Enable accounts_password_set_warn_age_existing rule for RHEL #10284
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The requirement for password expiration warning is valid only for accounts with a password defined. Accounts without a password should be ignored from the list and a filter was included for this. It was also included a test to cover cases where there is no user with a password defined in the system. Besides the improvements in tests, this commit also align the OVAL to the project Style Guide.
The test scenarios were updated to ignore users without a password defined. A new test was included to test environments without any user with password. Finally, it was ensured at least a user exists for some tests in order to avoid failures caused by different test environments.
The remediations are now only updating accounts with a defined password. The Ansible tasks names were also aligned to the project Style Guide.
The accounts_password_set_warn_age_existing rule is applicable for RHEL products and satisfies CIS requirements for RHEL7, RHEL8 and RHEL9. Rule and CIS control files for RHEL were updated.
marcusburghardt
added
RHEL
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
Code Climate has analyzed commit 2d3dca4 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 51.7% (0.0% change). View more on Code Climate. |
Mab879
approved these changes
Mar 3, 2023
Mab879
added
Update Rule
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
The
accounts_password_set_warn_age_existingrule is is applicable for RHEL products and satisfies CIS requirements for RHEL7, RHEL8 and RHEL9.This PR:
Rationale:
Better CIS coverage for RHEL