Add default domain to SSSD related remediations and fix Fedora test failures #14726
Arden97 wants to merge 3 commits into
Conversation
Skipping CI for Draft Pull Request.
This datastream diff is auto generated by the check
bash remediation for rule 'xccdf_org.ssgproject.content_rule_xwayland_disabled' differs.
--- xccdf_org.ssgproject.content_rule_xwayland_disabled
+++ xccdf_org.ssgproject.content_rule_xwayland_disabled
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
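Review bot: the only change in this hunk is the two blank lines inserted between `fi` and `done`, which does not alter behaviour and looks like a side effect of editing the shared ini-file bash template rather than an intended change to this rule; the identical whitespace-only hunk repeats below for disable_weak_deps, both dnf-automatic rules, require_singleuser_auth, the journald rules and the coredump rules. Consider trimming the stray newlines in the template so unrelated rules stop showing up in the datastream diff.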
bash remediation for rule 'xccdf_org.ssgproject.content_rule_disable_weak_deps' differs.
--- xccdf_org.ssgproject.content_rule_disable_weak_deps
+++ xccdf_org.ssgproject.content_rule_disable_weak_deps
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates' differs.
--- xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
+++ xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only' differs.
--- xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
+++ xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_require_singleuser_auth' differs.
--- xccdf_org.ssgproject.content_rule_require_singleuser_auth
+++ xccdf_org.ssgproject.content_rule_require_singleuser_auth
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_compress' differs.
--- xccdf_org.ssgproject.content_rule_journald_compress
+++ xccdf_org.ssgproject.content_rule_journald_compress
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog' differs.
--- xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog
+++ xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_forward_to_syslog' differs.
--- xccdf_org.ssgproject.content_rule_journald_forward_to_syslog
+++ xccdf_org.ssgproject.content_rule_journald_forward_to_syslog
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_journald_storage' differs.
--- xccdf_org.ssgproject.content_rule_journald_storage
+++ xccdf_org.ssgproject.content_rule_journald_storage
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_backtraces' differs.
--- xccdf_org.ssgproject.content_rule_coredump_disable_backtraces
+++ xccdf_org.ssgproject.content_rule_coredump_disable_backtraces
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_storage' differs.
--- xccdf_org.ssgproject.content_rule_coredump_disable_storage
+++ xccdf_org.ssgproject.content_rule_coredump_disable_storage
@@ -26,6 +26,8 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' differs.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -9,12 +9,64 @@
OLD_UMASK=$(umask)
umask u=rw,go=
-MAIN_CONF="/etc/sssd/conf.d/certificate_verification.conf"
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+ touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain\/[^]]*]' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+ found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "$SSSD_CONF"); do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+
+ # find key in section and change value
+ if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*domains" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*domains[[:space:]]*=[[:space:]]*default" "$f"; then
+
+ sed -i "/^[[:space:]]*domains/s/\([[:blank:]]*=[[:blank:]]*\).*/\1default/" "$f"
+
+ fi
+
+ found=true
+
+ # find section and add key = value to it
+ elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
+
+ sed -i "/^[[:space:]]*\[sssd\]/a domains=default" "$f"
+
+ found=true
+ fi
+
+
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
+ mkdir -p "$(dirname "$file")"
+
+ echo -e "[sssd]\ndomains=default" >> "$file"
+
+fi
+ cat >> "$SSSD_CONF" << EOF
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
+
+MAIN_CONF="$SSSD_CONF_DIR/certificate_verification.conf"
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
+for f in $(echo -n "$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf"); do
if [ ! -e "$f" ]; then
continue
fi
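Review bot: `mkdir -p "$(dirname "$SSSD_CONF")"` runs after `umask u=rw,go=` (mask 0177), so when `/etc/sssd` has to be created here it ends up mode 0600 with no execute bit, a directory a non-root `sssd` service user cannot traverse, while the Ansible counterpart of this rule creates the same directory with `mode: '0755'`. Create the directory before changing the umask, or follow it with an explicit `chmod 0755`, so the two remediations agree. Two smaller points in the same block: the `[domain/default]` heredoc relies on `id_provider = files`, so it is worth confirming that provider is available on the Fedora releases whose tests this PR targets; and the body of the `if ! grep -qsrP ... [domain/ ...` block is indented inconsistently (`found=false` is indented, the `for` loop and its `done` are not), which makes the nesting hard to read.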
@@ -36,11 +88,13 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
+ file=$(echo "$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[sssd]\ncertificate_verification=ocsp_dgst=$var_sssd_certificate_verification_digest_function" >> "$file"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' differs.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -16,6 +16,92 @@
var_sssd_certificate_verification_digest_function: !!str
tags:
- always
+
+- name: Certificate status checking in SSSD - Ensure sssd config directory exists
+ ansible.builtin.file:
+ path: /etc/sssd
+ state: directory
+ mode: '0755'
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-86120-3
+ - DISA-STIG-RHEL-08-010400
+ - NIST-800-53-IA-2(11)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_certificate_verification
+
+- name: Certificate status checking in SSSD - Test for domain group in main config
+ ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+ register: test_grep_domain
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-86120-3
+ - DISA-STIG-RHEL-08-010400
+ - NIST-800-53-IA-2(11)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_certificate_verification
+
+- name: Certificate status checking in SSSD - Test for domain group in conf.d
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-86120-3
+ - DISA-STIG-RHEL-08-010400
+ - NIST-800-53-IA-2(11)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_certificate_verification
+
+- name: Certificate status checking in SSSD - Add default domain group (if no domain
+ there)
+ community.general.ini_file:
+ path: /etc/sssd/sssd.conf
+ section: '{{ item.section }}'
+ option: '{{ item.option }}'
+ value: '{{ item.value }}'
+ create: true
+ mode: 384
+ with_items:
+ - section: sssd
+ option: domains
+ value: default
+ - section: domain/default
+ option: id_provider
+ value: files
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - test_grep_domain.stdout is defined
+ - test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
+ tags:
+ - CCE-86120-3
+ - DISA-STIG-RHEL-08-010400
+ - NIST-800-53-IA-2(11)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_certificate_verification
- name: Ensure that "certificate_verification" is not set in /etc/sssd/sssd.conf
community.general.ini_file:
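Review bot: `mode: 384` in the 'Add default domain group' task is the decimal rendering of 0600 (an unquoted `0600` in YAML is parsed as an octal integer), whereas the new `ansible.builtin.file` task a few lines up writes `mode: '0755'` as a quoted string; quote it as `'0600'` so the intended permission is readable and Ansible parses it consistently. Also, the `section: sssd / option: domains / value: default` item overwrites whatever `domains` value is already present; that is acceptable only because the task is gated on no `[domain/...]` header existing in either sssd.conf or conf.d, so a comment stating that assumption on the task would help the next reader.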
@@ -36,7 +122,7 @@
- no_reboot_needed
- sssd_certificate_verification
-- name: Ensure that "certificate_verification" is not set in /etc/sssd/conf.d/*.conf
+- name: Ensure that "certificate_verification" is not set in /etc/sssd/conf.d/*.conf
community.general.ini_file:
path: /etc/sssd/conf.d/*.conf
section: sssd
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_pam_services' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
+++ xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
@@ -7,16 +7,60 @@
umask u=rw,go=
SSSD_CONF="/etc/sssd/sssd.conf"
-SSSD_CONF_DIR="/etc/sssd/conf.d/*.conf"
-
-if [ ! -f "$SSSD_CONF" ] && [ ! -f "$SSSD_CONF_DIR" ]; then
- mkdir -p /etc/sssd
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
touch "$SSSD_CONF"
fi
+if ! grep -qsrP '^\s*\[domain\/[^]]*]' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+ found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "$SSSD_CONF"); do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+
+ # find key in section and change value
+ if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*domains" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*domains[[:space:]]*=[[:space:]]*default" "$f"; then
+
+ sed -i "/^[[:space:]]*domains/s/\([[:blank:]]*=[[:blank:]]*\).*/\1default/" "$f"
+
+ fi
+
+ found=true
+
+ # find section and add key = value to it
+ elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
+
+ sed -i "/^[[:space:]]*\[sssd\]/a domains=default" "$f"
+
+ found=true
+ fi
+
+
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
+ mkdir -p "$(dirname "$file")"
+
+ echo -e "[sssd]\ndomains=default" >> "$file"
+
+fi
+ cat >> "$SSSD_CONF" << EOF
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
# Flag to check if there is already services with pam
service_already_exist=false
-for f in $SSSD_CONF $SSSD_CONF_DIR; do
+for f in $SSSD_CONF $SSSD_CONF_DIR/*.conf; do
if [ ! -e "$f" ]; then
continue
fi
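Review bot: the old guard `[ ! -f "$SSSD_CONF" ] && [ ! -f "$SSSD_CONF_DIR" ]` tested a quoted glob string and therefore never saw conf.d drop-ins; the replacement unconditionally creates an empty `/etc/sssd/sssd.conf` when it is missing, even on hosts configured entirely through `/etc/sssd/conf.d/*.conf`. That is harmless for SSSD but it is a visible change for such hosts, so it belongs in the rule description or commit message. The default-domain block that follows is the same text as in the certificate_verification hunk above and the smartcards, memcache_timeout, offline_cred_expiration, run_as_sssd_user and ssh_known_hosts_timeout hunks below; if it is not already emitted from one shared macro, make it one so the copies cannot drift.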
@@ -38,13 +82,43 @@
# If there was no service in [sssd], add it to first config
if [ "$service_already_exist" = false ]; then
- for f in $SSSD_CONF $SSSD_CONF_DIR; do
- cat << EOF >> "$f"
-[sssd]
-services = pam
-EOF
- break
- done
+found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "$SSSD_CONF $SSSD_CONF_DIR/*.conf"); do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+
+ # find key in section and change value
+ if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*services" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*services[[:space:]]*=[[:space:]]*pam" "$f"; then
+
+ sed -i "/^[[:space:]]*services/s/\([[:blank:]]*=[[:blank:]]*\).*/\1pam/" "$f"
+
+ fi
+
+ found=true
+
+ # find section and add key = value to it
+ elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
+
+ sed -i "/^[[:space:]]*\[sssd\]/a services=pam" "$f"
+
+ found=true
+ fi
+
+
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+ file=$(echo "$SSSD_CONF $SSSD_CONF_DIR/*.conf" | cut -f1 -d ' ')
+ mkdir -p "$(dirname "$file")"
+
+ echo -e "[sssd]\nservices=pam" >> "$file"
+
+fi
fi
umask $OLD_UMASK
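Review bot: the `sed -i "/^[[:space:]]*services/s/\([[:blank:]]*=[[:blank:]]*\).*/\1pam/"` branch replaces the entire existing `services` value with `pam`, so a file reaching this block with `services = nss, ssh` would lose `nss` and `ssh`. The block is only entered when `service_already_exist` is false, and the comment above that flag says it tracks "services with pam", so confirm the earlier loop already handles a `services` line that lacks pam; if it does not, append `, pam` to the existing list instead of overwriting it. Note also that the grep guard on the preceding line only recognises `pam` immediately after the `=`, so `services = nss, pam` would not be treated as already compliant by this block.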
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_pam_services' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
+++ xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
@@ -12,11 +12,96 @@
- no_reboot_needed
- sssd_enable_pam_services
-- name: Configure PAM in SSSD Services - Find all the conf files inside the /etc/sssd/conf.d/
+- name: Configure PAM in SSSD Services - Ensure sssd config directory exists
+ ansible.builtin.file:
+ path: /etc/sssd
+ state: directory
+ mode: '0755'
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-82446-6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-2(1)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_enable_pam_services
+
+- name: Configure PAM in SSSD Services - Test for domain group in main config
+ ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+ register: test_grep_domain
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-82446-6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-2(1)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_enable_pam_services
+
+- name: Configure PAM in SSSD Services - Test for domain group in conf.d
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-82446-6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-2(1)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_enable_pam_services
+
+- name: Configure PAM in SSSD Services - Add default domain group (if no domain there)
+ community.general.ini_file:
+ path: /etc/sssd/sssd.conf
+ section: '{{ item.section }}'
+ option: '{{ item.option }}'
+ value: '{{ item.value }}'
+ create: true
+ mode: 384
+ with_items:
+ - section: sssd
+ option: domains
+ value: default
+ - section: domain/default
+ option: id_provider
+ value: files
+ when:
+ - '"sssd-common" in ansible_facts.packages'
+ - test_grep_domain.stdout is defined
+ - test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
+ tags:
+ - CCE-82446-6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-2(1)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_enable_pam_services
+
+- name: Configure PAM in SSSD Services - Find all the conf files inside the /etc/sssd/conf.d
directory
ansible.builtin.find:
paths:
- - /etc/sssd/conf.d/
+ - /etc/sssd/conf.d
patterns: '*.conf'
register: sssd_conf_d_files
when: '"sssd-common" in ansible_facts.packages'
@@ -31,7 +116,7 @@
- no_reboot_needed
- sssd_enable_pam_services
-- name: Configure PAM in SSSD Services - Modify lines in files in the /etc/sssd/conf.d/
+- name: Configure PAM in SSSD Services - Modify lines in files in the /etc/sssd/conf.d
directory
ansible.builtin.replace:
path: '{{ item }}'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -6,10 +6,62 @@
OLD_UMASK=$(umask)
umask u=rw,go=
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+ touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain\/[^]]*]' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+ found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "$SSSD_CONF"); do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+
+ # find key in section and change value
+ if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*domains" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*domains[[:space:]]*=[[:space:]]*default" "$f"; then
+
+ sed -i "/^[[:space:]]*domains/s/\([[:blank:]]*=[[:blank:]]*\).*/\1default/" "$f"
+
+ fi
+
+ found=true
+
+ # find section and add key = value to it
+ elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
+
+ sed -i "/^[[:space:]]*\[sssd\]/a domains=default" "$f"
+
+ found=true
+ fi
+
+
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
+ mkdir -p "$(dirname "$file")"
+
+ echo -e "[sssd]\ndomains=default" >> "$file"
+
+fi
+ cat >> "$SSSD_CONF" << EOF
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
+
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
+for f in $(echo -n "$SSSD_CONF $SSSD_CONF_DIR/*.conf"); do
if [ ! -e "$f" ]; then
continue
fi
@@ -31,11 +83,13 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
+ file=$(echo "$SSSD_CONF $SSSD_CONF_DIR/*.conf" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[pam]\npam_cert_auth=True" >> "$file"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -12,7 +12,24 @@
- no_reboot_needed
- sssd_enable_smartcards
-- name: Test for domain group
+- name: Enable Smartcards in SSSD - Ensure sssd config directory exists
+ ansible.builtin.file:
+ path: /etc/sssd
+ state: directory
+ mode: '0755'
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-80909-5
+ - DISA-STIG-RHEL-08-020250
+ - PCI-DSS-Req-8.3
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_enable_smartcards
+
+- name: Enable Smartcards in SSSD - Test for domain group in main config
ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
register: test_grep_domain
failed_when: false
@@ -30,7 +47,25 @@
- no_reboot_needed
- sssd_enable_smartcards
-- name: Add default domain group (if no domain there)
+- name: Enable Smartcards in SSSD - Test for domain group in conf.d
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-80909-5
+ - DISA-STIG-RHEL-08-020250
+ - PCI-DSS-Req-8.3
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_enable_smartcards
+
+- name: Enable Smartcards in SSSD - Add default domain group (if no domain there)
community.general.ini_file:
path: /etc/sssd/sssd.conf
section: '{{ item.section }}'
@@ -49,6 +84,8 @@
- '"sssd-common" in ansible_facts.packages'
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
tags:
- CCE-80909-5
- DISA-STIG-RHEL-08-020250
@@ -80,9 +117,9 @@
- no_reboot_needed
- sssd_enable_smartcards
-- name: Find all the conf files inside /etc/sssd/conf.d/
+- name: Find all the conf files inside /etc/sssd/conf.d
ansible.builtin.find:
- paths: /etc/sssd/conf.d/
+ paths: /etc/sssd/conf.d
patterns: '*.conf'
register: sssd_conf_d_files
when: '"sssd-common" in ansible_facts.packages'
@@ -97,7 +134,7 @@
- no_reboot_needed
- sssd_enable_smartcards
-- name: Fix pam_cert_auth configuration in /etc/sssd/conf.d/
+- name: Fix pam_cert_auth configuration in /etc/sssd/conf.d
ansible.builtin.replace:
path: '{{ item.path }}'
regexp: '[^#]*pam_cert_auth.*'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_memcache_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
@@ -9,10 +9,62 @@
OLD_UMASK=$(umask)
umask u=rw,go=
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+ touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain\/[^]]*]' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+ found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "$SSSD_CONF"); do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+
+ # find key in section and change value
+ if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*domains" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*domains[[:space:]]*=[[:space:]]*default" "$f"; then
+
+ sed -i "/^[[:space:]]*domains/s/\([[:blank:]]*=[[:blank:]]*\).*/\1default/" "$f"
+
+ fi
+
+ found=true
+
+ # find section and add key = value to it
+ elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
+
+ sed -i "/^[[:space:]]*\[sssd\]/a domains=default" "$f"
+
+ found=true
+ fi
+
+
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
+ mkdir -p "$(dirname "$file")"
+
+ echo -e "[sssd]\ndomains=default" >> "$file"
+
+fi
+ cat >> "$SSSD_CONF" << EOF
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
+
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf"); do
+for f in $(echo -n "$SSSD_CONF"); do
if [ ! -e "$f" ]; then
continue
fi
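Review bot: the `for f in $(echo -n "$SSSD_CONF")` loop at the end of this hunk still scans only `/etc/sssd/sssd.conf`, while the sibling SSSD rules in this diff (offline_cred_expiration, enable_smartcards, enable_pam_services) iterate over `$SSSD_CONF $SSSD_CONF_DIR/*.conf`. If an administrator keeps the `[nss]` section in a conf.d drop-in, `found` stays false and the fallback in the next hunk appends a second `[nss]` section with `memcache_timeout` to sssd.conf. Use the same `$SSSD_CONF $SSSD_CONF_DIR/*.conf` file list here for consistency.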
@@ -34,11 +86,13 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ')
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[nss]\nmemcache_timeout=$var_sssd_memcache_timeout" >> "$file"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_memcache_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
@@ -17,8 +17,25 @@
tags:
- always
-- name: Test for domain group
- ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+- name: Configure SSSD's Memory Cache to Expire - Ensure sssd config directory exists
+ ansible.builtin.file:
+ path: /etc/sssd
+ state: directory
+ mode: '0755'
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-80910-3
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(13)
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_memcache_timeout
+ - unknown_strategy
+
+- name: Configure SSSD's Memory Cache to Expire - Test for domain group in main config
+ ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
register: test_grep_domain
failed_when: false
changed_when: false
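Review bot: the regex change from `'\s*\[domain\/[^]]*]'` to `'^\s*\[domain\/[^]]*]'` is a real fix, not just a rename: without the anchor a commented-out header such as `# [domain/old]` counted as an existing domain and the 'Add default domain group' task never fired. It changes behaviour on hosts with commented-out domain sections, so call it out in the commit message rather than leaving it buried under the task rename.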
@@ -35,7 +52,26 @@
- sssd_memcache_timeout
- unknown_strategy
-- name: Add default domain group (if no domain there)
+- name: Configure SSSD's Memory Cache to Expire - Test for domain group in conf.d
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-80910-3
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(13)
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_memcache_timeout
+ - unknown_strategy
+
+- name: Configure SSSD's Memory Cache to Expire - Add default domain group (if no
+ domain there)
community.general.ini_file:
path: /etc/sssd/sssd.conf
section: '{{ item.section }}'
@@ -54,6 +90,8 @@
- '"sssd-common" in ansible_facts.packages'
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
tags:
- CCE-80910-3
- NIST-800-53-CM-6(a)
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' differs.
--- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
+++ xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
@@ -6,10 +6,62 @@
OLD_UMASK=$(umask)
umask u=rw,go=
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+ touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain\/[^]]*]' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+ found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "$SSSD_CONF"); do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+
+ # find key in section and change value
+ if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*domains" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*domains[[:space:]]*=[[:space:]]*default" "$f"; then
+
+ sed -i "/^[[:space:]]*domains/s/\([[:blank:]]*=[[:blank:]]*\).*/\1default/" "$f"
+
+ fi
+
+ found=true
+
+ # find section and add key = value to it
+ elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
+
+ sed -i "/^[[:space:]]*\[sssd\]/a domains=default" "$f"
+
+ found=true
+ fi
+
+
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
+ mkdir -p "$(dirname "$file")"
+
+ echo -e "[sssd]\ndomains=default" >> "$file"
+
+fi
+ cat >> "$SSSD_CONF" << EOF
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
+
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
+for f in $(echo -n "$SSSD_CONF $SSSD_CONF_DIR/*.conf"); do
if [ ! -e "$f" ]; then
continue
fi
@@ -31,11 +83,13 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
+ file=$(echo "$SSSD_CONF $SSSD_CONF_DIR/*.conf" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[pam]\noffline_credentials_expiration=1" >> "$file"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' differs.
--- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
+++ xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
@@ -13,8 +13,28 @@
- no_reboot_needed
- sssd_offline_cred_expiration
-- name: Test for domain group
- ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+- name: Configure SSSD to Expire Offline Credentials - Ensure sssd config directory
+ exists
+ ansible.builtin.file:
+ path: /etc/sssd
+ state: directory
+ mode: '0755'
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-82460-7
+ - DISA-STIG-RHEL-08-020290
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(13)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_offline_cred_expiration
+
+- name: Configure SSSD to Expire Offline Credentials - Test for domain group in main
+ config
+ ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
register: test_grep_domain
failed_when: false
changed_when: false
@@ -32,7 +52,27 @@
- no_reboot_needed
- sssd_offline_cred_expiration
-- name: Add default domain group (if no domain there)
+- name: Configure SSSD to Expire Offline Credentials - Test for domain group in conf.d
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-82460-7
+ - DISA-STIG-RHEL-08-020290
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(13)
+ - configure_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_offline_cred_expiration
+
+- name: Configure SSSD to Expire Offline Credentials - Add default domain group (if
+ no domain there)
community.general.ini_file:
path: /etc/sssd/sssd.conf
section: '{{ item.section }}'
@@ -51,6 +91,8 @@
- '"sssd-common" in ansible_facts.packages'
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
tags:
- CCE-82460-7
- DISA-STIG-RHEL-08-020290
@@ -84,9 +126,9 @@
- no_reboot_needed
- sssd_offline_cred_expiration
-- name: Find all the conf files inside /etc/sssd/conf.d/
+- name: Find all the conf files inside /etc/sssd/conf.d
ansible.builtin.find:
- paths: /etc/sssd/conf.d/
+ paths: /etc/sssd/conf.d
patterns: '*.conf'
register: sssd_conf_d_files
when: '"sssd-common" in ansible_facts.packages'
@@ -102,7 +144,7 @@
- no_reboot_needed
- sssd_offline_cred_expiration
-- name: Fix offline_credentials_expiration configuration in /etc/sssd/conf.d/
+- name: Fix offline_credentials_expiration configuration in /etc/sssd/conf.d
ansible.builtin.replace:
path: '{{ item.path }}'
regexp: '[^#]*offline_credentials_expiration.*'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user' differs.
--- xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user
+++ xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user
@@ -1,17 +1,69 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q sssd-common; then
-
-MAIN_CONF="/etc/sssd/conf.d/ospp.conf"
# sssd configuration files must be created with 600 permissions if they don't exist
# otherwise the sssd module fails to start
OLD_UMASK=$(umask)
umask u=rw,go=
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+ touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain\/[^]]*]' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+ found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "$SSSD_CONF"); do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+
+ # find key in section and change value
+ if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*domains" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*domains[[:space:]]*=[[:space:]]*default" "$f"; then
+
+ sed -i "/^[[:space:]]*domains/s/\([[:blank:]]*=[[:blank:]]*\).*/\1default/" "$f"
+
+ fi
+
+ found=true
+
+ # find section and add key = value to it
+ elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
+
+ sed -i "/^[[:space:]]*\[sssd\]/a domains=default" "$f"
+
+ found=true
+ fi
+
+
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
+ mkdir -p "$(dirname "$file")"
+
+ echo -e "[sssd]\ndomains=default" >> "$file"
+
+fi
+ cat >> "$SSSD_CONF" << EOF
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
+
+MAIN_CONF="$SSSD_CONF_DIR/ospp.conf"
+
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
+for f in $(echo -n "$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf"); do
if [ ! -e "$f" ]; then
continue
fi
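Review bot: `mkdir -p "$(dirname "$SSSD_CONF")"` is executed after `umask u=rw,go=`, so on a host where /etc/sssd does not exist yet the directory is created with mode 0600 and cannot be traversed by the unprivileged sssd user that this very rule configures via `user=sssd`. Create the directory before tightening the umask, or give it an explicit mode (`mkdir -p -m 0711`, or whatever the package ships) so the bash remediation agrees with the Ansible `file` task for /etc/sssd. The same default-domain block is repeated verbatim in the sssd_ssh_known_hosts_timeout hunk below, so the fix belongs in the shared macro rather than in either rule.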
@@ -33,11 +85,18 @@
found=true
fi
+
+
+ # within [sssd], remove entries where user has wrong value
+
+ sed -i "/^[[:space:]]*\[sssd\]/,/^[[:space:]]*\[/{/^[[:space:]]*user[[:blank:]]*=/{ /=[[:blank:]]*sssd/!d }}" "$f"
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
+ file=$(echo "$MAIN_CONF $SSSD_CONF $SSSD_CONF_DIR/*.conf" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[sssd]\nuser=sssd" >> "$file"
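Review bot: the value test in `sed -i "/^[[:space:]]*\[sssd\]/,/^[[:space:]]*\[/{/^[[:space:]]*user[[:blank:]]*=/{ /=[[:blank:]]*sssd/!d }}"` has no end anchor, so inside `[sssd]` an entry such as `user = sssdx` or `user = sssd bob` survives the cleanup as if it were correct while `user = bob` is deleted; change it to `/=[[:blank:]]*sssd[[:blank:]]*$/!d`. The section range `[sssd]` to the next `[` header is the right scope here; note that the `domains` rewrite earlier in this same remediation is not scoped that way.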
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
@@ -9,10 +9,62 @@
OLD_UMASK=$(umask)
umask u=rw,go=
+SSSD_CONF="/etc/sssd/sssd.conf"
+SSSD_CONF_DIR="/etc/sssd/conf.d"
+mkdir -p "$(dirname "$SSSD_CONF")"
+if [ ! -f "$SSSD_CONF" ]; then
+ touch "$SSSD_CONF"
+fi
+if ! grep -qsrP '^\s*\[domain\/[^]]*]' "$SSSD_CONF" "$SSSD_CONF_DIR"/*.conf 2>/dev/null; then
+ found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "$SSSD_CONF"); do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+
+ # find key in section and change value
+ if grep -qzosP "(?m)^[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*domains" "$f"; then
+ if ! grep -qzosP "(?m)^[[:space:]]*domains[[:space:]]*=[[:space:]]*default" "$f"; then
+
+ sed -i "/^[[:space:]]*domains/s/\([[:blank:]]*=[[:blank:]]*\).*/\1default/" "$f"
+
+ fi
+
+ found=true
+
+ # find section and add key = value to it
+ elif grep -qs "^[[:space:]]*\[sssd\]" "$f"; then
+
+ sed -i "/^[[:space:]]*\[sssd\]/a domains=default" "$f"
+
+ found=true
+ fi
+
+
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
+ mkdir -p "$(dirname "$file")"
+
+ echo -e "[sssd]\ndomains=default" >> "$file"
+
+fi
+ cat >> "$SSSD_CONF" << EOF
+
+[domain/default]
+id_provider = files
+EOF
+fi
+
+
found=false
# set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf"); do
+for f in $(echo -n "$SSSD_CONF"); do
if [ ! -e "$f" ]; then
continue
fi
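Review bot: the `domains` handling is not section-scoped and its value match is a prefix match: `grep -qzosP "(?m)^[[:space:]]*domains[[:space:]]*=[[:space:]]*default"` accepts any value beginning with `default` in any section, and `sed -i "/^[[:space:]]*domains/s/\([[:blank:]]*=[[:blank:]]*\).*/\1default/"` rewrites every line starting with `domains` wherever it appears. Because this branch is only entered when no `[domain/...]` header exists, an existing `domains = ad.example.com` whose domain section is simply missing is silently replaced by `default` instead of being reported. Restrict the sed to the `[sssd]` block (as the `user` cleanup in sssd_run_as_sssd_user does) and anchor the value with `[[:space:]]*$`. This block is byte-identical to the one in the sssd_run_as_sssd_user hunk above, so fix it once in the macro.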
@@ -34,11 +86,13 @@
found=true
fi
+
+
done
# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
- file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ')
+ file=$(echo "$SSSD_CONF" | cut -f1 -d ' ')
mkdir -p "$(dirname "$file")"
echo -e "[ssh]\nssh_known_hosts_timeout=$var_sssd_ssh_known_hosts_timeout" >> "$file"
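Review bot: the only change to this loop is two added blank lines, produced by the empty `remove_wrong_entries` branch of the macro; every consumer of `bash_ensure_ini_config` picks up the same whitespace churn (see the unrelated rules at the top of this diff), so trim the whitespace around that conditional in the macro to keep the datastream diff limited to real changes.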
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
@@ -17,8 +17,25 @@
tags:
- always
-- name: Test for domain group
- ansible.builtin.command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+- name: Configure SSSD to Expire SSH Known Hosts - Ensure sssd config directory exists
+ ansible.builtin.file:
+ path: /etc/sssd
+ state: directory
+ mode: '0755'
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-82442-5
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(13)
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_ssh_known_hosts_timeout
+ - unknown_strategy
+
+- name: Configure SSSD to Expire SSH Known Hosts - Test for domain group in main config
+ ansible.builtin.command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
register: test_grep_domain
failed_when: false
changed_when: false
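Review bot: `ansible.builtin.file` with `state: directory` and `mode: '0755'` does not only create /etc/sssd, it resets the mode of an existing directory on every run, which loosens it if the package installs it more restrictively (the review thread on this PR discusses 0711 versus 0750 for the same reason). Drop `mode` so an existing directory keeps its permissions, or set it to the package default and make the bash remediation's `mkdir -p` use the same mode so both remediations converge on one state.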
@@ -35,7 +52,26 @@
- sssd_ssh_known_hosts_timeout
- unknown_strategy
-- name: Add default domain group (if no domain there)
+- name: Configure SSSD to Expire SSH Known Hosts - Test for domain group in conf.d
+ ansible.builtin.shell: grep -rs '^\s*\[domain\/[^]]*]' /etc/sssd/conf.d/*.conf 2>/dev/null
+ register: test_grep_domain_conf_d
+ failed_when: false
+ changed_when: false
+ check_mode: false
+ when: '"sssd-common" in ansible_facts.packages'
+ tags:
+ - CCE-82442-5
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(13)
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sssd_ssh_known_hosts_timeout
+ - unknown_strategy
+
+- name: Configure SSSD to Expire SSH Known Hosts - Add default domain group (if no
+ domain there)
community.general.ini_file:
path: /etc/sssd/sssd.conf
section: '{{ item.section }}'
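Review bot: the new conf.d probe uses `ansible.builtin.shell` only to expand the `*.conf` glob and swallow errors with `2>/dev/null`, which is what triggers the automated "more suitable Ansible module" comments on this PR. `ansible.builtin.find` with `paths: /etc/sssd/conf.d`, `patterns: '*.conf'`, `contains: '^\s*\[domain/[^]]*]'` does the same search without a shell, tolerates a missing directory, and returns a `matched` count, so the follow-up condition can become `test_find_domain_conf_d.matched == 0` instead of comparing `stdout | length`.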
@@ -54,6 +90,8 @@
- '"sssd-common" in ansible_facts.packages'
- test_grep_domain.stdout is defined
- test_grep_domain.stdout | length < 1
+ - test_grep_domain_conf_d.stdout is defined
+ - test_grep_domain_conf_d.stdout | length < 1
tags:
- CCE-82442-5
- NIST-800-53-CM-6(a) |
Change in Ansible Please consider using more suitable Ansible module than
@jan-cerny I've updated new macros in response to your comments. Can you please review it again?
| - name: "Enable Smartcards in SSSD" | ||
| community.general.ini_file: | ||
| dest: /etc/sssd/sssd.conf | ||
| dest: {{{ sssd_conf }}} |
| dest: {{{ sssd_conf }}} | |
| path: {{{ sssd_conf }}} |
| - name: "Configure SSSD's Memory Cache to Expire" | ||
| community.general.ini_file: | ||
| dest: /etc/sssd/sssd.conf | ||
| dest: {{{ sssd_conf }}} |
| dest: {{{ sssd_conf }}} | |
| path: {{{ sssd_conf }}} |
| - name: "Configure SSD to Expire Offline Credentials" | ||
| community.general.ini_file: | ||
| dest: /etc/sssd/sssd.conf | ||
| dest: {{{ sssd_conf }}} |
| dest: {{{ sssd_conf }}} | |
| path: {{{ sssd_conf }}} |
| ansible.builtin.file: | ||
| path: "{{{ sssd_conf.rsplit('/', 1)[0] }}}" | ||
| state: directory | ||
| mode: '0755' |
| mode: '0755' | |
| mode: '0711' |
Double check that is the default.
Are there any benefits of setting the permissions of /etc/sssd/conf.d/ to 0711, compared to 0750? I think the latter would be a better option, as it is the default permission for this directory.
750 is more permissive than the default for group, so that is one thing to consider. We shouldn't be expanding default permissions.
| {{% if remove_wrong_entries %}} | ||
| # within [{{{ section }}}], remove entries where {{{ key }}} has wrong value | ||
| {{% if no_quotes %}} | ||
| sed -i "/^[[:space:]]*\[{{{ section }}}\]/,/^[[:space:]]*\[/{/^[[:space:]]*{{{ key }}}[[:blank:]]*=/{ /=[[:blank:]]*{{{ value | replace("/", "\/") }}}/!d }}" "$f" |
Please review this comment from Claude. Seems worth double checking.
shared/macros/10-bash.jinja line 2343 — the sed pattern /=[[:blank:]]*{{{ value }}}/ matches the value as a substring. For sssd_run_as_sssd_user (the only consumer, with value sssd), a hypothetical entry user = sssd-extra would NOT be
deleted because sssd appears as a substring of sssd-extra. Extremely low practical risk for the specific user = sssd use case, but adding [[:space:]]*$ after the value would make it precise.
| SSSD_CONF="/etc/sssd/sssd.conf" | ||
| SSSD_CONF_DIR="/etc/sssd/conf.d" | ||
| {{{ bash_sssd_ensure_default_config("$SSSD_CONF", "$SSSD_CONF_DIR") }}} | ||
| {{% if product in ["fedora"] or (('rhel' in product or 'ol' in families) and product not in ['ol7', 'ol8', 'ol9', 'rhel8', 'rhel9']) %}} |
This segment is duplicated a decent amount.
Should we make this its own macro?
updated in ed90f52 for bash and ansible remediations
Please don't mind extra review requests caused by rebase error
Description:
- ansible_sssd_ensure_default_domain and bash_sssd_ensure_default_domain

Rationale:
- (pam_cert_auth, certificate_verification, user), SSSD won't start if no domain is defined
- sssd_enable_smartcards tests: authselect package has to be installed and configured to use sssd, because default profile is local, which has no with-smartcard feature
- sssd_run_as_sssd_user remediation fails on wrong_value.fail.sh test: wrong_value.fail.sh test creates user=sssd + user=bob in the same section, then bash_ensure_ini_config finds user=sssd already matching, skips the sed and leaves user=bob untouched
- bash_ensure_ini_config macro to remove duplicated keys during remediation
- ism_o, stig and anssi profiles #14559
pam_cert_auth,certificate_verification,user), SSSD won't start if no domain is definedsssd_enable_smartcardstests,authselectpackage has to be installed and configured to usesssd, because default profile islocal, which has nowith-smartcardfeaturesssd_run_as_sssd_userremediation fails onwrong_value.fail.shtestwrong_value.fail.shtest createsuser=sssd+user=bobin the same section, thenbash_ensure_ini_configfindsuser=sssdalready matching, skips thesedand leavesuser=bobuntouchedbash_ensure_ini_configmacro to remove duplicated keys during remediationism_o,stigandanssiprofiles #14559