Configure PAM in SSSD Services

An XCCDF Rule

Description

SSSD should be configured to run SSSD pam services. To configure SSSD to known SSH hosts, add pam to services under the [sssd] section in /etc/sssd/sssd.conf. For example:

[sssd]
services = sudo, autofs, pam

Rationale

Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

ID: xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
Severity: Medium
References: 1 12 15 16 5

DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10

CCI-001953 CCI-001954 CCI-004046

4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4

SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1

A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3

CM-6(a) IA-2(1)

PR.AC-1 PR.AC-6 PR.AC-7

SRG-OS-000375-GPOS-00160 SRG-OS-000376-GPOS-00161 SRG-OS-000377-GPOS-00162

R67
Updated: about 1 month ago

Remediation Templates

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-2(1)  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_enable_pam_services
- name: Configure PAM in SSSD Services - Find all the conf files inside the /etc/sssd/conf.d/
    directory
  ansible.builtin.find:
    paths:
    - /etc/sssd/conf.d/
    patterns: '*.conf'
  register: sssd_conf_d_files
  when: '"sssd-common" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-2(1)
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_enable_pam_services

- name: Configure PAM in SSSD Services - Modify lines in files in the /etc/sssd/conf.d/
    directory
  ansible.builtin.replace:
    path: '{{ item }}'
    regexp: ^(\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services\s*=(?!.*\bpam\b).*)$
    replace: \1,pam
  with_items: '{{ sssd_conf_d_files.files | map(attribute=''path'') }}'
  register: modify_lines_sssd_conf_d_files
  when:
  - '"sssd-common" in ansible_facts.packages'
  - sssd_conf_d_files.matched is defined and sssd_conf_d_files.matched >= 1
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-2(1)
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_enable_pam_services

- name: Configure PAM in SSSD Services - Find /etc/sssd/sssd.conf
  ansible.builtin.stat:
    path: /etc/sssd/sssd.conf
  register: sssd_conf_file
  when: '"sssd-common" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-2(1)
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_enable_pam_services

- name: Configure PAM in SSSD Services - Modify lines in /etc/sssd/sssd.conf
  ansible.builtin.replace:
    path: /etc/sssd/sssd.conf
    regexp: ^(\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services\s*=(?!.*\bpam\b).*)$
    replace: \1,pam
  register: modify_lines_sssd_conf_file
  when:
  - '"sssd-common" in ansible_facts.packages'
  - sssd_conf_file.stat.exists
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-2(1)
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_enable_pam_services

- name: Configure PAM in SSSD Services - Find services key in /etc/sssd/sssd.conf
  ansible.builtin.replace:
    path: /etc/sssd/sssd.conf
    regexp: ^\s*\[sssd\][^\[\]]*?(?:\n(?!\[)[^\n]*?services\s*=)+
    replace: ''
  changed_when: false
  check_mode: true
  register: sssd_conf_file_services
  when:
  - '"sssd-common" in ansible_facts.packages'
  - sssd_conf_file.stat.exists
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-2(1)
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_enable_pam_services

- name: Configure PAM in SSSD Services - Insert entry to /etc/sssd/sssd.conf
  ini_file:
    path: /etc/sssd/sssd.conf
    section: sssd
    option: services
    value: pam
  when:
  - '"sssd-common" in ansible_facts.packages'
  - not modify_lines_sssd_conf_d_files.changed
  - not modify_lines_sssd_conf_file.changed
  - (sssd_conf_file_services.msg is defined and "replacements" not in sssd_conf_file_services.msg)
    or not sssd_conf_file.stat.exists
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-2(1)
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_enable_pam_services

# Remediation is applicable only in certain platforms
if rpm --quiet -q sssd-common; then
# sssd configuration files must be created with 600 permissions if they don't exist
# otherwise the sssd module fails to start
OLD_UMASK=$(umask)
umask u=rw,go=
SSSD_CONF="/etc/sssd/sssd.conf"
SSSD_CONF_DIR="/etc/sssd/conf.d/*.conf"

if [ ! -f "$SSSD_CONF" ] && [ ! -f "$SSSD_CONF_DIR" ]; then
    mkdir -p /etc/sssd
    touch "$SSSD_CONF"
fi

# Flag to check if there is already services with pam
service_already_exist=false
for f in $SSSD_CONF $SSSD_CONF_DIR; do
	if [ ! -e "$f" ]; then
		continue
	fi
	# finds all services entries under [sssd] configuration category, get a unique list so it doesn't add redundant fix
	services_list=$( awk '/^\s*\[/{f=0} /^\s*\[sssd\]/{f=1}f' $f | grep -P '^services[ \t]*=' | uniq )
    if [ -z "$services_list" ]; then
        continue
    fi

	while IFS= read -r services; do
		if [[ ! $services =~ "pam" ]]; then
			sed -i "s/$services$/&, pam/" $f
		fi
        # Either pam service was already there or got added now
        service_already_exist=true
	done <<< "$services_list"

done

# If there was no service in [sssd], add it to first config
if [ "$service_already_exist" = false ]; then
    for f in $SSSD_CONF $SSSD_CONF_DIR; do
        cat << EOF >> "$f"
[sssd]
services = pam
EOF
        break
    done
fi

umask $OLD_UMASK

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure PAM in SSSD Services

Description

Rationale

Remediation Templates

An Ansible Snippet

A Shell Script