Description
This rule configures the user authentication setup to use the authselect tool.
When an authselect profile is selected, the rule enables the sssd profile.
Rationale
Authselect is the successor to authconfig.
It is a tool to select system authentication and identity sources from a list of supported
profiles instead of letting the administrator manually build the PAM stack.
This avoids potential breakage of the configuration, because authselect ships several
profiles that are well tested and supported to solve different use cases.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
var_authselect_profile='sssd'

authselect select "$var_authselect_profile"
if test "$?" -ne 0; then
    if rpm --quiet --verify pam; then
        authselect select --force "$var_authselect_profile"
    else
        echo "Files in the 'pam' package have been altered, so the authselect configuration won't be forced" >&2
    fi
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: XCCDF Value var_authselect_profile # promote to variable
  set_fact:
    var_authselect_profile: !!str sssd
  tags:
    - always

- name: Enable authselect - Select authselect profile
  ansible.builtin.command:
    cmd: authselect select "{{ var_authselect_profile }}"
  register: result_authselect_select
  failed_when: false
  tags:
    - CCE-88248-0
    - NIST-800-53-AC-3
    - PCI-DSSv4-8.3.4
    - configure_strategy
    - enable_authselect
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

- name: Enable authselect - Verify if PAM has been altered
  ansible.builtin.command:
    cmd: rpm -qV pam
  register: result_altered_authselect
  failed_when: false
  when: result_authselect_select.rc != 0
  tags:
    - CCE-88248-0
    - NIST-800-53-AC-3
    - PCI-DSSv4-8.3.4
    - configure_strategy
    - enable_authselect
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

- name: Enable authselect - Informative message based on the authselect integrity check
  ansible.builtin.assert:
    that:
      - result_altered_authselect is skipped or result_altered_authselect.rc == 0
    fail_msg:
      - Files in the 'pam' package have been altered, so the authselect configuration won't be forced.
  tags:
    - CCE-88248-0
    - NIST-800-53-AC-3
    - PCI-DSSv4-8.3.4
    - configure_strategy
    - enable_authselect
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

- name: Enable authselect - Force authselect profile select
  ansible.builtin.command:
    cmd: authselect select --force "{{ var_authselect_profile }}"
  when:
    - result_authselect_select.rc != 0
    - result_altered_authselect is skipped or result_altered_authselect.rc == 0
  tags:
    - CCE-88248-0
    - NIST-800-53-AC-3
    - PCI-DSSv4-8.3.4
    - configure_strategy
    - enable_authselect
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
Warning
If the sudo authselect select command returns an error informing that the chosen
profile cannot be selected, it is probably because the PAM files have already been modified by
the administrator. If this is the case, in order not to overwrite changes the administrator made
deliberately, the current PAM settings should be investigated before forcing the
selection of the chosen authselect profile.
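As an added example (not part of the rule's own remediation content), the following script encodes the decision the shell script and playbook above make, plus the "investigate first" case from the warning, as a check that can be run before remediation. It reads the text of `authselect current` and `rpm -qV pam` from arguments instead of calling the tools, so it can be exercised offline on constructed sample output; the assumed formats are `Profile ID: <name>` for an active profile and an empty `rpm -qV` result when no package file was altered.

```shell
#!/bin/bash
# Added example: audit-style check mirroring the enable_authselect remediation.

# Return 0 when the expected profile is the active one, 1 otherwise.
# $1: expected profile id, $2: text printed by `authselect current` (assumed format)
authselect_profile_matches() {
    local expected="$1" current_output="$2" active
    active=$(printf '%s\n' "$current_output" | sed -n 's/^Profile ID: *//p')
    if [ -n "$active" ] && [ "$active" = "$expected" ]; then
        return 0
    fi
    return 1
}

# Print the action the remediation should take:
#   compliant   - expected profile already active, nothing to do
#   select      - profile missing or different, PAM package files intact: safe to select
#   investigate - `rpm -qV pam` reported altered files: review /etc/pam.d before forcing
# $1: expected profile, $2: `authselect current` text, $3: `rpm -qV pam` text
authselect_remediation_action() {
    local expected="$1" current_output="$2" rpm_verify_output="$3"
    if authselect_profile_matches "$expected" "$current_output"; then
        echo compliant
    elif [ -z "$rpm_verify_output" ]; then
        # rpm -qV prints nothing when every file matches the package database
        echo select
    else
        echo investigate
    fi
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_CURRENT_SSSD='Profile ID: sssd
Enabled features:
- with-sudo'
SAMPLE_CURRENT_OTHER='Profile ID: minimal
Enabled features: None'
SAMPLE_CURRENT_NONE='No existing configuration detected.'
SAMPLE_RPM_ALTERED='S.5....T.  c /etc/pam.d/system-auth'

# Walk the three situations the remediation distinguishes.
for sample in "$SAMPLE_CURRENT_SSSD" "$SAMPLE_CURRENT_OTHER" "$SAMPLE_CURRENT_NONE"; do
    echo "intact PAM : $(authselect_remediation_action sssd "$sample" "")"
    echo "altered PAM: $(authselect_remediation_action sssd "$sample" "$SAMPLE_RPM_ALTERED")"
done
```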