|
 |
ff1465 |
commit 11140ac5d67f256a7d3c8fdac9eca73c007dabb8
|
|
|
ff1465 |
Author: Watson Sato <wsato@redhat.com>
|
|
|
ff1465 |
Date: Mon Feb 28 11:04:30 2022 +0100
|
|
|
ff1465 |
|
|
|
ff1465 |
Manual edited patch scap-security-guide-0.1.61-update_accounts_password_template-PR_8164.patch.
|
|
|
ff1465 |
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
|
|
|
ff1465 |
index 1d53a71..2e47e16 100644
|
|
|
ff1465 |
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
|
|
|
ff1465 |
@@ -46,7 +46,7 @@ ocil_clause: 'that is not the case'
|
|
|
ff1465 |
ocil: |-
|
|
|
ff1465 |
To check the value for maximum consecutive repeating characters, run the following command:
|
|
|
ff1465 |
$ grep maxclassrepeat /etc/security/pwquality.conf
|
|
|
ff1465 |
- For DoD systems, the output should show <tt>maxclassrepeat</tt>=4.
|
|
|
ff1465 |
+ For DoD systems, the output should show <tt>maxclassrepeat</tt>=4 or less but greater than zero.
|
|
|
ff1465 |
|
|
|
ff1465 |
platform: pam
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -55,3 +55,4 @@ template:
|
|
|
ff1465 |
vars:
|
|
|
ff1465 |
variable: maxclassrepeat
|
|
|
ff1465 |
operation: less than or equal
|
|
|
ff1465 |
+ zero_comparison_operation: greater than
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 0000000..5d91559
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh
|
|
|
ff1465 |
@@ -0,0 +1,8 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
|
|
|
ff1465 |
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 4/' /etc/security/pwquality.conf
|
|
|
ff1465 |
+else
|
|
|
ff1465 |
+ echo "maxclassrepeat = 4" >> /etc/security/pwquality.conf
|
|
|
ff1465 |
+fi
|
|
|
ff1465 |
+
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 0000000..4bd8070
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh
|
|
|
ff1465 |
@@ -0,0 +1,8 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
|
|
|
ff1465 |
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 2/' /etc/security/pwquality.conf
|
|
|
ff1465 |
+else
|
|
|
ff1465 |
+ echo "maxclassrepeat = 2" >> /etc/security/pwquality.conf
|
|
|
ff1465 |
+fi
|
|
|
ff1465 |
+
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 0000000..61538a4
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh
|
|
|
ff1465 |
@@ -0,0 +1,7 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
|
|
|
ff1465 |
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = -1/' /etc/security/pwquality.conf
|
|
|
ff1465 |
+else
|
|
|
ff1465 |
+ echo "maxclassrepeat = -1" >> /etc/security/pwquality.conf
|
|
|
ff1465 |
+fi
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 0000000..2218250
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh
|
|
|
ff1465 |
@@ -0,0 +1,8 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
|
|
|
ff1465 |
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 5/' /etc/security/pwquality.conf
|
|
|
ff1465 |
+else
|
|
|
ff1465 |
+ echo "maxclassrepeat = 5" >> /etc/security/pwquality.conf
|
|
|
ff1465 |
+fi
|
|
|
ff1465 |
+
|
|
|
ff1465 |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 0000000..780873c
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh
|
|
|
ff1465 |
@@ -0,0 +1,8 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
|
|
|
ff1465 |
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 0/' /etc/security/pwquality.conf
|
|
|
ff1465 |
+else
|
|
|
ff1465 |
+ echo "maxclassrepeat = 0" >> /etc/security/pwquality.conf
|
|
|
ff1465 |
+fi
|
|
|
ff1465 |
+
|
|
|
ff1465 |
diff --git a/shared/templates/accounts_password/oval.template b/shared/templates/accounts_password/oval.template
|
|
|
ff1465 |
index 332a280..b995db1 100644
|
|
|
ff1465 |
--- a/shared/templates/accounts_password/oval.template
|
|
|
ff1465 |
+++ b/shared/templates/accounts_password/oval.template
|
|
|
ff1465 |
@@ -7,11 +7,14 @@
|
|
|
ff1465 |
</criteria>
|
|
|
ff1465 |
</definition>
|
|
|
ff1465 |
|
|
|
ff1465 |
-
|
|
|
ff1465 |
+
|
|
|
ff1465 |
comment="check the configuration of /etc/security/pwquality.conf"
|
|
|
ff1465 |
id="test_password_pam_pwquality_{{{ VARIABLE }}}" version="3">
|
|
|
ff1465 |
<ind:object object_ref="obj_password_pam_pwquality_{{{ VARIABLE }}}" />
|
|
|
ff1465 |
<ind:state state_ref="state_password_pam_{{{ VARIABLE }}}" />
|
|
|
ff1465 |
+ {{%- if ZERO_COMPARISON_OPERATION %}}
|
|
|
ff1465 |
+ <ind:state state_ref="state_password_pam_{{{ VARIABLE }}}_zero_comparison" />
|
|
|
ff1465 |
+ {{%- endif %}}
|
|
|
ff1465 |
</ind:textfilecontent54_test>
|
|
|
ff1465 |
|
|
|
ff1465 |
<ind:textfilecontent54_object id="obj_password_pam_pwquality_{{{ VARIABLE }}}" version="3">
|
|
|
ff1465 |
@@ -24,5 +27,11 @@
|
|
|
ff1465 |
<ind:subexpression datatype="int" operation="{{{ OPERATION }}}" var_ref="var_password_pam_{{{ VARIABLE }}}" />
|
|
|
ff1465 |
</ind:textfilecontent54_state>
|
|
|
ff1465 |
|
|
|
ff1465 |
+ {{%- if ZERO_COMPARISON_OPERATION %}}
|
|
|
ff1465 |
+ <ind:textfilecontent54_state id="state_password_pam_{{{ VARIABLE }}}_zero_comparison" version="1">
|
|
|
ff1465 |
+ <ind:subexpression datatype="int" operation="{{{ ZERO_COMPARISON_OPERATION }}}" >0</ind:subexpression>
|
|
|
ff1465 |
+ </ind:textfilecontent54_state>
|
|
|
ff1465 |
+ {{%- endif %}}
|
|
|
ff1465 |
+
|
|
|
ff1465 |
<external_variable comment="External variable for pam_{{{ VARIABLE }}}" datatype="int" id="var_password_pam_{{{ VARIABLE }}}" version="3" />
|
|
|
ff1465 |
</def-group>
|
|
|
ff1465 |
diff --git a/shared/templates/accounts_password/template.py b/shared/templates/accounts_password/template.py
|
|
|
ff1465 |
index 65c25ec..ab849d1 100644
|
|
|
ff1465 |
--- a/shared/templates/accounts_password/template.py
|
|
|
ff1465 |
+++ b/shared/templates/accounts_password/template.py
|
|
|
ff1465 |
@@ -1,4 +1,7 @@
|
|
|
ff1465 |
+from ssg.utils import parse_template_boolean_value
|
|
|
ff1465 |
+
|
|
|
ff1465 |
def preprocess(data, lang):
|
|
|
ff1465 |
if lang == "oval":
|
|
|
ff1465 |
data["sign"] = "-?" if data["variable"].endswith("credit") else ""
|
|
|
ff1465 |
+ data["zero_comparison_operation"] = data.get("zero_comparison_operation", None)
|
|
|
ff1465 |
return data
|