
Fix Jinja condition in macro for pam_faillock #10009

Merged

Conversation

marcusburghardt
Member

Description:

Recently the pam_faillock related macros were updated to include a specific case for Ubuntu.
In newer systems these changes were fine, but in older systems, like RHEL7, the relevant code was not updated, causing the remediation to fail due to files not found.
Instead of duplicating the existing conditional in two places, I moved the testing logic to a single place where the relevant files are defined.
This should make it simpler while fixing the issue.

Rationale:

Recently the pam_faillock related macros were updated to include a
specific case for Ubuntu. In newer systems these changes were fine, but
in older systems, like RHEL7, the relevant code was not updated, causing
the remediation to fail due to files not found. Instead of duplicating
the existing conditional in two places, I move the testing logic to a
single place where the relevant files are defined. This should make it
simpler while fixing the issue.
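As an added illustration of the approach the description takes (not code from the ComplianceAsCode project, whose macros resolve the file list at build time with Jinja), here is a POSIX shell sketch that decides the PAM file list in one place at run time and lets a single loop skip files that are not present instead of handing them to grep and sed. The functions `pam_auth_files_for`, `os_id_from_release`, `existing_auth_files` and `auth_files_under`, the `$root` prefix used to point the check at a test directory, and the constructed demo tree are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode code: keep the platform-specific file list
# in one place and let one loop deal with files that do not exist on this system.

# Hypothetical helper: map an os-release ID to the PAM files pam_faillock is set in.
pam_auth_files_for() {
    case "$1" in
        ubuntu|debian) echo "/etc/pam.d/common-auth" ;;
        *)             echo "/etc/pam.d/system-auth /etc/pam.d/password-auth" ;;
    esac
}

# Hypothetical helper: read ID= from os-release under $1 (empty means the real root).
os_id_from_release() {
    release="${1:-}/etc/os-release"
    if [ -r "$release" ]; then
        sed -n 's/^ID=//p' "$release" | tr -d '"'
    fi
}

# Print only the candidate files that exist as regular files under $root.
# -f (quoted) is deliberate: -e would also accept a directory or socket that
# sed/grep cannot edit. Missing files are reported on stderr and skipped.
existing_auth_files() {
    os_id="$1"
    root="${2:-}"
    for pam_file in $(pam_auth_files_for "$os_id"); do
        if [ -f "$root$pam_file" ]; then
            printf '%s\n' "$pam_file"
        else
            echo "$pam_file was not found" >&2
        fi
    done
}

# Convenience wrapper: detect the platform from os-release, then list the files.
auth_files_under() {
    root="${1:-}"
    existing_auth_files "$(os_id_from_release "$root")" "$root"
}

# Constructed demo tree standing in for a RHEL 7 host: no /etc/pam.d/common-auth.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/pam.d"
printf 'ID="rhel"\nVERSION_ID="7.9"\n' > "$demo_root/etc/os-release"
printf 'auth required pam_unix.so\n' > "$demo_root/etc/pam.d/system-auth"
printf 'auth required pam_unix.so\n' > "$demo_root/etc/pam.d/password-auth"

auth_files_under "$demo_root"
rm -rf "$demo_root"
```

Pointing the functions at a throwaway directory is what makes the "file not found" path testable without touching a real `/etc/pam.d`; the same shape (select once, guard with `-f` in the loop) is what the PR's datastream diff ends up generating.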
@marcusburghardt marcusburghardt added bugfix Fixes to reported bugs. Bash Bash remediation update. productization-issue Issue found in upstream stabilization process. labels Dec 22, 2022
@marcusburghardt marcusburghardt added this to the 0.1.66 milestone Dec 22, 2022
@github-actions

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

@github-actions

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
@@ -25,7 +25,9 @@
 done
 
 fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
 regex="^\s*audit"
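Review bot: the two `+` blank lines around the new `AUTH_FILES=(...)` assignment are leftover whitespace from the Jinja macro rather than content; trimming the block delimiters (`{{%-` / `-%}}`) in the macro would keep the generated script tidy. This hunk also only shows the RHEL/Fedora outcome, where `/etc/pam.d/common-auth` is dropped from the list; since the Ubuntu case now lives with the file definition, it is worth confirming in an Ubuntu datastream diff that `common-auth` is still emitted there.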
@@ -35,8 +37,7 @@
 fi
 for pam_file in "${AUTH_FILES[@]}"
 do
- if [ -f $pam_file ]; then
- if [ -e "$pam_file" ] ; then
+ if [ -e "$pam_file" ] ; then
 PAM_FILE_PATH="$pam_file"
 if [ -f /usr/bin/authselect ]; then
 if ! authselect check; then
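Review bot: with the outer `if [ -f $pam_file ]` removed, the only guard left is `[ -e "$pam_file" ]`, which is weaker than the one taken out: `-e` is also true for a directory or any other non-regular entry, which the `grep`/`sed` calls further down cannot edit. Keeping the stricter test, quoted this time, `if [ -f "$pam_file" ]; then`, preserves the original intent without the duplicated nesting.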
@@ -78,7 +79,6 @@
 else
 echo "$pam_file was not found" >&2
 fi
- fi
 done
 else
 for pam_file in "${AUTH_FILES[@]}"
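Review bot: dropping the extra `fi` correctly re-pairs the `else` / `echo "$pam_file was not found" >&2` branch with the remaining existence test, so a missing file is now reported on stderr and the loop continues instead of the script failing. That also means a missing auth file becomes a silent success for the rule as a whole (the remediation exits 0 having changed nothing); that is what the RHEL 7 case needs, but it deserves a line in the rule documentation so a wrong file list is not hidden the next time.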

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
@@ -25,7 +25,9 @@
 done
 
 fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
 regex="^\s*audit"
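Review bot: this diff is byte-for-byte the one for `account_passwords_pam_faillock_audit` above; the two rule ids differ only by `account`/`accounts`, so both draw on the same macro and will need the same whitespace trim. Worth checking whether both rules are meant to exist or one is a leftover that should be retired.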
@@ -35,8 +37,7 @@
 fi
 for pam_file in "${AUTH_FILES[@]}"
 do
- if [ -f $pam_file ]; then
- if [ -e "$pam_file" ] ; then
+ if [ -e "$pam_file" ] ; then
 PAM_FILE_PATH="$pam_file"
 if [ -f /usr/bin/authselect ]; then
 if ! authselect check; then
@@ -78,7 +79,6 @@
 else
 echo "$pam_file was not found" >&2
 fi
- fi
 done
 else
 for pam_file in "${AUTH_FILES[@]}"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -30,7 +30,9 @@
 done
 
 fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
 regex="^\s*deny\s*="
@@ -42,8 +44,7 @@
 fi
 for pam_file in "${AUTH_FILES[@]}"
 do
- if [ -f $pam_file ]; then
- if [ -e "$pam_file" ] ; then
+ if [ -e "$pam_file" ] ; then
 PAM_FILE_PATH="$pam_file"
 if [ -f /usr/bin/authselect ]; then
 if ! authselect check; then
@@ -85,7 +86,6 @@
 else
 echo "$pam_file was not found" >&2
 fi
- fi
 done
 else
 for pam_file in "${AUTH_FILES[@]}"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
@@ -27,7 +27,9 @@
 done
 
 fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
 regex="^\s*even_deny_root"
@@ -37,8 +39,7 @@
 fi
 for pam_file in "${AUTH_FILES[@]}"
 do
- if [ -f $pam_file ]; then
- if [ -e "$pam_file" ] ; then
+ if [ -e "$pam_file" ] ; then
 PAM_FILE_PATH="$pam_file"
 if [ -f /usr/bin/authselect ]; then
 if ! authselect check; then
@@ -80,7 +81,6 @@
 else
 echo "$pam_file was not found" >&2
 fi
- fi
 done
 else
 for pam_file in "${AUTH_FILES[@]}"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
@@ -30,7 +30,9 @@
 done
 
 fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
 regex="^\s*dir\s*="
@@ -42,8 +44,7 @@
 fi
 for pam_file in "${AUTH_FILES[@]}"
 do
- if [ -f $pam_file ]; then
- if [ -e "$pam_file" ] ; then
+ if [ -e "$pam_file" ] ; then
 PAM_FILE_PATH="$pam_file"
 if [ -f /usr/bin/authselect ]; then
 if ! authselect check; then
@@ -85,7 +86,6 @@
 else
 echo "$pam_file was not found" >&2
 fi
- fi
 done
 else
 for pam_file in "${AUTH_FILES[@]}"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
@@ -27,7 +27,9 @@
 done
 
 fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
 regex="^\s*local_users_only"
@@ -37,8 +39,7 @@
 fi
 for pam_file in "${AUTH_FILES[@]}"
 do
- if [ -f $pam_file ]; then
- if [ -e "$pam_file" ] ; then
+ if [ -e "$pam_file" ] ; then
 PAM_FILE_PATH="$pam_file"
 if [ -f /usr/bin/authselect ]; then
 if ! authselect check; then
@@ -80,7 +81,6 @@
 else
 echo "$pam_file was not found" >&2
 fi
- fi
 done
 else
 for pam_file in "${AUTH_FILES[@]}"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
@@ -30,7 +30,9 @@
 done
 
 fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
 regex="^\s*fail_interval\s*="
@@ -42,8 +44,7 @@
 fi
 for pam_file in "${AUTH_FILES[@]}"
 do
- if [ -f $pam_file ]; then
- if [ -e "$pam_file" ] ; then
+ if [ -e "$pam_file" ] ; then
 PAM_FILE_PATH="$pam_file"
 if [ -f /usr/bin/authselect ]; then
 if ! authselect check; then
@@ -85,7 +86,6 @@
 else
 echo "$pam_file was not found" >&2
 fi
- fi
 done
 else
 for pam_file in "${AUTH_FILES[@]}"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
@@ -30,7 +30,9 @@
 done
 
 fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
 regex="^\s*unlock_time\s*="
@@ -42,8 +44,7 @@
 fi
 for pam_file in "${AUTH_FILES[@]}"
 do
- if [ -f $pam_file ]; then
- if [ -e "$pam_file" ] ; then
+ if [ -e "$pam_file" ] ; then
 PAM_FILE_PATH="$pam_file"
 if [ -f /usr/bin/authselect ]; then
 if ! authselect check; then
@@ -85,7 +86,6 @@
 else
 echo "$pam_file was not found" >&2
 fi
- fi
 done
 else
 for pam_file in "${AUTH_FILES[@]}"

@codeclimate

codeclimate bot commented Dec 22, 2022

Code Climate has analyzed commit b674014 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 49.8% (0.0% change).


@marcusburghardt
Member Author

/retest

@jan-cerny jan-cerny self-assigned this Jan 2, 2023
Collaborator

@jan-cerny jan-cerny left a comment


Thank you for your changes. I have verified locally using Automatus that it fixed the problem for me.

$ python3 tests/automatus.py rule --remediate-using bash --libvirt qemu:///system ssgts_rhel7 accounts_passwords_pam_faillock_deny

current master:

Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-01-02-1114/test_suite.log
WARNING - Script authselect_modified_pam.fail.sh is not applicable on given platform
WARNING - Script conflicting_settings_authselect.fail.sh is not applicable on given platform
WARNING - Script pam_faillock_conflicting_settings.fail.sh is not applicable on given platform
WARNING - Script pam_faillock_expected_faillock_conf.pass.sh is not applicable on given platform
WARNING - Script pam_faillock_lenient_faillock_conf.fail.sh is not applicable on given platform
WARNING - Script pam_faillock_multiple_pam_unix_faillock_conf.fail.sh is not applicable on given platform
WARNING - Script pam_faillock_stricter_faillock_conf.pass.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
INFO - Script pam_faillock_disabled.fail.sh using profile (all) OK
ERROR - Bash remediation for rule xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny has exited with these errors:
Warning: Permanently added '192.168.122.160' (ED25519) to the list of known hosts.
+ echo 'Remediating rule 1/1: '\''xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'\'''
Remediating rule 1/1: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'
+ rpm --quiet -q pam
+ var_accounts_passwords_pam_faillock_deny=3
+ '[' -f /usr/bin/authselect ']'
+ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' /etc/pam.d/system-auth
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required     \3/g' /etc/pam.d/system-auth
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' /etc/pam.d/password-auth
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required     \3/g' /etc/pam.d/password-auth
+ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+ FAILLOCK_CONF=/etc/security/faillock.conf
+ '[' -f /etc/security/faillock.conf ']'
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' /etc/pam.d/system-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/system-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/system-auth
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' /etc/pam.d/password-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/password-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/password-auth
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' /etc/pam.d/common-auth
grep: /etc/pam.d/common-auth: No such file or directory
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny=3/' /etc/pam.d/common-auth
sed: can't read /etc/pam.d/common-auth: No such file or directory
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny=3/' /etc/pam.d/common-auth
sed: can't read /etc/pam.d/common-auth: No such file or directory

ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'.
INFO - Script pam_faillock_expected_pam_files.pass.sh using profile (all) OK
INFO - Script pam_faillock_lenient_pam_files.fail.sh using profile (all) OK
ERROR - Bash remediation for rule xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny has exited with these errors:
Warning: Permanently added '192.168.122.160' (ED25519) to the list of known hosts.
+ echo 'Remediating rule 1/1: '\''xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'\'''
Remediating rule 1/1: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'
+ rpm --quiet -q pam
+ var_accounts_passwords_pam_faillock_deny=3
+ '[' -f /usr/bin/authselect ']'
+ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' /etc/pam.d/system-auth
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required     \3/g' /etc/pam.d/system-auth
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' /etc/pam.d/password-auth
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required     \3/g' /etc/pam.d/password-auth
+ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+ FAILLOCK_CONF=/etc/security/faillock.conf
+ '[' -f /etc/security/faillock.conf ']'
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' /etc/pam.d/system-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/system-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/system-auth
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' /etc/pam.d/password-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/password-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/password-auth
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' /etc/pam.d/common-auth
grep: /etc/pam.d/common-auth: No such file or directory
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny=3/' /etc/pam.d/common-auth
sed: can't read /etc/pam.d/common-auth: No such file or directory
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny=3/' /etc/pam.d/common-auth
sed: can't read /etc/pam.d/common-auth: No such file or directory

ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'.
INFO - Script pam_faillock_multiple_pam_unix_pam_files.fail.sh using profile (all) OK
INFO - Script pam_faillock_not_required_pam_files.fail.sh using profile (all) OK
ERROR - Bash remediation for rule xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny has exited with these errors:
Warning: Permanently added '192.168.122.160' (ED25519) to the list of known hosts.
+ echo 'Remediating rule 1/1: '\''xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'\'''
Remediating rule 1/1: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'
+ rpm --quiet -q pam
+ var_accounts_passwords_pam_faillock_deny=3
+ '[' -f /usr/bin/authselect ']'
+ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' /etc/pam.d/system-auth
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required     \3/g' /etc/pam.d/system-auth
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' /etc/pam.d/password-auth
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required     \3/g' /etc/pam.d/password-auth
+ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
+ FAILLOCK_CONF=/etc/security/faillock.conf
+ '[' -f /etc/security/faillock.conf ']'
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' /etc/pam.d/system-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/system-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/system-auth
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' /etc/pam.d/password-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/password-auth
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\(deny=\)[0-9]\+\(.*\)/\1\23\3/' /etc/pam.d/password-auth
+ for pam_file in '"${AUTH_FILES[@]}"'
+ grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' /etc/pam.d/common-auth
grep: /etc/pam.d/common-auth: No such file or directory
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny=3/' /etc/pam.d/common-auth
sed: can't read /etc/pam.d/common-auth: No such file or directory
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny=3/' /etc/pam.d/common-auth
sed: can't read /etc/pam.d/common-auth: No such file or directory

ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'.

this PR branch:

Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-01-02-1124/test_suite.log
WARNING - Script authselect_modified_pam.fail.sh is not applicable on given platform
WARNING - Script conflicting_settings_authselect.fail.sh is not applicable on given platform
WARNING - Script pam_faillock_conflicting_settings.fail.sh is not applicable on given platform
WARNING - Script pam_faillock_expected_faillock_conf.pass.sh is not applicable on given platform
WARNING - Script pam_faillock_lenient_faillock_conf.fail.sh is not applicable on given platform
WARNING - Script pam_faillock_multiple_pam_unix_faillock_conf.fail.sh is not applicable on given platform
WARNING - Script pam_faillock_stricter_faillock_conf.pass.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
INFO - Script pam_faillock_disabled.fail.sh using profile (all) OK
INFO - Script pam_faillock_expected_pam_files.pass.sh using profile (all) OK
INFO - Script pam_faillock_lenient_pam_files.fail.sh using profile (all) OK
INFO - Script pam_faillock_multiple_pam_unix_pam_files.fail.sh using profile (all) OK
INFO - Script pam_faillock_not_required_pam_files.fail.sh using profile (all) OK
INFO - Script pam_faillock_stricter_pam_files.pass.sh using profile (all) OK

@jan-cerny jan-cerny merged commit af29431 into ComplianceAsCode:master Jan 2, 2023
@marcusburghardt marcusburghardt deleted the faillock_bash_ubuntu branch January 2, 2023 10:40
Successfully merging this pull request may close these issues.

accounts_passwords_pam_faillock_deny Bash remediation failing