Rule sssd_enable_smartcards fails on RHEL 10 #12907

Open
matusmarhefka opened this issue Jan 27, 2025 · 4 comments
Labels
productization-issue Issue found in upstream stabilization process. RHEL10 Red Hat Enterprise Linux 10 product related.

Comments

@matusmarhefka
Member

Description of problem:

Rule sssd_enable_smartcards fails on RHEL 10. The rule remediations (both Bash and Ansible) don't fix the rule. Example output of the Bash remediation:

```
Current configuration is valid.
[error] Unknown profile feature [with-smartcard]
[error] Unable to activate profile [custom/hardening] [22]: Invalid argument
Unable to enable feature [22]: Invalid argument
Backup stored at /var/lib/authselect/backups/2025-01-25-00-55-14.Tfhong
Changes were successfully applied.
```

This is caused by the authselect command which is executed by the remediation. The output of the authselect command on a fresh RHEL 10.0 system:

```
# authselect enable-feature with-smartcard
[error] Unknown profile feature [with-smartcard]
[error] Unable to activate profile [local] [22]: Invalid argument
Unable to enable feature [22]: Invalid argument
# echo $?
1
```

The issue is caused by #12882 where the Jinja macros have been updated for RHEL 10.

SCAP Security Guide Version:

master @ 943f42c

Operating System Version:

RHEL-10.0

Steps to Reproduce:

  1. Run remediation of stig, stig_gui or ism_o profile.
@matusmarhefka matusmarhefka added productization-issue Issue found in upstream stabilization process. RHEL10 Red Hat Enterprise Linux 10 product related. labels Jan 27, 2025
@Mab879
Member

Mab879 commented Jan 27, 2025

So we're somehow using the local auth select profile; we should be using the sssd auth select profile. That's concerning, and fixing the profile selection should fix some of the issues here.

@matusmarhefka
Member Author

> So we're somehow using the local auth select profile; we should be using the sssd auth select profile. That's concerning, and fixing the profile selection should fix some of the issues here.

Just a note to make sure we are on the same page: the output with local is on a vanilla RHEL-10.0 (without hardening). Our STIG hardening uses the custom/hardening profile, as can be seen from the first snippet from the Bash remediation.

@Mab879
Member

Mab879 commented Jan 28, 2025

You are correct. However, it seems that profile is based on local, not sssd. That might be the source of our issues. It seems we might have an ordering issue. enable_authselect needs to be before sssd_enable_smartcards.

@Mab879
Member

Mab879 commented Jan 29, 2025

On RHEL 8 and 9 the default profile is sssd which has the smart-card feature. RHEL 10 defaults to the local profile which doesn't have this feature. So just for RHEL 10+ we need to ensure sssd is set as the current profile before we create custom/hardening.

So my question is: do we want to update bash_ensure_authselect_custom_profile and ensure it selects sssd as its base?

@marcusburghardt any insight you have here would be helpful.
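
A pre-check for the failure discussed in this thread, as an added example that is not part of the issue or the project's remediation code: it asks authselect which features the selected profile offers and only then runs `enable-feature`, so a profile without `with-smartcard` is reported with a distinct exit code. The function names and exit codes are hypothetical, and the sample feature lists are constructed.

```shell
#!/bin/sh
# Added example, not the project's remediation code.
FEATURE="with-smartcard"

# Constructed, abridged samples of `authselect list-features <profile>` output
# (one feature per line); real lists depend on the authselect version.
SAMPLE_SSSD_FEATURES="with-faillock
with-mkhomedir
with-smartcard
with-smartcard-required"
SAMPLE_LOCAL_FEATURES="with-faillock
with-mkhomedir"

# Succeeds only if feature $1 is a whole line of the list on stdin, so
# "with-smartcard-required" alone does not count as "with-smartcard".
profile_has_feature() {
    grep -Fxq -- "$1"
}

# First field of `authselect current --raw` ("<profile-id> [feature ...]").
current_profile_id() {
    awk 'NR == 1 { print $1 }'
}

# Enable the feature only when the selected profile offers it.
# Returns 2 if no profile is selected, 3 if the profile lacks the feature.
enable_smartcard_if_supported() {
    raw=$(authselect current --raw 2>/dev/null) || {
        echo "no authselect profile is selected" >&2
        return 2
    }
    profile=$(printf '%s\n' "$raw" | current_profile_id)
    if authselect list-features "$profile" | profile_has_feature "$FEATURE"; then
        authselect enable-feature "$FEATURE"
    else
        echo "profile '$profile' does not provide $FEATURE; not enabling" >&2
        return 3
    fi
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--apply" ]; then
    enable_smartcard_if_supported
fi
```

Exit code 3 here corresponds to the `Unknown profile feature [with-smartcard]` case shown in the issue description, detected before any change is attempted.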
