Fix Jinja condition in macro for pam_faillock #10009
Conversation
Recently the pam_faillock related macros were updated to include a specific case for Ubuntu. In newer systems these changes were fine, but in older systems, like RHEL7, the relevant code was not updated, causing the remediation to fail due to files not found. Instead of duplicating the existing conditional in two places, I move the testing logic to a single place where the relevant files are defined. This should make it simpler while fixing the issue.
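As an added example, not code from the ComplianceAsCode project or this PR, the script below shows the pattern the fix restores: one candidate list of PAM auth files with the existence check sitting where the list is consumed, so a file absent on this platform (common-auth on RHEL7) is skipped rather than aborting the remediation. The pam.d contents, the scratch directory and the helper names (`make_fixture`, `set_faillock_deny`, `count_deny`) are constructed for the example.

```shell
#!/bin/bash
# Added example, not the project's generated remediation. Works only in a
# scratch directory created by make_fixture, never in /etc/pam.d.
set -e

# Build a constructed RHEL7-style pam.d tree: system-auth and password-auth
# exist, the Ubuntu-only common-auth deliberately does not.
make_fixture() {
    local dir f
    dir="$(mktemp -d)"
    for f in system-auth password-auth; do
        cat > "$dir/$f" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=5 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=900
EOF
    done
    printf '%s\n' "$dir"
}

# Set deny=<value> on the pam_faillock preauth/authfail lines of every
# candidate file that actually exists. Missing candidates are reported on
# stderr and skipped instead of failing the run. Prints the number of
# files modified.
set_faillock_deny() {
    local pamdir="$1" deny="$2" modified=0 pam_file
    # One list for all platforms (the generated bash uses an AUTH_FILES
    # array); the guard in the loop does the per-platform selection.
    set -- "$pamdir/system-auth" "$pamdir/password-auth" "$pamdir/common-auth"
    for pam_file in "$@"; do
        if [ -f "$pam_file" ]; then
            if grep -qE '^[[:space:]]*auth.*pam_faillock\.so.*(preauth|authfail).*deny=' "$pam_file"; then
                # deny= already present: replace its value in place
                sed -i -E "s/^(auth.*pam_faillock\.so.*(preauth|authfail).*)deny=[0-9]+/\1deny=${deny}/" "$pam_file"
            else
                # no deny= yet: append it to the matching lines
                sed -i -E "/^auth.*pam_faillock\.so[[:space:]]+(preauth|authfail)/ s/\$/ deny=${deny}/" "$pam_file"
            fi
            modified=$((modified + 1))
        else
            echo "$pam_file was not found, skipping" >&2
        fi
    done
    printf '%s\n' "$modified"
}

# Verification helper: number of pam_faillock lines in a file that carry
# exactly deny=<value>.
count_deny() {
    grep -cE "pam_faillock\.so.*deny=$2([[:space:]]|\$)" "$1" || true
}
```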
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
@@ -25,7 +25,9 @@
done
fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then
regex="^\s*audit"
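Review bot: The rendered remediation now carries an empty line before and after the `AUTH_FILES` assignment (the two bare `+` lines around `+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")`), which suggests the moved Jinja condition is not stripping whitespace; tightening the block with `{%-` / `-%}` would keep the generated bash identical apart from the intended file-list change. The content change itself, dropping /etc/pam.d/common-auth from the list on this platform, matches the failure described in the PR body.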
@@ -35,8 +37,7 @@
fi
for pam_file in "${AUTH_FILES[@]}"
do
- if [ -f $pam_file ]; then
- if [ -e "$pam_file" ] ; then
+ if [ -e "$pam_file" ] ; then
PAM_FILE_PATH="$pam_file"
if [ -f /usr/bin/authselect ]; then
if ! authselect check; then
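Review bot: The surviving test is `if [ -e "$pam_file" ]` while the removed outer guard was `if [ -f $pam_file ]`; `-e` also succeeds for directories and other non-regular entries, so the later edits would run on them. The PAM stack entries are regular files (or symlinks to them, which `--follow-symlinks` elsewhere in the generated output already accounts for), so `if [ -f "$pam_file" ]` would keep both the quoting fix and the stricter check in a single line.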
@@ -78,7 +79,6 @@
else
echo "$pam_file was not found" >&2
fi
- fi
done
else
for pam_file in "${AUTH_FILES[@]}"
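Review bot: Dropping the inner `fi` correctly balances the one remaining `if [ -e "$pam_file" ]`, so `echo "$pam_file was not found" >&2` becomes the only handling for a missing file and the loop continues instead of aborting. The hunk ends where the non-authselect `else` branch begins its own `for pam_file in "${AUTH_FILES[@]}"`; worth confirming that branch iterates the same trimmed list, since the master log below shows the three-file list being re-assigned right before the grep on /etc/pam.d/common-auth fails.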
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
@@ -25,7 +25,9 @@
done
fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then
regex="^\s*audit"
@@ -35,8 +37,7 @@
fi
for pam_file in "${AUTH_FILES[@]}"
do
- if [ -f $pam_file ]; then
- if [ -e "$pam_file" ] ; then
+ if [ -e "$pam_file" ] ; then
PAM_FILE_PATH="$pam_file"
if [ -f /usr/bin/authselect ]; then
if ! authselect check; then
@@ -78,7 +79,6 @@
else
echo "$pam_file was not found" >&2
fi
- fi
done
else
for pam_file in "${AUTH_FILES[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -30,7 +30,9 @@
done
fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then
regex="^\s*deny\s*="
@@ -42,8 +44,7 @@
fi
for pam_file in "${AUTH_FILES[@]}"
do
- if [ -f $pam_file ]; then
- if [ -e "$pam_file" ] ; then
+ if [ -e "$pam_file" ] ; then
PAM_FILE_PATH="$pam_file"
if [ -f /usr/bin/authselect ]; then
if ! authselect check; then
@@ -85,7 +86,6 @@
else
echo "$pam_file was not found" >&2
fi
- fi
done
else
for pam_file in "${AUTH_FILES[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
@@ -27,7 +27,9 @@
done
fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then
regex="^\s*even_deny_root"
@@ -37,8 +39,7 @@
fi
for pam_file in "${AUTH_FILES[@]}"
do
- if [ -f $pam_file ]; then
- if [ -e "$pam_file" ] ; then
+ if [ -e "$pam_file" ] ; then
PAM_FILE_PATH="$pam_file"
if [ -f /usr/bin/authselect ]; then
if ! authselect check; then
@@ -80,7 +81,6 @@
else
echo "$pam_file was not found" >&2
fi
- fi
done
else
for pam_file in "${AUTH_FILES[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
@@ -30,7 +30,9 @@
done
fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then
regex="^\s*dir\s*="
@@ -42,8 +44,7 @@
fi
for pam_file in "${AUTH_FILES[@]}"
do
- if [ -f $pam_file ]; then
- if [ -e "$pam_file" ] ; then
+ if [ -e "$pam_file" ] ; then
PAM_FILE_PATH="$pam_file"
if [ -f /usr/bin/authselect ]; then
if ! authselect check; then
@@ -85,7 +86,6 @@
else
echo "$pam_file was not found" >&2
fi
- fi
done
else
for pam_file in "${AUTH_FILES[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
@@ -27,7 +27,9 @@
done
fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then
regex="^\s*local_users_only"
@@ -37,8 +39,7 @@
fi
for pam_file in "${AUTH_FILES[@]}"
do
- if [ -f $pam_file ]; then
- if [ -e "$pam_file" ] ; then
+ if [ -e "$pam_file" ] ; then
PAM_FILE_PATH="$pam_file"
if [ -f /usr/bin/authselect ]; then
if ! authselect check; then
@@ -80,7 +81,6 @@
else
echo "$pam_file was not found" >&2
fi
- fi
done
else
for pam_file in "${AUTH_FILES[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
@@ -30,7 +30,9 @@
done
fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then
regex="^\s*fail_interval\s*="
@@ -42,8 +44,7 @@
fi
for pam_file in "${AUTH_FILES[@]}"
do
- if [ -f $pam_file ]; then
- if [ -e "$pam_file" ] ; then
+ if [ -e "$pam_file" ] ; then
PAM_FILE_PATH="$pam_file"
if [ -f /usr/bin/authselect ]; then
if ! authselect check; then
@@ -85,7 +86,6 @@
else
echo "$pam_file was not found" >&2
fi
- fi
done
else
for pam_file in "${AUTH_FILES[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
@@ -30,7 +30,9 @@
done
fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then
regex="^\s*unlock_time\s*="
@@ -42,8 +44,7 @@
fi
for pam_file in "${AUTH_FILES[@]}"
do
- if [ -f $pam_file ]; then
- if [ -e "$pam_file" ] ; then
+ if [ -e "$pam_file" ] ; then
PAM_FILE_PATH="$pam_file"
if [ -f /usr/bin/authselect ]; then
if ! authselect check; then
@@ -85,7 +86,6 @@
else
echo "$pam_file was not found" >&2
fi
- fi
done
else
for pam_file in "${AUTH_FILES[@]}"
Code Climate has analyzed commit b674014 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 49.8% (0.0% change).
/retest
Thank you for your changes. I have verified locally using Automatus that it fixed the problem for me:
$ python3 tests/automatus.py rule --remediate-using bash --libvirt qemu:///system ssgts_rhel7 accounts_passwords_pam_faillock_deny
current master:
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-01-02-1114/test_suite.log
WARNING - Script authselect_modified_pam.fail.sh is not applicable on given platform
WARNING - Script conflicting_settings_authselect.fail.sh is not applicable on given platform
WARNING - Script pam_faillock_conflicting_settings.fail.sh is not applicable on given platform
WARNING - Script pam_faillock_expected_faillock_conf.pass.sh is not applicable on given platform
WARNING - Script pam_faillock_lenient_faillock_conf.fail.sh is not applicable on given platform
WARNING - Script pam_faillock_multiple_pam_unix_faillock_conf.fail.sh is not applicable on given platform
WARNING - Script pam_faillock_stricter_faillock_conf.pass.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
INFO - Script pam_faillock_disabled.fail.sh using profile (all) OK
ERROR - Bash remediation for rule xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny has exited with these errors:
Warning: Permanently added '192.168.122.160' (ED25519) to the list of known hosts.
+ echo 'Remediating rule 1/1: '\''xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'\'''
Remediating rule 1/1: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'
+ rpm --quiet -q pam
+ var_accounts_passwords_pam_faillock_deny=3
+ '[' -f /usr/bin/authselect ']'
+ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' /etc/pam.d/system-auth
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' /etc/pam.d/system-auth
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' /etc/pam.d/password-auth
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' /etc/pam.d/password-auth
+ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+ FAILLOCK_CONF=/etc/security/faillock.conf
+ '[' -f /etc/security/faillock.conf ']'
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' /etc/pam.d/system-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/system-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/system-auth
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' /etc/pam.d/password-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/password-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/password-auth
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' /etc/pam.d/common-auth
grep: /etc/pam.d/common-auth: No such file or directory
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny=3/' /etc/pam.d/common-auth
sed: can't read /etc/pam.d/common-auth: No such file or directory
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny=3/' /etc/pam.d/common-auth
sed: can't read /etc/pam.d/common-auth: No such file or directory
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'.
INFO - Script pam_faillock_expected_pam_files.pass.sh using profile (all) OK
INFO - Script pam_faillock_lenient_pam_files.fail.sh using profile (all) OK
ERROR - Bash remediation for rule xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny has exited with these errors:
Warning: Permanently added '192.168.122.160' (ED25519) to the list of known hosts.
+ echo 'Remediating rule 1/1: '\''xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'\'''
Remediating rule 1/1: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'
+ rpm --quiet -q pam
+ var_accounts_passwords_pam_faillock_deny=3
+ '[' -f /usr/bin/authselect ']'
+ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' /etc/pam.d/system-auth
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' /etc/pam.d/system-auth
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' /etc/pam.d/password-auth
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' /etc/pam.d/password-auth
+ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+ FAILLOCK_CONF=/etc/security/faillock.conf
+ '[' -f /etc/security/faillock.conf ']'
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' /etc/pam.d/system-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/system-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/system-auth
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' /etc/pam.d/password-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/password-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/password-auth
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' /etc/pam.d/common-auth
grep: /etc/pam.d/common-auth: No such file or directory
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny=3/' /etc/pam.d/common-auth
sed: can't read /etc/pam.d/common-auth: No such file or directory
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny=3/' /etc/pam.d/common-auth
sed: can't read /etc/pam.d/common-auth: No such file or directory
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'.
INFO - Script pam_faillock_multiple_pam_unix_pam_files.fail.sh using profile (all) OK
INFO - Script pam_faillock_not_required_pam_files.fail.sh using profile (all) OK
ERROR - Bash remediation for rule xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny has exited with these errors:
Warning: Permanently added '192.168.122.160' (ED25519) to the list of known hosts.
+ echo 'Remediating rule 1/1: '\''xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'\'''
Remediating rule 1/1: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'
+ rpm --quiet -q pam
+ var_accounts_passwords_pam_faillock_deny=3
+ '[' -f /usr/bin/authselect ']'
+ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' /etc/pam.d/system-auth
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' /etc/pam.d/system-auth
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' /etc/pam.d/password-auth
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' /etc/pam.d/password-auth
+ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+ FAILLOCK_CONF=/etc/security/faillock.conf
+ '[' -f /etc/security/faillock.conf ']'
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' /etc/pam.d/system-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/system-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/system-auth
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' /etc/pam.d/password-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/password-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/password-auth
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' /etc/pam.d/common-auth
grep: /etc/pam.d/common-auth: No such file or directory
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny=3/' /etc/pam.d/common-auth
sed: can't read /etc/pam.d/common-auth: No such file or directory
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny=3/' /etc/pam.d/common-auth
sed: can't read /etc/pam.d/common-auth: No such file or directory
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'.
this PR branch:
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-01-02-1124/test_suite.log
WARNING - Script authselect_modified_pam.fail.sh is not applicable on given platform
WARNING - Script conflicting_settings_authselect.fail.sh is not applicable on given platform
WARNING - Script pam_faillock_conflicting_settings.fail.sh is not applicable on given platform
WARNING - Script pam_faillock_expected_faillock_conf.pass.sh is not applicable on given platform
WARNING - Script pam_faillock_lenient_faillock_conf.fail.sh is not applicable on given platform
WARNING - Script pam_faillock_multiple_pam_unix_faillock_conf.fail.sh is not applicable on given platform
WARNING - Script pam_faillock_stricter_faillock_conf.pass.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
INFO - Script pam_faillock_disabled.fail.sh using profile (all) OK
INFO - Script pam_faillock_expected_pam_files.pass.sh using profile (all) OK
INFO - Script pam_faillock_lenient_pam_files.fail.sh using profile (all) OK
INFO - Script pam_faillock_multiple_pam_unix_pam_files.fail.sh using profile (all) OK
INFO - Script pam_faillock_not_required_pam_files.fail.sh using profile (all) OK
INFO - Script pam_faillock_stricter_pam_files.pass.sh using profile (all) OK