From d09b82de682756213c96b396abb0c912bea32a2b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 26 Aug 2020 17:50:57 +0200
Subject: [PATCH 1/4] unify bash remediations
---
.../accounts_maximum_age_login_defs/bash/fedora.sh | 11 -----------
.../accounts_maximum_age_login_defs/bash/shared.sh | 2 +-
2 files changed, 1 insertion(+), 12 deletions(-)
delete mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/fedora.sh
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/fedora.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/fedora.sh
deleted file mode 100644
index ef664f1a64..0000000000
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/fedora.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-# platform = multi_platform_fedora
-. /usr/share/scap-security-guide/remediation_functions
-declare var_accounts_maximum_age_login_defs
-populate var_accounts_maximum_age_login_defs
-
-grep -q ^PASS_MAX_DAYS /etc/login.defs && \
-sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs/g" /etc/login.defs
-if ! [ $? -eq 0 ]
-then
- echo -e "PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs" >> /etc/login.defs
-fi
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh
index 494e04abb9..9c61548d3a 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_fedora
. /usr/share/scap-security-guide/remediation_functions
populate var_accounts_maximum_age_login_defs
From 041017588bf29a3f84024ab2dd4928624dfbf82e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 26 Aug 2020 17:51:19 +0200
Subject: [PATCH 2/4] fix regex in oval check
---
.../accounts_maximum_age_login_defs/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml
index cd79ca81b5..27649723ac 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml
@@ -22,6 +22,6 @@
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of PASS_MAX_DAYS directive -->
- <ind:pattern operation="pattern match">.*\n[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n</ind:pattern>
+ <ind:pattern operation="pattern match">^(?:.*\n)*\s*[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
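Review bot: The `[^#]*` kept in front of the capture group in the new `ind:pattern` accepts any run of non-`#` characters, newlines included, so a later line such as `XPASS_MAX_DAYS 60` (constructed example) would be captured as the last `PASS_MAX_DAYS` occurrence. If the tools that read /etc/login.defs do not treat such a line as the directive, which seems likely, the check could report a pass while the effective maximum age is still the earlier, non-compliant value. Allowing only indentation before the keyword closes that gap: `^(?:.*\n)*[ \t]*(PASS_MAX_DAYS\s+\d+)\s*\n`. The trailing `\s*\n` also means a directive on a final line without a newline, or one followed by an inline comment, is not matched; that fails closed, but a short XML comment next to the pattern stating it would help. The enclosing `textfilecontent54_object` starts outside this hunk.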
From 6120e191d15b5869e6f95bea8c0a6e9de4e3e6fc Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 26 Aug 2020 17:51:37 +0200
Subject: [PATCH 3/4] add tests
---
.../tests/commented_standard.fail.sh | 5 +++++
.../tests/commented_stig.fail.sh | 5 +++++
.../tests/correct_standard.pass.sh | 5 +++++
.../tests/correct_stig.pass.sh | 5 +++++
.../tests/incorrect_standard.fail.sh | 5 +++++
.../tests/incorrect_stig.fail.sh | 5 +++++
6 files changed, 30 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_stig.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_stig.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_stig.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh
new file mode 100644
index 0000000000..84301cc031
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_standard
+
+rm -f /etc/login.defs
+echo '#PASS_MAX_DAYS 90' > /etc/login.defs
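Review bot: This scenario, like the five other new test files in this patch (commented_stig.fail.sh, correct_standard.pass.sh, correct_stig.pass.sh, incorrect_standard.fail.sh, incorrect_stig.fail.sh), writes a one-line /etc/login.defs, so none of them exercises the "last uncommented occurrence" logic that the OVAL pattern change in patch 2 is about. A multi-line scenario would cover it, for example a `.fail.sh` containing `printf 'PASS_MAX_DAYS 90\nPASS_MAX_DAYS 120\n' > /etc/login.defs`, and a `.pass.sh` where a compliant directive is followed by a commented-out one. The `rm -f /etc/login.defs` before the `>` redirection is redundant because the redirection already truncates the file, and recreating the file may change its mode or SELinux label on the test host; dropping the `rm` keeps the original file metadata.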
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_stig.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_stig.fail.sh
new file mode 100644
index 0000000000..8ab4879dda
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_stig.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+rm -f /etc/login.defs
+echo '#PASS_MAX_DAYS 60' > /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh
new file mode 100644
index 0000000000..989cf596d6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_standard
+
+rm -f /etc/login.defs
+echo "PASS_MAX_DAYS 90" > /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_stig.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_stig.pass.sh
new file mode 100644
index 0000000000..172cc4841d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_stig.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+rm -f /etc/login.defs
+echo "PASS_MAX_DAYS 60" > /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh
new file mode 100644
index 0000000000..4556ef09d5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_standard
+
+rm -f /etc/login.defs
+echo "PASS_MAX_DAYS 120" > /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_stig.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_stig.fail.sh
new file mode 100644
index 0000000000..d079467f2d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_stig.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+rm -f /etc/login.defs
+echo "PASS_MAX_DAYS 120" > /etc/login.defs
From c3dfc4148e2136ce74e1c59cd66ade7e540b51b3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 1 Sep 2020 14:46:23 +0200
Subject: [PATCH 4/4] change platform of some tests to fedora
---
...mented_standard.fail.sh => commented_standard_fedora.fail.sh} | 1 +
...{correct_standard.pass.sh => correct_standard_fedora.pass.sh} | 1 +
...orrect_standard.fail.sh => incorrect_standard_fedora.fail.sh} | 1 +
3 files changed, 3 insertions(+)
rename linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/{commented_standard.fail.sh => commented_standard_fedora.fail.sh} (79%)
rename linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/{correct_standard.pass.sh => correct_standard_fedora.pass.sh} (79%)
rename linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/{incorrect_standard.fail.sh => incorrect_standard_fedora.fail.sh} (79%)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard_fedora.fail.sh
similarity index 79%
rename from linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh
rename to linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard_fedora.fail.sh
index 84301cc031..0add08ec19 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard_fedora.fail.sh
@@ -1,5 +1,6 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_standard
+# platform = multi_platform_fedora
rm -f /etc/login.defs
echo '#PASS_MAX_DAYS 90' > /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard_fedora.pass.sh
similarity index 79%
rename from linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh
rename to linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard_fedora.pass.sh
index 989cf596d6..7fd75139c8 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard_fedora.pass.sh
@@ -1,5 +1,6 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_standard
+# platform = multi_platform_fedora
rm -f /etc/login.defs
echo "PASS_MAX_DAYS 90" > /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard_fedora.fail.sh
similarity index 79%
rename from linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh
rename to linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard_fedora.fail.sh
index 4556ef09d5..b4f647c324 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard_fedora.fail.sh
@@ -1,5 +1,6 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_standard
+# platform = multi_platform_fedora
rm -f /etc/login.defs
echo "PASS_MAX_DAYS 120" > /etc/login.defs