From d09b82de682756213c96b396abb0c912bea32a2b Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Wed, 26 Aug 2020 17:50:57 +0200

Subject: [PATCH 1/4] unify bash remediations

---

 .../accounts_maximum_age_login_defs/bash/fedora.sh    | 11 -----------

 .../accounts_maximum_age_login_defs/bash/shared.sh    |  2 +-

 2 files changed, 1 insertion(+), 12 deletions(-)

 delete mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/fedora.sh

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/fedora.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/fedora.sh

deleted file mode 100644

index ef664f1a64..0000000000

--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/fedora.sh

+++ /dev/null

@@ -1,11 +0,0 @@

-# platform = multi_platform_fedora

-. /usr/share/scap-security-guide/remediation_functions

-declare var_accounts_maximum_age_login_defs

-populate var_accounts_maximum_age_login_defs

-

-grep -q ^PASS_MAX_DAYS /etc/login.defs && \

-sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs/g" /etc/login.defs

-if ! [ $? -eq 0 ]

-then

-  echo -e "PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs" >> /etc/login.defs

-fi

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh

index 494e04abb9..9c61548d3a 100644

--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh

+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh

@@ -1,4 +1,4 @@

-# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_ol,multi_platform_rhv

+# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_fedora

 . /usr/share/scap-security-guide/remediation_functions

 populate var_accounts_maximum_age_login_defs

From 041017588bf29a3f84024ab2dd4928624dfbf82e Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Wed, 26 Aug 2020 17:51:19 +0200

Subject: [PATCH 2/4] fix regex in oval check

---

 .../accounts_maximum_age_login_defs/oval/shared.xml             | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml

index cd79ca81b5..27649723ac 100644

--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml

+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml

@@ -22,6 +22,6 @@

     <ind:filepath>/etc/login.defs</ind:filepath>

-    <ind:pattern operation="pattern match">.*\n[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n</ind:pattern>

+    <ind:pattern operation="pattern match">^(?:.*\n)*\s*[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n</ind:pattern>

     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

   </ind:textfilecontent54_object>

From 6120e191d15b5869e6f95bea8c0a6e9de4e3e6fc Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Wed, 26 Aug 2020 17:51:37 +0200

Subject: [PATCH 3/4] add tests

---

 .../tests/commented_standard.fail.sh                         | 5 +++++

 .../tests/commented_stig.fail.sh                             | 5 +++++

 .../tests/correct_standard.pass.sh                           | 5 +++++

 .../tests/correct_stig.pass.sh                               | 5 +++++

 .../tests/incorrect_standard.fail.sh                         | 5 +++++

 .../tests/incorrect_stig.fail.sh                             | 5 +++++

 6 files changed, 30 insertions(+)

 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh

 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_stig.fail.sh

 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh

 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_stig.pass.sh

 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh

 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_stig.fail.sh

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh

new file mode 100644

index 0000000000..84301cc031

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh

@@ -0,0 +1,5 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_standard

+

+rm -f /etc/login.defs

+echo '#PASS_MAX_DAYS 90' > /etc/login.defs

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_stig.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_stig.fail.sh

new file mode 100644

index 0000000000..8ab4879dda

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_stig.fail.sh

@@ -0,0 +1,5 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+rm -f /etc/login.defs

+echo '#PASS_MAX_DAYS 60' > /etc/login.defs

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh

new file mode 100644

index 0000000000..989cf596d6

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh

@@ -0,0 +1,5 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_standard

+

+rm -f /etc/login.defs

+echo "PASS_MAX_DAYS    90" > /etc/login.defs

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_stig.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_stig.pass.sh

new file mode 100644

index 0000000000..172cc4841d

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_stig.pass.sh

@@ -0,0 +1,5 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+rm -f /etc/login.defs

+echo "PASS_MAX_DAYS        60" > /etc/login.defs

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh

new file mode 100644

index 0000000000..4556ef09d5

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh

@@ -0,0 +1,5 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_standard

+

+rm -f /etc/login.defs

+echo "PASS_MAX_DAYS 120" > /etc/login.defs

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_stig.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_stig.fail.sh

new file mode 100644

index 0000000000..d079467f2d

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_stig.fail.sh

@@ -0,0 +1,5 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+rm -f /etc/login.defs

+echo "PASS_MAX_DAYS 120" > /etc/login.defs

From c3dfc4148e2136ce74e1c59cd66ade7e540b51b3 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Tue, 1 Sep 2020 14:46:23 +0200

Subject: [PATCH 4/4] change platform of some tests to fedora

---

 ...mented_standard.fail.sh => commented_standard_fedora.fail.sh} | 1 +

 ...{correct_standard.pass.sh => correct_standard_fedora.pass.sh} | 1 +

 ...orrect_standard.fail.sh => incorrect_standard_fedora.fail.sh} | 1 +

 3 files changed, 3 insertions(+)

 rename linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/{commented_standard.fail.sh => commented_standard_fedora.fail.sh} (79%)

 rename linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/{correct_standard.pass.sh => correct_standard_fedora.pass.sh} (79%)

 rename linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/{incorrect_standard.fail.sh => incorrect_standard_fedora.fail.sh} (79%)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard_fedora.fail.sh

similarity index 79%

rename from linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh

rename to linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard_fedora.fail.sh

index 84301cc031..0add08ec19 100644

--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh

+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard_fedora.fail.sh

@@ -1,5 +1,6 @@

 #!/bin/bash

 # profiles = xccdf_org.ssgproject.content_profile_standard

+# platform = multi_platform_fedora

 rm -f /etc/login.defs

 echo '#PASS_MAX_DAYS 90' > /etc/login.defs

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard_fedora.pass.sh

similarity index 79%

rename from linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh

rename to linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard_fedora.pass.sh

index 989cf596d6..7fd75139c8 100644

--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh

+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard_fedora.pass.sh

@@ -1,5 +1,6 @@

 #!/bin/bash

 # profiles = xccdf_org.ssgproject.content_profile_standard

+# platform = multi_platform_fedora

 rm -f /etc/login.defs

 echo "PASS_MAX_DAYS    90" > /etc/login.defs

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard_fedora.fail.sh

similarity index 79%

rename from linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh

rename to linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard_fedora.fail.sh

index 4556ef09d5..b4f647c324 100644

--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh

+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard_fedora.fail.sh

@@ -1,5 +1,6 @@

 #!/bin/bash

 # profiles = xccdf_org.ssgproject.content_profile_standard

+# platform = multi_platform_fedora

 rm -f /etc/login.defs

 echo "PASS_MAX_DAYS 120" > /etc/login.defs