hubblestack/nova

Matches on pam configuration files failing

Closed this issue · 5 comments

Completely stumped as to why this is failing. Possibly related to the report in #61.

Currently focused on CIS-5.3.4: Ensure password hashing algorithm is SHA-512

grep at the command line matches on the file

$ grep -E '^password\s+\w+\s+pam_unix\.so.*sha512.*' /etc/pam.d/password-auth
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

The above should be enough to satisfy the CIS rule, as described below:

    password_hash:
      data:
        CentOS Linux-7:
        - /etc/pam.d/password-auth:
            pattern: '^password\s+\w+\s+pam_unix\.so.*sha512.*'
            grep_args:
              - '-E'
            tag: CIS-5.3.4
      description: Ensure password hashing algorithm is SHA-512

Note: this current pattern deviates from the current file in the develop branch, which does not match at all.

osfinger returns

myminion:
    CentOS Linux-7

Which is applying cis/centos-7-level-1-scored-v2-1-0.yaml.

Any help to track this down would be appreciated. I am stumped.

Here is output from minion log that might help:

2016-09-27 17:23:01,439 [salt.loaded.int.module.cmdmod][INFO    ][8017] Executing command 'grep  -E ^password\\s+\\w+\\s+pam_unix\\.so.*sha512.* /etc/pam.d/password-auth-ac' in directory '/root'
2016-09-27 17:23:01,446 [salt.loaded.int.module.cmdmod][DEBUG   ][8017] retcode: 1
2016-09-27 17:23:01,446 [salt.loaded.int.module.cmdmod][INFO    ][8017] Executing command 'grep   pam_unix.so /etc/pam.d/system-auth' in directory '/root'
2016-09-27 17:23:01,453 [salt.loaded.int.module.cmdmod][DEBUG   ][8017] stdout: auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
session     required      pam_unix.so

Not clear to me if this is two commands happening in parallel?

I assume the check is in the whitelist section of grep in the profile?

The two commands are not happening in parallel. Note the retcode: 1 from the command we're worried about. Grep isn't finding that pattern. The question is why...

Could it be the lack of quoting on the command as shown in the logs? Perhaps try this:

    password_hash:
      data:
        CentOS Linux-7:
        - /etc/pam.d/password-auth:
            pattern: '"^password\s+\w+\s+pam_unix\.so.*sha512.*"'
            grep_args:
              - '-E'
            tag: CIS-5.3.4
      description: Ensure password hashing algorithm is SHA-512

The double quotes should make it through to the grep command. Curious if it makes a difference.
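The following is an added example to show the mechanism behind the retcode 1 in the minion log; it is not code from hubblestack/nova or from anyone in this thread. It assumes, as the log line `grep  -E ^password\\s+...` suggests, that the profile's pattern is concatenated into a command string that is then handed to a shell (the doubled backslashes in the log are Python's repr of single backslashes). When that string is parsed unquoted, the shell's backslash removal turns `\s` into `s` and `\w` into `w` before grep ever sees the pattern; wrapping the pattern in double quotes in the profile keeps the backslashes intact through the inner shell. The PAM file contents are constructed from the lines the log printed and written to a temp file so nothing on the host is touched.

```shell
#!/bin/sh
# Added example (not hubblestack/nova code): reproduce why the unquoted
# profile pattern gets retcode 1 while the same pattern quoted matches.
# Assumption: the pattern is concatenated into a command string that a shell
# parses, as the minion log's 'grep  -E ^password\s+...' line suggests.

PATTERN='^password\s+\w+\s+pam_unix\.so.*sha512.*'

# Constructed stand-in for /etc/pam.d/password-auth (same lines the minion log
# printed), written to a temp file so the real file is never read or modified.
make_pam_file() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
session     required      pam_unix.so
EOF
    printf '%s\n' "$f"
}

# Prints the pattern as grep receives it after an intermediate shell has parsed
# it unquoted: backslash removal turns \s into s, \w into w and \. into .
# (-f only disables pathname expansion so the demo is deterministic; it does
# not change how the shell handles backslashes.)
mangled_pattern() {
    sh -f -c "printf '%s\n' $PATTERN"
}

# Runs grep the way the log shows it: pattern unquoted inside the command
# string. Returns grep's exit status (0 = matched, 1 = no match).
# $1 = path of the file to search.
grep_unquoted() {
    sh -f -c "grep -E $PATTERN $1"
}

# Same command with the double quotes from the suggested profile change kept in
# the command string, so the inner shell leaves the backslashes alone.
grep_quoted() {
    sh -f -c "grep -E \"$PATTERN\" $1"
}

f=$(make_pam_file)
printf 'pattern after one unquoted shell pass: %s\n' "$(mangled_pattern)"
if grep_unquoted "$f" >/dev/null; then
    echo 'unquoted: match'
else
    echo "unquoted: no match (retcode $?)"
fi
if grep_quoted "$f" >/dev/null; then
    echo 'quoted: match'
else
    echo 'quoted: no match'
fi
rm -f "$f"
```

Run it as `sh example.sh`: the unquoted form reports retcode 1 because grep is asked for `^passwords+w+s+pam_unix.so.*sha512.*`, which requires a literal `s` right after `password`; the quoted form matches the `password sufficient pam_unix.so sha512 ...` line. The same check on a real host is `sh -x -c 'grep -E ^password\s+... /etc/pam.d/password-auth'`, whose trace prints the command exactly as grep receives it.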

A bit obvious when I look at it, and the one combination I did not try...

PR submitted.