Incorrect placement of certificate_verification within sssd.conf file. #302

Open
dglinder opened this issue Sep 17, 2024 · 1 comment

@dglinder

The code to address V-230274, "RHEL 8 must implement certificate status checking for multifactor authentication." is placed in the incorrect section of the sssd.conf file in some situations.

This section of the fix-cat2.yml attempts to enforce the STIG V-230274 finding using the ansible.builtin.lineinfile: module:

RHEL8-STIG/tasks/fix-cat2.yml, lines 1392 to 1403 at 461d572:

```yaml
- name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication."
  ansible.builtin.lineinfile:
    path: '{{ rhel8stig_sssd_conf }}'
    regexp: '^certificate_verification = {{ item.regexp }}'
    state: "{{ item.state }}"
    line: "{{ item.line | default(omit) }}"
  with_items:
    - { regexp: 'no_ocsp, no_verification', state: absent }
    - { regexp: 'no_ocsp', state: absent }
    - { regexp: 'no_verification', state: absent }
    - { regexp: 'ocsp_dgst=sha1', state: present, line: 'certificate_verification = ocsp_dgst=sha1' }
  notify: restart sssd
```

This is addressing this STIG finding:

If the certificate_verification line is missing from the [sssd] section, or is missing "ocsp_dgst=sha1", ask the administrator to indicate what type of multifactor authentication is being utilized and how the system implements certificate status checking. If there is no evidence of certificate status checking being used, this is a finding.

(Emphasis mine.)

The lineinfile: module will only ensure the line is in the file, but it does not account for which section of this INI formatted file it must reside in. This has bitten me on a few occasions when the sections of the sssd.conf file are rearranged.

If we can use the community.general.ini_file: module, this section can be rewritten to address this issue:

```yaml
- name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication."
  community.general.ini_file:
    path: '{{ rhel8stig_sssd_conf }}'
    state: "{{ item.state }}"
    section: "{{ item.section | default(omit) }}"
    option: "certificate_verification"
    value: "{{ item.value }}"
  with_items:
    - { value: 'no_ocsp, no_verification', state: absent }
    - { value: 'no_ocsp', state: absent }
    - { value: 'no_verification', state: absent }
    - { value: 'ocsp_dgst=sha1', state: present, section: "sssd" }
  notify: restart sssd
```

Since only the state: present entry needs the section, the ini_file: parameter section: is omitted when the with_items: entry doesn't have one (and conveniently those are only state: absent, so they should still work regardless of the section the value appears in).

(I apologize if there are errors in the code, or corner cases it doesn't address - I'm not able to execute this on a test system, but this has bitten us in some of our test configurations and I wanted to log this issue for visibility.)
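The difference between a line-oriented check and a section-aware one can be reproduced offline. The following Python script is an added example, not code from the issue or from the RHEL8-STIG project; the three sssd.conf samples are constructed. It parses the file with the standard-library INI parser and applies the STIG logic as quoted above: the directive must be in [sssd], must carry ocsp_dgst=sha1, and (mirroring the absent entries in the task) must not be weakened by no_ocsp or no_verification. On the misplaced sample, a regexp-only check that ignores sections reports the file as compliant while the section-aware check reports a finding and names the section the line actually sits in.

```python
import configparser
import re

# Constructed sample files (not taken from the issue or the RHEL8-STIG repository).
# In MISPLACED_CONF, [sssd] is not the last section, so a regexp-only lineinfile
# run that appends at end of file leaves the directive under [pam].
MISPLACED_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap

[pam]
pam_cert_auth = True
certificate_verification = ocsp_dgst=sha1
"""

CORRECT_CONF = """\
[sssd]
domains = example.com
services = nss, pam
certificate_verification = ocsp_dgst=sha1

[domain/example.com]
id_provider = ldap

[pam]
pam_cert_auth = True
"""

WEAKENED_CONF = """\
[sssd]
domains = example.com
certificate_verification = no_ocsp, ocsp_dgst=sha1
"""

REQUIRED = "ocsp_dgst=sha1"
WEAKENING = {"no_ocsp", "no_verification"}


def section_blind_check(conf_text):
    """What a line-oriented check sees: any line anywhere in the file that sets
    certificate_verification with ocsp_dgst=sha1 counts, regardless of section."""
    pat = re.compile(r"^\s*certificate_verification\s*=.*\bocsp_dgst=sha1\b")
    return any(pat.match(line) for line in conf_text.splitlines())


def section_aware_check(conf_text):
    """STIG-style check on the parsed INI structure. Returns (compliant, reason)."""
    # strict=False tolerates duplicate keys; interpolation=None keeps '%' literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section("sssd"):
        return False, "no [sssd] section"
    if not cp.has_option("sssd", "certificate_verification"):
        # Report where the directive ended up, if it exists under another section.
        elsewhere = [s for s in cp.sections()
                     if s != "sssd" and cp.has_option(s, "certificate_verification")]
        where = f" (found under [{elsewhere[0]}])" if elsewhere else ""
        return False, "certificate_verification missing from [sssd]" + where
    value = cp.get("sssd", "certificate_verification")
    # The value is a comma-separated option list; '=' inside a token is preserved
    # because configparser splits key from value at the first delimiter only.
    opts = {t.strip() for t in value.split(",") if t.strip()}
    weak = sorted(opts & WEAKENING)
    if weak:
        return False, "weakening option(s) present: " + ", ".join(weak)
    if REQUIRED not in opts:
        return False, f"{REQUIRED} not set (value: {value!r})"
    return True, f"certificate_verification = {value} in [sssd]"


if __name__ == "__main__":
    samples = (("misplaced", MISPLACED_CONF), ("correct", CORRECT_CONF), ("weakened", WEAKENED_CONF))
    for name, conf in samples:
        print(f"{name:9s} line-check={section_blind_check(conf)!s:5s} "
              f"section-check={section_aware_check(conf)}")
```

Running it shows the misplaced file passing the line-oriented check and failing the section-aware one with "found under [pam]", which is exactly the gap between lineinfile and ini_file described in the issue. Pointing section_aware_check at a real /etc/sssd/sssd.conf (read as text) gives a quick audit of the result of either Ansible task.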

@uk-bolly uk-bolly self-assigned this Oct 22, 2024
@uk-bolly
Member

hi @dglinder

Brilliant, thank you for this issue. You have summarised the issue and provided a great solution. Really appreciated. Hope to get this out in the next couple of days in a v1r14 release.

Kindest regards

uk-bolly

uk-bolly added a commit that referenced this issue Oct 22, 2024
Signed-off-by: Mark Bolwell <[email protected]>