hubblestack/nova

grep module should allow use for a full pattern

dgmorrisjr opened this issue · 6 comments

In pam.d files, the PAM libraries can be listed multiple times, and depending on what you are trying to enforce, you may want to specify which specific library line you want to search on. To do this, we need more expanded use of patterns.

Given this system-auth line:

password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow

CIS-6.3.4 is looking for the specific instance of password sufficient pam_unix.so and not session required pam_unix.so or auth sufficient pam_unix.so try_first_pass nullok.

The following block will return any line that has pam_unix.so and then further search for the match_output string.

    limit_password_reuse:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/pam.d/system-auth':
              tag: 'CIS-6.3.4'
              pattern: "pam_unix.so"
              match_output: "remember=5"  # number of passwords to remember
      description: 'PAM Password Reuse (Scored)'

To be more specific, what we really need is:

    limit_password_reuse:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/pam.d/system-auth':
              tag: 'CIS-6.3.4'
              pattern: "^password\s*sufficient\s*pam_unix\.so.*"
              match_output: "remember=5"  # number of passwords to remember
      description: 'PAM Password Reuse (Scored)'

However, when entering this pattern, nothing is returned.

Is this caused by #55?

Well... in #55, the extended grep patterns are not supported by regular grep. So #55 was requesting the ability to pass -E as an argument from the YAML file to the file.grep module. The grep pattern above does not require the -E argument when run at the command line or using file.grep.

Here is an example of running file.grep at the command line:

[root@manager ~]# salt manager file.grep /etc/pam.d/system-auth "^password.*sufficient.*pam_unix\.so.*"
manager:
    ----------
    pid:
        6175
    retcode:
        0
    stderr:
    stdout:
        password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow

But it's not working in hubble? Hmmmm, I'll have to test this specific example at some point.

In STIG inspections, the -r option is something I'm seeing quite often. For example:

$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d

The grep module does support all arguments now.

@dgmorrisjr, for this issue, the line you were forgetting was the match_output. The check will fail if the string in match_output is not found in the output of the grep command. Maybe matching the output is overkill, but I don't think this is a bug in the module, but rather in the YAML.

Thoughts?
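Added example, not code from this thread or from hubblestack/nova: a small Python stand-in for the two-stage check described above (grep the file for `pattern`, then require `match_output` to appear in the grep output), run over a constructed `/etc/pam.d/system-auth`. The function names `grep_lines` and `grep_check` are hypothetical; the sample files are constructed, including a misconfigured variant where `remember=5` sits on the `auth` line instead of the `password` line. It shows why the broad `pam_unix.so` pattern can pass the CIS-6.3.4 check on the wrong line while the anchored `^password\s*sufficient\s*pam_unix\.so` pattern cannot.

```python
import re

# Constructed sample of /etc/pam.d/system-auth (not copied from any real host).
# The "password sufficient" line carries remember=5, the compliant case.
SAMPLE_SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
account     required      pam_unix.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow remember=5
session     required      pam_unix.so
"""

# Constructed: the same file with no remember= option anywhere (non-compliant).
SAMPLE_NO_REMEMBER = SAMPLE_SYSTEM_AUTH.replace(" remember=5", "")

# Constructed misconfiguration: remember=5 is on the auth line, where pam_unix
# does not apply it (remember= is a password-stack option), and is missing from
# the password line. Only the auth line contains "try_first_pass nullok" as a
# contiguous string, so the replace touches nothing else.
SAMPLE_MISPLACED = SAMPLE_NO_REMEMBER.replace(
    "pam_unix.so try_first_pass nullok",
    "pam_unix.so try_first_pass nullok remember=5",
)

# The two patterns from the issue: any pam_unix.so line vs. the specific stack entry.
BROAD_PATTERN = r"pam_unix\.so"
NARROW_PATTERN = r"^password\s*sufficient\s*pam_unix\.so.*"
MATCH_OUTPUT = "remember=5"


def grep_lines(text, pattern):
    """Return the lines of `text` matching `pattern`, like `grep pattern file`."""
    rx = re.compile(pattern)
    return [line for line in text.splitlines() if rx.search(line)]


def grep_check(text, pattern, match_output):
    """Hypothetical re-implementation of the check semantics described in the thread:
    grep for `pattern`, then fail unless `match_output` appears in the grep output."""
    matched = grep_lines(text, pattern)
    if not matched:
        return False  # grep returned nothing, so the check fails
    return match_output in "\n".join(matched)


def run_examples():
    """Evaluate both patterns against all three constructed files."""
    results = {}
    for name, text in (
        ("compliant", SAMPLE_SYSTEM_AUTH),
        ("no_remember", SAMPLE_NO_REMEMBER),
        ("misplaced", SAMPLE_MISPLACED),
    ):
        results[name] = {
            "broad_lines": len(grep_lines(text, BROAD_PATTERN)),
            "narrow_lines": len(grep_lines(text, NARROW_PATTERN)),
            "broad_pass": grep_check(text, BROAD_PATTERN, MATCH_OUTPUT),
            "narrow_pass": grep_check(text, NARROW_PATTERN, MATCH_OUTPUT),
        }
    return results


if __name__ == "__main__":
    for name, res in run_examples().items():
        print(f"{name:12s} {res}")
```

The misplaced case is the one that matters: the broad pattern hands four lines to the match_output stage, so a `remember=5` on any of them (here the `auth` line, where pam_unix ignores it) makes the check pass, while the anchored pattern restricts the match_output test to the single `password sufficient pam_unix.so` line and correctly fails. One caveat on the YAML in the first post, separate from the module logic: inside a double-quoted YAML scalar, `\s` and `\.` are not valid escape sequences, so PyYAML (which Salt's YAML loader is built on) rejects `"^password\s*sufficient\s*pam_unix\.so.*"` with a "found unknown escape character" error rather than passing the regex through; writing the pattern in single quotes, `'^password\s*sufficient\s*pam_unix\.so.*'`, or doubling the backslashes avoids that.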

I'm going to close this since I don't think there's a bug in the grep module. It's working as far as I can tell. We should open a new issue if the check is incorrect and the match_output needs to be removed.