From f11e958ed052cfaedbd478357282be70a03d23b9 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Mon, 4 Sep 2023 16:27:00 +0200
Subject: [PATCH 1/4] Simulate interaction for pkcs11-switch command
---
 .../configure_opensc_nss_db/ansible/shared.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml
index ca3fd9a8d840..062b9ef69c6e 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml
@@ -3,17 +3,17 @@
 # strategy = configure
 # complexity = low
 # disruption = low
-- name: Check existence of pkcs11-switch
-  stat:
-    path: /usr/bin/pkcs11-switch
-  register: pkcs11switch
+- name: "{{{ rule_title }}} - Check Existence of pkcs11-switch"
+  ansible.builtin.stat:
+    path: /usr/bin/pkcs11-switch
+  register: pkcs11switch
 
-- name: Get NSS database smart card configuration
-  command: /usr/bin/pkcs11-switch
+- name: "{{{ rule_title }}} - Get NSS Database Smart Card Configuration"
+  ansible.builtin.command: /usr/bin/pkcs11-switch
   changed_when: True
   register: pkcsw_output
   when: pkcs11switch.stat.exists
 
-- name: "{{{ rule_title }}}"
-  command: /usr/bin/pkcs11-switch opensc
+- name: "{{{ rule_title }}} - Select opensc Module"
+  ansible.builtin.shell: echo -e "\n" | /usr/bin/pkcs11-switch opensc
   when: pkcs11switch.stat.exists and pkcsw_output.stdout != "opensc"
From 04a0df5a7f005d0055c154e947d22212c22bdb08 Mon Sep 17 00:00:00 2001
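Review bot: The new `ansible.builtin.shell` line depends on `echo -e`, whose treatment of `-e` differs between shells (dash prints it literally), and the shell module runs under `/bin/sh` unless `executable` is set; `printf '\n' | /usr/bin/pkcs11-switch opensc` behaves the same everywhere. The piped newline is presumably answering an interactive prompt from pkcs11-switch (the commit title says so, the task does not), so a comment such as `# pkcs11-switch prompts for confirmation; feed it a newline so the remediation cannot hang` would help the next reader. Separately, the query task keeps `changed_when: True` although it only reads state, so every run of this remediation reports a change even when opensc is already selected; `changed_when: false` on that task would leave the change report to the task that actually switches the module.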
From: Marcus Burghardt
Date: Mon, 4 Sep 2023 16:30:44 +0200
Subject: [PATCH 2/4] Align bash and Ansible remediation
---
 .../smart_card_login/configure_opensc_nss_db/bash/shared.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/bash/shared.sh
index ff943d7de9a9..3d912c276e7a 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/bash/shared.sh
@@ -7,5 +7,5 @@
 PKCSSW=$(/usr/bin/pkcs11-switch)
 
 if [ ${PKCSSW} != "opensc" ] ; then
-    ${PKCSSW} opensc
+    echo -e "\n" | ${PKCSSW} opensc
 fi
From 80051e4c2c3f6001e9f8adffa0c16aa11f10c76f Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Tue, 5 Sep 2023 12:36:49 +0200
Subject: [PATCH 3/4] Remove wrong OVAL check
The OVAL check in configure_opensc_nss_db was wrong and unreliable. It was expecting to find the opensc module information in pkcs11.txt file but it is not expected to find this information there. This information should be properly checked by consulting the NSS database through proper commands. Currently, there is no file to be consulted and no OVAL check for NSS database. Removing this OVAL is the correct approach.
---
 .../configure_opensc_nss_db/oval/shared.xml | 23 -------------------
 1 file changed, 23 deletions(-)
 delete mode 100644 linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/oval/shared.xml
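Review bot: The new line pipes the newline into `${PKCSSW}`, but that variable holds the output of `/usr/bin/pkcs11-switch` (the name of the currently selected module), not the path to the tool, so the remediation executes whatever string the query printed as a command with `opensc` as its argument; it cannot switch the module, and running program output as a command is a pattern worth avoiding on its own. The Ansible remediation in this series calls the binary directly, so to actually align the two the line should read `printf '\n' | /usr/bin/pkcs11-switch opensc` (printf also sidesteps the non-portable `echo -e`). The test above it uses an unquoted `${PKCSSW}`, so an empty result (tool missing or failing) makes `[` fail with a syntax error rather than skipping; `if [ "${PKCSSW}" != "opensc" ] ; then` is safer, and unlike the Ansible version nothing in the hunk checks that `/usr/bin/pkcs11-switch` exists, unless the lines above the hunk do so.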
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/oval/shared.xml deleted file mode 100644 index 6a7338df1660..000000000000 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/oval/shared.xml +++ /dev/null @@ -1,23 +0,0 @@ - - - {{{ oval_metadata("The NSS DB should be set to use opensc library.") }}} - - - - - - - - - - - /etc/pki/nssdb/pkcs11.txt - ^library=opensc.*\.so$ - 1 - - - From 2359eecddf96b174192bace480fb561af65546b6 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 5 Sep 2023 12:40:04 +0200 Subject: [PATCH 4/4] Include warning about missing OVAL check Make it clear why there is no OVAL check for this rule. --- .../smart_card_login/configure_opensc_nss_db/rule.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/rule.yml index eb4186084d63..a989dfda8ca7 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/rule.yml @@ -40,3 +40,9 @@ ocil: |- run the following command:
$ pkcs11-switch
The output should return
opensc
+
+warnings:
+    - general: |-
+        NSS modules information are stored in NSS database which is in binary format. Currently
+        it is not possible to check NSS database using OVAL. This is the reason there is no OVAL
+        check for this rule.
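Review bot: The added warning explains why there is no OVAL but not what that means for users: with no check, scanners will generally report this rule as notchecked, so the remediation's effect is never verified automatically, and a closing sentence such as `Scanners report this rule as notchecked; verify the selected module manually with the pkcs11-switch command shown in the OCIL above.` would complete the picture. The first sentence also reads awkwardly (`NSS modules information are stored in NSS database`); `Information about NSS modules is stored in the NSS database, which is in binary format.` is cleaner.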