Describe the Issue
Direct Editing of PAM files managed by authselect in section 5.5.1-4 causes any later use of authselect profiles to abort with an error due to the current live pam files having unexpected changes in them.
$ sudo authselect select sssd with-mkhomedir
[error] [/etc/authselect/system-auth] has unexpected content!
[error] [/etc/authselect/password-auth] has unexpected content!
[error] Unexpected changes to the configuration were detected.
[error] Refusing to activate profile unless those changes are removed or overwrite is requested.
Some unexpected changes to the configuration were detected.
Use --force parameter if you want to overwrite these changes.
The files being edited are symlinks to the authselect versions
$ ls -alrt /etc/pam.d/
total 88
-rw-r--r--. 1 root root 322 Feb 15 2019 crond
-rw-r--r--. 1 root root 168 May 14 2022 passwd
-rw-r--r--. 1 root root 155 Apr 21 2023 polkit-1
-rw-r--r-- 1 root root 214 Jun 23 2023 sssd-shadowutils
-rw-r--r-- 1 root root 154 Oct 28 09:26 other
-rw-r--r-- 1 root root 232 Oct 28 09:26 config-util
-rw-r--r-- 1 root root 84 Oct 31 21:28 vlock
-rw-r--r-- 1 root root 137 Nov 6 01:14 su-l
-rw-r--r-- 1 root root 566 Nov 6 01:14 su
-rw-r--r-- 1 root root 138 Nov 6 01:14 runuser-l
-rw-r--r-- 1 root root 143 Nov 6 01:14 runuser
-rw-r--r-- 1 root root 640 Nov 6 01:14 remote
-rw-r--r-- 1 root root 676 Nov 6 01:14 login
-rw-r--r-- 1 root root 910 Dec 12 15:47 cockpit
-rw-r--r-- 1 root root 414 Jan 23 10:22 systemd-user
-rw-r--r-- 1 root root 178 Feb 14 19:23 sudo-i
-rw-r--r-- 1 root root 154 Feb 14 19:23 sudo
-rw-r--r-- 1 root root 727 Mar 6 10:01 sshd
lrwxrwxrwx 1 root root 27 Mar 13 03:02 system-auth -> /etc/authselect/system-auth
lrwxrwxrwx 1 root root 30 Mar 13 03:02 smartcard-auth -> /etc/authselect/smartcard-auth
lrwxrwxrwx 1 root root 25 Mar 13 03:02 postlogin -> /etc/authselect/postlogin
lrwxrwxrwx 1 root root 29 Mar 13 03:02 password-auth -> /etc/authselect/password-auth
lrwxrwxrwx 1 root root 32 Mar 13 03:02 fingerprint-auth -> /etc/authselect/fingerprint-auth
drwxr-xr-x. 2 root root 4096 Mar 13 03:02 .
drwxr-xr-x. 97 root root 8192 Mar 14 19:24 ..
This is also different behavior than the way 5.4.1 operates regarding pam files and authselect. For the 5.4.1 edits, one either
creates a custom profile, which then appropriately runs the authselect select <profile> directive, or
sets the "ACCEPT" risk flag for direct pam file editing when not using authselect.
Expected Behavior
5.5.1 - 5.5.4 would either use a custom authselect profile, or require a similar rhel9cis_5_4_2_risks == 'ACCEPT' type flag
Actual Behavior
5.5.1 through 5.5.4 directly edit pam files managed by authselect without telling authselect
Control(s) Affected
5.5.1 through 5.5.4
Environment (please complete the following information):
branch being used: devel
https://github.com/ansible-lockdown/RHEL9-CIS/blob/devel/tasks/section_5/cis_5.5.x.yml
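A pre-edit guard for the situation reported above, as an added example that is not part of the original issue or of the RHEL9-CIS role: it identifies PAM files that are symlinks into the authselect directory, like `system-auth` and `password-auth` in the listing, and refuses a direct edit of them. The function names and the optional directory arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): detect authselect-managed PAM
# files before a hardening task edits them in place.

# is_authselect_managed FILE [AUTHSELECT_DIR]
# Succeeds when FILE is a symlink whose resolved target is under AUTHSELECT_DIR.
is_authselect_managed() {
    file=$1
    asdir=${2:-/etc/authselect}
    [ -L "$file" ] || return 1
    target=$(readlink -f "$file") || return 1
    asdir_real=$(readlink -f "$asdir") || return 1
    case $target in
        "$asdir_real"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# list_managed_pam_files [PAM_DIR] [AUTHSELECT_DIR]
# Prints the basenames of managed files, one per line, sorted.
list_managed_pam_files() {
    pamdir=${1:-/etc/pam.d}
    asdir=${2:-/etc/authselect}
    for f in "$pamdir"/*; do
        if is_authselect_managed "$f" "$asdir"; then
            basename "$f"
        fi
    done | sort
}

# guard_pam_edit FILE [AUTHSELECT_DIR]
# Returns 1 for a managed file, so the caller skips the in-place edit and
# changes a custom profile instead.
guard_pam_edit() {
    if is_authselect_managed "$1" "${2:-/etc/authselect}"; then
        echo "refusing direct edit of $1: managed by authselect;" \
             "edit a custom profile and run 'authselect apply-changes'" >&2
        return 1
    fi
    return 0
}
```

On a host laid out like the listing above, `list_managed_pam_files` with no arguments reports the five symlinked files, while regular files such as `sshd` pass the guard.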