Merge pull request #14426 from teacup-on-rockingchair/fix_sle16_pam_options

Fix sle16 pam options

Author: teacup-on-rockingchair

linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml

@@ -61,3 +61,14 @@ vuldiscussion: |-
     When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
 
 platform: package[pam]
+
+template:
+  name: pam_options
+  vars:
+    path: /etc/pam.d/su
+    type: auth
+    control_flag: required
+    module: pam_wheel.so
+    arguments:
+      - argument: use_uid
+        new_argument: use_uid

linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh

@@ -37,9 +37,24 @@ ocil: |-
     Run the following command to check if the line is present:
     <pre>grep pam_wheel /etc/pam.d/su</pre>
     The output should contain the following line:
-    <pre>auth required pam_wheel.so use_uid group={{{ xccdf_value("var_pam_wheel_group_for_su") }}}</pre>
+    <pre>auth required pam_wheel.so use_uid group={{{ xccdf_value("var_pam_wheel_group_for_su.var") }}}</pre>
 
 warnings:
     - general: |-
         Note that <tt>ensure_pam_wheel_group_empty</tt> rule complements this requirement by
         ensuring the referenced group exists and has no members.
+
+template:
+  name: pam_options
+  vars:
+    path: /etc/pam.d/su
+    type: auth
+    control_flag: required
+    module: pam_wheel.so
+    arguments:
+      - variable: group
+        variable_name: var_pam_wheel_group_for_su
+        operation: equals
+        datatype: string
+      - argument: use_uid
+        new_argument: use_uid

linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml

@@ -10,13 +10,14 @@
 # updated the Ansible pamd module to do that, we will need to use regexp
 # for now.
 
-
-# declare the XCCDF vars if any
-{{% for arg in ARGUMENTS %}}
-{{% if arg['variable']|length %}}
-- (xccdf-var var_password_pam_{{{ arg['variable'] }}})
+{{% if product == 'sle16' %}}
+- name: Copy default /usr/lib/pam.d/{{ '{{{ PATH }}}' | basename }} to {{{ PATH }}}
+  ansible.builtin.copy:
+    src: /usr/lib/pam.d/{{ '{{{ PATH }}}' | basename }}
+    dest: {{{ PATH }}}
+    force: no
+    mode: '0644'
 {{% endif %}}
-{{% endfor %}}
 
 - name: Set control_flag fact
   ansible.builtin.set_fact:
@@ -33,15 +34,15 @@
     path: {{{ PATH }}}
     line: '{{{ TYPE }}} {{{ CONTROL_FLAG }}} {{{ MODULE }}}'
     state: present
-  when: check_pam_module_result.stdout is defined and '"{{{ MODULE }}}" not in check_pam_module_result.stdout'
+  when: check_pam_module_result is not skipped and check_pam_module_result.stdout is defined and "{{{ MODULE }}}" not in check_pam_module_result.stdout
 
 - name: Ensure '{{{ MODULE }}}' module has conforming control flag
   ansible.builtin.lineinfile:
     path: {{{ PATH }}}
     regexp: '^(\s*{{{ TYPE }}}\s+)\S+(\s+{{{ MODULE }}}\s+.*)'
     line: '\g<1>{{{ CONTROL_FLAG }}}\g<2>'
     backrefs: yes
-  when: control_flag|length
+  when: check_pam_module_result is not skipped and control_flag|length
 
 {{% for arg in ARGUMENTS %}}
 # NOTE: if 'remove_argument' is present and set to some value, we assume
@@ -56,13 +57,22 @@
 {{% elif arg['variable']|length %}}
 # NOTE(gyee): if 'var' is used, user is meant to set the argument to a
 # static value
+{{% if arg['variable_name'] %}}
+{{% set pam_variable_name = arg['variable_name'] %}}
+{{% else %}}
+{{% set pam_variable_name = "var_password_pam_" + arg['variable'] %}}
+{{% endif %}}
+{{{ ansible_instantiate_variables(pam_variable_name) }}}
+
+{{% set pam_variable_value = "{{ " + pam_variable_name + " }}" %}}
 
