From c9dfb2665c2cb21dca5b19434c7cb41ecec247e3 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 23 Aug 2022 12:05:54 +0200
Subject: [PATCH 11/11] Ensure check and remediation work on RHEL7 regardless of authconfig runs
Patch-name: scap-security-guide-0.1.64-fix_smartcard_auth_rhel7-PR_9387.patch
Patch-status: Ensure smartcard_auth check and remediation work on RHEL7
---
 .../smartcard_auth/bash/shared.sh | 44 ++++++++++-----
 .../smartcard_auth/oval/shared.xml | 2 +
 .../tests/installed_with_authconfig.fail.sh | 53 +++++++++++++++++++
 .../installed_with_pam_faildelay.pass.sh | 11 ++++
 .../installed_without_authconfig.fail.sh | 52 ++++++++++++++++++
 5 files changed, 150 insertions(+), 12 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_authconfig.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_pam_faildelay.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_without_authconfig.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh
index 9d421063f7..925ec7bd8e 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh
@@ -23,6 +23,7 @@ SYSTEM_AUTH_CONF="/etc/pam.d/system-auth"
 # Define expected 'pam_env.so' row in $SYSTEM_AUTH_CONF
 PAM_ENV_SO="auth.*required.*pam_env.so"
+PAM_FAIL_DELAY="auth.*required.*pam_faildelay.so"
 # Define 'pam_succeed_if.so' row to be appended past $PAM_ENV_SO row into $SYSTEM_AUTH_CONF
 SYSTEM_AUTH_PAM_SUCCEED="\
@@ -37,31 +38,50 @@ pam_pkcs11.so nodebug"
 # Define smartcard-auth config location
 SMARTCARD_AUTH_CONF="/etc/pam.d/smartcard-auth"
 # Define 'pam_pkcs11.so' auth section to be appended past $PAM_ENV_SO into $SMARTCARD_AUTH_CONF
-SMARTCARD_AUTH_SECTION="\
-auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card"
+SMARTCARD_AUTH_SECTION="auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card"
 # Define expected 'pam_permit.so' row in $SMARTCARD_AUTH_CONF
 PAM_PERMIT_SO="account.*required.*pam_permit.so"
 # Define 'pam_pkcs11.so' password section
-SMARTCARD_PASSWORD_SECTION="\
-password required pam_pkcs11.so"
+SMARTCARD_PASSWORD_SECTION="password required pam_pkcs11.so"
 # First Correct the SYSTEM_AUTH_CONF configuration
 if ! grep -q 'pam_pkcs11.so' "$SYSTEM_AUTH_CONF"
 then
- # Append (expected) pam_succeed_if.so row past the pam_env.so into SYSTEM_AUTH_CONF file
- # and append (expected) pam_pkcs11.so row right after the pam_succeed_if.so we just added
- # in SYSTEM_AUTH_CONF file
- # This will preserve any other already existing row equal to "$SYSTEM_AUTH_PAM_SUCCEED"
- echo "$(awk '/^'"$PAM_ENV_SO"'/{print $0 RS "'"$SYSTEM_AUTH_PAM_SUCCEED"'" RS "'"$SYSTEM_AUTH_PAM_PKCS11"'";next}1' "$SYSTEM_AUTH_CONF")" > "$SYSTEM_AUTH_CONF"
+ # Append pam_succeed_if.so row after pam_env.so or after pam_faildelay.so when it exists.
+ # Then append pam_pkcs11.so row right after the pam_succeed_if.so we just added
+ # in SYSTEM_AUTH_CONF file
+ # This will preserve any other already existing row equal to "$SYSTEM_AUTH_PAM_SUCCEED"
+ if !
grep -q 'pam_faildelay.so' "$SYSTEM_AUTH_CONF"
+ then
+ echo "$(awk '/^'"$PAM_ENV_SO"'/{print $0 RS "'"$SYSTEM_AUTH_PAM_SUCCEED"'" RS "'"$SYSTEM_AUTH_PAM_PKCS11"'";next}1' "$SYSTEM_AUTH_CONF")" > "$SYSTEM_AUTH_CONF"
+ else
+ echo "$(awk '/^'"$PAM_FAIL_DELAY"'/{print $0 RS "'"$SYSTEM_AUTH_PAM_SUCCEED"'" RS "'"$SYSTEM_AUTH_PAM_PKCS11"'";next}1' "$SYSTEM_AUTH_CONF")" > "$SYSTEM_AUTH_CONF"
+ fi
+ fi
 # Then also correct the SMARTCARD_AUTH_CONF
-if ! grep -q 'pam_pkcs11.so' "$SMARTCARD_AUTH_CONF"
+if ! grep -q 'auth.*pam_pkcs11.so' "$SMARTCARD_AUTH_CONF"
 then
 # Append (expected) SMARTCARD_AUTH_SECTION row past the pam_env.so into SMARTCARD_AUTH_CONF file
- sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SMARTCARD_AUTH_SECTION" "$SMARTCARD_AUTH_CONF"
+ sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a \
+ '"$SMARTCARD_AUTH_SECTION" "$SMARTCARD_AUTH_CONF"
+else
+ if ! grep -q 'auth.*pam_pkcs11.so.*no_debug.*wait_for_card' "$SMARTCARD_AUTH_CONF"
+ then
+ sed -i --follow-symlinks -e 's/^auth.*pam_pkcs11.so.*/'"$SMARTCARD_AUTH_SECTION"'/' "$SMARTCARD_AUTH_CONF"
+ fi
+fi
+if ! grep -q 'password.*pam_pkcs11.so' "$SMARTCARD_AUTH_CONF"
+then
 # Append (expected) SMARTCARD_PASSWORD_SECTION row past the pam_permit.so into SMARTCARD_AUTH_CONF file
- sed -i --follow-symlinks -e '/^'"$PAM_PERMIT_SO"'/a '"$SMARTCARD_PASSWORD_SECTION" "$SMARTCARD_AUTH_CONF"
+ sed -i --follow-symlinks -e '/^'"$PAM_PERMIT_SO"'/a \
+ '"$SMARTCARD_PASSWORD_SECTION" "$SMARTCARD_AUTH_CONF"
+else
+ if ! grep -q 'password.*required.*pam_pkcs11.so' "$SMARTCARD_AUTH_CONF"
+ then
+ sed -i --follow-symlinks -e 's/password.*pam_pkcs11.so.*/'"$SMARTCARD_PASSWORD_SECTION"'/' "$SMARTCARD_AUTH_CONF"
+ fi
 fi
 # Perform /etc/pam_pkcs11/pam_pkcs11.conf settings below
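Review bot: The re-check in the smartcard-auth `else` branch greps for `no_debug`, but the row this script writes (`SMARTCARD_AUTH_SECTION`) spells the option `nodebug`, so that grep never matches a line the script itself produced and the `sed 's/^auth.*pam_pkcs11.so.*/…/'` rewrite runs on every invocation even when the row is already correct; it should read `if ! grep -q 'auth.*pam_pkcs11.so.*nodebug.*wait_for_card' "$SMARTCARD_AUTH_CONF"`. In the system-auth block the branch test `grep -q 'pam_faildelay.so'` is looser than the awk anchor `/^auth.*required.*pam_faildelay.so/`, so a pam_faildelay row with any other control value selects the second awk program, which then matches nothing and leaves system-auth without the pam_succeed_if.so/pam_pkcs11.so rows while, as far as this hunk shows, nothing reports the miss; testing `grep -q "^$PAM_FAIL_DELAY" "$SYSTEM_AUTH_CONF"` keeps the two in step. The `echo "$(awk …)" > "$SYSTEM_AUTH_CONF"` form is inherited from the removed line, but it truncates a PAM stack before the replacement is known to be good, so writing to a `mktemp` file and moving it into place would keep an awk failure from emptying system-auth.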
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml
index 343da51124..e284636e8a 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml
@@ -46,6 +46,7 @@
 comment="Regular expression to check if smartcard authentication is enabled in /etc/pam.d/system-auth"
 version="1">
 \nauth[\s]+required[\s]+pam_env.so
+ (\nauth[\s]+required[\s]+pam_faildelay.so[\s]+delay=2000000)?
 \nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s]
 login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid
 \nauth[\s]+\[success=done[\s]authinfo_unavail=ignore[\s]ignore=ignore[\s]default=die\][\s]
@@ -70,6 +71,7 @@
 comment="Regular expressiion to check if smartcard authentication is required in /etc/pam.d/system-auth"
 version="1">
 \nauth[\s]+required[\s]+pam_env.so
+ (\nauth[\s]+required[\s]+pam_faildelay.so[\s]+delay=2000000)?
 \nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s]
 login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid
 \nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s]
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_authconfig.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_authconfig.fail.sh
new file mode 100644
index 0000000000..b0bbd7a8c0
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_authconfig.fail.sh
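Review bot: The optional pam_faildelay group added to both patterns (the second hunk at `-70,6` repeats it) accepts only the literal `delay=2000000`, while the bash remediation on this page keys on `PAM_FAIL_DELAY="auth.*required.*pam_faildelay.so"` with no argument constraint; a system-auth whose pam_faildelay row carries any other delay value is therefore remediated (the pam_succeed_if.so row is inserted after it) yet still fails this check, so the rule can never reach pass on such a host. Loosening the group to `(\nauth[\s]+required[\s]+pam_faildelay.so[^\n]*)?` would match what the remediation leaves behind without admitting an extra auth row in between. Whether other modules are tolerated between pam_env.so and pam_succeed_if.so is not something this hunk shows, so the wider alternative is left to the rule owner.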
@@ -0,0 +1,53 @@
+#!/bin/bash
+# packages = pcsc-lite pam_pkcs11 esc
+
+systemctl enable pcscd.socket
+systemctl start pcscd.socket
+
+cat << EOF > "/etc/pam.d/system-auth"
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 1000 quiet_success
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account required pam_permit.so
+
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+EOF
+
+cat << EOF > "/etc/pam.d/smartcard-auth"
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth required pam_env.so
+auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account required pam_permit.so
+
+password required pam_pkcs11.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+EOF
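Review bot: Nothing in the script says why this fixture is expected to fail; a reader has to compare it with the OVAL patterns on this page to see that the system-auth stack (the authconfig default, including pam_faildelay.so) has none of the pam_succeed_if.so/pam_pkcs11.so rows the rule requires, while the smartcard-auth stack is already the compliant form. A comment under the `# packages` line such as `# system-auth is the authconfig-generated default with pam_faildelay.so and no pam_pkcs11.so rows, so the check must fail even though smartcard-auth is already compliant` would pin the intent and keep the fixture from being "fixed" by someone who only reads the smartcard-auth heredoc.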
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_pam_faildelay.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_pam_faildelay.pass.sh
new file mode 100644
index 0000000000..c36ecbdb02
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_pam_faildelay.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = pcsc-lite pam_pkcs11 esc
+
+systemctl enable pcscd.socket
+systemctl start pcscd.socket
+
+. ./configure_pam_stack.sh
+
+# Add pam_faildelay line to system-auth
+PAM_ENV_SO="auth.*required.*pam_env.so"
+sed -i --follow-symlinks '/auth.*required.*pam_env.so/ a auth required pam_faildelay.so delay=2000000' /etc/pam.d/system-auth
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_without_authconfig.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_without_authconfig.fail.sh
new file mode 100644
index 0000000000..83f4a81f08
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_without_authconfig.fail.sh
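Review bot: `PAM_ENV_SO` is assigned on the line before the sed call and never used; the sed address repeats the same pattern literally, so the variable is dead and the two can drift apart silently. Either drop the assignment or use it, e.g. `sed -i --follow-symlinks "/$PAM_ENV_SO/ a auth required pam_faildelay.so delay=2000000" /etc/pam.d/system-auth`, so the anchor is defined once. Note that the inserted row uses the exact `delay=2000000` the OVAL patterns on this page make optional, so this pass expectation holds only while that literal stays in sync with the check.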
@@ -0,0 +1,52 @@
+#!/bin/bash
+# packages = pcsc-lite pam_pkcs11 esc
+
+systemctl enable pcscd.socket
+systemctl start pcscd.socket
+
+cat << EOF > "/etc/pam.d/system-auth"
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth required pam_env.so
+auth sufficient pam_unix.so try_first_pass nullok
+auth required pam_deny.so
+
+account required pam_unix.so
+
+password requisite pam_pwquality.so try_first_pass local_users_only retry
+=3 authtok_type=
+password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 s
+hadow
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
+use_uid
+session required pam_unix.so
+EOF
+
+cat << EOF > "/etc/pam.d/smartcard-auth"
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth required pam_env.so
+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account required pam_permit.so
+
+password optional pam_pkcs11.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
+use_uid
+session required pam_unix.so
+EOF
-- 2.37.2
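Review bot: Four rows of the heredocs are broken mid-token — `retry` / `=3 authtok_type=` and `sha512 s` / `hadow` in system-auth, and `quiet` / `use_uid` in the session stack of both files — so the fixture writes PAM entries (`=3 authtok_type=`, `hadow`, `use_uid`) that are not what the test name describes. The hunk's declared length of 52 lines only adds up with those breaks present, so this appears to be the file content rather than a display artefact. The test presumably still fails for the intended reason (system-auth has no pam_pkcs11.so row), but a malformed system-auth can also break logins on the test VM and would mask any later change to the check, so the rows should be rejoined as below.
```shell
cat << EOF > "/etc/pam.d/system-auth"
# … unchanged: header comments, auth and account rows …
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
# … unchanged: pam_deny.so row and the first three session rows …
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
# … unchanged: closing pam_unix.so row, EOF, and the smartcard-auth heredoc, whose pam_succeed_if.so session row is rejoined the same way …
```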