
From 2276972999ecb8c54ddea8ad40bdc15a7ea86a3a Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <jlieskov@redhat.com>
Date: Fri, 1 Jul 2016 15:02:12 +0200
Subject: [PATCH] [BugFix] Enhance the OVAL checks for: *
 accounts_passwords_pam_faillock_deny_root *
 accounts_passwords_pam_faillock_deny
rules to work properly also when the sssd package is installed
and sssd daemon is running
Fixes downstream: https://bugzilla.redhat.com/show_bug.cgi?id=1344581
---
 RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml | 8 ++++----
 shared/oval/accounts_passwords_pam_faillock_deny.xml            | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml b/RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml
f04235
index 50f2e5a..7b60d22 100644
f04235
--- a/RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml
f04235
+++ b/RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml
f04235
@@ -34,7 +34,7 @@
f04235
     <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
f04235
     
f04235
          pam_unix.so module in auth section -->
f04235
-    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
f04235
+    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
f04235
     
f04235
     <ind:instance datatype="int" operation="equals">1</ind:instance>
f04235
   </ind:textfilecontent54_object>
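Review bot: The control-field alternative `(?:\[.*default=die.*\])` on the added pattern line uses a bare `.*`, and since `(?s)` is switched on earlier in the same pattern the dot also crosses line breaks, so `\[`, `default=die` and the closing `\]` no longer have to sit on the same line as `pam_unix.so`. Restricting the class keeps the match inside one PAM control field: `(?:\[[^\]\n]*default=die[^\]\n]*\])`. The `(?s).*` that now tolerates lines such as pam_sss.so between the pam_faillock preauth line and the pam_unix line also accepts any other intervening line, including an `auth ... sufficient` entry that PAM could satisfy before pam_unix.so and the faillock authfail line are reached, so the check can report pass on a stack that does not actually enforce the lockout; a per-line skip with a negative lookahead for such lines would be tighter than an unbounded `.*`. The comment that ends on the context line `pam_unix.so module in auth section -->` presumably still describes the old adjacency requirement and should say that intervening modules are now tolerated. The same constructs are repeated in the hunks at @@ -51, @@ -69 and @@ -86 of this file and in all four hunks of shared/oval/accounts_passwords_pam_faillock_deny.xml.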
f04235
@@ -51,7 +51,7 @@
f04235
     <ind:behaviors singleline="true" />
f04235
     <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
f04235
     
f04235
-    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n]</ind:pattern>
f04235
+    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]+(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n]</ind:pattern>
f04235
     
f04235
     <ind:instance datatype="int" operation="equals">1</ind:instance>
f04235
   </ind:textfilecontent54_object>
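Review bot: The inline `(?s)` in the added pattern is redundant in this object, which already declares `<ind:behaviors singleline="true" />` three lines above; in OVAL that behavior is what lets `.` match newlines, so the flag changes nothing here or in the @@ -86 hunk, while in the @@ -34 and @@ -69 hunks no behaviors element is visible and the inline flag may be the only thing enabling the cross-line `.*`. Pick one mechanism for all four objects, either the behaviors element with `(?s)` dropped, or `(?s)` with a comment such as `<!-- (?s) lets .* span the lines between pam_unix.so and the faillock authfail line -->`, so the objects do not silently differ in how `.` behaves. Because the flag is placed mid-pattern rather than at the start, regex engines that only accept leading global flags would reject it; OVAL specifies Perl-style regular expressions, so this is a portability note rather than a defect for the usual interpreters.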
f04235
@@ -69,7 +69,7 @@
f04235
     <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
f04235
     
f04235
          pam_unix.so module in auth section -->
f04235
-    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
f04235
+    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
f04235
     
f04235
     <ind:instance datatype="int" operation="equals">1</ind:instance>
f04235
   </ind:textfilecontent54_object>
f04235
@@ -86,7 +86,7 @@
f04235
     <ind:behaviors singleline="true" />
f04235
     <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
f04235
     
f04235
-    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n]</ind:pattern>
f04235
+    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]+(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n]</ind:pattern>
f04235
     
f04235
     <ind:instance datatype="int" operation="equals">1</ind:instance>
f04235
   </ind:textfilecontent54_object>
f04235
diff --git a/shared/oval/accounts_passwords_pam_faillock_deny.xml b/shared/oval/accounts_passwords_pam_faillock_deny.xml
f04235
index 96b5043..0923dc9 100644
f04235
--- a/shared/oval/accounts_passwords_pam_faillock_deny.xml
f04235
+++ b/shared/oval/accounts_passwords_pam_faillock_deny.xml
f04235
@@ -51,7 +51,7 @@
f04235
     <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
f04235
     
f04235
          pam_unix.so module in auth section -->
f04235
-    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
f04235
+    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
f04235
     
f04235
     <ind:instance datatype="int" operation="equals">1</ind:instance>
f04235
   </ind:textfilecontent54_object>
f04235
@@ -69,7 +69,7 @@
f04235
     <ind:behaviors singleline="true" />
f04235
     <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
f04235
     
f04235
-    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)[^\n]*[\n]</ind:pattern>
f04235
+    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]+(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)[^\n]*[\n]</ind:pattern>
f04235
     
f04235
     <ind:instance datatype="int" operation="equals">1</ind:instance>
f04235
   </ind:textfilecontent54_object>
f04235
@@ -106,7 +106,7 @@
f04235
     <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
f04235
     
f04235
          pam_unix.so module in auth section -->
f04235
-    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
f04235
+    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
f04235
     
f04235
     <ind:instance datatype="int" operation="equals">1</ind:instance>
f04235
   </ind:textfilecontent54_object>
f04235
@@ -124,7 +124,7 @@
f04235
     <ind:behaviors singleline="true" />
f04235
     <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
f04235
     
f04235
-    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)[^\n]*[\n]</ind:pattern>
f04235
+    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]+(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)[^\n]*[\n]</ind:pattern>
f04235
     
f04235
     <ind:instance datatype="int" operation="equals">1</ind:instance>
f04235
   </ind:textfilecontent54_object>