-- name: Ensure "{{{ MODULE }}}" module has argument "{{{ arg['variable'] }}}={{ var_password_pam_{{{ arg['variable'] }}} }}"
+- name: Ensure "{{{ MODULE }}}" module has argument "{{{ arg['variable'] }}}={{{ pam_variable_value }}}"
   ansible.builtin.lineinfile:
     path: {{{ PATH }}}
     regexp: '^(\s*{{{ TYPE }}}\s+{{{ CONTROL_FLAG }}}\s+{{{ MODULE }}}(?:\s+\S+)*\s+{{{ arg['variable'] }}}=)(?:\S+)((\s+\S+)*\s*\\*\s*)$'
-    line: '\g<1>{{ var_password_pam_{{{ arg['variable'] }}} }}\g<2>'
+    line: '\g<1>{{{ pam_variable_value }}}\g<2>'
     backrefs: yes
+  when: check_pam_module_result is not skipped
 
 - name: Check the presence of "{{{ arg['variable'] }}}" argument in "{{{ MODULE }}}" module
   ansible.builtin.shell: |
@@ -74,9 +84,9 @@
   ansible.builtin.lineinfile:
     path: {{{ PATH }}}
     regexp: '^(\s*{{{ TYPE }}}\s+{{{ CONTROL_FLAG }}}\s+{{{ MODULE }}})((\s+\S+)*\s*(\\)*$)'
-    line: '\g<1> {{{ arg['variable'] }}}={{ var_password_pam_{{{ arg['variable'] }}} }}\g<2>'
+    line: '\g<1> {{{ arg['variable'] }}}={{{ pam_variable_value }}}\g<2>'
     backrefs: yes
-  when: check_pam_module_argument_result is not skipped and '"{{{ arg['variable'] }}}" not in check_pam_module_argument_result.stdout'
+  when: check_pam_module_argument_result is not skipped and "{{{ arg['variable'] }}}" not in check_pam_module_argument_result.stdout
 {{% else %}}
 - name: Set argument_value fact
   ansible.builtin.set_fact:
@@ -102,6 +112,6 @@
     regexp: '^(\s*{{{ TYPE }}}\s+{{{ CONTROL_FLAG }}}\s+{{{ MODULE }}})((\s+\S+)*\s*(\\)*$)'
     line: '\g<1> {{{ arg['new_argument'] }}}\g<2>'
     backrefs: yes
-  when: check_pam_module_argument_result is not skipped and '"{{{ arg['argument'] }}}" not in check_pam_module_argument_result.stdout'
+  when: check_pam_module_argument_result is not skipped and "{{{ arg['argument'] }}}" not in check_pam_module_argument_result.stdout
 {{% endif %}}
 {{% endfor %}}

linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml

@@ -10,10 +10,22 @@ declare -a ARGS=()
 declare -a NEW_ARGS=()
 declare -a DEL_ARGS=()
 
+{{% if product == 'sle16' %}}
+PAM_DEFAULTS_FILE_NAME="/usr/lib/pam.d/$(basename "{{{ PATH }}}")"
+if ! [ -e "{{{ PATH }}}" ] ; then
+    cp "${PAM_DEFAULTS_FILE_NAME}" "{{{ PATH }}}"
+fi
+{{% endif %}}
+
 {{% for arg in ARGUMENTS -%}}
 {{% if arg['variable'] | length -%}}
-{{{ bash_instantiate_variables("var_password_pam_" + arg['variable']) }}}
-VALUES+=("${{{ "var_password_pam_" + arg['variable'] }}}")
+{{% if arg['variable_name'] %}}
+{{% set pam_variable_name = arg['variable_name'] %}}
+{{% else %}}
+{{% set pam_variable_name = "var_password_pam_" + arg['variable'] %}}
+{{% endif %}}
+{{{ bash_instantiate_variables(pam_variable_name) }}}
+VALUES+=("${{{ pam_variable_name }}}")
 VALUE_NAMES+=("{{{ arg['variable'] }}}")
 {{%- else %}}
 VALUES+=("")