
5.5.1 through 5.5.4 do not account for authselect #191

Closed
numericillustration opened this issue Mar 14, 2024 · 1 comment
@numericillustration (Contributor) commented:
Describe the Issue
Direct editing of PAM files managed by authselect in sections 5.5.1-4 causes any later use of authselect profiles to abort with an error, because the current live PAM files have unexpected changes in them.

https://github.com/ansible-lockdown/RHEL9-CIS/blob/devel/tasks/section_5/cis_5.5.x.yml

$ sudo authselect select sssd with-mkhomedir
[error] [/etc/authselect/system-auth] has unexpected content!
[error] [/etc/authselect/password-auth] has unexpected content!
[error] Unexpected changes to the configuration were detected.
[error] Refusing to activate profile unless those changes are removed or overwrite is requested.

Some unexpected changes to the configuration were detected.
Use --force parameter if you want to overwrite these changes.

The files being edited are symlinks to the authselect versions:

$ ls -alrt /etc/pam.d/
total 88
-rw-r--r--.  1 root root  322 Feb 15  2019 crond
-rw-r--r--.  1 root root  168 May 14  2022 passwd
-rw-r--r--.  1 root root  155 Apr 21  2023 polkit-1
-rw-r--r--   1 root root  214 Jun 23  2023 sssd-shadowutils
-rw-r--r--   1 root root  154 Oct 28 09:26 other
-rw-r--r--   1 root root  232 Oct 28 09:26 config-util
-rw-r--r--   1 root root   84 Oct 31 21:28 vlock
-rw-r--r--   1 root root  137 Nov  6 01:14 su-l
-rw-r--r--   1 root root  566 Nov  6 01:14 su
-rw-r--r--   1 root root  138 Nov  6 01:14 runuser-l
-rw-r--r--   1 root root  143 Nov  6 01:14 runuser
-rw-r--r--   1 root root  640 Nov  6 01:14 remote
-rw-r--r--   1 root root  676 Nov  6 01:14 login
-rw-r--r--   1 root root  910 Dec 12 15:47 cockpit
-rw-r--r--   1 root root  414 Jan 23 10:22 systemd-user
-rw-r--r--   1 root root  178 Feb 14 19:23 sudo-i
-rw-r--r--   1 root root  154 Feb 14 19:23 sudo
-rw-r--r--   1 root root  727 Mar  6 10:01 sshd
lrwxrwxrwx   1 root root   27 Mar 13 03:02 system-auth -> /etc/authselect/system-auth
lrwxrwxrwx   1 root root   30 Mar 13 03:02 smartcard-auth -> /etc/authselect/smartcard-auth
lrwxrwxrwx   1 root root   25 Mar 13 03:02 postlogin -> /etc/authselect/postlogin
lrwxrwxrwx   1 root root   29 Mar 13 03:02 password-auth -> /etc/authselect/password-auth
lrwxrwxrwx   1 root root   32 Mar 13 03:02 fingerprint-auth -> /etc/authselect/fingerprint-auth
drwxr-xr-x.  2 root root 4096 Mar 13 03:02 .
drwxr-xr-x. 97 root root 8192 Mar 14 19:24 ..

This is also different behavior from the way 5.4.1 operates regarding PAM files and authselect. For the 5.4.1 edits, one either

  • creates a custom profile, which then appropriately runs the authselect select <profile> directive, or
  • sets the "ACCEPT" risk flag for direct PAM file editing when not using authselect.

Expected Behavior
5.5.1 - 5.5.4 would either use a custom authselect profile, or require a similar rhel9cis_5_4_2_risks == 'ACCEPT' type flag

Actual Behavior
5.5.1 through 5.5.4 directly edit PAM files managed by authselect without telling authselect.

Control(s) Affected
5.5.1 through 5.5.4

Environment (please complete the following information):

  • branch being used: devel


@numericillustration numericillustration added the bug Something isn't working label Mar 14, 2024
@uk-bolly uk-bolly self-assigned this Jun 5, 2024
uk-bolly added a commit that referenced this issue Jun 5, 2024
Signed-off-by: Mark Bolwell <[email protected]>
This was referenced Jun 6, 2024
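The guard the report asks for, as an added shell example written here (it is not the RHEL9-CIS role's own code): a PAM file is treated as authselect-managed when it is a symlink resolving under the authselect directory, and the 5.4.x-style decision is applied on top (custom profile unless the risk flag is ACCEPT). The PAM_DIR and AUTHSELECT_DIR overrides, the risk-flag argument and the strategy names are assumptions made for this example.

```shell
#!/bin/sh
# Returns 0 when PAM file $1 is a symlink that resolves into the authselect
# directory (direct edits there make later "authselect select" refuse to run),
# 1 when it is a plain file that can be edited directly.
# PAM_DIR / AUTHSELECT_DIR are assumed overrides so the check can be exercised
# against a constructed directory layout; they default to the real locations.
pam_is_authselect_managed() {
    file="${1:?pam file name, e.g. system-auth}"
    pam_dir="${PAM_DIR:-/etc/pam.d}"
    as_dir="${AUTHSELECT_DIR:-/etc/authselect}"
    path="$pam_dir/$file"
    [ -L "$path" ] || return 1
    # Resolve both sides fully so relative links and /var -> /private/var
    # style aliases compare correctly.
    target=$(readlink -f "$path") || return 1
    as_real=$(readlink -f "$as_dir") || return 1
    case "$target" in
        "$as_real"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Mirrors the 5.4.x behaviour described in the issue: edit the live file only
# when it is unmanaged or the operator has explicitly accepted the risk;
# otherwise the change belongs in a custom authselect profile.
# $2 is a hypothetical stand-in for a rhel9cis_5_4_2_risks-style variable.
# Prints "direct-edit" or "custom-profile".
pam_edit_strategy() {
    file="$1"
    risk_flag="${2:-}"
    if ! pam_is_authselect_managed "$file"; then
        echo direct-edit
    elif [ "$risk_flag" = "ACCEPT" ]; then
        echo direct-edit
    else
        echo custom-profile
    fi
}

# Usage: report the strategy for the files the issue lists (RISK may be set
# to ACCEPT in the environment to see the opt-in path).
for f in system-auth password-auth sshd; do
    printf '%s: %s\n' "$f" "$(pam_edit_strategy "$f" "${RISK:-}")"
done
```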
@georgenalen (Contributor) commented:

This has been merged into main for release on June 4th, 2024. Closing this ticket since the fix is in the release.
