Stabilization: fix sle16 pam options#14425
Open
teacup-on-rockingchair wants to merge 2 commits intoComplianceAsCode:stabilizationfrom
Open
Stabilization: fix sle16 pam options#14425teacup-on-rockingchair wants to merge 2 commits intoComplianceAsCode:stabilizationfrom
teacup-on-rockingchair wants to merge 2 commits intoComplianceAsCode:stabilizationfrom
Conversation
…/etc directories In SLE16 it is the case the distribution default configuration comes in /usr subdirs and system-wide custom configuration sits in /etc so we need to handle both in the template - add ability to specify the external variable name to template - add ability to specify variable type: integer or string - for now this template is only used for 2 rules: use_pam_wheel_for_su and use_pam_wheel_group_for_su, but the approach needs to be applied to other PAM related rules
…heel_group_for_su
teacup-on-rockingchair
added
SLES
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
@@ -6,12 +6,12 @@
The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount within GNOME3, add or set
-automount to false in /etc/dconf/db/gdm.d/00-security-settings.
+automount to false in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
automount=false
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/automount
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount' differs.
--- ocil:ssg-dconf_gnome_disable_automount_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_automount_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.media-handling automount
If properly configured, the output for automount should be false.
To ensure that users cannot enable automount in GNOME3, run the following:
-$ grep 'automount' /etc/dconf/db/gdm.d/locks/*
+$ grep 'automount' /etc/dconf/db/local.d/locks/*
If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount
Is it the case that GNOME automounting is not disabled?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
@@ -2,6 +2,7 @@
if rpm --quiet -q gdm; then
# apply fix for enable_dconf_user_profile, OVAL checks it
+
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
@@ -6,12 +6,12 @@
The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount-open within GNOME3, add or set
-automount-open to false in /etc/dconf/db/gdm.d/00-security-settings.
+automount-open to false in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
automount-open=false
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/automount-open
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open' differs.
--- ocil:ssg-dconf_gnome_disable_automount_open_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_automount_open_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.media-handling automount-open
If properly configured, the output for automount-openshould be false.
To ensure that users cannot enable automount opening in GNOME3, run the following:
-$ grep 'automount-open' /etc/dconf/db/gdm.d/locks/*
+$ grep 'automount-open' /etc/dconf/db/local.d/locks/*
If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open
Is it the case that GNOME automounting is not disabled?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
@@ -2,6 +2,7 @@
if rpm --quiet -q gdm; then
# apply fix for enable_dconf_user_profile, OVAL checks it
+
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
@@ -6,12 +6,12 @@
The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable autorun-never within GNOME3, add or set
-autorun-never to true in /etc/dconf/db/gdm.d/00-security-settings.
+autorun-never to true in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
autorun-never=true
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/autorun-never
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun' differs.
--- ocil:ssg-dconf_gnome_disable_autorun_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_autorun_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.media-handling autorun-never
If properly configured, the output for autorun-nevershould be true.
To ensure that users cannot enable autorun in GNOME3, run the following:
-$ grep 'autorun-never' /etc/dconf/db/gdm.d/locks/*
+$ grep 'autorun-never' /etc/dconf/db/local.d/locks/*
If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never
Is it the case that GNOME autorun is not disabled?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
@@ -6,12 +6,12 @@
By default, GNOME does not require credentials when using Vino for
remote access. To configure the system to require remote credentials, add or set
authentication-methods to ['vnc'] in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/Vino]
authentication-methods=['vnc']
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt' differs.
--- ocil:ssg-dconf_gnome_remote_access_credential_prompt_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_remote_access_credential_prompt_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.Vino authentication-methods
If properly configured, the output should be false.
To ensure that users cannot disable credentials for remote access, run the following:
-$ grep authentication-methods /etc/dconf/db/gdm.d/locks/*
+$ grep authentication-methods /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/Vino/authentication-methods
Is it the case that wireless network notification is enabled and not disabled?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
@@ -6,12 +6,12 @@
By default, GNOME requires encryption when using Vino for remote access.
To prevent remote access encryption from being disabled, add or set
require-encryption to true in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/Vino]
require-encryption=true
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/Vino/require-encryption
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption' differs.
--- ocil:ssg-dconf_gnome_remote_access_encryption_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_remote_access_encryption_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.Vino require-encrpytion
If properly configured, the output should be true.
