Remove groupmems command from ensure_pam_wheel_group_empty rule #11210
Conversation
It was noticed that groupmems command, which initially seemed like a handy command, does not work on all distros or behaves differently among distros. It is better to avoid it and use a more generic approach that works for all distros.
marcusburghardt
added
bugfix
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_pam_wheel_group_empty' differs.
--- xccdf_org.ssgproject.content_rule_ensure_pam_wheel_group_empty
+++ xccdf_org.ssgproject.content_rule_ensure_pam_wheel_group_empty
@@ -9,7 +9,7 @@
fi
# group must be empty
-groupmems -g ${var_pam_wheel_group_for_su} -p
+gpasswd -M '' ${var_pam_wheel_group_for_su}
else
>&2 echo 'Remediation is not applicable, nothing was done' |
| @@ -7,4 +7,4 @@ if ! grep -q "^${var_pam_wheel_group_for_su}:[^:]*:[^:]*:[^:]*" /etc/group; then | |||
| fi | |||
|
|
|||
| # group must be empty | |||
| groupmems -g ${var_pam_wheel_group_for_su} -p | |||
| sed -i -E "s/^(${var_pam_wheel_group_for_su}:[^:]*:[^:]*:)[^:]*/\1/g" /etc/group | |||
There was a problem hiding this comment.
What is your opinion on using gpasswd instead of sed directly to edit the group file, say:
gpasswd -M '' ${var_pam_wheel_group_for_su}
There was a problem hiding this comment.
It should work fine for rhel. It is fine for Ubuntu too @dodys ? If so I would prefer to use the command suggested by @teacup-on-rockingchair instead of directly editing the file.
There was a problem hiding this comment.
Hi @teacup-on-rockingchair @marcusburghardt
I checked and it works fine on Ubuntu 20.04 and 22.04.
There was a problem hiding this comment.
Great. I will update it now.
There was a problem hiding this comment.
Done. Thanks @teacup-on-rockingchair and @mpurg
Thanks @teacup-on-rockingchair for suggesting this command. Also used the command in group_without_members.pass.sh test scenario. It is intentional to not update the Ansible remediation since it would demand to use the command module. But the gpasswd command doesn't have different return codes to know when members were removed or not from the group. It would make the Ansible task to be reported as changed always or never, which may cause confusion.
marcusburghardt
force-pushed
the
groupmems_alternative
branch
from
15e170a to
6450fa7
Compare
|
Code Climate has analyzed commit 6450fa7 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 57.0%. View more on Code Climate. |
|
Thanks for the fix @marcusburghardt and @teacup-on-rockingchair. |
|
The SLES15 failure is not related to this PR, waving. |
Description:
It was noticed that
groupmemscommand, which initially seemed like a handy command, does not work on all distros or behaves differently among distros.It is better to avoid it and use a more generic approach that works for all distros.
The issue was discovered after #11192
Rationale:
ensure_pam_wheel_group_emptyrule in SLE context #11203Review Hints:
automatus tests should be enough to test the change.