    Compliance rule on Configuration files with same Name entries

    Antonio Caputo

      Hi all,

      I have the file /etc/pam.d/system-auth that contains the following:


      # This file is auto-generated.
      # User changes will be destroyed the next time authconfig is run.
      auth        required      pam_env.so
      auth        sufficient    pam_unix.so nullok try_first_pass
      auth        requisite     pam_succeed_if.so uid >= 500 quiet
      auth        required      pam_deny.so

      account     required      pam_unix.so
      account     sufficient    pam_succeed_if.so uid < 500 quiet
      account     required      pam_permit.so

      password    requisite     pam_cracklib.so try_first_pass retry=3
      password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
      password    required      pam_deny.so

      session     optional      pam_keyinit.so revoke
      session     required      pam_limits.so
      session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
      session     required      pam_unix.so

      I need to write a compliance rule that verifies whether the word "md5" is contained in the line where we see "password sufficient".


      To do this I made a CT, adding the Config File /etc/pam.d/system-auth as a part and defining a rule like:


      "Configuration File Entry:/etc/pam.d/system-auth//password"."Value3 as String (All OS)" equal md5


      But it doesn't seem to work. The Compliance Job returns compliant, and it does the same even if I change the word md5 to something else: the job result is still the same (compliant).


      I have understood from some tests that this is because the line tested by the rule is not the one I need but the previous one. In fact, if I test on the previous line (the one with "password requisite"), the Compliance Job works fine.


      So I tried to use the if statement like:


         "Configuration File Entry:/etc/pam.d/system-auth//password"."Value1 as String (All OS)" = "sufficient"
         "Configuration File Entry:/etc/pam.d/system-auth//password"."Value3 as String (All OS)" = "md5"


      but nothing happened. So I think I am using the if statement wrongly, or I am missing something else.


      Any clue?