(imported topic written by lynchmv)
As the subject points out, RHEL-06-000030 may return a false positive as a system being compliant when it is not. From what I’ve gathered, the check is as follows:
grep nullok /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
Then, I’m guessing the check validates that the exit code isn’t 0 (zero). If it is not zero, the check assumes that nullok was not found in either file. However, you can break this check if the file doesn’t exist. Here is how a check looks if it finds nullok on any line:
[root@dtutest ~]# grep nullok /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
/etc/pam.d/system-auth:auth sufficient pam_unix.so nullok try_first_pass
/etc/pam.d/system-auth:password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=13
/etc/pam.d/system-auth-ac:auth sufficient pam_unix.so nullok try_first_pass
/etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=13
[root@dtutest ~]# echo $?
0
[root@dtutest ~]#
As you can see, the exit code is zero because grep successfully found nullok on a line (more than one actually in this example). Now, to show what happens when nullok doesn’t exist on any lines:
[root@dtutest ~]# grep nullok /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
[root@dtutest ~]# echo $?
1
[root@dtutest ~]#
We get a non-zero exit code, so this means that we didn’t find nullok, which means this box is compliant. However, if either of the files does not exist, we also get a non-zero exit code, which fools the system into thinking this box is compliant.
[root@ledteglab1 ~]# grep nullok /etc/pam.d/system-auth-ac /etc/pam.d/system-auth
grep: /etc/pam.d/system-auth-ac: No such file or directory
/etc/pam.d/system-auth:auth sufficient pam_unix.so nullok try_first_pass
/etc/pam.d/system-auth:password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=13
[root@ledteglab1 ~]# echo $?
2
[root@ledteglab1 ~]#
Oops, /etc/pam.d/system-auth-ac doesn’t exist, so grep exits with a non-zero code…perhaps the check should see if grep exits with a code of 1 and any other exit code would mean the system is possibly not compliant.
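The following script is an added example and is not part of the original post or of any STIG scanner. It puts the inferred check (any non-zero grep exit code means compliant) beside a stricter version that treats grep exit code 1 as the only "compliant" result and reports a missing file or any other grep error as undetermined. The PAM lines, the temporary-directory scenarios and the function names (naive_check, check_nullok, make_scenario, run_scenario) are constructed for this example; nothing in it touches the real /etc/pam.d files.

```shell
#!/bin/sh
# Added example: two ways to evaluate a RHEL-06-000030 style "no nullok" check.
# Nothing here reads the real /etc/pam.d; every file is built in a temp dir.

# Constructed sample PAM lines (not copied from a real system).
NULLOK_LINE='auth        sufficient    pam_unix.so nullok try_first_pass'
CLEAN_LINE='auth        sufficient    pam_unix.so try_first_pass'

# naive_check FILE... : the logic the post infers the scanner uses.
# Any non-zero grep exit code is taken as "nullok not found".
# Returns 0 = reported compliant, 1 = reported non-compliant.
naive_check() {
    if grep nullok "$@" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_nullok FILE... : stricter version. Every file must exist, and only
# grep exit code 1 (searched all files, no match) counts as compliant.
# Returns 0 = compliant, 1 = non-compliant (nullok present),
#         2 = undetermined (file missing or grep reported an error).
check_nullok() {
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "UNDETERMINED: $f does not exist"
            return 2
        fi
    done
    grep nullok "$@" >/dev/null 2>&1
    grep_rc=$?
    case $grep_rc in
        0) echo "NON-COMPLIANT: nullok present"; return 1 ;;
        1) echo "COMPLIANT: nullok not found in any file"; return 0 ;;
        *) echo "UNDETERMINED: grep exit code $grep_rc"; return 2 ;;
    esac
}

# make_scenario LINE_A LINE_B : creates a temp dir holding system-auth (LINE_A)
# and, unless LINE_B is the word MISSING, system-auth-ac (LINE_B). Prints the dir.
make_scenario() {
    dir=$(mktemp -d)
    printf '%s\n' "$1" > "$dir/system-auth"
    [ "$2" = MISSING ] || printf '%s\n' "$2" > "$dir/system-auth-ac"
    printf '%s\n' "$dir"
}

# run_scenario CHECK LINE_A LINE_B : runs CHECK against a fresh scenario,
# removes the temp dir and returns CHECK's verdict code.
run_scenario() {
    checker=$1
    shift
    dir=$(make_scenario "$@")
    verdict=0
    "$checker" "$dir/system-auth" "$dir/system-auth-ac" || verdict=$?
    rm -rf "$dir"
    return $verdict
}

# Demonstration: the three situations from the post, run through both checks.
# For naive_check, 0 means "reported compliant"; note the last scenario.
for check in naive_check check_nullok; do
    echo "== $check =="
    v=0; run_scenario "$check" "$NULLOK_LINE" "$NULLOK_LINE" || v=$?
    echo "  nullok in both files   -> $v"
    v=0; run_scenario "$check" "$CLEAN_LINE" "$CLEAN_LINE" || v=$?
    echo "  nullok in neither file -> $v"
    v=0; run_scenario "$check" "$NULLOK_LINE" MISSING || v=$?
    echo "  system-auth-ac missing -> $v"
done
```

In the missing-file scenario naive_check returns 0 (reported compliant) even though system-auth still carries nullok, because grep exits with 2 rather than 1; check_nullok returns 2 for the same input so the result is flagged for review instead of passing.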