To ensure that users cannot disable encrypted remote connections, run the following:
-$ grep require-encryption /etc/dconf/db/gdm.d/locks/*
+$ grep require-encryption /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/Vino/require-encryption
Is it the case that remote access connections are not encrypted?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
@@ -5,11 +5,11 @@
[description]:
To activate the screensaver in the GNOME3 desktop after a period of inactivity,
add or set idle-activation-enabled to true in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
idle-activation-enabled=true
Once the setting has been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled' differs.
--- ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.screensaver idle-activation-enabled
If properly configured, the output should be true.
To ensure that users cannot disable the screensaver idle inactivity setting, run the following:
-$ grep idle-activation-enabled /etc/dconf/db/gdm.d/locks/*
+$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled
Is it the case that idle-activation-enabled is not enabled or configured?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
@@ -4,12 +4,12 @@
[description]:
The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
-setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/gdm.d directory
-and locked in /etc/dconf/db/gdm.d/locks directory to prevent user modification.
+setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
+and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
For example, to configure the system for a 15 minute delay, add the following to
-/etc/dconf/db/gdm.d/00-security-settings:
+/etc/dconf/db/local.d/00-security-settings:
[org/gnome/desktop/session]
idle-delay=uint32 900
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' differs.
--- ocil:ssg-dconf_gnome_screensaver_idle_delay_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_idle_delay_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.session idle-delay
If properly configured, the output should be 'uint32 '.
To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
-$ grep idle-delay /etc/dconf/db/gdm.d/locks/*
+$ grep idle-delay /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/session/idle-delay
Is it the case that idle-delay is set to 0 or a value greater than <sub idref="inactivity_timeout_value" />?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
@@ -2,7 +2,6 @@
if rpm --quiet -q gdm; then
inactivity_timeout_value=''
-
# Check for setting in any of the DConf db directories
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
@@ -6,7 +6,7 @@
To activate the locking delay of the screensaver in the GNOME3 desktop when
the screensaver is activated, add or set lock-delay to uint32 'xccdf_org.ssgproject.content_value_var_screensaver_lock_delay'
in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-delay=uint32 'xccdf_org.ssgproject.content_value_var_screensaver_lock_delay'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
@@ -1,8 +1,10 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm; then
+# apply fix for enable_dconf_user_profile, OVAL checks it
+
+
var_screensaver_lock_delay=''
-
# Check for setting in any of the DConf db directories
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
@@ -5,12 +5,12 @@
[description]:
To activate locking of the screensaver in the GNOME3 desktop when it is activated,
add or set lock-enabled to true in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-enabled=true
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' differs.
--- ocil:ssg-dconf_gnome_screensaver_lock_enabled_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_lock_enabled_ocil:questionnaire:1
@@ -3,7 +3,7 @@
$ gsettings get org.gnome.desktop.screensaver lock-enabled
If properly configured, the output should be true.
To ensure that users cannot change how long until the screensaver locks, run the following:
-$ grep lock-enabled /etc/dconf/db/gdm.d/locks/*
+$ grep lock-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled
Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly?
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
@@ -76,7 +76,7 @@
- name: Enable GNOME3 Screensaver Lock After Idle Period - Enable GNOME3 Screensaver
Lock After Idle Period
community.general.ini_file:
- dest: /etc/dconf/db/gdm.d/00-security-settings
+ dest: /etc/dconf/db/local.d/00-security-settings
section: org/gnome/desktop/lockdown
option: disable-lock-screen
value: 'false'
@@ -105,7 +105,7 @@
- name: Enable GNOME3 Screensaver Lock After Idle Period - Prevent user modification
of GNOME disable-lock-screen
ansible.builtin.lineinfile:
- path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
+ path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/desktop/lockdown/disable-lock-screen$
line: /org/gnome/desktop/lockdown/disable-lock-screen
create: true
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
@@ -5,12 +5,12 @@
[description]:
To set the screensaver mode in the GNOME3 desktop to a blank screen,
add or set picture-uri to string '' in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
picture-uri=string ''
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank' differs.
--- ocil:ssg-dconf_gnome_screensaver_mode_blank_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_mode_blank_ocil:questionnaire:1
@@ -3,7 +3,7 @@
If properly configured, the output should be ''.
To ensure that users cannot set the screensaver background, run the following:
-$ grep picture-uri /etc/dconf/db/gdm.d/locks/*
+$ grep picture-uri /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri
Is it the case that it is not set or configured properly?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
@@ -5,7 +5,7 @@
[description]:
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/lock-delay
-to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks' differs.
--- ocil:ssg-dconf_gnome_screensaver_user_locks_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_user_locks_ocil:questionnaire:1
@@ -1,5 +1,5 @@
To ensure that users cannot change session idle and lock settings, run the following:
-$ grep 'lock-delay' /etc/dconf/db/gdm.d/locks/*
+$ grep 'lock-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/screensaver/lock-delay
Is it the case that GNOME3 session settings are not locked or configured properly?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
@@ -5,7 +5,7 @@
[description]:
If not already configured, ensure that users cannot change GNOME3 session idle settings
by adding /org/gnome/desktop/session/idle-delay
-to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks' differs.
--- ocil:ssg-dconf_gnome_session_idle_user_locks_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_session_idle_user_locks_ocil:questionnaire:1
@@ -1,5 +1,5 @@
To ensure that users cannot change session idle and lock settings, run the following:
-$ grep 'idle-delay' /etc/dconf/db/gdm.d/locks/*
+$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/session/idle-delay
Is it the case that idle-delay is not locked?
OVAL for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su' differs.
--- oval:ssg-use_pam_wheel_for_su:def:1
+++ oval:ssg-use_pam_wheel_for_su:def:1
@@ -1,2 +1,2 @@
criteria AND
-criterion oval:ssg-test_use_pam_wheel_for_su:tst:1
+criterion oval:ssg-test_pam_auth_pam_wheel_use_uid:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su' differs.
--- xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su
+++ xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su
@@ -1,8 +1,57 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
-# uncomment the option if commented
-sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su
+declare -a VALUES=()
+declare -a VALUE_NAMES=()
+declare -a ARGS=()
+declare -a NEW_ARGS=()
+declare -a DEL_ARGS=()
+
+
+
+
+VALUES+=("")
+VALUE_NAMES+=("")
+ARGS+=("use_uid")
+NEW_ARGS+=("use_uid")
+
+
+for idx in "${!VALUES[@]}"
+do
+ if [ -e "/etc/pam.d/su" ] ; then
+ valueRegex="${VALUES[$idx]}" defaultValue="${VALUES[$idx]}"
+ # non-empty values need to be preceded by an equals sign
+ [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
+ # add an equals sign to non-empty values
+ [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
+
+ # fix the value for 'option' if one exists but does not match 'valueRegex'
+ if grep -q -P "^\\s*auth\\s+required\\s+pam_wheel.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/su" ; then
+ sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+required\\s+pam_wheel.so(\\s.+)?\\s)${VALUE_NAMES[$idx]}=[^[:space:]]*/\\1${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/su"
+
+ # add 'option=default' if option is not set
+ elif grep -q -E "^\\s*auth\\s+required\\s+pam_wheel.so" < "/etc/pam.d/su" &&
+ grep -E "^\\s*auth\\s+required\\s+pam_wheel.so" < "/etc/pam.d/su" | grep -q -E -v "\\s${VALUE_NAMES[$idx]}(=|\\s|\$)" ; then
+
+ sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+required\\s+pam_wheel.so[^\\n]*)/\\1 ${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/su"
+ # add a new entry if none exists
+ elif ! grep -q -P "^\\s*auth\\s+required\\s+pam_wheel.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}${valueRegex}(\\s|\$)" < "/etc/pam.d/su" ; then
+ echo "auth required pam_wheel.so ${VALUE_NAMES[$idx]}${defaultValue}" >> "/etc/pam.d/su"
+ fi
+ else
+ echo "/etc/pam.d/su doesn't exist" >&2
+ fi
+done
+
+for idx in "${!ARGS[@]}"
+do
+ if ! grep -q -P "^\s*auth\s+required\s+pam_wheel.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/su ; then
+ sed --follow-symlinks -i -E -e "s/^\\s*auth\\s+required\\s+pam_wheel.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/su
+ if [ -n "${DEL_ARGS[$idx]}" ]; then
+ sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/su
+ fi
+ fi
+done
else
>&2 echo 'Remediation is not applicable, nothing was done'
New data stream is missing ansible remediation for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su'.
OVAL for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su' differs.
