Fix no_empty_passwords remediation for RHCOS 9 #14602
Open
sebrandon1 wants to merge 1 commit into ComplianceAsCode:master from
Conversation
Hi @sebrandon1. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
sebrandon1 added a commit to sebrandon1/os that referenced this pull request on May 5, 2026:

The RHCOS 9 base image ships pam_unix.so with 'nullok' on the auth and password lines, allowing authentication with empty passwords. No OCP node should ever permit empty password authentication.

This removes 'nullok' from both /etc/pam.d/system-auth and /etc/pam.d/password-auth while preserving the native RHCOS 9 PAM stack (unlike the broken authselect-based remediation that rewrites PAM with RHEL 8 templates).

Addresses compliance group H2 (HIGH severity, all profiles). Verified on OCP 4.22 (cnfdt16, RHCOS 9.8).

Related:
- ComplianceAsCode/content#14602 (upstream scanner fix)
- https://sebrandon1.github.io/compliance-scripts/versions/4.22/groups/H2.html
sebrandon1 added a commit to sebrandon1/os that referenced this pull request on May 5, 2026:

The RHCOS 9 base image ships pam_unix.so with 'nullok' on the auth and password lines, allowing authentication with empty passwords. No OCP node should ever permit empty password authentication.

This removes 'nullok' from both /etc/pam.d/system-auth and /etc/pam.d/password-auth while preserving the native RHCOS 9 PAM stack. Do NOT use authselect — it rewrites PAM with RHEL 8 templates that break RHCOS 9.

Addresses compliance group H2 (HIGH severity, all profiles). Verified on OCP 4.22 (cnfdt16, RHCOS 9.8).

Related:
- ComplianceAsCode/content#14602 (upstream scanner fix)
- https://sebrandon1.github.io/compliance-scripts/versions/4.22/groups/H2.html
sebrandon1 added a commit to sebrandon1/os that referenced this pull request on May 5, 2026:

RHCOS 9 ships pam_unix.so with 'nullok' on the auth and password lines in both system-auth and password-auth, allowing authentication with empty passwords. No OCP node should permit this.

This removes 'nullok' from both files while preserving the native RHCOS 9 PAM stack. Do NOT use authselect for this — it rewrites PAM with RHEL 8 templates that break RHCOS 9.

Flagged as HIGH severity across all compliance profiles (E8, CIS, Moderate, PCI-DSS). Verified on OCP 4.22 (RHCOS 9.8).

Related upstream scanner fix: ComplianceAsCode/content#14602
sebrandon1 added a commit to sebrandon1/os that referenced this pull request on May 5, 2026:

Activate authselect with the 'without-nullok' feature to remove the nullok parameter from pam_unix.so in system-auth and password-auth. This prevents authentication with empty passwords on RHCOS nodes.

Uses the supported RHEL mechanism (authselect) rather than replacing PAM files directly. The without-nullok feature was purpose-built for this use case by the authselect maintainer in 2018: authselect/authselect@e1fbbdc

RHCOS nodes are managed infrastructure with no legitimate use case for empty password authentication. Flagged as HIGH severity across all compliance profiles (E8, CIS, Moderate, PCI-DSS).

Related:
- authselect issue: authselect/authselect#94
- Upstream scanner fix: ComplianceAsCode/content#14602
On RHCOS 9, /usr/bin/authselect exists but PAM files are not managed by authselect. Using authselect rewrites the PAM stack with RHEL 8 era templates (including pam_fprintd.so and a 2018 authselect header) that don't match the actual RHCOS 9 PAM configuration.

After applying the authselect-based remediation, the compliance scan still reports FAIL because the OVAL check doesn't recognize the RHEL 8 PAM template as a valid remediated state.

Fix: Add an rhcos-specific branch that uses direct sed (via bash_remove_pam_module_option) to surgically remove nullok from the existing PAM files, preserving the RHCOS 9 PAM stack.

Verified on OCP 4.22 (RHCOS 9.8): no_empty_passwords flips from FAIL to PASS with the direct sed approach.

261e1b1 to 739052d
Problem

On RHCOS 9, the `no_empty_passwords` bash remediation uses `authselect` to remove `nullok` from PAM files. Although `/usr/bin/authselect` exists on RHCOS 9, the PAM files are not managed by authselect. Running authselect rewrites the PAM stack with RHEL 8 era templates that include `pam_fprintd.so` and a 2018 authselect header — these don't match the actual RHCOS 9 PAM configuration.

After applying the authselect-based remediation, the compliance scan still reports FAIL because the OVAL check doesn't recognize the RHEL 8 PAM template as a valid remediated state.

Fix

Add an `rhcos`-specific branch in the Jinja template that uses direct `bash_remove_pam_module_option` (sed-based) to surgically remove `nullok` from the existing PAM files, preserving the native RHCOS 9 PAM stack.

Verification

Tested on OCP 4.22 (RHCOS 9.8, 3 masters + 2 workers):

- Before the fix: `no_empty_passwords` = FAIL (even after applying remediation)
- After the fix: `no_empty_passwords` = PASS

Root Cause Detail

RHCOS 9 `/etc/pam.d/system-auth` uses `pam_usertype.so` and `pam_sss.so` — not `pam_fprintd.so` or the RHEL 8 authselect template. The authselect remediation replaces the entire file with content that doesn't match what the OVAL check expects on RHCOS 9.
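The sed-based remediation the PR description and commit messages describe, as an added example that is not the project's `bash_remove_pam_module_option` macro nor code from the PR itself. The function names (`count_nullok`, `remove_nullok`, `audit_pam_dir`, `demo`) and the sample PAM stack are constructed here to resemble the RHCOS 9 layout the PR mentions (`pam_usertype.so`, `pam_sss.so`, no `pam_fprintd.so`); it works on temporary copies, never on the live `/etc/pam.d`. It also shows the audit side: a check that counts `nullok` on `pam_unix.so` auth/password lines, which is the state the scanner's FAIL/PASS result is about.

```shell
#!/bin/sh
# Added example (not ComplianceAsCode's bash_remove_pam_module_option macro):
# audit and remediate 'nullok' on pam_unix.so lines in system-auth and
# password-auth, the way the PR describes, against constructed copies.

# Constructed sample modelled on the RHCOS 9 stack the PR mentions
# (pam_usertype.so, pam_sss.so, no pam_fprintd.so). Illustrative only.
SAMPLE_PAM='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_usertype.so issystem
password    requisite     pam_pwquality.so local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
session     required      pam_unix.so'

# Number of auth/password pam_unix.so lines in file $1 that still carry
# 'nullok'. 0 is the state the no_empty_passwords check wants. The trailing
# '|| true' keeps grep's exit status 1 (no matches) from aborting callers.
count_nullok() {
    grep -Ec '^[[:space:]]*(auth|password)[[:space:]].*pam_unix\.so.*[[:space:]]nullok([[:space:]]|$)' "$1" || true
}

# Strip 'nullok' from auth/password pam_unix.so lines in file $1, leaving
# every other line and every other option (sha512, shadow, try_first_pass,
# ...) untouched. 'nullok_secure' is not matched because a separator or end
# of line must follow. Writes through a temp file so any POSIX sed works.
remove_nullok() {
    sed -E '/^[[:space:]]*(auth|password)[[:space:]].*pam_unix\.so/ s/[[:space:]]+nullok([[:space:]]|$)/\1/g' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Audit both files the remediation touches under directory $1. Prints one
# PASS/FAIL line per file; returns non-zero if any file still has nullok.
audit_pam_dir() {
    status=0
    for f in "$1/system-auth" "$1/password-auth"; do
        n=$(count_nullok "$f")
        if [ "$n" -eq 0 ]; then
            echo "PASS $f"
        else
            echo "FAIL $f ($n nullok line(s))"
            status=1
        fi
    done
    return $status
}

# Stand-alone demo on a constructed copy of /etc/pam.d, never the live one.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PAM" > "$d/system-auth"
    printf '%s\n' "$SAMPLE_PAM" > "$d/password-auth"
    echo "before:"
    audit_pam_dir "$d" || true
    remove_nullok "$d/system-auth"
    remove_nullok "$d/password-auth"
    echo "after:"
    audit_pam_dir "$d"
    rm -rf "$d"
}
demo
```

The edit is deliberately narrow: only `auth` and `password` lines that load `pam_unix.so` are rewritten, so the `account` and `session` lines and the surrounding modules stay byte-for-byte as they were. That is the property the PR relies on, since an OVAL check written for the native RHCOS 9 stack fails when the whole file is replaced by a different template.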