Update Ubuntu STIG-20-010072 and fix faillock rules #11355
Conversation
Rules affected: - accounts_passwords_pam_faillock_unlock_time - accounts_passwords_pam_faillock_deny - accounts_passwords_pam_faillock_interval
The ubuntu OVAL was incorrectly checking for the condition: - unlock_time not present in pam.d/common-auth OR - unlock_time present in /etc/security/faillock.conf This means that the OVAL passed when unlock_time was not present in either of them. The fix is analogous to the implementation in shared.xml, where the OVAL checks for presence of unlock_time in either one of pam.d/common-auth or faillock.conf, but not both. The fix results in passing test ubuntu_empty_faillock_conf.fail.sh
Abstract out the parameter name and regex into Jinja variables to make the OVAL more generic. Reason is that an almost identical OVAL is used in several rules, with the main difference being the parameter name and regex. The change allows for better comparibility/transferability across those rules, although ideally they should be using a single template.
Analogous to changes in rule faillock_unlock_time
|
Hi @mpurg. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
dodys
added
Ubuntu
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent
@@ -28,6 +28,7 @@
fi
+
AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then |
| @@ -1,3 +1,4 @@ | |||
| # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle | |||
There was a problem hiding this comment.
I think we don't need to add this here, since you added to the tests and you source this file from the tests.
There was a problem hiding this comment.
Nice catch, don't know how that got there :)
| @@ -1,3 +1,4 @@ | |||
| # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle | |||
There was a problem hiding this comment.
same as the other, I think you won't need to add platform here.
|
Code Climate has analyzed commit dc98f2b and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.5%. View more on Code Climate. |
Description:
accounts_passwords_pam_faillock_...accounts_passwords_pam_faillock_...to use jinja parameters for parameter name, regex, etc.pam_faillockinstead ofpam_tally2Rationale: