Update rules related to pam_pwhistory module to consider pwhistory.conf file #9994
Commits on Dec 19, 2022
-
-
Refactored OVAL to consider pwhistory.conf
Relatively recent it was introduced the /etc/security/pwhistory.conf file in order to make the PAM pam_pwhistory.so module easier to be configured. Using this file also avoids the necessity to edit PAM files directly and consequently mitigate PAM errors. Therefore, its a good practice to use this file and more systems should be configured using this approach. Now the OVAL is capable to properly assess these cases. accounts_password_pam_pwhistory_remember_system_auth rule
Commits on Dec 20, 2022
-
Include Bash macros for pam_pwhistory.so
A new feature to configure this module was recently included in authselect. There is currently 3 scenarios where the module configuration differs. On systems with newer versions of authselect, the module should be enabled using authselect feature. On systems with older versions of authselect, the module should be enabled using custom profiles. On systems without authselect, the module is configured directly editing PAM files. Since the macros were created, they were also extended to use /etc/security/pwhistory.conf file whenever ossible.
-
Update Bash remediation to use new macros
accounts_password_pam_pwhistory_remember_system_auth rule
-
Update the test scenario scripts to cover new scenarios
The existing and relevant test scenarios were udpated to consider the /etc/security/pwhistory.conf file. It was included a test scenario for conflicting settings.
-
Include Ansible macros for pam_pwhistory.so
These macros were created in Ansible in aligment to the respective macros in Bash.
-
Update Ansible remediation to use new macros
accounts_password_pam_pwhistory_remember_system_auth rule
-
Refactored OVAL to consider pwhistory.conf
accounts_password_pam_pwhistory_remember_password_auth rule
-
Update Bash remediation to use new macros
accounts_password_pam_pwhistory_remember_password_auth rule
-
Update Ansible remediation to use new macros
accounts_password_pam_pwhistory_remember_password_auth rule
-
Update the test scenario scripts to cover new scenarios
accounts_password_pam_pwhistory_remember_password_auth rule
-
Refactored OVAL to consider pwhistory.conf
accounts_password_pam_unix_remember rule
-
Update Bash remediation to use new macros
accounts_password_pam_unix_remember rule
-
Update Ansible remediation to use new macros
accounts_password_pam_unix_remember rule
-
Update the test scenario scripts to cover new scenarios
accounts_password_pam_unix_remember rule
-
Update rule description in aligment to OVAL and remediation
accounts_password_pam_pwhistory_remember_password_auth accounts_password_pam_pwhistory_remember_system_auth
-
Update rule description in aligment to OVAL and remediation
accounts_password_pam_unix_remember
-
Improve conditional criteria in Ansible task
The first condition was prone to fatal errors, as there were chances of an object used in the criteria not being defined in some contexts.
Commits on Dec 22, 2022
-
Improve Bash macro name and description
The name "bash_validate_authselect_custom_profile" was not so intuitive about the variables defined there. On the other hand, the equivalent macro in Ansible was much clearer. In order to make it more readable, the macro was renamed to "bash_ensure_pam_variables_and_authselect_profile" and a more complete description was included. It is now more readble and more aligned to the equivalent in Ansible. In addition, a jinja comment was included when a macro is called to set or modify a variable.