Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Accept required and requisite control flag for pam_pwhistory #10175

Merged
merged 6 commits into from
Feb 8, 2023
Merged

Accept required and requisite control flag for pam_pwhistory #10175

merged 6 commits into from
Feb 8, 2023

Conversation

marcusburghardt
Copy link
Member

Description:

In RHEL8.8 and RHEL9.2 it was introduced a new authselect feature to enable pam_pwhistory module.
Before the feature, the module was enabled by creating a custom authselect profile.
Historically, the control flag used to enable pam_pwhistory.so was required.
However, the authselect feature uses requisite instead.
These two control flags are correct and the differences are only about the module reporting, without affecting its effect.
Therefore, the assessment should pass if either required or requisite is used.

Rationale:

Thanks to @vojtapolasek researches, it was noticed a possible scenario where the feature is introduced in a system with a custom profile based in older authselect versions. In these cases, the system would be compliant by using the required control flag. However, since the rule is expecting only requisite, it will fail and the remediation would be executed.
However, in these cases, the remediation can't be safely ensured because the remediation will try to use the feature but the custom profile is not aware of the feature. The custom profile should be updated or recreated by the administrator.

Review Hints:

This is a corner case difficult to be tested.
Basically, it would be necessary to scan and remediate a system with the authselect package in a old version, like in the current RHEL8.7.
Then, the system should be updated to use the new authselect package version, which includes the with-pwhistory feature.

Before this patch, the scan with the new authselect package should fail because the control flag is set to required. Consequently, the remediation will fail due to the above mentioned issue.

After this patch, the scan with the new authselect package will pass because both required and requisite are accepted. No remediation will be necessary.

@marcusburghardt marcusburghardt added RHEL9 Red Hat Enterprise Linux 9 product related. Update Rule Issues or pull requests related to Rules updates. RHEL8 Red Hat Enterprise Linux 8 product related. CIS CIS Benchmark related. STIG STIG Benchmark related. labels Feb 7, 2023
@marcusburghardt marcusburghardt added this to the 0.1.67 milestone Feb 7, 2023
@marcusburghardt marcusburghardt requested a review from a team as a code owner February 7, 2023 12:53
@github-actions
Copy link

github-actions bot commented Feb 7, 2023

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@marcusburghardt
Copy link
Member Author

The #10021 is also related to this.

yuumasato
yuumasato requested changes Feb 8, 2023
View reviewed changes
Copy link
Member

@yuumasato yuumasato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@marcusburghardt I'm okay leaving the consolidation of the variables to unique selector to a future PR.

...ocking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml Outdated Show resolved Hide resolved
marcusburghardt and others added 5 commits February 8, 2023 09:00
@marcusburghardt
Introduce variable values with two values for RHEL
81c0c57 
In RHEL8.8 and RHEL9.2 it was introduced a new authselect feature to
enable pam_pwhistory module. Previously, it was enabled by creating a
custom authselect profile. Historically, the control flag used to enable
pam_pwhistory.so was "required". However, the authselect feature uses
"requisite". These two control flags are correct and the differences
relies on how the module result will be reported to the user, without
affecting the module action. Therefore, the assessment should also pass
if required is used.
@marcusburghardt
Update variable value for CIS RHEL8 and RHEL9
397b768
@marcusburghardt
Update variable value for RHEL8 STIG
ff8b8b4
@marcusburghardt
Update variable value in SRG-OS-000077-GPOS-00045
73ff676
@marcusburghardt @yuumasato
Update warning about pwhistory feature in authselect
d6ddb41 
It was noticed a possible scenario where the feature is introduced in a
system with a custom profile based in older authselect versions. In
these cases, the remediation can't be safely ensured and the custom
profile should be updated by the administrator. Included this
information in the rule warning.

Co-authored-by: Watson Yuuma Sato <[email protected]>
yuumasato
yuumasato approved these changes Feb 8, 2023
View reviewed changes
Copy link
Member

@yuumasato yuumasato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, waiting for tests by @vojtapolasek

vojtapolasek
vojtapolasek requested changes Feb 8, 2023
View reviewed changes
Copy link
Collaborator

@vojtapolasek vojtapolasek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @marcusburghardt and thanks for this fix. I have tested it on 8.7 -> 8.8 as well as on 9.1 -> 9.2 and it works nicely.
Just a small note, see the comment and it is ready to be merged.

tests/data/profile_stability/rhel8/stig.profile Outdated Show resolved Hide resolved
@marcusburghardt marcusburghardt mentioned this pull request Feb 8, 2023
Merged
@vojtapolasek
Copy link
Collaborator

@marcusburghardt Please note that the profile stability test was passing even before you shuffled the ssh_keys_passphrase_protected lines in the /tests/data/profile_stability/rhel8/stig.profile. The profile stability test is based on set comparison, the order of lines does not matter. I have tested it - I have checked out the master branch before your PR and the profile stability test for RHEL 8 was passing.
Therefore, I am sure that the change of lines involving a/tests/data/profile_stability/rhel8/stig.profile is not in scope of this PR and actually does not have any considerable impact at all. I see you proposed the change in a separate PR #10182 . That is nice, but this PR does not have to wait for that PR to be merged. Please remove changes WRT ssh_keys_passphrase_protected from this PR so that it can be treated as a single unit.

@codeclimate
Copy link

codeclimate bot commented Feb 8, 2023

Code Climate has analyzed commit f02788a and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 49.5% (0.0% change).

View more on Code Climate.

@marcusburghardt
Copy link
Member Author

@marcusburghardt Please note that the profile stability test was passing even before you shuffled the ssh_keys_passphrase_protected lines in the /tests/data/profile_stability/rhel8/stig.profile. The profile stability test is based on set comparison, the order of lines does not matter. I have tested it - I have checked out the master branch before your PR and the profile stability test for RHEL 8 was passing. Therefore, I am sure that the change of lines involving a/tests/data/profile_stability/rhel8/stig.profile is not in scope of this PR and actually does not have any considerable impact at all. I see you proposed the change in a separate PR #10182 . That is nice, but this PR does not have to wait for that PR to be merged. Please remove changes WRT ssh_keys_passphrase_protected from this PR so that it can be treated as a single unit.

Yes @vojtapolasek , I am aware that this ordering does not affect the result of the test, but I still can't be complacent with the issue that caused the line to be reordered in this PR. We should rely on the stig.profile and stig_gui.profile which are generated automatically and ideally should never be necessary to do manual changes like this on them.

I believe you missed my last comment in the thread, where I informed that the last commit was already updated and the condition on which I agreed to make this manual change in this PR. In any case, the source of issue will now be resolved by #10182, which should be merged as soon as possible to avoid possible "extra updates" in future PRs related to changes in STIG profiles.

@vojtapolasek
Copy link
Collaborator

Great. I will merge it as soon as all tests pass.a

@vojtapolasek vojtapolasek merged commit a191ae5 into ComplianceAsCode:master Feb 8, 2023
@marcusburghardt marcusburghardt deleted the pwhistory_control branch February 8, 2023 14:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yuumasato yuumasato yuumasato approved these changes

@vojtapolasek vojtapolasek vojtapolasek approved these changes

Assignees

@vojtapolasek vojtapolasek

Labels
CIS CIS Benchmark related. RHEL8 Red Hat Enterprise Linux 8 product related. RHEL9 Red Hat Enterprise Linux 9 product related. STIG STIG Benchmark related. Update Rule Issues or pull requests related to Rules updates.
Projects
None yet
Milestone
0.1.67
Development

Successfully merging this pull request may close these issues.
3 participants
@marcusburghardt @vojtapolasek @yuumasato