rpms / scap-security-guide

Clone
Source Code
GIT

Files

  1.   07cb6b9170e45760d99dfefd856889fc6517fd5b
  2.   SOURCES
  3.   scap-security-guide-0.1.61-update_accounts_password_template-PR_8164.patch
Blob Blame History Raw 
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
index 65bc439225e..fef4679be39 100644
--- a/docs/templates/template_reference.md
+++ b/docs/templates/template_reference.md
@@ -2,17 +2,20 @@
 
 #### accounts_password
 -   Checks if PAM enforces password quality requirements. Checks the
-    configuration in `/etc/pam.d/system-auth` (for RHEL 6 systems) or
-    `/etc/security/pwquality.conf` (on other systems).
+    configuration in `/etc/security/pwquality.conf`.
 
 -   Parameters:
 
-    -   **variable** - PAM `pam_cracklib` (on RHEL 6) or `pam_pwquality`
-        (on other systems) module name, eg. `ucredit`, `ocredit`
+    -   **variable** - PAM `pam_pwquality` password quality
+        requirement, eg. `ucredit`, `ocredit`
 
     -   **operation** - OVAL operation, eg. `less than or equal`
 
--   Languages: OVAL
+    -   **zero_comparison_operation** - (optional) OVAL operation, eg. `greater than`.
+        When set, it will test if the **variable** value matches the OVAL operation
+        when compared to zero.
+
+-   Languages: Ansible, Bash, OVAL
 
 #### auditd_lineinfile
 -   Checks configuration options of the Audit Daemon in
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
index 912c783650a..9a829ac5119 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
@@ -47,7 +47,7 @@ ocil_clause: 'that is not the case'
 ocil: |-
     To check the value for maximum consecutive repeating characters, run the following command:
     <pre>$ grep maxclassrepeat /etc/security/pwquality.conf</pre>
-    For DoD systems, the output should show <tt>maxclassrepeat</tt>=4.
+    For DoD systems, the output should show <tt>maxclassrepeat</tt>=4 or less but greater than zero.
 
 platform: pam
 
@@ -56,3 +56,4 @@ template:
     vars:
         variable: maxclassrepeat
         operation: less than or equal
+        zero_comparison_operation: greater than
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh
new file mode 100644
index 00000000000..5d91559d4a2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
+	sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 4/' /etc/security/pwquality.conf
+else
+	echo "maxclassrepeat = 4" >> /etc/security/pwquality.conf
+fi
+
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh
new file mode 100644
index 00000000000..4bd8070eb7e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
+	sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 2/' /etc/security/pwquality.conf
+else
+	echo "maxclassrepeat = 2" >> /etc/security/pwquality.conf
+fi
+
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh
new file mode 100644
index 00000000000..61538a4945f
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
+	sed -i 's/.*maxclassrepeat.*/maxclassrepeat = -1/' /etc/security/pwquality.conf
+else
+	echo "maxclassrepeat = -1" >> /etc/security/pwquality.conf
+fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh
new file mode 100644
index 00000000000..2218250ec7b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
+	sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 5/' /etc/security/pwquality.conf
+else
+	echo "maxclassrepeat = 5" >> /etc/security/pwquality.conf
+fi
+
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh
new file mode 100644
index 00000000000..780873c6a86
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
+	sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 0/' /etc/security/pwquality.conf
+else
+	echo "maxclassrepeat = 0" >> /etc/security/pwquality.conf
+fi
+
diff --git a/shared/templates/accounts_password/oval.template b/shared/templates/accounts_password/oval.template
index 332a2800317..b995db11ea4 100644
--- a/shared/templates/accounts_password/oval.template
+++ b/shared/templates/accounts_password/oval.template
@@ -7,11 +7,14 @@
     </criteria>
   </definition>
 
-  <ind:textfilecontent54_test check="all"
+  <ind:textfilecontent54_test check="all" state_operator="AND"
   comment="check the configuration of /etc/security/pwquality.conf"
   id="test_password_pam_pwquality_{{{ VARIABLE }}}" version="3">
     <ind:object object_ref="obj_password_pam_pwquality_{{{ VARIABLE }}}" />
     <ind:state state_ref="state_password_pam_{{{ VARIABLE }}}" />
+  {{%- if ZERO_COMPARISON_OPERATION %}}
+    <ind:state state_ref="state_password_pam_{{{ VARIABLE }}}_zero_comparison" />
+  {{%- endif %}}
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="obj_password_pam_pwquality_{{{ VARIABLE }}}" version="3">
@@ -24,5 +27,11 @@
     <ind:subexpression datatype="int" operation="{{{ OPERATION }}}" var_ref="var_password_pam_{{{ VARIABLE }}}" />
   </ind:textfilecontent54_state>
 
+  {{%- if ZERO_COMPARISON_OPERATION %}}
+  <ind:textfilecontent54_state id="state_password_pam_{{{ VARIABLE }}}_zero_comparison" version="1">
+    <ind:subexpression datatype="int" operation="{{{ ZERO_COMPARISON_OPERATION }}}" >0</ind:subexpression>
+  </ind:textfilecontent54_state>
+  {{%- endif %}}
+
   <external_variable comment="External variable for pam_{{{ VARIABLE }}}" datatype="int" id="var_password_pam_{{{ VARIABLE }}}" version="3" />
 </def-group>
diff --git a/shared/templates/accounts_password/template.py b/shared/templates/accounts_password/template.py
index 65c25ec7991..ab849d1fa72 100644
--- a/shared/templates/accounts_password/template.py
+++ b/shared/templates/accounts_password/template.py
@@ -1,4 +1,7 @@
+from ssg.utils import parse_template_boolean_value
+
 def preprocess(data, lang):
     if lang == "oval":
         data["sign"] = "-?" if data["variable"].endswith("credit") else ""
+    data["zero_comparison_operation"] = data.get("zero_comparison_operation", None)
     return data

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation