RHEL8-CIS
Issue with Task 4.4.3.4.1 Ensure pam_unix does not include nullok
Describe the Issue
Noticed the regex is not updating the values properly in `/etc/pam.d/password-auth` and `/etc/pam.d/system-auth`. The `ansible.builtin.replace` section of Task 4.4.3.4.1 seems not to be working as expected.
```yaml
- name: "4.4.3.4.1 | PATCH | Ensure pam_unix does not include nullok | pam_files"
  when:
    - discovered_pam_nullok.stdout | length > 0
    - not rhel8cis_allow_authselect_updates
  ansible.builtin.replace:
    path: "/etc/pam.d/{{ item }}-auth"
    regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)nullok(.*$)
    replace: \1\2\3
  loop:
    - password
    - system
```
I could see it's updating the pam files as below:
```
password sufficient pam_unix.sosufficient sha512 shadow
```
The word `sufficient` is getting replaced with `nullok`, which should not be happening.
Expected Behavior
After updating the pam files, they should have the following line:
```
password sufficient pam_unix.so sha512 shadow
```
Actual Behavior
After updating the pam files, the line is appearing as below:
```
password sufficient pam_unix.sosufficient sha512 shadow
```
Environment (please complete the following information):
- branch being used: [e.g. devel]
Additional Notes Updating the regex can fix the issue.
Possible Solution
Here is my proposed solution. I have tested the fix, and it is working fine for me.
```yaml
ansible.builtin.replace:
  path: "/etc/pam.d/{{ item }}-auth"
  regexp: (^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)(nullok)(\s*.*)$
  replace: \1\4
```
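Added example (not part of the issue or of the RHEL8-CIS project's code): a Python script that applies the shipped and the proposed regexp/replace pairs the same way `ansible.builtin.replace` applies them, one `re.sub` in MULTILINE mode over the whole file content, to a constructed three-line pam fragment. It shows why `\1\2\3` yields `pam_unix.sosufficient` (group 2 is nested inside group 1, so the control word is emitted twice, while group 4, everything after `nullok`, is never emitted), confirms that the proposed pair repairs the quoted line, and exercises one edge case of the proposed pattern: the `\s*` in its last group also matches a newline, so when `nullok` is the last token on a line the following line is pulled into the same match and is not examined on its own. `SAMPLE_PAM`, `EXPECTED_PAM`, the helper names and the `TIGHTENED` pair are my own; `TIGHTENED` is a variant I am suggesting, not something from the issue.

```python
import re

# Constructed pam fragment for the demo (not a real /etc/pam.d file). Line 2 has
# the shape of the line quoted in the issue, line 3 is a second password-stack
# pam_unix line placed directly below it, and line 1 is an auth line that none of
# the patterns may touch.
SAMPLE_PAM = (
    "auth        sufficient    pam_unix.so nullok try_first_pass\n"
    "password    sufficient    pam_unix.so sha512 shadow nullok\n"
    "password    requisite     pam_unix.so nullok sha512 shadow\n"
)

# What the fragment should look like once nullok is gone from the password stack.
EXPECTED_PAM = (
    "auth        sufficient    pam_unix.so nullok try_first_pass\n"
    "password    sufficient    pam_unix.so sha512 shadow\n"
    "password    requisite     pam_unix.so sha512 shadow\n"
)

# (regexp, replace) as shipped in the task quoted by the issue.
SHIPPED = (
    r"^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)nullok(.*$)",
    r"\1\2\3",
)
# (regexp, replace) as proposed in the issue.
PROPOSED = (
    r"(^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)(nullok)(\s*.*)$",
    r"\1\4",
)
# My own tightened variant (assumption, not from the issue): the control word is a
# non-capturing group, only same-line blanks may precede nullok, nullok must be a
# whole word, and the blanks before it are consumed so no double space remains.
TIGHTENED = (
    r"^(\s*password\s+(?:requisite|required|sufficient)\s+pam_unix\.so\b.*?)[ \t]+nullok\b(.*)$",
    r"\1\2",
)


def apply_replace(text, regexp, replace):
    """Apply a regexp/replace pair the way ansible.builtin.replace does:
    a single re.sub over the whole file content in MULTILINE mode."""
    return re.sub(regexp, replace, text, flags=re.MULTILINE)


def password_unix_lines_with_nullok(text):
    """Check helper: password-stack pam_unix lines that still carry a whole-word nullok."""
    return [
        line
        for line in text.splitlines()
        if line.lstrip().startswith("password")
        and "pam_unix.so" in line
        and re.search(r"\bnullok\b", line)
    ]


if __name__ == "__main__":
    for name, pair in (("shipped", SHIPPED), ("proposed", PROPOSED), ("tightened", TIGHTENED)):
        result = apply_replace(SAMPLE_PAM, *pair)
        print(f"--- {name} ---")
        print(result, end="")
        print("still has nullok:", password_unix_lines_with_nullok(result))
        print("matches expected:", result == EXPECTED_PAM)
```

Run it directly to see the three outputs side by side. The shipped pair leaves no `nullok` behind but corrupts the module line (`pam_unix.sosufficient`, `pam_unix.sorequisite`) and drops any options that followed `nullok`; the proposed pair repairs the quoted line but leaves a trailing blank on it and, in this fixture, leaves `nullok` on the line below because that line was absorbed into group 4; the tightened pair produces `EXPECTED_PAM` with the auth line untouched. Whichever pair is used, the post-task check on a host is the same as `password_unix_lines_with_nullok`: grep the password-stack `pam_unix.so` lines of both `system-auth` and `password-auth` for a whole-word `nullok`, and diff the edited lines against the originals to catch a mangled module name.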