Fix no_empty_passwords remediation for RHCOS 9 #14602
Open
sebrandon1 wants to merge 1 commit into ComplianceAsCode:master from
Conversation
On RHCOS 9, /usr/bin/authselect exists but PAM files are not managed by authselect. Using authselect rewrites the PAM stack with RHEL 8 era templates (including pam_fprintd.so and a 2018 authselect header) that don't match the actual RHCOS 9 PAM configuration. After applying the authselect-based remediation, the compliance scan still reports FAIL because the OVAL check doesn't recognize the RHEL 8 PAM template as a valid remediated state. Fix: Add an rhcos-specific branch that uses direct sed (via bash_remove_pam_module_option) to surgically remove nullok from the existing PAM files, preserving the RHCOS 9 PAM stack. Verified on OCP 4.22 (RHCOS 9.8): no_empty_passwords flips from FAIL to PASS with the direct sed approach.
Problem
On RHCOS 9, the no_empty_passwords bash remediation uses authselect to remove nullok from PAM files. Although /usr/bin/authselect exists on RHCOS 9, the PAM files are not managed by authselect. Running authselect rewrites the PAM stack with RHEL 8 era templates that include pam_fprintd.so and a 2018 authselect header; these don't match the actual RHCOS 9 PAM configuration.
After applying the authselect-based remediation, the compliance scan still reports FAIL because the OVAL check doesn't recognize the RHEL 8 PAM template as a valid remediated state.
Fix
Add an rhcos-specific branch in the Jinja template that uses direct bash_remove_pam_module_option (sed-based) to surgically remove nullok from the existing PAM files, preserving the native RHCOS 9 PAM stack.
Verification
Tested on OCP 4.22 (RHCOS 9.8, 3 masters + 2 workers):
Before: no_empty_passwords = FAIL (even after applying remediation)
After: no_empty_passwords = PASS
Root Cause Detail
RHCOS 9 /etc/pam.d/system-auth uses pam_usertype.so and pam_sss.so, not pam_fprintd.so or the RHEL 8 authselect template. The authselect remediation replaces the entire file with content that doesn't match what the OVAL check expects on RHCOS 9.
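The sed-based removal the fix relies on, as an added example: this is not ComplianceAsCode's bash_remove_pam_module_option macro, and the PAM content below is a constructed sample in the shape of the RHCOS 9 system-auth described in this PR (pam_usertype.so and pam_sss.so, no pam_fprintd.so), not a copy of the real file. The nullok_count helper reproduces only the intent of the check (no active pam_unix.so line may still carry nullok); it is not the project's OVAL definition.

```shell
#!/usr/bin/env bash
# Added example (not the ComplianceAsCode bash_remove_pam_module_option
# macro): remove the "nullok" option from pam_unix.so lines with sed while
# leaving every other line of the PAM stack (pam_usertype.so, pam_sss.so,
# comments, spacing) exactly as it was.
set -euo pipefail

# Constructed sample in the shape of a RHCOS 9 style /etc/pam.d/system-auth.
# It is illustrative input for this example, not a copy of the real file.
SAMPLE_PAM='# constructed sample, not a real system file
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
#auth       sufficient    pam_unix.so nullok   (commented out, must not change)
password    requisite     pam_pwquality.so local_users_only
password    sufficient    pam_unix.so sha512 shadow nullok use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so'

# remove_nullok FILE
# Deletes every whole-word "nullok" from active (non-comment) lines that load
# pam_unix.so. Lines for other modules pass through untouched. The result is
# written back through the existing inode (cat > FILE), so mode, owner and
# SELinux label of FILE survive, unlike a replace-and-rename.
remove_nullok() {
    local file="$1" tmp
    tmp="$(mktemp)"
    # sed script, one -e per step:
    #   1. comment line             -> print unchanged
    #   2. line without pam_unix.so -> print unchanged
    #   3. loop: drop " nullok" when followed by whitespace or end of line,
    #      repeat until nothing matches (handles a repeated option)
    #   4. trim whitespace left dangling at the end of the line
    sed -E \
        -e '/^[[:space:]]*#/b' \
        -e '/pam_unix\.so/!b' \
        -e ':a' \
        -e 's/([[:space:]])nullok([[:space:]]|$)/\1/' \
        -e 'ta' \
        -e 's/[[:space:]]+$//' \
        "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# nullok_count FILE
# Prints the number of active pam_unix.so lines that still carry a whole-word
# nullok option. 0 is what a remediated file should show. This mirrors the
# intent of the no_empty_passwords check, not the project's OVAL logic.
nullok_count() {
    grep -Ev '^[[:space:]]*#' "$1" \
        | grep -E 'pam_unix\.so' \
        | grep -Ec '[[:space:]]nullok([[:space:]]|$)' || true
}

# Demo: remediate the sample and show exactly which lines changed.
demo() {
    local f before
    f="$(mktemp)"; before="$(mktemp)"
    printf '%s\n' "$SAMPLE_PAM" > "$f"
    cp "$f" "$before"
    echo "pam_unix.so lines with nullok before: $(nullok_count "$f")"
    remove_nullok "$f"
    echo "pam_unix.so lines with nullok after:  $(nullok_count "$f")"
    diff -u "$before" "$f" || true   # diff exits 1 whenever the files differ
    rm -f "$f" "$before"
}
demo
```

In practice remove_nullok would be run as root against /etc/pam.d/system-auth and /etc/pam.d/password-auth. Because the script only touches active pam_unix.so lines, a diff of the file before and after shows nothing but the removed option, which is the property that separates this approach from letting authselect regenerate the whole stack from a template the scan does not expect.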