Enable authselect

Classification:

compliance

Framework:

Control:

Description

Configure the user authentication setup to use the authselect tool. If an authselect profile is selected, the rule enables the sssd profile.

Rationale

Authselect is a successor to authconfig. It is a tool to select system authentication and identity sources from a list of supported profiles instead of letting the administrator manually build the PAM stack.

That way it avoids potential breakage of the configuration, as it ships several well-tested and supported profiles that cover different use cases.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Profile to enable; 'sssd' is the default used by this rule.
var_authselect_profile='sssd'

# Try a normal selection first; this fails when the PAM configuration
# has been modified outside of authselect.
authselect select "$var_authselect_profile"

if test "$?" -ne 0; then
    # Only force the profile when the files shipped by the 'pam' package
    # are unmodified, so administrator changes are not silently overwritten.
    if rpm --quiet --verify pam; then
        authselect select --force "$var_authselect_profile"
    else
        echo "Files in the 'pam' package have been altered, so the authselect configuration won't be forced" >&2
    fi
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: XCCDF Value var_authselect_profile # promote to variable
  set_fact:
    var_authselect_profile: !!str sssd
  tags:
    - always

- name: Enable authselect - Select authselect profile
  ansible.builtin.command:
    cmd: authselect select "{{ var_authselect_profile }}"
  register: result_authselect_select
  failed_when: false
  tags:
    - CCE-88248-0
    - NIST-800-53-AC-3
    - configure_strategy
    - enable_authselect
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

- name: Enable authselect - Verify if PAM has been altered
  ansible.builtin.command:
    cmd: rpm -qV pam
  register: result_altered_authselect
  failed_when: false
  when: result_authselect_select.rc != 0
  tags:
    - CCE-88248-0
    - NIST-800-53-AC-3
    - configure_strategy
    - enable_authselect
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

- name: Enable authselect - Informative message based on the authselect integrity check
  ansible.builtin.assert:
    that:
      - result_altered_authselect is skipped or result_altered_authselect.rc == 0
    fail_msg:
      - Files in the 'pam' package have been altered, so the authselect configuration won't be forced.
  tags:
    - CCE-88248-0
    - NIST-800-53-AC-3
    - configure_strategy
    - enable_authselect
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

- name: Enable authselect - Force authselect profile select
  ansible.builtin.command:
    cmd: authselect select --force "{{ var_authselect_profile }}"
  when:
    - result_authselect_select.rc != 0
    - result_altered_authselect is skipped or result_altered_authselect.rc == 0
  tags:
    - CCE-88248-0
    - NIST-800-53-AC-3
    - configure_strategy
    - enable_authselect
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

Warning

If the sudo authselect select command returns an error stating that the chosen profile cannot be selected, it is probably because the PAM files have already been modified by the administrator. If this is the case, in order not to overwrite the changes the administrator intended, the current PAM settings should be investigated before forcing the selection of the chosen authselect profile.
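The investigation step above is easy to script: an audit helper that reports the current authselect profile and lists which 'pam' package files were altered, without forcing anything. This is an added example, not part of the ComplianceAsCode rule or its remediation; it parses the output of `authselect current` and `rpm -qV pam` in separate functions so the logic can be exercised on captured output, and the expected profile name (default `sssd`) is an assumption passed as an argument.

```shell
#!/bin/sh
# Added example (not part of the rule): audit the authselect state and the
# integrity of the 'pam' package before deciding whether to force a profile.
# Parsing is separated from the live commands so it can run on captured text.

# Extract the profile ID from `authselect current` output; prints nothing
# when no profile is selected (authselect then reports no configuration).
parse_authselect_profile() {
    sed -n 's/^Profile ID: *//p' | head -n 1
}

# List files reported as modified by `rpm -V pam`. rpm prints one line per
# changed file: a 9-character attribute field, an optional type flag
# (c = config), then the path; missing files appear as "missing   /path".
parse_altered_files() {
    awk 'NF >= 2 && $1 != "package" { print $NF }'
}

# Return 0 if the live system runs the expected profile, 1 otherwise.
check_authselect_profile() {
    expected="$1"
    current=$(authselect current 2>/dev/null | parse_authselect_profile)
    [ "$current" = "$expected" ]
}

# Report the profile state and any altered pam files; modifies nothing.
audit_authselect() {
    expected="${1:-sssd}"
    if check_authselect_profile "$expected"; then
        echo "OK: authselect profile '$expected' is selected"
        status=0
    else
        echo "FAIL: expected authselect profile '$expected' is not selected" >&2
        status=1
    fi
    altered=$(rpm -qV pam 2>/dev/null | parse_altered_files)
    if [ -n "$altered" ]; then
        echo "WARNING: 'pam' package files were altered; review before forcing a profile:" >&2
        echo "$altered" | sed 's/^/  /' >&2
    fi
    return $status
}

# Run the audit only when invoked with a profile name, e.g. ./audit.sh sssd
if [ "$#" -gt 0 ]; then
    audit_authselect "$1"
fi
```

The exit status of `audit_authselect` is 0 only when the expected profile is active, so it can be used directly as a compliance check; the altered-file warning is informational and is what the warning above asks an administrator to review.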