  • Latest Post - ‏2014-01-22T21:09:11Z by Jeff Saxton
lynchmv
5 Posts

Pinned topic RHEL-06-000030 False Positive

‏2013-11-19T17:17:56Z |

As the subject points out, RHEL-06-000030 may return a false positive as a system being compliant when it is not. From what I've gathered, the check is as follows:

grep nullok /etc/pam.d/system-auth /etc/pam.d/system-auth-ac

Then, I'm guessing the check validates that the exit code isn't 0 (zero). If it is not zero, the check assumes that nullok was not found in either file. However, you can break this check if the file doesn't exist. Here is how a check looks if it finds nullok on any line:

[root@dtutest ~]# grep nullok /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
/etc/pam.d/system-auth:auth        sufficient    pam_unix.so nullok try_first_pass
/etc/pam.d/system-auth:password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=13
/etc/pam.d/system-auth-ac:auth        sufficient    pam_unix.so nullok try_first_pass
/etc/pam.d/system-auth-ac:password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=13
[root@dtutest ~]# echo $?
0
[root@dtutest ~]#

As you can see, the exit code is zero because grep successfully found nullok on a line (more than one actually in this example). Now, to show what happens when nullok doesn't exist on any lines:

[root@dtutest ~]# grep nullok /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
[root@dtutest ~]# echo $?
1
[root@dtutest ~]#

We get a non-zero exit code, so this means that we didn't find nullok, which means this box is compliant. However, if either of the files does not exist, we also get a non-zero exit code, which fools the system into thinking this box is compliant.

[root@ledteglab1 ~]# grep nullok /etc/pam.d/system-auth-ac /etc/pam.d/system-auth
grep: /etc/pam.d/system-auth-ac: No such file or directory
/etc/pam.d/system-auth:auth        sufficient    pam_unix.so nullok try_first_pass
/etc/pam.d/system-auth:password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=13
[root@ledteglab1 ~]# echo $?
2
[root@ledteglab1 ~]#

Oops, /etc/pam.d/system-auth-ac doesn't exist, so grep exits with a non-zero code. Perhaps the check should see if grep exits with a code of 1, and any other exit code would mean the system is possibly not compliant.

  • Jeff Saxton
    21 Posts

    Re: RHEL-06-000030 False Positive

    ‏2014-01-22T21:09:11Z  

    Good point, I'll fix that and should be able to release the fix next week.

    It was doing:

    grep "nullok" /etc/pam.d/system-auth /etc/pam.d/system-auth-ac > /dev/null 2>&1
    if [ $? -eq 0 ]; then
            RESULT=FAIL
            ......

    I'll change it to:

    grep "nullok" /etc/pam.d/system-auth /etc/pam.d/system-auth-ac > /dev/null 2>&1
    RC=$?   # save grep's status first: the first [ ] test below would overwrite $?
    if [ $RC -eq 0 ] || [ $RC -eq 2 ]; then
            RESULT=FAIL
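As an added example (not the checker code from either post), here is the same nullok check written so that each of grep's exit statuses is handled explicitly, exercised against constructed copies of the PAM files rather than the live /etc/pam.d files; the function name and the temporary file names are assumptions.

```shell
#!/bin/sh
# Added example, not the checker code from either post: the RHEL-06-000030
# nullok check written so that each grep exit status is handled explicitly
# instead of reading every non-zero status as "not found":
#   0 -> "nullok" matched in at least one file   -> FAIL
#   1 -> no match in any file                    -> PASS
#   2 -> grep error, e.g. a listed file missing  -> FAIL (compliance unproven)
# The files to inspect are passed as arguments so the function can be run
# against constructed copies rather than the live /etc/pam.d files.
check_nullok() {
    # Capture grep's status immediately; a later [ ] test would overwrite $?
    if grep "nullok" "$@" > /dev/null 2>&1; then rc=0; else rc=$?; fi
    case $rc in
        1) echo PASS ;;   # the only status that proves no nullok anywhere
        *) echo FAIL ;;   # match found (0) or could not inspect a file (2)
    esac
}

# Constructed sample files (not from a real system), one per outcome.
tmp=$(mktemp -d)
printf 'auth        sufficient    pam_unix.so nullok try_first_pass\n' > "$tmp/with-nullok"
printf 'auth        sufficient    pam_unix.so try_first_pass\n' > "$tmp/clean"

check_nullok "$tmp/with-nullok" "$tmp/clean"      # FAIL: nullok present
check_nullok "$tmp/clean"                          # PASS: no match, no error
check_nullok "$tmp/clean" "$tmp/does-not-exist"    # FAIL: grep status 2, as in the thread
```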