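# Copyright:: 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License").
# You may not use this file except in compliance with the License. A copy of the License is located at
#
# http://aws.amazon.com/apache2.0/
#
# or in the "LICENSE.txt" file accompanying this file.
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied.
# See the License for the specific language governing permissions and limitations under the License.

# InSpec controls for the SSSD-based system authentication stack (NSS/PAM -> SSSD -> LDAP).
# Three phases are verified: packages present, services enabled and running, and NSS/PAM
# wired to SSSD. OS branching goes through os_properties; the two config-phase controls are
# skipped when the directory service is disabled, or disabled on compute nodes.

control 'tag:install_system_authentication_packages_installed' do
  title 'Check that system authentication packages are installed correctly'

  # Base SSSD stack. RHEL 8 additionally needs authselect (NSS/PAM profile switching)
  # and oddjob-mkhomedir (home directory creation for directory users at first login).
  packages = %w(sssd sssd-tools sssd-ldap)
  packages.push('authselect', 'oddjob-mkhomedir') if os_properties.redhat8?

  # Package presence is not verified on the RHEL Docker build images.
  packages.each do |pkg|
    describe package(pkg) do
      it { should be_installed }
    end
  end unless os_properties.redhat_on_docker?
end

control 'tag:config_system_authentication_services_enabled' do
  title 'Check that system authentication services are enabled and running'

  only_if { !os_properties.on_docker? }
  # Node attributes are compared as strings; a nil value would NOT skip the control.
  # NOTE(review): relies on the attribute defaulting to the string 'false' — confirm in attributes.
  only_if { node['cluster']['directory_service']['enabled'] != 'false' }
  only_if { node['cluster']['node_type'] != 'ComputeFleet' || node['cluster']['directory_service']['disabled_on_compute_nodes'] != 'true' }

  # oddjobd backs pam_oddjob_mkhomedir on RHEL 8; without it directory users get no home dir.
  services = %w(sssd)
  services << 'oddjobd' if os_properties.redhat8?

  services.each do |svc|
    describe service(svc) do
      it { should be_installed }
      it { should be_enabled }
      # The title promises "running"; an enabled-but-stopped sssd means every pam_sss/nss_sss
      # lookup fails at runtime, so assert it explicitly rather than only the boot-time state.
      it { should be_running }
    end
  end
end

control 'tag:config_system_authentication_configured' do
  title 'Check that system authentication is configured correctly'

  only_if { !os_properties.on_docker? }
  only_if { node['cluster']['directory_service']['enabled'] != 'false' }
  only_if { node['cluster']['node_type'] != 'ComputeFleet' || node['cluster']['directory_service']['disabled_on_compute_nodes'] != 'true' }

  # Label-only describe (no block): it carries no assertion, it just names the group below.
  describe 'Check NSS and PAM to use SSSD for system authentication and identity information'

  # NOTE(review): this control only verifies the NSS/PAM profile. It does not check the
  # ownership/mode of the SSSD configuration (which typically carries the LDAP bind secret),
  # nor does it cover distributions other than RHEL 8 / CentOS 7 / Amazon Linux 2 — on any
  # other OS no NSS/PAM assertion runs at all. Both are worth a follow-up.
  if os_properties.redhat8?
    # authselect must report the sssd profile with the with-mkhomedir feature enabled.
    describe bash('authselect current') do
      its('exit_status') { should eq 0 }
      its('stdout') { should match /Profile ID: sssd/ }
      its('stdout') { should match /with-mkhomedir/ }
    end unless os_properties.redhat_on_docker?
  elsif os_properties.centos7? || os_properties.alinux2?
    # Legacy authconfig: nss_sss, pam_sss and a mkhomedir module must all be enabled.
    describe bash('authconfig --test') do
      its('exit_status') { should eq 0 }
      its('stdout') { should match /nss_sss is enabled by default/ }
      its('stdout') { should match /pam_sss is enabled by default/ }
      its('stdout') { should match /pam_mkhomedir or pam_oddjob_mkhomedir is enabled/ }
    end
  end
end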