
BUG: SV-238229, SV-238232, SV-238233 do not check the correct module policy #18

Open
pbarrette opened this issue Feb 10, 2023 · 0 comments

The /etc/pam_pkcs11/pam_pkcs11.conf file can have different configurations for each pkcs11 module.

The STIG expects the user to check the module in use by checking the value of use_pkcs11_module.

Then, the user is expected to look at that module's configuration for the determination of the cert_policy settings.

If your pam_pkcs11.conf file contains the following, the control will fail:

```
use_pkcs11_module = opensc;
pkcs11_module opensc {
  cert_policy = ca,signature,ocsp_on,crl_auto;
}
pkcs11_module default {
  cert_policy = none;
}
```

An example for the correction of SV-238229.rb file might say:

```ruby
  tag 'host'

  # Name of the module selected by use_pkcs11_module (e.g. "opensc")
  pkmod = command('grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |cut -d \'=\' -f2|cut -d \';\' -f1|xargs').stdout.strip
  # awk range prints only that module's block; grep pulls its cert_policy line
  awkcmd = "awk '/pkcs11_module #{pkmod} {/,/}/\' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy"

  if virtualization.system.eql?('docker')
    impact 0.0
    describe 'Control not applicable to a container' do
      skip 'Control not applicable to a container'
    end
  elsif input('pki_disabled')
    impact 0.0
    describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do
      skip 'This system is not using PKI for authentication so the controls is Not Applicable.'
    end
  else
    config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?
    if config_file_exists
      describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do
        its('use_pkcs11_module') { should_not be_nil }
        # Check cert_policy of the module in use, not whichever block grep finds first
        describe command(awkcmd) do
          its('stdout') { should include 'ca' }
        end
      end
    else
      describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do
        subject { config_file_exists }
        it { should be true }
      end
    end
  end
```

Note the variables pkmod and awkcmd and the describe command below the parse_config_file.
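The same module-aware lookup without shelling out to grep/awk, as an added example that is not part of the issue or the InSpec profile: it resolves use_pkcs11_module, collects every pkcs11_module block, and evaluates cert_policy only for the module in use. The config string is constructed from the failing case above; the function names are assumptions.

```ruby
# Added example (not from the issue or the InSpec profile): resolve the active
# pkcs11 module in pam_pkcs11.conf and inspect only that module's cert_policy.

# Constructed sample matching the failing case described in the issue.
SAMPLE_CONF = <<~CONF
  use_pkcs11_module = opensc;
  pkcs11_module opensc {
    cert_policy = ca,signature,ocsp_on,crl_auto;
  }
  pkcs11_module default {
    cert_policy = none;
  }
CONF

# Returns the name after `use_pkcs11_module =` (nil when the directive is absent).
def active_module(conf)
  m = conf.match(/^\s*use_pkcs11_module\s*=\s*([^;\s]+)\s*;/)
  m && m[1]
end

# Returns { 'opensc' => ['ca', 'signature', ...], 'default' => ['none'] }.
def module_policies(conf)
  conf.scan(/^\s*pkcs11_module\s+(\S+)\s*\{(.*?)^\s*\}/m).to_h do |name, body|
    pol = body.match(/cert_policy\s*=\s*([^;]+);/)
    [name, pol ? pol[1].split(',').map(&:strip) : []]
  end
end

# cert_policy flags of the module actually selected; empty if unresolved.
def active_cert_policy(conf)
  module_policies(conf).fetch(active_module(conf).to_s, [])
end

# True only when the active module's cert_policy carries every flag listed.
def policy_requires?(conf, *flags)
  (flags - active_cert_policy(conf)).empty?
end

if __FILE__ == $0
  puts "active module: #{active_module(SAMPLE_CONF)}"
  puts "cert_policy:   #{active_cert_policy(SAMPLE_CONF).join(',')}"
  %w[ca signature ocsp_on crl_auto].each do |flag|
    puts "#{flag}: #{policy_requires?(SAMPLE_CONF, flag) ? 'present' : 'MISSING'}"
  end
end
```

Pointing use_pkcs11_module at `default` in the sample makes every flag report MISSING, which is the distinction the grep-only check loses.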
