Disallow spaces in SSSD certificate_verification option #11728
Conversation
We will not allow spaces around the equal sign in the value of the certificate_verification option in SSSD configuration. This will align our content with RHEL 9 STIG requirements. Fixes: ComplianceAsCode#11708
jan-cerny
added
bugfix
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' differs.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -21,12 +21,12 @@
# find key in section and change value
if grep -qzosP "[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*certificate_verification" "$f"; then
- sed -i "s/certificate_verification[^(\n)]*/certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function/" "$f"
+ sed -i "s/certificate_verification[^(\n)]*/certificate_verification = ocsp_dgst=$var_sssd_certificate_verification_digest_function/" "$f"
found=true
# find section and add key = value to it
elif grep -qs "[[:space:]]*\[sssd\]" "$f"; then
- sed -i "/[[:space:]]*\[sssd\]/a certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" "$f"
+ sed -i "/[[:space:]]*\[sssd\]/a certificate_verification = ocsp_dgst=$var_sssd_certificate_verification_digest_function" "$f"
found=true
fi
done
@@ -35,7 +35,7 @@
if ! $found ; then
file=$(echo "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
- echo -e "[sssd]\ncertificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" >> "$file"
+ echo -e "[sssd]\ncertificate_verification = ocsp_dgst=$var_sssd_certificate_verification_digest_function" >> "$file"
fi
umask $OLD_UMASK
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' differs.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -60,7 +60,7 @@
path: /etc/sssd/conf.d/certificate_verification.conf
section: sssd
option: certificate_verification
- value: ocsp_dgst = {{ var_sssd_certificate_verification_digest_function }}
+ value: ocsp_dgst={{ var_sssd_certificate_verification_digest_function }}
state: present
mode: 384
when: '"sssd-common" in ansible_facts.packages' |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
|
Code Climate has analyzed commit 2e4027b and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.3% (0.0% change). View more on Code Climate. |
On VM the tests fail. |
|
@Mab879 Interesting. But I can't reproduce the fail locally. Are you on a correct branch? I tried it multiple times both on RHEL 8 and RHEL 9. |
Seems it was an issue on my side. The tests pass now. |
|
The failure of SLE15 Automatus is expected as this rule isn't in the benchmark. |
We will not allow spaces around the equal sign in the value of the certificate_verification option in SSSD configuration. This will align our content with RHEL 9 STIG requirements.
Fixes: #11708