3 Replies Latest reply on Oct 25, 2012 9:58 AM by Antonio Caputo

    Compliance rule on Configuration files with same Name entries

    Antonio Caputo

      Hi all,

      I have the file /etc/pam.d/system-auth that contains the following:


      ------------------------------------------------------------------
      #%PAM-1.0
      # This file is auto-generated.
      # User changes will be destroyed the next time authconfig is run.
      auth        required      pam_env.so
      auth        sufficient    pam_unix.so nullok try_first_pass
      auth        requisite     pam_succeed_if.so uid >= 500 quiet
      auth        required      pam_deny.so

      account     required      pam_unix.so
      account     sufficient    pam_succeed_if.so uid < 500 quiet
      account     required      pam_permit.so

      password    requisite     pam_cracklib.so try_first_pass retry=3
      password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
      password    required      pam_deny.so

      session     optional      pam_keyinit.so revoke
      session     required      pam_limits.so
      session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
      session     required      pam_unix.so
      ------------------------------------------------------------------

      I need to write a compliance rule that verifies whether the word "md5" is contained in the line where we see "password sufficient".


      To do this I made a CT adding as part the Config File /etc/pam.d/system-auth and defining a rule like:


      "Configuration File Entry:/etc/pam.d/system-auth//password"."Value3 as String (All OS)" equal md5


      But it doesn't seem to work. The Compliance Job returns compliant, and it does the same even if I change the md5 word to something else: the job result is still the same (compliant).


      I have understood from some tests that it is because the line tested by the rule is not the one I need but the previous one. In fact, if I test on the previous line (the one with "password requisite") the Compliance Job works fine.


      So I tried to use the if statement like:


      if
         "Configuration File Entry:/etc/pam.d/system-auth//password"."Value1 as String (All OS)" = "sufficient"
      then
         "Configuration File Entry:/etc/pam.d/system-auth//password"."Value3 as String (All OS)" = "md5"
      end


      but nothing happened. So I think I am using the if statement wrongly or I am missing something else.


      Any clue?


      Thanks,

      Antonio
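The check the post describes, written as an added standalone example (not BladeLogic rule syntax and not from the original thread): a small pam.d parser that selects the entry by type, control flag and module rather than by type alone, so the "password sufficient pam_unix.so" line is tested instead of the first "password" line. The sample file content is constructed from the post, with the bracketed control line included to exercise that form; the same function can test for "sha512" in place of "md5" on systems where that is the expected setting.

```python
import re
from typing import List, NamedTuple, Optional

class PamEntry(NamedTuple):
    type: str        # auth, account, password, session
    control: str     # required, sufficient, ... or a bracketed [..] form
    module: str      # e.g. pam_unix.so
    args: List[str]  # module arguments

# Constructed sample based on the post's /etc/pam.d/system-auth (password stack
# plus one bracketed-control line so the parser is exercised on that form too).
SAMPLE = """\
#%PAM-1.0
# This file is auto-generated.
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
"""

# control is either a single word or a bracketed list such as [success=1 default=ignore]
_LINE = re.compile(r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")

def parse_pam(text: str) -> List[PamEntry]:
    """Parse pam.d lines into entries; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable pam line: {raw!r}")
        # a leading '-' on the type only silences missing-module errors; drop it
        entries.append(PamEntry(m["type"].lstrip("-"), m["control"], m["module"], m["args"].split()))
    return entries

def find_entry(entries: List[PamEntry], type_: str, control: str,
               module: Optional[str] = None) -> Optional[PamEntry]:
    """First entry matching type and control (and module, if given); None if absent."""
    for e in entries:
        if e.type == type_ and e.control == control and (module is None or e.module == module):
            return e
    return None

def password_sufficient_has(text: str, option: str) -> bool:
    """The post's check: is OPTION present on the 'password sufficient pam_unix.so' line?"""
    e = find_entry(parse_pam(text), "password", "sufficient", "pam_unix.so")
    return e is not None and option in e.args

if __name__ == "__main__":
    print(password_sufficient_has(SAMPLE, "md5"))     # True
    print(password_sufficient_has(SAMPLE, "sha512"))  # False
```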