Update rules related to pam_pwhistory module to consider pwhistory.conf file #9994
Commits on Dec 19, 2022
Commit 32e6a11

Refactored OVAL to consider pwhistory.conf
The /etc/security/pwhistory.conf file was introduced relatively recently in order to make the PAM pam_pwhistory.so module easier to configure. Using this file also avoids the need to edit PAM files directly and consequently mitigates PAM errors. Therefore, it's a good practice to use this file, and more systems should be configured using this approach. Now the OVAL is capable of properly assessing these cases.
accounts_password_pam_pwhistory_remember_system_auth rule
Commit 993c940

Commits on Dec 20, 2022
Include Bash macros for pam_pwhistory.so
A new feature to configure this module was recently included in authselect. There are currently 3 scenarios where the module configuration differs. On systems with newer versions of authselect, the module should be enabled using the authselect feature. On systems with older versions of authselect, the module should be enabled using custom profiles. On systems without authselect, the module is configured by directly editing PAM files. Since the macros were created, they were also extended to use the /etc/security/pwhistory.conf file whenever possible.
Commit cb7f639

Update Bash remediation to use new macros
accounts_password_pam_pwhistory_remember_system_auth rule
Commit 87ac584

Update the test scenario scripts to cover new scenarios
The existing and relevant test scenarios were updated to consider the /etc/security/pwhistory.conf file. A test scenario for conflicting settings was included.
Commit d94f5b6

Include Ansible macros for pam_pwhistory.so
These macros were created in Ansible in alignment with the respective macros in Bash.
Commit b3a928e

Update Ansible remediation to use new macros
accounts_password_pam_pwhistory_remember_system_auth rule
Commit c9589c7

Refactored OVAL to consider pwhistory.conf
accounts_password_pam_pwhistory_remember_password_auth rule
Commit 8e64545

Update Bash remediation to use new macros
accounts_password_pam_pwhistory_remember_password_auth rule
Commit 2be04d1

Update Ansible remediation to use new macros
accounts_password_pam_pwhistory_remember_password_auth rule
Commit 5df3810

Update the test scenario scripts to cover new scenarios
accounts_password_pam_pwhistory_remember_password_auth rule
Commit 8963741

Refactored OVAL to consider pwhistory.conf
accounts_password_pam_unix_remember rule
Commit 3cc0383

Update Bash remediation to use new macros
accounts_password_pam_unix_remember rule
Commit 770f38d

Update Ansible remediation to use new macros
accounts_password_pam_unix_remember rule
Commit c26495f

Update the test scenario scripts to cover new scenarios
accounts_password_pam_unix_remember rule
Commit 66e2ab7

Update rule description in alignment with OVAL and remediation
accounts_password_pam_pwhistory_remember_password_auth accounts_password_pam_pwhistory_remember_system_auth
Commit 32842dd

Update rule description in alignment with OVAL and remediation
accounts_password_pam_unix_remember
Commit 0a182a5

Improve conditional criteria in Ansible task
The first condition was prone to fatal errors, as there were chances of an object used in the criteria not being defined in some contexts.
Commit 2c5b9e1

Commits on Dec 22, 2022
Improve Bash macro name and description
The name "bash_validate_authselect_custom_profile" was not so intuitive about the variables defined there. On the other hand, the equivalent macro in Ansible was much clearer. In order to make it more readable, the macro was renamed to "bash_ensure_pam_variables_and_authselect_profile" and a more complete description was included. It is now more readable and more aligned with the equivalent in Ansible. In addition, a Jinja comment was included when a macro is called to set or modify a variable.
Commit ed55009