Add Ansible remediation to sssd_enable_pam_services #11796
Conversation
This commit adds an Ansible remediation to rule sssd_enable_pam_services. Fixes: ComplianceAsCode#11753
jan-cerny
added
bugfix
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffNew data stream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_pam_services'. |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
|
/packit retest-failed |
There was a problem hiding this comment.
Besides my comments in the Ansible remediation, I also saw some test scenarios confusing in this rule. For example, variables not used (services_pam_missing.fail.sh). I missed a pass test scenario using drop-in files in /etc/sssd/conf.d/. I know the test scenarios are not part of this PR but it could be valid to take a look on them.
linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml
Show resolved
Hide resolved
linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml
Outdated
Show resolved
Hide resolved
Imrpove the regular expression so that it won't match entries containing the pam entry. This would lead to duplication of pam entries if the Playbook is executed twice or multiple times.
This test scenario tests a pass situation if the conf.d directory is used for configuration.
|
I have add rule titles, changed the regexes and I have add the test scenario. |
|
/packit retest-failed |
Resolves this fail on CentOS 7: 34/44 Test #34: ansible-playbook-syntax-check-rhel7 ..............................***Failed 2.69 sec [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all' ERROR! couldn't resolve module/action 'community.general.ini_file'. This often indicates a misspelling, missing collection, or incorrect module path.
The problem will be fixed by PR ComplianceAsCode/content#11796 which will add an Ansible remediation for sssd_enable_pam_services.
|
I have created PR RHSecurityCompliance/contest#148 in contest project. |
| path: /etc/sssd/sssd.conf | ||
| section: sssd | ||
| option: services | ||
| value: pam |
There was a problem hiding this comment.
There is an issue with this last task. It is here to ensure a case where the services line is not present in [sssd]. However in most cases, if not all cases, the services is already there and commonly would include more services instead of only pam.
For example, if the line is:
services = nss,pam
This last task will remove nss and leave the line as services = pam. This is not desired.
I believe the way to solve this is creating another task in check mode only to test if there is already a line with services = * and use the result in this last task.
There was a problem hiding this comment.
I believe the same logic used here can be useful for this case:
https://github.com/ComplianceAsCode/content/blob/master/shared/macros/10-ansible.jinja#L1435-L1462
If a services key exists, and contains a compliant line in sssd.conf which also contains other services, eg. `services = nss,pam` we shouldn't remove the other services but we should keep them.
|
I have changed the Ansible code to prevent removing existing entries |
@jan-cerny , unfortunately now it is not creating the line if it is missing in |
It seems I can't commit in this PR, but here is an update that should resolve the issue: |
The task was updated to ensure that last task is only executed when there isn't already any definition of "services" in sssd section. Only this case a new line will be included. This is to avoid removing existing options from existing configuration.
|
I have added that commit to this PR. |
|
Code Climate has analyzed commit 1f7b478 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.2% (0.0% change). View more on Code Climate. |
There was a problem hiding this comment.
Thanks @jan-cerny . I tested the changes also in local VMs and everything is working as expected. I am just waiting the CI tests to finish.
|
/packit retest-failed |
This commit adds an Ansible remediation to rule sssd_enable_pam_services.
Fixes: #11753