Matches on pam configuration files failing
Closed this issue · 5 comments
Completely stumped as to why this is failing. Possibly related to the report in #61
Currently focused on CIS-5.3.4: Ensure password hashing algorithm is SHA-512
grep at the command line matches on the file
$ grep -E '^password\s+\w+\s+pam_unix\.so.*sha512.*' /etc/pam.d/password-auth
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
The above should be enough to satisfy the CIS rule, as described below:
password_hash:
  data:
    CentOS Linux-7:
      - /etc/pam.d/password-auth:
          pattern: '^password\s+\w+\s+pam_unix\.so.*sha512.*'
          grep_args:
            - '-E'
          tag: CIS-5.3.4
  description: Ensure password hashing algorithm is SHA-512
Note: this pattern deviates from the current file in the develop branch, which does not match at all.
osfinger returns:
myminion:
    CentOS Linux-7
which is applying cis/centos-7-level-1-scored-v2-1-0.yaml.
Any help to track this down would be appreciated. I am stumped.
Here is output from the minion log that might help:
2016-09-27 17:23:01,439 [salt.loaded.int.module.cmdmod][INFO ][8017] Executing command 'grep -E ^password\\s+\\w+\\s+pam_unix\\.so.*sha512.* /etc/pam.d/password-auth-ac' in directory '/root'
2016-09-27 17:23:01,446 [salt.loaded.int.module.cmdmod][DEBUG ][8017] retcode: 1
2016-09-27 17:23:01,446 [salt.loaded.int.module.cmdmod][INFO ][8017] Executing command 'grep pam_unix.so /etc/pam.d/system-auth' in directory '/root'
2016-09-27 17:23:01,453 [salt.loaded.int.module.cmdmod][DEBUG ][8017] stdout: auth sufficient pam_unix.so nullok try_first_pass
account required pam_unix.so
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
session required pam_unix.so
Not clear to me if this is two commands happening in parallel?
I assume the check is in the whitelist section of grep in the profile?
The two commands are not happening in parallel. Note the retcode: 1 from the command we're worried about. Grep isn't finding that pattern. The question is why...
Could it be the lack of quoting on the command as shown in the logs? Perhaps try this:
password_hash:
  data:
    CentOS Linux-7:
      - /etc/pam.d/password-auth:
          pattern: '"^password\s+\w+\s+pam_unix\.so.*sha512.*"'
          grep_args:
            - '-E'
          tag: CIS-5.3.4
  description: Ensure password hashing algorithm is SHA-512
The double quotes should make it through to the grep command. Curious if it makes a difference.
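The following is an added example, not code from the issue or from the project, that reproduces the difference between the two profiles above. It assumes the command string in the minion log is handed to /bin/sh as-is (the log shows the pattern without quotes), and it uses a constructed copy of the four pam_unix.so lines from the log rather than the real /etc/pam.d file. An unquoted word goes through the shell's backslash removal before grep ever sees it, so `\s` becomes `s` and `\w` becomes `w`; the check then reports a failure on a host that is actually compliant, which is why a compliance profile that runs through a shell must quote its patterns.

```shell
#!/bin/sh
# Added example (not code from the issue or the project): show why the bare
# pattern in the logged command fails and the double-quoted one matches.
# Assumption: the command string is handed to /bin/sh, as the unescaped
# command line in the minion log suggests. The PAM file below is constructed.
PAMFILE="$(mktemp)"
trap 'rm -f "$PAMFILE"' EXIT
printf '%s\n' \
  'auth sufficient pam_unix.so nullok try_first_pass' \
  'account required pam_unix.so' \
  'password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok' \
  'session required pam_unix.so' > "$PAMFILE"

PATTERN='^password\s+\w+\s+pam_unix\.so.*sha512.*'

# The pattern as the shell hands it to grep. An unquoted word goes through
# backslash removal, so \s becomes s, \w becomes w and \. becomes a bare dot.
pattern_after_shell() {
    sh -c "printf '%s\\n' $1"
}

# Command string exactly as logged: pattern bare, no quotes.
unquoted_cmd() { printf 'grep -E %s %s' "$PATTERN" "$PAMFILE"; }

# Command string with the pattern double-quoted, as the fixed profile proposes.
quoted_cmd() { printf 'grep -E "%s" %s' "$PATTERN" "$PAMFILE"; }

# grep's exit status after the string is run through /bin/sh (0 match, 1 none).
shell_status() {
    if sh -c "$1" >/dev/null 2>&1; then echo 0; else echo $?; fi
}

echo "bare pattern seen by grep:   $(pattern_after_shell "$PATTERN")"
echo "quoted pattern seen by grep: $(pattern_after_shell "\"$PATTERN\"")"
echo "retcode unquoted: $(shell_status "$(unquoted_cmd)")"
echo "retcode quoted:   $(shell_status "$(quoted_cmd)")"
```

The unquoted run reproduces the `retcode: 1` from the log and the quoted run returns 0; the first two lines of output show the mangled pattern the shell actually passed, which is the fastest way to confirm this class of failure when a grep-based check disagrees with grep at the command line.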
A bit obvious when I look at it and the one combination I did not try...
PR submitted.