Check sssd conf.d files and fix bash remediation for sssd_enable_pam_services

[ggbecker]

Description:

Rule sssd_enable_pam_services:

• Update OVAL check to consider /etc/sssd/conf.d/ directory and to correctly detect the configuration.
• Fix BASH remediation. Use awk combined with grep and uniq to get exact lines that need to be changed in the configuration file. Inspired from: https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/services/sssd/sssd_run_as_sssd_user/bash/shared.sh

Rationale:

• Better align with V-72427

Help needed:

- Since /etc/sssd/conf.d/ can be empty, we need a way to skip the check in this case. Using existence=any_exist does not help because if a given file exists and it doesn't comply with the requirement it will evaluate as True.
- Since we are using this multi line regex, I didn't find a way to combine this with sed to use in the remediation. Right now it will look for the line services = and append pam when needed.
- Maybe we don't need to be strict in many ways so we could drop the check of /etc/sssd/conf.d/, but the remediation fix part is definitely something that needs to be fixed because the it is right now, it will always append services = pam to the file.

Note: to test this it is needed to have sssd installed. This is something to be added to test scenarios yet.

[openshift-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[jan-cerny]

Since /etc/sssd/conf.d/ can be empty, we need a way to skip the check in this case. Using existence=any_exist does not help because if a given file exists and it doesn't comply with the requirement it will evaluate as True.

A single regex which describes all possible locations together with check_existence="at_least_one_exists". Can that work?

[ggbecker]

Since /etc/sssd/conf.d/ can be empty, we need a way to skip the check in this case. Using existence=any_exist does not help because if a given file exists and it doesn't comply with the requirement it will evaluate as True.

A single regex which describes all possible locations together with check_existence="at_least_one_exists". Can that work?

That might improve the situation, but I'm not sure if it would entirely solve it. If I understood correctly, if there is no services = something at all, the check should pass (according to STIG), so in this case it would be check_existence="any_exist", but then if it happens that there is a services = nss (without pam) line in one file for example, it would pass even if it doesn't comply with the check because of the any_exist, is that a correct assumption?

I think we should split the check in two then and make one to check if there is any services = something line evaluating to true if no entry is found and the other one checking for the actual values of services = something. And combine then with OR operation.

[yuumasato]

* Since `/etc/sssd/conf.d/` can be empty, we need a way to skip the check in this case. Using `existence=any_exist` does not help because if a given file exists and it doesn't comply with the requirement it will evaluate as `True`.

I think the problem is that the test is already looking for the object with the desired state. If the test has an explicit state it can work.

For example, if the object is the services line, and we capture the services list:
<ind:pattern operation="pattern match">^[\s]*\[sssd]([^\n\[\]]*\n+)+?[\s]*services[\s]*=[\s]*(.*)$</ind:pattern>
And then state makes sure that pam is one of the captured services:

    <ind:subexpression operation="pattern_match">.*pam.*</ind:subexpression>
  </ind:textfilecontent54_state>

Edit: added explanation below.

This would work with check_existence="any_exist", any number of services = line can be found.
And with check="all", all objects need to conform to the state, i.e. any services = line found need to contain pam.

[ggbecker]

<ind:subexpression operation="pattern_match">.pam.</ind:subexpression>

Thanks for the thoroughly explanation, I'll run some tests based on feedback and then I'll submit new changes.

[ggbecker]

I have pushed new changes but the OVAL is not working properly, I can't make the check pass, even with sssd.conf containing correct content. @yuumasato can you take a look at the OVAL check if you can find any discrepancies? Thank you.

[mildas]

Changes identified:
Rule sssd_enable_pam_services:
 Found change in bash remediation.
 New node inserted to OVAL check.
 Node moved within OVAL check.
 Attribute value changed in OVAL check.
 Text changed in OVAL check.
 Node deleted from OVAL check.
 Text added outsite tags in OVAL check.

Recommended tests to execute:
 build_product ol7
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using bash --datastream build/ssg-ol7-ds.xml sssd_enable_pam_services

[ggbecker]

/retest

[openshift-ci-robot]

@ggbecker: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/e2e-aws-rhcos4-moderate	169e26c	link	/test e2e-aws-rhcos4-moderate

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[yuumasato]

Nice work.