SSSD_CONF="/etc/sssd/sssd.conf" SSSD_CONF_DIR="/etc/sssd/conf.d/*.conf" if [ ! -f "$SSSD_CONF" ] && [ ! -f "$SSSD_CONF_DIR" ]; then - mkdir -p /etc/sssd - touch "$SSSD_CONF" -fi - -# Flag to check if there is already services with pam -service_already_exist=false -for f in $SSSD_CONF $SSSD_CONF_DIR; do - if [ ! -e "$f" ]; then - continue - fi - # finds all services entries under [sssd] configuration category, get a unique list so it doesn't add redundant fix - services_list=$( awk '/^\s*\[/{f=0} /^\s*\[sssd\]/{f=1}f' $f | grep -P '^services[ \t]*=' | uniq ) - if [ -z "$services_list" ]; then - continue - fi - - while IFS= read -r services; do - if [[ ! $services =~ "pam" ]]; then - sed -i "s/$services$/&, pam/" $f - fi - # Either pam service was already there or got added now - service_already_exist=true - done <<< "$services_list" - -done - -# If there was no service in [sssd], add it to first config -if [ "$service_already_exist" = false ]; then + echo " + sssd configuration files not found. Ensure a valid configuration is present. + Manual modification of configuration files may be necessary to align with site policies." +else + # Flag to check if there is already services with pam + service_already_exist=false for f in $SSSD_CONF $SSSD_CONF_DIR; do - cat << EOF >> "$f" + if [ ! -e "$f" ]; then + continue + fi + # finds all services entries under [sssd] configuration category, get a unique list so it doesn't add redundant fix + services_list=$( awk '/^\s*\[/{f=0} /^\s*\[sssd\]/{f=1}f' $f | grep -P '^services[ \t]*=' | uniq ) + if [ -z "$services_list" ]; then + continue + fi + + while IFS= read -r services; do + if [[ ! 
$services =~ "pam" ]]; then + sed -i "s/$services$/&, pam/" $f + fi + # Either pam service was already there or got added now + service_already_exist=true + done <<< "$services_list" + done + + # If there was no service in [sssd], add it to first config + if [ "$service_already_exist" = false ]; then + cat << EOF >> "$SSSD_CONF" [sssd] services = pam EOF - break - done + fi fi - -umask $OLD_UMASK From 8a0057db8513ffd1e237708782c2f2664d9017e6 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 13 Sep 2024 10:51:36 +0200 Subject: [PATCH 4/9] Fix sssd package name in test scenarios scripts Signed-off-by: Marcus Burghardt --- .../tests/custom_conf_services_pam_missing.fail.sh | 4 +--- .../sssd_enable_pam_services/tests/missing_sections.fail.sh | 2 +- .../tests/multiple_wrong_entries.fail.sh | 5 ++--- .../tests/services_pam_missing.fail.sh | 2 +- .../tests/services_pam_wrong_section.fail.sh | 3 +-- .../tests/sssd_config_missing.fail.sh | 2 +- .../sssd_enable_pam_services/tests/sssd_pam_services.pass.sh | 3 +-- .../tests/sssd_pam_services_conf_d.pass.sh | 2 +- .../sssd/sssd_enable_pam_services/tests/wrong_sssd.conf | 2 +- 9 files changed, 10 insertions(+), 15 deletions(-) diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/custom_conf_services_pam_missing.fail.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/custom_conf_services_pam_missing.fail.sh index a40c32001f1..98dd578bae5 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/custom_conf_services_pam_missing.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/custom_conf_services_pam_missing.fail.sh @@ -1,7 +1,5 @@ - -# packages = sssd #!/bin/bash -# +# packages = sssd-common rm -rf /etc/sssd/conf.d/ mkdir -p /etc/sssd/conf.d/ 
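Review bot: The guard that now decides whether remediation runs at all, `[ ! -f "$SSSD_CONF" ] && [ ! -f "$SSSD_CONF_DIR" ]`, tests the literal filename `/etc/sssd/conf.d/*.conf` because the glob is quoted, so a host configured only through conf.d snippets is reported as "configuration files not found" and left unremediated. The else branch has the matching gap: the fallback `cat << EOF >> "$SSSD_CONF"` appends to `sssd.conf` unconditionally, so on a conf.d-only host (once the guard is fixed) it would create `/etc/sssd/sssd.conf` with the process umask, which is the file creation this commit sets out to stop, and the removed comment already records that SSSD refuses configuration files that are not 0600. Expanding the glob in the guard and appending to the first existing file, as the removed loop did, keeps the remediation inside existing files; the diagnostic should also go to stderr. The `sed -i "s/$services$/&, pam/" $f` line still interpolates the config line into the sed pattern unescaped, which is pre-existing behavior but deserves a `# assumes the services line holds no sed metacharacters` comment.
```shell
if [ ! -f "$SSSD_CONF" ] && ! compgen -G "$SSSD_CONF_DIR" > /dev/null; then
    echo "
    sssd configuration files not found. Ensure a valid configuration is present.
    Manual modification of configuration files may be necessary to align with site policies." >&2
else
    # … unchanged: scan [sssd] sections and append ', pam' to existing services lines …

    # If there was no service in [sssd], add it to the first config file that exists
    if [ "$service_already_exist" = false ]; then
        for f in $SSSD_CONF $SSSD_CONF_DIR; do
            [ -e "$f" ] || continue
            cat << EOF >> "$f"
[sssd]
services = pam
EOF
            break
        done
    fi
fi
```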
diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/missing_sections.fail.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/missing_sections.fail.sh index e1493838916..2240c45aaa1 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/missing_sections.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/missing_sections.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# packages = sssd +# packages = sssd-common rm /etc/sssd/sssd.conf rm -rf /etc/sssd/conf.d/ diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/multiple_wrong_entries.fail.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/multiple_wrong_entries.fail.sh index f8e319afdfa..4ee2a97e537 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/multiple_wrong_entries.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/multiple_wrong_entries.fail.sh @@ -1,6 +1,5 @@ #!/bin/bash -# packages = sssd -# +# packages = sssd-common rm -rf /etc/sssd/conf.d/ mkdir -p /etc/sssd/conf.d/ @@ -23,7 +22,7 @@ domains = shadowutils services = pam [domain/shadowutils] -id_provider = files +id_provider = ldap auth_provider = proxy proxy_pam_target = sssd-shadowutils diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_missing.fail.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_missing.fail.sh index 31662f48d05..901ac907483 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_missing.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_missing.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# packages = sssd +# packages = sssd-common # SSSD_CONF="/etc/sssd/sssd.conf" 
diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_wrong_section.fail.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_wrong_section.fail.sh index 6a9563c18f7..201b1c9d923 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_wrong_section.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_wrong_section.fail.sh @@ -1,6 +1,5 @@ #!/bin/bash -# packages = sssd -# +# packages = sssd-common rm -rf /etc/sssd/conf.d/ SSSD_CONF="/etc/sssd/sssd.conf" diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_config_missing.fail.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_config_missing.fail.sh index 967b2fae997..92fa2a0b48f 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_config_missing.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_config_missing.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# packages = sssd +# packages = sssd-common rm /etc/sssd/sssd.conf rm -rf /etc/sssd/conf.d/ diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services.pass.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services.pass.sh index f5981b0434d..3fac47c8b1c 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services.pass.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services.pass.sh @@ -1,6 +1,5 @@ #!/bin/bash -# packages = sssd -# +# packages = sssd-common SSSD_CONF="/etc/sssd/sssd.conf" diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services_conf_d.pass.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services_conf_d.pass.sh index 42519ee006f..e3c1deb06d1 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services_conf_d.pass.sh 
+++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services_conf_d.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# packages = sssd +# packages = sssd-common rm -rf "/etc/sssd/conf.d/" rm -f "/etc/sssd/sssd.conf" diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/wrong_sssd.conf b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/wrong_sssd.conf index 0fcad10e84d..648d9ec6522 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/wrong_sssd.conf +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/wrong_sssd.conf @@ -8,7 +8,7 @@ domains = shadowutils services = pam [domain/shadowutils] -id_provider = files +id_provider = ldap auth_provider = proxy proxy_pam_target = sssd-shadowutils From 25e647718945d6b7b103d319ea27501254b66818 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 13 Sep 2024 10:52:30 +0200 Subject: [PATCH 5/9] Remediation should not create files Signed-off-by: Marcus Burghardt --- .../sssd_enable_pam_services/tests/sssd_config_missing.fail.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_config_missing.fail.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_config_missing.fail.sh index 92fa2a0b48f..8cd9b81a0e7 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_config_missing.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_config_missing.fail.sh @@ -1,5 +1,6 @@ #!/bin/bash # packages = sssd-common +# remediation = none rm /etc/sssd/sssd.conf rm -rf /etc/sssd/conf.d/ From b191bdd622b41dd7dd148b259fd2471d9bf6fcf3 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 13 Sep 2024 11:23:51 +0200 Subject: [PATCH 6/9] Simplify and align logic in test scenarios 
Signed-off-by: Marcus Burghardt --- .../custom_conf_services_pam_missing.fail.sh | 13 +++++++------ .../tests/missing_sections.fail.sh | 9 ++++++--- .../tests/multiple_wrong_entries.fail.sh | 16 ++++++++-------- .../tests/services_pam_missing.fail.sh | 10 +++++----- .../tests/services_pam_wrong_section.fail.sh | 8 +++++--- .../tests/sssd_config_missing.fail.sh | 6 ++++-- .../tests/sssd_pam_services.pass.sh | 9 +++++---- .../tests/sssd_pam_services_conf_d.pass.sh | 11 +++++++---- 8 files changed, 47 insertions(+), 35 deletions(-) diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/custom_conf_services_pam_missing.fail.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/custom_conf_services_pam_missing.fail.sh index 98dd578bae5..e255caf2163 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/custom_conf_services_pam_missing.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/custom_conf_services_pam_missing.fail.sh @@ -1,11 +1,12 @@ #!/bin/bash # packages = sssd-common -rm -rf /etc/sssd/conf.d/ -mkdir -p /etc/sssd/conf.d/ -SSSD_CONF="/etc/sssd/conf.d/sssd.conf" +SSSD_CONF_FILE="/etc/sssd/sssd.conf" +SSSD_CONF_DIR_FILE="/etc/sssd/conf.d/sssd.conf" +SSSD_CONF_DIR_FILES="/etc/sssd/conf.d/*.conf" -cp wrong_sssd.conf $SSSD_CONF +rm -rf $SSSD_CONF_FILE $SSSD_CONF_DIR_FILES -SSSD_CONF="/etc/sssd/sssd.conf" -cp wrong_sssd.conf $SSSD_CONF +for file in $SSSD_CONF_FILE $SSSD_CONF_DIR_FILE; do + cp wrong_sssd.conf $file +done diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/missing_sections.fail.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/missing_sections.fail.sh index 2240c45aaa1..0b7a7c033af 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/missing_sections.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/missing_sections.fail.sh 
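Review bot: The rewritten scenario drops the `mkdir -p /etc/sssd/conf.d/` that the old version ran before copying into `$SSSD_CONF_DIR_FILE`, so the `cp` in the loop now depends on the directory being shipped by `sssd-common`; that is presumably the case on the targeted platforms, but a scenario that deletes with a glob and then writes into the directory is cheap to make self-contained with `mkdir -p "$(dirname "$SSSD_CONF_DIR_FILE")"` before the loop. The `rm -rf $SSSD_CONF_FILE $SSSD_CONF_DIR_FILES` line relies on the glob variable being unquoted, which is intended here; a short `# globs intentionally unquoted` comment would stop a later ShellCheck-driven cleanup from quoting it and silently breaking the cleanup. The same pattern recurs in the other scenarios rewritten by this commit.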
@@ -1,7 +1,10 @@ #!/bin/bash # packages = sssd-common -rm /etc/sssd/sssd.conf -rm -rf /etc/sssd/conf.d/ +SSSD_CONF_FILE="/etc/sssd/sssd.conf" +SSSD_CONF_DIR_FILES="/etc/sssd/conf.d/*.conf" + +rm -rf $SSSD_CONF_FILE $SSSD_CONF_DIR_FILES + # Only empty config without any section -touch /etc/sssd/sssd.conf +touch $SSSD_CONF_FILE diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/multiple_wrong_entries.fail.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/multiple_wrong_entries.fail.sh index 4ee2a97e537..05db3904b93 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/multiple_wrong_entries.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/multiple_wrong_entries.fail.sh @@ -1,17 +1,17 @@ #!/bin/bash # packages = sssd-common -rm -rf /etc/sssd/conf.d/ -mkdir -p /etc/sssd/conf.d/ -SSSD_CONF="/etc/sssd/conf.d/sssd.conf" +SSSD_CONF_FILE="/etc/sssd/sssd.conf" +SSSD_CONF_DIR_FILE="/etc/sssd/conf.d/sssd.conf" +SSSD_CONF_DIR_FILES="/etc/sssd/conf.d/*.conf" -cp wrong_sssd.conf $SSSD_CONF +rm -rf $SSSD_CONF_FILE $SSSD_CONF_DIR_FILES -SSSD_CONF="/etc/sssd/sssd.conf" -cp wrong_sssd.conf $SSSD_CONF +for file in $SSSD_CONF_FILE $SSSD_CONF_DIR_FILE; do + cp wrong_sssd.conf $file +done -SSSD_CONF="/etc/sssd/sssd_custom.conf" -cat < $SSSD_CONF +cat < "/etc/sssd/conf.d/sssd_custom.conf" [sssd] services = nss domains = shadowutils diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_missing.fail.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_missing.fail.sh index 901ac907483..05c1dff7715 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_missing.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_missing.fail.sh 
@@ -1,12 +1,12 @@ #!/bin/bash # packages = sssd-common -# -SSSD_CONF="/etc/sssd/sssd.conf" +SSSD_CONF_FILE="/etc/sssd/sssd.conf" +SSSD_CONF_DIR_FILES="/etc/sssd/conf.d/*.conf" -rm -rf /etc/sssd/conf.d/ -rm -f $SSSD_CONF -cat < $SSSD_CONF +rm -rf $SSSD_CONF_FILE $SSSD_CONF_DIR_FILES + +cat < $SSSD_CONF_FILE [sssd] section1 = key section2 = nss diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_wrong_section.fail.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_wrong_section.fail.sh index 201b1c9d923..8d50ef189e5 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_wrong_section.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/services_pam_wrong_section.fail.sh @@ -1,6 +1,8 @@ #!/bin/bash # packages = sssd-common -rm -rf /etc/sssd/conf.d/ -SSSD_CONF="/etc/sssd/sssd.conf" -cp wrong_sssd.conf $SSSD_CONF +SSSD_CONF_FILE="/etc/sssd/sssd.conf" +SSSD_CONF_DIR_FILES="/etc/sssd/conf.d/*.conf" + +rm -rf $SSSD_CONF_FILE $SSSD_CONF_DIR_FILES +cp wrong_sssd.conf $SSSD_CONF_FILE diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_config_missing.fail.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_config_missing.fail.sh index 8cd9b81a0e7..2c2a9a715b1 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_config_missing.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_config_missing.fail.sh @@ -2,5 +2,7 @@ # packages = sssd-common # remediation = none -rm /etc/sssd/sssd.conf -rm -rf /etc/sssd/conf.d/ +SSSD_CONF_FILE="/etc/sssd/sssd.conf" +SSSD_CONF_DIR_FILES="/etc/sssd/conf.d/*.conf" + +rm -rf $SSSD_CONF_FILE $SSSD_CONF_DIR_FILES diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services.pass.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services.pass.sh index 3fac47c8b1c..e3bf6f5e6c2 100644 
--- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services.pass.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services.pass.sh @@ -1,11 +1,12 @@ #!/bin/bash # packages = sssd-common -SSSD_CONF="/etc/sssd/sssd.conf" +SSSD_CONF_FILE="/etc/sssd/sssd.conf" +SSSD_CONF_DIR_FILES="/etc/sssd/conf.d/*.conf" -rm -rf /etc/sssd/conf.d/ -rm -f SSSD_CONF -cat < $SSSD_CONF +rm -rf $SSSD_CONF_FILE $SSSD_CONF_DIR_FILES + +cat < $SSSD_CONF_FILE [sssd] services = nss,pam [pam] diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services_conf_d.pass.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services_conf_d.pass.sh index e3c1deb06d1..6868bb35fea 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services_conf_d.pass.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_pam_services_conf_d.pass.sh @@ -1,10 +1,13 @@ #!/bin/bash # packages = sssd-common -rm -rf "/etc/sssd/conf.d/" -rm -f "/etc/sssd/sssd.conf" -mkdir -p "/etc/sssd/conf.d/" -cat < "/etc/sssd/conf.d/sssd.conf" +SSSD_CONF_FILE="/etc/sssd/sssd.conf" +SSSD_CONF_DIR_FILE="/etc/sssd/conf.d/sssd.conf" +SSSD_CONF_DIR_FILES="/etc/sssd/conf.d/*.conf" + +rm -rf $SSSD_CONF_FILE $SSSD_CONF_DIR_FILES + +cat < $SSSD_CONF_DIR_FILE [sssd] services = nss,pam [pam] From d4ba4d32e11c0299d7f42d91b71438e770d99d3e Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Mon, 16 Sep 2024 12:15:24 +0200 Subject: [PATCH 7/9] Aling Ansible remediation with Bash The sssd.conf should only modified if already present. It is not created by this remediation. Signed-off-by: Marcus Burghardt --- .../ansible/shared.yml | 20 +++++-------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml index 83d10952196..fd71ad274fd 100644 
--- a/linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml @@ -4,14 +4,14 @@ # complexity = low # disruption = medium -- name: {{{ rule_title }}} - Find all the conf files inside the /etc/sssd/conf.d/ directory +- name: {{{ rule_title }}} - Find all conf files inside the /etc/sssd/conf.d/ directory ansible.builtin.find: paths: - "/etc/sssd/conf.d/" patterns: "*.conf" register: sssd_conf_d_files -- name: {{{ rule_title }}} - Modify lines in files in the /etc/sssd/conf.d/ directory +- name: {{{ rule_title }}} - Modify lines in files found in the /etc/sssd/conf.d/ directory ansible.builtin.replace: path: "{{ item }}" regexp: '^(\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services\s*=(?!.*\bpam\b).*)$' @@ -20,7 +20,7 @@ register: modify_lines_sssd_conf_d_files when: sssd_conf_d_files.matched is defined and sssd_conf_d_files.matched >= 1 -- name: {{{ rule_title }}} - Find /etc/sssd/sssd.conf +- name: {{{ rule_title }}} - Check existence of /etc/sssd/sssd.conf ansible.builtin.stat: path: /etc/sssd/sssd.conf register: sssd_conf_file @@ -33,17 +33,7 @@ register: modify_lines_sssd_conf_file when: sssd_conf_file.stat.exists -- name: {{{ rule_title }}} - Find services key in /etc/sssd/sssd.conf - ansible.builtin.replace: - path: "/etc/sssd/sssd.conf" - regexp: '^\s*\[sssd\][^\[\]]*?(?:\n(?!\[)[^\n]*?services\s*=)+' - replace: '' - changed_when: false - check_mode: true - register: sssd_conf_file_services - when: sssd_conf_file.stat.exists - -- name: {{{ rule_title }}} - Insert entry to /etc/sssd/sssd.conf +- name: {{{ rule_title }}} - Ensure services entry in sssd section of /etc/sssd/sssd.conf ini_file: path: /etc/sssd/sssd.conf section: sssd 
@@ -52,4 +42,4 @@ when: - not modify_lines_sssd_conf_d_files.changed - not modify_lines_sssd_conf_file.changed - - (sssd_conf_file_services.msg is defined and "replacements" not in sssd_conf_file_services.msg) or not sssd_conf_file.stat.exists + - sssd_conf_file.stat.exists From 2cacdb6fe7d4f2b16e9f8eab309ada8440dc0b1a Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Mon, 16 Sep 2024 16:10:05 +0200 Subject: [PATCH 8/9] Introduce applicability for sssd config files Some SSSD related rules are only applicable when there is already SSSD configuration files present in the system. Signed-off-by: Marcus Burghardt --- .../oval/sssd_conf_files_present.xml | 27 +++++++++++++++++++ .../applicability/sssd_conf_files_present.yml | 3 +++ 2 files changed, 30 insertions(+) create mode 100644 shared/applicability/oval/sssd_conf_files_present.xml create mode 100644 shared/applicability/sssd_conf_files_present.yml diff --git a/shared/applicability/oval/sssd_conf_files_present.xml b/shared/applicability/oval/sssd_conf_files_present.xml new file mode 100644 index 00000000000..1b90db054f8 --- /dev/null +++ b/shared/applicability/oval/sssd_conf_files_present.xml @@ -0,0 +1,27 @@ + + + + SSSD configuration files are present + + multi_platform_all + + /etc/sssd/sssd.conf is present or there are custom files within /etc/sssd/conf.d + + + + + + + + + + + + + ^/etc/sssd/(sssd|conf\.d/.*)\.conf$ + + diff --git a/shared/applicability/sssd_conf_files_present.yml b/shared/applicability/sssd_conf_files_present.yml new file mode 100644 index 00000000000..db6abf7362d --- /dev/null +++ b/shared/applicability/sssd_conf_files_present.yml @@ -0,0 +1,3 @@ +name: cpe:/a:sssd_conf_files_present +title: SSSD configuration files are present +check_id: sssd_conf_files_present From 6e3a497286a7a0336bf6a40bc892e1da89853772 Mon Sep 17 00:00:00 2001 
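Review bot: Dropping the `sssd_conf_file_services` check leaves the `ini_file` task guarded only by `sssd_conf_file.stat.exists` plus the two replace tasks not having changed anything, and the replace regexp deliberately skips `services` lines that already contain `pam`; so on an already-compliant host with e.g. `services = nss, pam` the `ini_file` task now runs against the existing key. Whether that is harmful depends on the task's `option`/`value` lines, which are outside this hunk: if it writes a bare `pam`, it would drop `nss` from a working configuration, which the removed `"replacements" not in sssd_conf_file_services.msg` condition prevented. A check-mode task that detects an existing `services` key under `[sssd]` (the removed regexp did exactly this) plus one more `when` line would restore the guard while keeping the no-file-creation behavior. The `ini_file` task begins in the previous hunk.
```yaml
- name: {{{ rule_title }}} - Check for an existing services key in the sssd section of /etc/sssd/sssd.conf
  ansible.builtin.replace:
    path: /etc/sssd/sssd.conf
    regexp: '^\s*\[sssd\][^\[\]]*?(?:\n(?!\[)[^\n]*?services\s*=)+'
    replace: ''
  check_mode: true
  changed_when: false
  register: sssd_conf_file_services
  when: sssd_conf_file.stat.exists

# … unchanged: ini_file task header, path, section, option, value …
  when:
    - not modify_lines_sssd_conf_d_files.changed
    - not modify_lines_sssd_conf_file.changed
    - sssd_conf_file.stat.exists
    - sssd_conf_file_services.msg is not defined or "replacements" not in sssd_conf_file_services.msg
```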
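Review bot: The path pattern `^/etc/sssd/(sssd|conf\.d/.*)\.conf$` on the new side accepts any name under `conf.d` that ends in `.conf`, including dot-prefixed names and paths in subdirectories, which SSSD itself presumably does not load as snippets, so the platform can become applicable on a host whose only "configuration" is a file the daemon ignores. A basename-scoped alternative such as `^/etc/sssd/(sssd|conf\.d/[^/.][^/]*)\.conf$` would track what the daemon reads more closely; whether the file object already limits recursion cannot be told here because the element markup was stripped from this rendering. Presence also says nothing about ownership and mode, and since SSSD only reads 0600 root-owned files, the CPE description would benefit from a sentence saying that this platform checks existence only, not loadability.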
From: Marcus Burghardt Date: Mon, 16 Sep 2024 16:31:32 +0200 Subject: [PATCH 9/9] Use sssd_conf_files_present applicability in sssd_enable_pam_services This rule is only applicable when SSSD is already in use and consequently configured. Signed-off-by: Marcus Burghardt --- .../services/sssd/sssd_enable_pam_services/rule.yml | 9 ++++++++- .../tests/sssd_config_missing.fail.sh | 3 +++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml b/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml index 29b3f397906..dd12e77d0c8 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml @@ -1,6 +1,5 @@ documentation_complete: true - title: 'Configure PAM in SSSD Services' description: |- @@ -37,6 +36,8 @@ references: srg: SRG-OS-000375-GPOS-00160,SRG-OS-000376-GPOS-00161,SRG-OS-000377-GPOS-00162 stigid@ol7: OL07-00-041002 +platform: sssd_conf_files_present + ocil_clause: 'it does not exist or ''pam'' is not added to the ''services'' option under the ''sssd'' section' ocil: |- @@ -44,3 +45,9 @@ ocil: |-
$ sudo grep services /etc/sssd/sssd.conf
If configured properly, output should be similar to
services = pam
+ +warnings: + - general: + This rule will report as "notapplicable" if there is no SSSD configuration file present + in the system. The SSSD configuration might be different for each site and therefore a new + configuration file is not automatically created. diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_config_missing.fail.sh b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_config_missing.fail.sh index 2c2a9a715b1..d4afd1157f9 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_config_missing.fail.sh +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/tests/sssd_config_missing.fail.sh @@ -2,6 +2,9 @@ # packages = sssd-common # remediation = none +# SSSD configuration files are expected to be created manually since the configuration can +# be different for each site. Therefore, if there is no configuration files previously created +# in the system, this rule will report "not applicable". SSSD_CONF_FILE="/etc/sssd/sssd.conf" SSSD_CONF_DIR_FILES="/etc/sssd/conf.d/*.conf"
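Review bot: With `platform: sssd_conf_files_present` the rule evaluates to notapplicable when no configuration exists, yet the scenario that exercises that state, `sssd_config_missing.fail.sh` in this patch's diffstat, keeps its `.fail.sh` name; the test suite presumably distinguishes `.notapplicable.sh` scenarios, and a fail scenario that can never fail will be reported as a mismatch rather than documenting the intent. The new warning should also state the other half of the contract, e.g. appending `Remediation only edits existing files; it never creates /etc/sssd/sssd.conf or snippets under /etc/sssd/conf.d.` The OCIL just above (context lines) still greps only `/etc/sssd/sssd.conf`, while the applicability and the remediations also honour `/etc/sssd/conf.d/*.conf`; `$ sudo grep -r '^\s*services' /etc/sssd/sssd.conf /etc/sssd/conf.d/` would cover both. The `ocil` block begins outside this hunk.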