--- oval:ssg-use_pam_wheel_group_for_su:def:1
+++ oval:ssg-use_pam_wheel_group_for_su:def:1
@@ -1,2 +1,3 @@
criteria AND
-criterion oval:ssg-test_use_pam_wheel_group_for_su:tst:1
+criterion oval:ssg-test_pam_auth_pam_wheel_group:tst:1
+criterion oval:ssg-test_pam_auth_pam_wheel_use_uid:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su' differs.
--- xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su
+++ xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su
@@ -1,21 +1,66 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
+declare -a VALUES=()
+declare -a VALUE_NAMES=()
+declare -a ARGS=()
+declare -a NEW_ARGS=()
+declare -a DEL_ARGS=()
+
+
+
+
+
+
var_pam_wheel_group_for_su=''
+VALUES+=("$var_pam_wheel_group_for_su")
+VALUE_NAMES+=("group")
+ARGS+=("")
+NEW_ARGS+=("")
-PAM_CONF=/etc/pam.d/su
+VALUES+=("")
+VALUE_NAMES+=("")
+ARGS+=("use_uid")
+NEW_ARGS+=("use_uid")
-pamstr=$(grep -P '^auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)(?=[^#]*\bgroup=)' ${PAM_CONF})
-if [ -z "$pamstr" ]; then
- sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' ${PAM_CONF} # remove any remaining uncommented pam_wheel.so line
- sed -Ei "/^auth\s+sufficient\s+pam_rootok\.so.*$/a auth required pam_wheel.so use_uid group=${var_pam_wheel_group_for_su}" ${PAM_CONF}
-else
- group_val=$(echo -n "$pamstr" | grep -Eo '\bgroup=[_a-z][-0-9_a-z]*' | cut -d '=' -f 2)
- if [ -z "${group_val}" ] || [ ${group_val} != ${var_pam_wheel_group_for_su} ]; then
- sed -Ei "s/(^auth\s+required\s+pam_wheel.so\s+[^#]*group=)[_a-z][-0-9_a-z]*/\1${var_pam_wheel_group_for_su}/" ${PAM_CONF}
+
+for idx in "${!VALUES[@]}"
+do
+ if [ -e "/etc/pam.d/su" ] ; then
+ valueRegex="${VALUES[$idx]}" defaultValue="${VALUES[$idx]}"
+ # non-empty values need to be preceded by an equals sign
+ [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
+ # add an equals sign to non-empty values
+ [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
+
+ # fix the value for 'option' if one exists but does not match 'valueRegex'
+ if grep -q -P "^\\s*auth\\s+required\\s+pam_wheel.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/su" ; then
+ sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+required\\s+pam_wheel.so(\\s.+)?\\s)${VALUE_NAMES[$idx]}=[^[:space:]]*/\\1${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/su"
+
+ # add 'option=default' if option is not set
+ elif grep -q -E "^\\s*auth\\s+required\\s+pam_wheel.so" < "/etc/pam.d/su" &&
+ grep -E "^\\s*auth\\s+required\\s+pam_wheel.so" < "/etc/pam.d/su" | grep -q -E -v "\\s${VALUE_NAMES[$idx]}(=|\\s|\$)" ; then
+
+ sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+required\\s+pam_wheel.so[^\\n]*)/\\1 ${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/su"
+ # add a new entry if none exists
+ elif ! grep -q -P "^\\s*auth\\s+required\\s+pam_wheel.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}${valueRegex}(\\s|\$)" < "/etc/pam.d/su" ; then
+ echo "auth required pam_wheel.so ${VALUE_NAMES[$idx]}${defaultValue}" >> "/etc/pam.d/su"
+ fi
+ else
+ echo "/etc/pam.d/su doesn't exist" >&2
fi
-fi
+done
+
+for idx in "${!ARGS[@]}"
+do
+ if ! grep -q -P "^\s*auth\s+required\s+pam_wheel.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/su ; then
+ sed --follow-symlinks -i -E -e "s/^\\s*auth\\s+required\\s+pam_wheel.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/su
+ if [ -n "${DEL_ARGS[$idx]}" ]; then
+ sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/su
+ fi
+ fi
+done
else
>&2 echo 'Remediation is not applicable, nothing was done'
New data stream is missing ansible remediation for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su'. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description:
Rationale:
In SLE16 it is the case the distribution default configuration comes in /usr subdirs and system-wide custom configuration sits in /etc so we need to handle both in the template
Review Hints: