SLES-15-010250 add rule, remediation and tests. #6879

Conversation

teacup-on-rockingchair (Contributor)

Description:

  • Set PAM's Common Authentication Hashing Algorithm

Rationale:

  • Add oval checks for common pam authentication to be based on sha512 and pam_unix.so module to be required
  • Add ansible and bash remediation, bash one based on the ensure_pam_module_options macro
  • Add 3 basic tests to create valid and two options of invalid configuration in the common-auth
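A runnable model of the check and remediation the description above outlines, added here as an example; it is not the project's own code (the merged rule uses the pam_options template for the OVAL and Ansible parts and the ensure_pam_module_options macro for the bash remediation, neither of which is reproduced here). It assumes the rule's intent as stated in this thread: the `auth` line for pam_unix.so in /etc/pam.d/common-auth must use the `required` control flag and carry the `sha512` option. The three sample configurations mirror the three test scenarios the description mentions (one valid, two invalid) and are constructed for this example, not taken from a real system.

```python
"""Model of the SLES-15-010250 common-auth check and remediation.

Added example, not ComplianceAsCode code. Assumed rule intent: every
'auth ... pam_unix.so' entry in /etc/pam.d/common-auth must have the
control flag 'required' and the option 'sha512'.
"""
import re
from dataclasses import dataclass

REQUIRED_CONTROL = "required"
REQUIRED_OPTION = "sha512"

# pam.d line: type, control (plain word or [bracketed action list]), module, options
_PAM_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PamEntry:
    type: str
    control: str
    module: str
    options: list
    lineno: int


def parse_pam(text):
    """Parse pam.d-style text; comments and blank lines are skipped, a leading
    '-' (optional module marker) is tolerated, bracketed controls are kept whole."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("-"):
            line = line[1:].lstrip()
        m = _PAM_LINE.match(line)
        if not m:
            continue  # unparseable line; the check ignores it
        ptype, control, module, rest = m.groups()
        entries.append(PamEntry(ptype, control, module, rest.split(), lineno))
    return entries


def check_common_auth(text):
    """Return a list of findings; an empty list means the file is compliant."""
    hits = [e for e in parse_pam(text) if e.type == "auth" and e.module == "pam_unix.so"]
    if not hits:
        return ["no 'auth ... pam_unix.so' line in common-auth"]
    findings = []
    for e in hits:
        if e.control != REQUIRED_CONTROL:
            findings.append(f"line {e.lineno}: control is '{e.control}', expected 'required'")
        if REQUIRED_OPTION not in e.options:
            findings.append(f"line {e.lineno}: option 'sha512' missing")
    return findings


def remediate_common_auth(text):
    """Rewrite the file so every 'auth ... pam_unix.so' line is 'required' and
    carries 'sha512'; append a minimal line if none exists. Other lines are
    left untouched (a trailing comment on a rewritten line is dropped)."""
    out, fixed_any = [], False
    for raw in text.splitlines():
        parsed = parse_pam(raw)  # parse this single line in isolation
        if parsed and parsed[0].type == "auth" and parsed[0].module == "pam_unix.so":
            opts = parsed[0].options
            if REQUIRED_OPTION not in opts:
                opts = opts + [REQUIRED_OPTION]
            out.append(" ".join(["auth", REQUIRED_CONTROL, "pam_unix.so", *opts]))
            fixed_any = True
        else:
            out.append(raw)
    if not fixed_any:
        out.append(f"auth {REQUIRED_CONTROL} pam_unix.so {REQUIRED_OPTION}")
    return "\n".join(out) + "\n"


# Constructed sample files mirroring the PR's three test scenarios.
VALID = """\
# constructed sample, not a real system file
auth    required   pam_env.so
auth    required   pam_unix.so try_first_pass sha512
auth    required   pam_deny.so
"""
MISSING_SHA512 = """\
auth    required   pam_env.so
auth    required   pam_unix.so try_first_pass
"""
WRONG_CONTROL = """\
auth    required   pam_env.so
auth    sufficient pam_unix.so try_first_pass sha512
auth    required   pam_deny.so
"""

if __name__ == "__main__":
    for name, cfg in [("valid", VALID), ("missing sha512", MISSING_SHA512),
                      ("wrong control", WRONG_CONTROL)]:
        findings = check_common_auth(cfg)
        print(f"{name}: {'PASS' if not findings else 'FAIL: ' + '; '.join(findings)}")
        assert check_common_auth(remediate_common_auth(cfg)) == []
```

The check mirrors what a pam_options-style OVAL test has to express: the line is located by its type and module, then the control word and the option list are tested separately, so a `sufficient` line that already has `sha512` and a `required` line that lacks it produce different findings. The remediation is written to be idempotent, which is what a bash remediation run repeatedly by the test suite needs.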

@openshift-ci-robot openshift-ci-robot added the needs-ok-to-test Used by openshift-ci bot. label Apr 22, 2021
@openshift-ci-robot (Collaborator)

Hi @teacup-on-rockingchair. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openscap-ci (Collaborator)

openscap-ci commented Apr 22, 2021

Changes identified:
Rules:
 set_password_hashing_algorithm_commonauth
Profiles:
 stig on sle15


Rule set_password_hashing_algorithm_commonauth:
 Bash remediation is newly added.
Profile stig on sle15:
 Rule set_password_hashing_algorithm_commonauth added to stig profile.

Recommended tests to execute:
 build_product sle15
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using bash --datastream build/ssg-sle15-ds.xml set_password_hashing_algorithm_commonauth
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-sle15-ds.xml stig

@vojtapolasek vojtapolasek self-assigned this Apr 23, 2021
@vojtapolasek (Collaborator)

/ok-to-test

@openshift-ci-robot openshift-ci-robot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Apr 23, 2021
@teacup-on-rockingchair (Contributor, Author)

/retest

@vojtapolasek (Collaborator) left a comment

Thank you for this rule. Please see review comments.
Just a note, you do not need to supply Ansible remediation and OVAL check in this case, because you use a template. That is the goal of templates - no need to write remediations or checks if they have many things in common. As you can see, the pam_options template provides oval and ansible:
https://github.com/ComplianceAsCode/content/tree/master/shared/templates/pam_options
However, if you want to supply Bash remediation, you can, because the template does not provide it.
You can read more about templates here:
https://complianceascode.readthedocs.io/en/latest/manual/developer/06_contributing_with_content.html#templating

cce@sle15: CCE-85754-0

references:
disa@sle15: CCI-000803
vojtapolasek (Collaborator):

CCIs are product independent

Suggested change
disa@sle15: CCI-000803
disa: CCI-000803

teacup-on-rockingchair (Contributor, Author):

Thanks 🙇, should be ok in edeb2c5

name: pam_options
vars:
path: /etc/pam.d/common-auth
type: password
vojtapolasek (Collaborator):

I suppose you want to check auth section, not password section.

Suggested change
type: password
type: auth

teacup-on-rockingchair (Contributor, Author):

Thanks 🙇, should be ok in edeb2c5

Thanks to @vojtapolasek for the feedback
@vojtapolasek (Collaborator)

Hello, thanks for the fixes. Could you please remove the oval and ansible remediation, as it is supplied by the template?

@vojtapolasek (Collaborator)

Just that one more reference change and the PR is good to merge. Thank you.

…ng_algorithm/set_password_hashing_algorithm_commonauth/rule.yml


Thx @vojtapolasek

Co-authored-by: vojtapolasek <krecoun@gmail.com>
@openshift-ci

openshift-ci bot commented May 3, 2021

@teacup-on-rockingchair: The following test failed, say /retest to rerun all failed tests:

Test name: ci/prow/e2e-aws-ocp4-e8
Commit: 5cdb94e
Rerun command: /test e2e-aws-ocp4-e8

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@vojtapolasek vojtapolasek merged commit 5a89d37 into ComplianceAsCode:master May 3, 2021
@yuumasato yuumasato added this to the 0.1.56 milestone May 4, 2021