Fix remediation of sssd_enable_smartcards

[Xeicker]

Description:

• remove unnecessary if statement

Rationale:

• Fix implementation in which there were unreachable code due to wrong macro usage

Review Hints:

Previously generated bash code:

if [ -f /usr/bin/authselect ]; then
    if authselect check; then
        if ! authselect check; then
        echo "
        authselect integrity check failed. Remediation aborted!
        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
        It is not recommended to manually edit the PAM files when authselect tool is available.
        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
        exit 1
        fi
        authselect enable-feature with-smartcard

        authselect apply-changes -b
    fi
else
[...]

Now it looks like this:

if [ -f /usr/bin/authselect ]; then
    if ! authselect check; then
    echo "
    authselect integrity check failed. Remediation aborted!
    This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
    It is not recommended to manually edit the PAM files when authselect tool is available.
    In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
    exit 1
    fi
    authselect enable-feature with-smartcard

    authselect apply-changes -b
else
[...]

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -37,19 +37,17 @@
 
 
 if [ -f /usr/bin/authselect ]; then
-    if authselect check; then
-        if ! authselect check; then
-        echo "
-        authselect integrity check failed. Remediation aborted!
-        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-        It is not recommended to manually edit the PAM files when authselect tool is available.
-        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-        exit 1
-        fi
-        authselect enable-feature with-smartcard
+    if ! authselect check; then
+    echo "
+    authselect integrity check failed. Remediation aborted!
+    This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+    It is not recommended to manually edit the PAM files when authselect tool is available.
+    In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+    exit 1
+    fi
+    authselect enable-feature with-smartcard
 
-        authselect apply-changes -b
-    fi
+    authselect apply-changes -b
 else
     if ! grep -qP '^\s*auth\s+'"sufficient"'\s+pam_sss.so\s*.*' "/etc/pam.d/smartcard-auth"; then
         # Line matching group + control + module was not found. Check group + module.

[openshift-ci]

Hi @Xeicker. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[codeclimate]

Code Climate has analyzed commit d512bac and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.3% (0.0% change).

View more on Code Climate.

[jan-cerny]

Nice catch!

The tests look OK:

[jcerny@fedora scap-security-guide{pr/10981}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using oscap  --dontclean  sssd_enable_smartcards
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-08-11-1054/test_suite.log
WARNING - Script sssd_parameter_false.fail.sh is not applicable on given platform
WARNING - Script sssd_parameter_missing.fail.sh is not applicable on given platform
WARNING - Script sssd_parameter_missing_file.fail.sh is not applicable on given platform
WARNING - Script sssd_parameter_true.pass.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
INFO - Script authselect_modified_pam.fail.sh using profile (all) OK
INFO - Script authselect_smartcard_disabled.fail.sh using profile (all) OK
INFO - Script authselect_smartcard_enabled.pass.sh using profile (all) OK
INFO - Script authselect_smartcard_enabled_lower.pass.sh using profile (all) OK
INFO - Script authselect_sssd_parameter_false.fail.sh using profile (all) OK
INFO - Script authselect_sssd_parameter_missing.fail.sh using profile (all) OK
INFO - Script authselect_sssd_parameter_missing_file.fail.sh using profile (all) OK

The CI fail is unrelated to the contents of this PR.