From 2e618f9239de966ec167f7b43ae854650a3421ad Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Apr 2019 18:05:15 +0200
Subject: [PATCH 1/3] Introduce CPE shadow-utils

- Add inventory OVAL check for shadow-utils package installed
- Add shadow-utils CPE to RHEL7 dictionary
---
 rhel7/cpe/rhel7-cpe-dictionary.xml            |  5 ++++
 ...installed_env_has_shadow-utils_package.xml | 24 +++++++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 shared/checks/oval/installed_env_has_shadow-utils_package.xml

diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
index 23541378f8..44fe06f103 100644
--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
@@ -47,4 +47,9 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_is_a_machine</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:shadow-utils">
+            <title xml:lang="en-us">Package shadow-utils is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_shadow-utils_package</check>
+      </cpe-item>
 </cpe-list>
diff --git a/shared/checks/oval/installed_env_has_shadow-utils_package.xml b/shared/checks/oval/installed_env_has_shadow-utils_package.xml
new file mode 100644
index 0000000000..12dd5bd565
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_shadow-utils_package.xml
@@ -0,0 +1,24 @@
+<def-group>
+  <definition class="inventory"
+  id="installed_env_has_shadow-utils_package" version="1">
+    <metadata>
+      <title>Package shadow-utils is installed</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <description>Checks if package shadow-utils is installed.</description>
+      <reference ref_id="cpe:/a:shadow-utils" source="CPE" />
+    </metadata>
+    <criteria>
+      <criterion comment="Package shadow-utils is installed" test_ref="test_env_has_shadow-utils_installed" />
+    </criteria>
+  </definition>
+
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package shadow-utils installed" id="test_env_has_shadow-utils_installed" version="1">
+    <linux:object object_ref="obj_env_has_shadow-utils_installed" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_object id="obj_env_has_shadow-utils_installed" version="1">
+    <linux:name>shadow-utils</linux:name>
+  </linux:rpminfo_object>
+
+</def-group>

From 06650f96e4e880c90a23eaf565e70d37a175aa47 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Apr 2019 18:10:33 +0200
Subject: [PATCH 2/3] Rules are applicable when shadow-utils installed

If package shadow-utils is not installed, the rule will result in
notapplicable.
---
 .../account_disable_post_pw_expiration.rule                     | 2 ++
 .../accounts_maximum_age_login_defs.rule                        | 2 ++
 .../accounts_minimum_age_login_defs.rule                        | 2 ++
 .../accounts_password_minlen_login_defs.rule                    | 2 ++
 .../accounts_password_warn_age_login_defs.rule                  | 2 ++
 .../accounts-session/accounts_logon_fail_delay.rule             | 2 ++
 6 files changed, 12 insertions(+)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule
index 9d19274f1c..d8b29b6436 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule
@@ -62,3 +62,5 @@ ocil: |-
     to an appropriate integer as shown in the example below:
     <pre>$ grep "INACTIVE" /etc/default/useradd
     INACTIVE=<sub idref="var_account_disable_post_pw_expiration" /></pre>
+
+platform: shadow-utils
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule
index 90dc1b4f2b..de322bc787 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule
@@ -55,3 +55,5 @@ ocil: |-
     <pre>$ grep PASS_MAX_DAYS /etc/login.defs</pre>
     The DoD and FISMA requirement is 60.
     A value of 180 days is sufficient for many environments.
+
+platform: shadow-utils
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule
index 88706c8b3e..dd7030cd0a 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule
@@ -49,3 +49,5 @@ ocil_clause: 'it is not equal to or greater than the required value'
 ocil: |-
     To check the minimum password age, run the command:
     <pre>$ grep PASS_MIN_DAYS /etc/login.defs</pre>
+
+platform: shadow-utils
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule
index 814fda94b9..d38ee253fb 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule
@@ -51,3 +51,5 @@ ocil: |-
     To check the minimum password length, run the command:
     <pre>$ grep PASS_MIN_LEN /etc/login.defs</pre>
     The DoD requirement is <tt>15</tt>.
+
+platform: shadow-utils
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule
index d8947ad9fd..85b5cd762f 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule
@@ -40,3 +40,5 @@ ocil: |-
     To check the password warning age, run the command:
     <pre>$ grep PASS_WARN_AGE /etc/login.defs</pre>
     The DoD requirement is 7.
+
+platform: shadow-utils
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule
index 171051e138..33fc873e97 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule
@@ -37,3 +37,5 @@ ocil: |-
     All output must show the value of <tt>FAIL_DELAY</tt> set as shown in the below:
     <pre>$ sudo grep -i "FAIL_DELAY" /etc/login.defs
     fail_delay <sub idref="var_accounts_fail_delay" /></pre>
+
+platform: shadow-utils

From 63ab7328a57c185734037a124eab2ab8ac740e82 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Apr 2019 18:14:58 +0200
Subject: [PATCH 3/3] Map shadow-utils platform to CPE name

---
 ssg/constants.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ssg/constants.py b/ssg/constants.py
index b80382be3d..f96fd51790 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -375,7 +375,8 @@
 
 XCCDF_PLATFORM_TO_CPE = {
     "machine": "cpe:/a:machine",
-    "container": "cpe:/a:container"
+    "container": "cpe:/a:container",
+    "shadow-utils": "cpe:/a:shadow-utils",
 }
 
 # Application constants