
Issue with Task 4.4.3.4.1 Ensure pam_unix does not include nullok #375

Open
msachikanta opened this issue May 15, 2024 · 3 comments · Fixed by #376
Assignees
Labels
bug Something isn't working

Comments


msachikanta commented May 15, 2024

Describe the Issue
Noticed the regex is not updating the values properly in /etc/pam.d/password-auth and /etc/pam.d/system-auth.

The ansible.builtin.replace section of Task 4.4.3.4.1 does not seem to be working as expected.

- name: "4.4.3.4.1 | PATCH | Ensure pam_unix does not include nullok | pam_files"
  when:
      - discovered_pam_nullok.stdout | length > 0
      - not rhel8cis_allow_authselect_updates
  ansible.builtin.replace:
      path: "/etc/pam.d/{{ item }}-auth"
      regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)nullok(.*$)
      replace: \1\2\3
  loop:
      - password
      - system

I could see it's updating the pam files as below:

password    sufficient                                   pam_unix.sosufficient sha512 shadow

The word sufficient is getting replaced with nullok, which should not be happening.

Expected Behavior
After updating the pam files, they should have following line:

password    sufficient                                   pam_unix.so sha512 shadow

Actual Behavior
After updating the pam files, the line is appearing as below:

password    sufficient                                   pam_unix.sosufficient sha512 shadow

Environment (please complete the following information):

  • branch being used: [e.g. devel]

Additional Notes
Updating the regex can fix the issue.

Possible Solution
Here is my proposed solution. I have tested the fix, and it is working fine for me.

  ansible.builtin.replace:
      path: "/etc/pam.d/{{ item }}-auth"
      regexp: (^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)(nullok)(\s*.*)$
      replace: \1\4
@msachikanta msachikanta added the bug Something isn't working label May 15, 2024
@msachikanta msachikanta changed the title from "Issue with Task 4.4.3.4.1 | PATCH | Ensure pam_unix does not include nullok" to "Issue with Task 4.4.3.4.1 Ensure pam_unix does not include nullok" May 15, 2024
@uk-bolly uk-bolly self-assigned this May 17, 2024
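To show concretely why the reported task produces `pam_unix.sosufficient`, here is an added example (not code from this issue or from the role itself) that runs both the reported regexp/replace pair and the proposed one through Python's re module, which is what ansible.builtin.replace uses underneath (with re.MULTILINE). The system-auth fragment, the helper names and the placement of nullok after `sha512 shadow` are constructed assumptions, chosen so that the buggy output matches what the issue shows.

```python
import re

# Constructed sample modelled on the layout of /etc/pam.d/system-auth on RHEL 8.
# Not copied from the issue or the role; nullok sits after 'sha512 shadow' so the
# buggy result looks like the one reported ('pam_unix.sosufficient sha512 shadow').
SAMPLE_PAM = """\
auth        sufficient                                   pam_unix.so nullok try_first_pass
password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
"""

# regexp/replace pair quoted from the task as reported in the issue (the buggy pair).
# Group 1 already ends at 'pam_unix.so', so emitting \2 re-inserts the control word
# ('sufficient') right after '.so', and group 4 (everything after nullok) is dropped.
BUGGY_RE = r"^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)nullok(.*$)"
BUGGY_REPL = r"\1\2\3"

# regexp/replace pair proposed in the issue: group 1 is the whole prefix up to nullok,
# group 4 the rest of the line, so \1\4 simply cuts the nullok token out.
FIXED_RE = r"(^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)(nullok)(\s*.*)$"
FIXED_REPL = r"\1\4"


def ansible_replace(text, regexp, replace):
    """Mimic ansible.builtin.replace: Python re.sub with MULTILINE and \\N backrefs."""
    return re.sub(regexp, replace, text, flags=re.MULTILINE)


def pam_unix_password_tokens(text):
    """Whitespace-split fields of the first 'password ... pam_unix' line, for inspection."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "password" and fields[2].startswith("pam_unix"):
            return fields
    return []


def lines_with_nullok(text):
    """Module types (auth, password, ...) of lines that still carry a nullok token."""
    return [line.split()[0] for line in text.splitlines() if "nullok" in line.split()]


if __name__ == "__main__":
    for label, rx, repl in (("buggy", BUGGY_RE, BUGGY_REPL), ("fixed", FIXED_RE, FIXED_REPL)):
        out = ansible_replace(SAMPLE_PAM, rx, repl)
        print(f"{label}: {' '.join(pam_unix_password_tokens(out))}")
        print(f"{label}: nullok still present on: {lines_with_nullok(out)}")
```

Running it shows two defects in the original pair, not one: the control word is glued onto `pam_unix.so`, and any options after nullok (`try_first_pass use_authtok` in the sample) are silently lost. The proposed pair leaves a doubled space where nullok was, which PAM's whitespace tokenizer ignores, and is idempotent. Both patterns are anchored on `password`, so an `auth ... pam_unix.so nullok` line is untouched by this task either way; the `lines_with_nullok` helper makes that visible.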
@uk-bolly (Member)

hi @msachikanta

Thank you for raising this issue. I'm looking into it and putting a few fixes together, and will be submitting the PR shortly.

Many thanks

uk-bolly

@uk-bolly uk-bolly linked a pull request Jun 18, 2024 that will close this issue

msachikanta commented Jun 28, 2024

Hi @uk-bolly, this is not fixed yet. I just did an AMI build and found it's been updated as below:

[root@ip-***-***-***-** pam.d]# cat system-auth
password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.sosufficientsha512 sha512
password    [success=1 default=ignore]                   pam_localuser.so
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
[root@ip-***-***-***-** pam.d]# cat password-auth
password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.sosufficientsha512 sha512
password    [success=1 default=ignore]                   pam_localuser.so
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

As you can see, the password sufficient lines in both system-auth and password-auth still have the wrong entry, pam_unix.sosufficientsha512 sha512, whereas it should be pam_unix.so sha512 shadow use_authtok, without the sufficientsha512.

I think you would have to check the regex that is being used in the ansible role. I would suggest using the following regex, because I have tested it locally and it works fine.

path: "/etc/pam.d/{{ item }}-auth"
regexp: (^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)(nullok)(\s*.*)$
replace: \1\4

@uk-bolly (Member)

hi @msachikanta

You should find this issue has been resolved and is in devel?
I am planning on merging to main over the next week, it would be great to get this one confirmed.

Many thanks

uk-bolly
