
Update chronyd_or_ntpd_set_maxpoll to align with RHEL9 STIG #9507

Merged

Conversation

dahaic
Contributor

@dahaic dahaic commented Sep 12, 2022

No description provided.

@dahaic dahaic added RHEL9 Red Hat Enterprise Linux 9 product related. Update Rule Issues or pull requests related to Rules updates. STIG STIG Benchmark related. labels Sep 12, 2022

@dahaic dahaic force-pushed the stig_ht_chronyd_or_ntpd_set_maxpoll branch from f67c0ec to 82158be on September 12, 2022 13:48
@dahaic dahaic requested a review from a team as a code owner on September 12, 2022 13:48
@dahaic dahaic force-pushed the stig_ht_chronyd_or_ntpd_set_maxpoll branch from 82158be to a7a001e on September 12, 2022 13:50
@github-actions

This datastream diff is auto generated by the check Compare DS/Generate Diff.
Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_aide_installed'
--- xccdf_org.ssgproject.content_rule_package_aide_installed
+++ xccdf_org.ssgproject.content_rule_package_aide_installed
@@ -1 +1 @@
-cpe:/a:machine
+
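Review bot: the only change in this hunk drops the `cpe:/a:machine` platform from package_aide_installed and leaves the rule with no platform at all, which nothing in a PR titled as a chronyd_or_ntpd_set_maxpoll update explains; the identical one-line change repeats below for the other aide, file_audit_tools, dracut_fips, etc_system_fips and mcafeetp rules. A platform restriction limits where a rule is evaluated, so removing it widens the rule's scope to hosts that were previously excluded. Please confirm the diff base is current (this looks like a stale build being compared) or state in the PR description why the restriction is being lifted.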

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_aide_build_database'
--- xccdf_org.ssgproject.content_rule_aide_build_database
+++ xccdf_org.ssgproject.content_rule_aide_build_database
@@ -1 +1 @@
-cpe:/a:machine
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_aide_check_audit_tools'
--- xccdf_org.ssgproject.content_rule_aide_check_audit_tools
+++ xccdf_org.ssgproject.content_rule_aide_check_audit_tools
@@ -1 +1 @@
-cpe:/a:machine
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking'
--- xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
+++ xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
@@ -1 +1 @@
-cpe:/a:machine
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'
--- xccdf_org.ssgproject.content_rule_aide_scan_notification
+++ xccdf_org.ssgproject.content_rule_aide_scan_notification
@@ -1 +1 @@
-cpe:/a:machine
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_aide_use_fips_hashes'
--- xccdf_org.ssgproject.content_rule_aide_use_fips_hashes
+++ xccdf_org.ssgproject.content_rule_aide_use_fips_hashes
@@ -1 +1 @@
-cpe:/a:machine
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_aide_verify_acls'
--- xccdf_org.ssgproject.content_rule_aide_verify_acls
+++ xccdf_org.ssgproject.content_rule_aide_verify_acls
@@ -1 +1 @@
-cpe:/a:machine
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes'
--- xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
+++ xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
@@ -1 +1 @@
-cpe:/a:machine
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership'
--- xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership
+++ xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership
@@ -1 +1 @@
-cpe:/a:machine
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_audit_tools_ownership'
--- xccdf_org.ssgproject.content_rule_file_audit_tools_ownership
+++ xccdf_org.ssgproject.content_rule_file_audit_tools_ownership
@@ -1 +1 @@
-cpe:/a:machine
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_audit_tools_permissions'
--- xccdf_org.ssgproject.content_rule_file_audit_tools_permissions
+++ xccdf_org.ssgproject.content_rule_file_audit_tools_permissions
@@ -1 +1 @@
-cpe:/a:machine
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'
--- xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
+++ xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
@@ -1 +1 @@
-cpe:/a:machine
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_etc_system_fips_exists'
--- xccdf_org.ssgproject.content_rule_etc_system_fips_exists
+++ xccdf_org.ssgproject.content_rule_etc_system_fips_exists
@@ -1 +1 @@
-cpe:/a:machine
+

New datastream adds kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'.
OCIL for rule 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy' differs.
--- ocil:ssg-configure_libreswan_crypto_policy_ocil:questionnaire:1
+++ ocil:ssg-configure_libreswan_crypto_policy_ocil:questionnaire:1
@@ -1,6 +1,19 @@
-To verify that Libreswan uses the system crypto policy, run the following command:
-$ grep include /etc/ipsec.conf
-The output should return something similar to:
-include /etc/crypto-policies/back-ends/libreswan.config
- Is it the case that Libreswan is installed and <tt>/etc/ipsec.conf</tt> does not contain <tt>include /etc/crypto-policies/back-ends/libreswan.config</tt>?
+Verify that the IPSec service uses the system crypto policy.
+
+If the ipsec service is not installed is not applicable.
+
+Check to see if the "IPsec" service is active with the following command:
+
+$ systemctl status ipsec
+
+ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
+Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
+Active: inactive (dead)
+
+If the "IPsec" service is active, check to see if it is using the system crypto policy with the following command:
+
+$ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf
+
+/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config
+ Is it the case that the "IPsec" service is active and the ipsec configuration file does not contain does not contain <tt>include /etc/crypto-policies/back-ends/libreswan.config</tt>?
 
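Review bot: the new closing question reads "does not contain does not contain", and "If the ipsec service is not installed is not applicable" is missing its subject (it should say the rule is not applicable). Also, the check now greps both `/etc/ipsec.conf` and `/etc/ipsec.d/*.conf`, so the include may legitimately live in a drop-in and the output carries a filename prefix; the question should refer to the ipsec configuration files (plural) and the expected line `/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config` should be presented as one acceptable match rather than the only one.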
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_mcafeetp_installed'
--- xccdf_org.ssgproject.content_rule_package_mcafeetp_installed
+++ xccdf_org.ssgproject.content_rule_package_mcafeetp_installed
@@ -1 +1 @@
-cpe:/a:machine
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_agent_mfetpd_running'
--- xccdf_org.ssgproject.content_rule_agent_mfetpd_running
+++ xccdf_org.ssgproject.content_rule_agent_mfetpd_running
@@ -1 +1 @@
-cpe:/a:machine
+

OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_boot' differs.
--- ocil:ssg-partition_for_boot_ocil:questionnaire:1
+++ ocil:ssg-partition_for_boot_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /boot
-is on its own partition or logical volume:
-$ mount | grep "on /boot"
-If /boot has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /boot with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /boot
+
+ Is it the case that "/boot is not a mountpoint" is returned?
 
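Review bot: the new check hinges on the literal output string "/boot is not a mountpoint"; `mountpoint` also exits non-zero in that case, which is the more reliable signal for anyone scripting this questionnaire, so consider phrasing the question around the command failing as well as the text. The move away from `mount | grep "on /boot"` is an improvement in itself, since that pattern also matched nested mounts such as /boot/efi. The same wording change is repeated below for /home, /opt, /srv, /tmp, /usr, /var, /var/log, /var/log/audit and /var/tmp, and this comment applies to each of those hunks.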
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_home' differs.
--- ocil:ssg-partition_for_home_ocil:questionnaire:1
+++ ocil:ssg-partition_for_home_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /home
-is on its own partition or logical volume:
-$ mount | grep "on /home"
-If /home has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /home with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /home
+
+ Is it the case that "/home is not a mountpoint" is returned?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_opt' differs.
--- ocil:ssg-partition_for_opt_ocil:questionnaire:1
+++ ocil:ssg-partition_for_opt_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /opt
-is on its own partition or logical volume:
-$ mount | grep "on /opt"
-If /opt has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /opt with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /opt
+
+ Is it the case that "/opt is not a mountpoint" is returned?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_srv' differs.
--- ocil:ssg-partition_for_srv_ocil:questionnaire:1
+++ ocil:ssg-partition_for_srv_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /srv
-is on its own partition or logical volume:
-$ mount | grep "on /srv"
-If /srv has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /srv with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /srv
+
+ Is it the case that "/srv is not a mountpoint" is returned?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_tmp' differs.
--- ocil:ssg-partition_for_tmp_ocil:questionnaire:1
+++ ocil:ssg-partition_for_tmp_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /tmp
-is on its own partition or logical volume:
-$ mount | grep "on /tmp"
-If /tmp has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /tmp with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /tmp
+
+ Is it the case that "/tmp is not a mountpoint" is returned?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_usr' differs.
--- ocil:ssg-partition_for_usr_ocil:questionnaire:1
+++ ocil:ssg-partition_for_usr_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /usr
-is on its own partition or logical volume:
-$ mount | grep "on /usr"
-If /usr has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /usr with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /usr
+
+ Is it the case that "/usr is not a mountpoint" is returned?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_var' differs.
--- ocil:ssg-partition_for_var_ocil:questionnaire:1
+++ ocil:ssg-partition_for_var_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /var
-is on its own partition or logical volume:
-$ mount | grep "on /var"
-If /var has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /var with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /var
+
+ Is it the case that "/var is not a mountpoint" is returned?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log' differs.
--- ocil:ssg-partition_for_var_log_ocil:questionnaire:1
+++ ocil:ssg-partition_for_var_log_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /var/log
-is on its own partition or logical volume:
-$ mount | grep "on /var/log"
-If /var/log has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /var/log with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /var/log
+
+ Is it the case that "/var/log is not a mountpoint" is returned?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log_audit' differs.
--- ocil:ssg-partition_for_var_log_audit_ocil:questionnaire:1
+++ ocil:ssg-partition_for_var_log_audit_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /var/log/audit
-is on its own partition or logical volume:
-$ mount | grep "on /var/log/audit"
-If /var/log/audit has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /var/log/audit with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /var/log/audit
+
+ Is it the case that "/var/log/audit is not a mountpoint" is returned?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp' differs.
--- ocil:ssg-partition_for_var_tmp_ocil:questionnaire:1
+++ ocil:ssg-partition_for_var_tmp_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /var/tmp
-is on its own partition or logical volume:
-$ mount | grep "on /var/tmp"
-If /var/tmp has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /var/tmp with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /var/tmp
+
+ Is it the case that "/var/tmp is not a mountpoint" is returned?
 
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_gdm_removed'
--- xccdf_org.ssgproject.content_rule_package_gdm_removed
+++ xccdf_org.ssgproject.content_rule_package_gdm_removed
@@ -1 +1 @@
-cpe:/a:gdm
+
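Review bot: dropping `cpe:/a:gdm` from package_gdm_removed, and from the gnome_gdm_disable_xdmcp, dconf_gnome_screensaver, dconf_gnome_banner_enabled and dconf_gnome_login_banner_text rules that follow, makes those rules applicable on hosts without GDM. For package_gdm_removed that is defensible (the rule wants the package absent), but the dconf rules would then report a finding on every headless server. Please confirm this is intended and not an artefact of comparing against an older datastream.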

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp'
--- xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp
+++ xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp
@@ -1 +1 @@
-cpe:/a:gdm
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked'
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked
@@ -1 +1 @@
-cpe:/a:gdm
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked'
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked
@@ -1 +1 @@
-cpe:/a:gdm
+

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudoers_default_includedir'.
--- xccdf_org.ssgproject.content_rule_sudoers_default_includedir
+++ xccdf_org.ssgproject.content_rule_sudoers_default_includedir
@@ -10,7 +10,8 @@
 or that no drop-in file is included.
 Either the /etc/sudoers should contain only one #includedir directive pointing to
 /etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories;
-Or the /etc/sudoers should not contain any #include or #includedir directives.
+Or the /etc/sudoers should not contain any #include,
+@include, #includedir or @includedir directives.
 Note that the '#' character doesn't denote a comment in the configuration file.
 
 [reference]:
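Review bot: the description now lists `#include`, `@include`, `#includedir` and `@includedir` as the directives that must not appear, so the bash and ansible remediations later in this diff need to remove all four forms; the bash hunk below only deletes `#include` and `@includedir` lines from /etc/sudoers. Minor: "Or" in the middle of the sentence should be lower-case.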

OVAL for rule 'xccdf_org.ssgproject.content_rule_sudoers_default_includedir' differs.
--- oval:ssg-sudoers_default_includedir:def:1
+++ oval:ssg-sudoers_default_includedir:def:1
@@ -5,4 +5,5 @@
 criteria AND
 criterion oval:ssg-test_sudoers_default_includedir:tst:1
 criterion oval:ssg-test_sudoers_without_include:tst:1
+criterion oval:ssg-test_sudoers_without_includedir_new:tst:1
 criterion oval:ssg-test_sudoersd_without_includes:tst:1
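Review bot: `oval:ssg-test_sudoers_without_includedir_new:tst:1` is not a descriptive test name; if it covers the `@include`/`@includedir` spellings, say so in the name. Since the surrounding criteria is an AND, please also confirm the new test is written as "no such line exists" (like the existing `sudoers_without_include` test it sits next to) rather than "a line matches", otherwise the definition can never pass on a correctly configured system.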

OCIL for rule 'xccdf_org.ssgproject.content_rule_sudoers_default_includedir' differs.
--- ocil:ssg-sudoers_default_includedir_ocil:questionnaire:1
+++ ocil:ssg-sudoers_default_includedir_ocil:questionnaire:1
@@ -1,6 +1,6 @@
 To determine whether sudo command includes configuration files from the appropriate directory,
 run the following command:
-$ sudo grep -rP '^#include(dir)?' /etc/sudoers /etc/sudoers.d
+$ sudo grep -rP '^[#@]include(dir)?' /etc/sudoers /etc/sudoers.d
 If only the line /etc/sudoers:#includedir /etc/sudoers.d is returned, then the drop-in include configuration is set correctly.
 Any other line returned is a finding.
 Is it the case that the /etc/sudoers doesn't include /etc/sudores.d or includes other directories??
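Review bot: the grep now matches `@includedir` as well, but the sentence after it still says that only `/etc/sudoers:#includedir /etc/sudoers.d` is acceptable and "Any other line returned is a finding", so a sudoers that uses `@includedir /etc/sudoers.d` (the form newer sudo releases write) would be marked as a finding by the text while passing the OVAL. State that either `#includedir /etc/sudoers.d` or `@includedir /etc/sudoers.d` is the expected single line. While this questionnaire is being edited, also fix "sudores.d" and the doubled "??" in the closing question.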

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sudoers_default_includedir' differs.
--- xccdf_org.ssgproject.content_rule_sudoers_default_includedir
+++ xccdf_org.ssgproject.content_rule_sudoers_default_includedir
@@ -3,7 +3,7 @@
 sudoers_config_dir="/etc/sudoers.d"
 sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
 if [ "$sudoers_includedir_count" -gt 1 ]; then
- sed -i "/#includedir.*/d" "$sudoers_config_file"
+ sed -i "/#includedir/d" "$sudoers_config_file"
 echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
 elif [ "$sudoers_includedir_count" -eq 0 ]; then
 echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
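Review bot: `sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")` still counts only the `#` spelling, while the check now accepts `[#@]include(dir)?`. On a sudoers whose only directive is `@includedir /etc/sudoers.d` the count is 0, the `elif` branch appends `#includedir /etc/sudoers.d`, and the remediated file ends up with two includedir directives. Count both spellings, anchored at the start of the line so commented-out copies are not counted either, e.g. `grep -cE "^[#@]includedir"`. The change from `/#includedir.*/d` to `/#includedir/d` is harmless, since a sed address already deletes the whole matching line.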
@@ -13,8 +13,8 @@
 fi
 fi
 
-sed -i "/^#include\s\+.*/d" "$sudoers_config_file"
+sed -Ei "/^#include\s/d; /^@includedir\s/d" "$sudoers_config_file"
 
-if grep -Pr "^#include(dir)? .*" "$sudoers_config_dir" ; then
- sed -i "/^#include\(dir\)\?\s\+.*/d" "$sudoers_config_dir"/*
+if grep -Pr "^[#@]include(dir)?\s" "$sudoers_config_dir" ; then
+ sed -Ei "/^[#@]include(dir)?\s/d" "$sudoers_config_dir"/*
 fi
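Review bot: `sed -Ei "/^#include\s/d; /^@includedir\s/d"` removes `#include` and `@includedir` lines from /etc/sudoers but leaves `@include <file>` untouched, while the sudoers.d loop right below uses `^[#@]include(dir)?\s` and the rule description now lists `@include` as disallowed. Use `/^[#@]include\s/d; /^@includedir\s/d` so both spellings of the plain include are dropped while the single `#includedir /etc/sudoers.d` line re-added above survives. Also note that `\s` inside an ERE is a GNU sed extension, which is fine for RHEL but worth a comment.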

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sudoers_default_includedir' differs.
--- xccdf_org.ssgproject.content_rule_sudoers_default_includedir
+++ xccdf_org.ssgproject.content_rule_sudoers_default_includedir
@@ -55,7 +55,23 @@
 lineinfile:
 path: /etc/sudoers
 create: false
- regexp: ^#include[\s]+.*$
+ regexp: ^[#@]include[\s]+.*$
+ state: absent
+ tags:
+ - CCE-86377-9
+ - DISA-STIG-RHEL-08-010379
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sudoers_default_includedir
+
+- name: Ensure sudoers doesn't have non-default includedir
+ lineinfile:
+ path: /etc/sudoers
+ create: false
+ regexp: ^@includedir[\s]+.*$
 state: absent
 tags:
 - CCE-86377-9
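Review bot: the new task is named "Ensure sudoers doesn't have non-default includedir", but its regexp `^@includedir[\s]+.*$` removes every `@includedir` line, the default `/etc/sudoers.d` path included. Either name the task for what it does, or restrict the regexp to directories other than /etc/sudoers.d, and check that the tasks preceding this hunk guarantee a `#includedir /etc/sudoers.d` line is present afterwards so the drop-in directory is not silently disconnected. The first task's widened `^[#@]include[\s]+.*$` is fine, since a plain include is never wanted.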
@@ -71,7 +87,7 @@
 find:
 path: /etc/sudoers.d
 patterns: '*'
- contains: ^#include(dir)?\s.*$
+ contains: ^[#@]include(dir)?\s.*$
 register: sudoers_d_includes
 tags:
 - CCE-86377-9
@@ -87,7 +103,7 @@
 files
 lineinfile:
 path: '{{ item.path }}'
- regexp: ^#include(dir)?\s.*$
+ regexp: ^[#@]include(dir)?\s.*$
 state: absent
 with_items: '{{ sudoers_d_includes.files }}'
 tags:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudoers_validate_passwd'.
--- xccdf_org.ssgproject.content_rule_sudoers_validate_passwd
+++ xccdf_org.ssgproject.content_rule_sudoers_validate_passwd
@@ -6,7 +6,12 @@
 The sudoers security policy requires that users authenticate themselves before they can use sudo.
 When sudoers requires authentication, it validates the invoking user's credentials.
 The expected output for:
-sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
+ sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$' 
+ Defaults !targetpw
+ Defaults !rootpw
+ Defaults !runaspw 
+or if cvtsudoers not supported:
+ sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 
 /etc/sudoers:Defaults !targetpw
 /etc/sudoers:Defaults !rootpw
 /etc/sudoers:Defaults !runaspw
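Review bot: the cvtsudoers variant here anchors the pattern with `$` (`'^Defaults !?(rootpw|targetpw|runaspw)$'`) while the OCIL variant below does not; pick one, because with the `$` a `Defaults !targetpw` followed by a trailing comment or whitespace is missed here but found there. Several of the added lines also end in trailing whitespace, which will show up in the rendered guide. The `find` fallback correctly skips names containing `.` or ending in `~`, matching what sudo itself ignores in sudoers.d, and its `--with-filename` output lines up with the `/etc/sudoers:` prefixed expected output, so that part reads well.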

OCIL for rule 'xccdf_org.ssgproject.content_rule_sudoers_validate_passwd' differs.
--- ocil:ssg-sudoers_validate_passwd_ocil:questionnaire:1
+++ ocil:ssg-sudoers_validate_passwd_ocil:questionnaire:1
@@ -1,5 +1,7 @@
 Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
- sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
+ sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)' 
+or if cvtsudoers not supported:
+ sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 
 If no results are returned, this is a finding.
 If conflicting results are returned, this is a finding.
 If "Defaults !targetpw" is not defined, this is a finding.
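Review bot: the `grep -E '^Defaults !?(rootpw|targetpw|runaspw)'` here is unanchored at the end, unlike the description text above; align the two so the guide and the questionnaire cannot disagree on the same file. Because the pattern deliberately matches both `Defaults rootpw` and `Defaults !rootpw`, the existing "If conflicting results are returned, this is a finding" line still does the right job. Minor: the capital "Verify" mid-sentence in the unchanged first line could be fixed while this text is being touched.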

New content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_authselect'.
--- xccdf_org.ssgproject.content_rule_enable_authselect
+++ xccdf_org.ssgproject.content_rule_enable_authselect
@@ -4,8 +4,14 @@
 
 [description]:
 Configure user authentication setup to use the authselect tool.
+If authselect profile is selected, the rule will enable the 'xccdf_org.ssgproject.content_value_var_authselect_profile' profile.
 
-If authselect profile is selected, the rule will enable the 'xccdf_org.ssgproject.content_value_var_authselect_profile' profile.
+[warning]:
+If the sudo authselect select command returns an error informing that the chosen
+profile cannot be selected, it is probably because PAM files have already been modified by
+the administrator. If this is the case, in order to not overwrite the desired changes made
+by the administrator, the current PAM settings should be investigated before forcing the
+selection of the chosen authselect profile.
 
 [reference]:
 BP28(R5)
@@ -63,11 +69,11 @@
 
 [rationale]:
 Authselect is a successor to authconfig.
-It is a tool to select system authentication and identity sources from a list of supported profiles
-instead of letting the administrator build the PAM stack with a tool.
+It is a tool to select system authentication and identity sources from a list of supported
+profiles instead of letting the administrator manually build the PAM stack.
 
-That way, it avoids potential breakage of configuration,
-as it ships several tested profiles that are well tested and supported and that each solve a use-case.
+That way, it avoids potential breakage of configuration, as it ships several tested profiles
+that are well tested and supported to solve different use-cases.
 
 [ident]:
 CCE-88248-0

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled'
--- xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
@@ -1 +1 @@
-cpe:/a:gdm
+

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text'
--- xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
@@ -1 +1 @@
-cpe:/a:gdm
+

OVAL for rule 'xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir' differs.
--- oval:ssg-account_password_selinux_faillock_dir:def:1
+++ oval:ssg-account_password_selinux_faillock_dir:def:1
@@ -1,2 +1,3 @@
-criteria AND
+criteria OR
 criterion oval:ssg-test_account_password_selinux_faillock_dir:tst:1
+criterion oval:ssg-test_account_password_selinux_faillock_dir_not_set:tst:1
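Review bot: switching the criteria from AND to OR and adding a `_not_set` test means the rule now passes when no pam_faillock `dir` is configured at all, which matches the bash remediation below that only prints a message in that case. It also means a host whose faillock module is missing the `dir` option entirely is reported compliant for this rule; confirm that is the intended scope (this rule checks the SELinux label of whichever directory is set, and some other rule is responsible for requiring one).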

bash remediation for rule 'xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir
+++ xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir
@@ -4,17 +4,24 @@
 #!/bin/bash
 
 FAILLOCK_CONF_FILES="/etc/security/faillock.conf /etc/pam.d/system-auth /etc/pam.d/password-auth"
+faillock_dirs=$(grep -oP "^\s*(?:auth.*pam_faillock.so.*)?dir\s*=\s*(\S+)" $FAILLOCK_CONF_FILES \
+ | sed -r 's/.*=\s*(\S+)/\1/')
 
-for dir in $(grep -oP "^\s*(?:auth.*pam_faillock.so.*)?dir\s*=\s*(\S+)" $FAILLOCK_CONF_FILES \
- | sed -r 's/.*=\s*(\S+)/\1/'); do
- if ! semanage fcontext -a -t faillog_t "$dir(/.*)?"; then
- semanage fcontext -m -t faillog_t "$dir(/.*)?"
- fi
- if [ ! -e $dir ]; then
- mkdir -p $dir
- fi
- restorecon -R -v $dir
-done
+if [ -n "$faillock_dirs" ]; then
+ for dir in $faillock_dirs; do
+ if ! semanage fcontext -a -t faillog_t "$dir(/.*)?"; then
+ semanage fcontext -m -t faillog_t "$dir(/.*)?"
+ fi
+ if [ ! -e $dir ]; then
+ mkdir -p $dir
+ fi
+ restorecon -R -v $dir
+ done
+else
+echo "
+The pam_faillock.so dir option is not set in the system.
+If this is not expected, make sure pam_faillock.so is properly configured."
+fi
 
 else
 >&2 echo 'Remediation is not applicable, nothing was done'
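Review bot: `$dir` is unquoted in `[ ! -e $dir ]`, `mkdir -p $dir` and `restorecon -R -v $dir`; the values come from a config-file regex, so please quote them now that the block is being rewritten. The new informational `echo` goes to stdout while the "Remediation is not applicable" message at the end of this hunk uses `>&2`; keep both on stderr so the remediation's stdout stays clean. Unquoted `$FAILLOCK_CONF_FILES` is intentional word splitting and fine.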

bash remediation for rule 'xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
@@ -16,11 +16,11 @@
 for pam_file in "${AUTH_FILES[@]}"
 do
 if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
- sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_deny.so.*/i auth required pam_faillock.so authfail' "$pam_file"
- sed -i --follow-symlinks '/^account.*required.*pam_unix.so.*/i account required pam_faillock.so' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
+ sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
 fi
- sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock.so)/\1required \3/g' "$pam_file"
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
 done
 fi
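Review bot: escaping the `.` in `pam_unix\.so`, `pam_deny\.so` and `pam_faillock\.so` is correct and brings the sed addresses in line with the `grep -qE` guard above them, which already used `pam_faillock\.so`. One thing the guard does not cover: each `/.../i` address inserts before every matching line, so a pam file with two `auth ... sufficient ... pam_unix.so` lines gets two `preauth silent` entries. Limiting the insert to the first match (e.g. `0,/pattern/` with GNU sed) would make the remediation idempotent in that case. The same escaping is applied to the ansible `insertbefore` patterns further down, where the change is purely mechanical.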
 AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
@@ -79,8 +79,8 @@
 else
 for pam_file in "${AUTH_FILES[@]}"
 do
- if ! grep -qE '^\s*auth.*pam_faillock.so (preauth|authfail).*audit' "$pam_file"; then
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ audit/' "$pam_file"
+ if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*audit' "$pam_file"; then
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ audit/' "$pam_file"
 fi
 done
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
@@ -82,7 +82,7 @@
 - name: Account Lockouts Must Be Logged - Check if pam_faillock.so is already enabled
 ansible.builtin.lineinfile:
 path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail)
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail)
 state: absent
 check_mode: true
 changed_when: false
@@ -93,7 +93,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: auth required pam_faillock.so preauth
- insertbefore: ^auth.*sufficient.*pam_unix.so.*
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -106,7 +106,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: auth required pam_faillock.so authfail
- insertbefore: ^auth.*required.*pam_deny.so.*
+ insertbefore: ^auth.*required.*pam_deny\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -119,7 +119,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: account required pam_faillock.so
- insertbefore: ^account.*required.*pam_unix.so.*
+ insertbefore: ^account.*required.*pam_unix\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -526,7 +526,7 @@
 is already enabled in pam files
 ansible.builtin.lineinfile:
 path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail).*audit
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail).*audit
 state: absent
 check_mode: true
 changed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
@@ -44,7 +44,7 @@
 # The control is updated only if one single line matches.
 sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "$PAM_FILE_PATH"
 else
- LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
+ LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
 if [ ! -z $LAST_MATCH_LINE ]; then
 sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "$PAM_FILE_PATH"
 else
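Review bot: `pam_pwquality\.so` is now escaped in the grep, but the sed on the unchanged line above still matches `\bpam_pwhistory.so.*` with an unescaped dot inside the same block; escape it too for consistency. Also, `[ ! -z $LAST_MATCH_LINE ]` only works by accident when the variable is empty (the test degenerates to `[ ! -z ]`); `[ -n "$LAST_MATCH_LINE" ]` says what is meant. The identical pattern recurs in the system_auth and pam_unix_remember bash hunks below, so this comment applies to those as well.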

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
@@ -229,7 +229,7 @@
 line is included in {{ pam_file_path }}'
 ansible.builtin.lineinfile:
 dest: '{{ pam_file_path }}'
- insertafter: ^password.*requisite.*pam_pwquality.so
+ insertafter: ^password.*requisite.*pam_pwquality\.so
 line: password {{ var_password_pam_remember_control_flag.split(",")[0]
 }} pam_pwhistory.so
 register: result_pam_module_add

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
@@ -44,7 +44,7 @@
 # The control is updated only if one single line matches.
 sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "$PAM_FILE_PATH"
 else
- LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
+ LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
 if [ ! -z $LAST_MATCH_LINE ]; then
 sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "$PAM_FILE_PATH"
 else

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
@@ -229,7 +229,7 @@
 is included in {{ pam_file_path }}'
 ansible.builtin.lineinfile:
 dest: '{{ pam_file_path }}'
- insertafter: ^password.*requisite.*pam_pwquality.so
+ insertafter: ^password.*requisite.*pam_pwquality\.so
 line: password {{ var_password_pam_remember_control_flag.split(",")[0]
 }} pam_pwhistory.so
 register: result_pam_module_add

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
@@ -42,7 +42,7 @@
 # The control is updated only if one single line matches.
 sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
 else
- LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
+ LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
 if [ ! -z $LAST_MATCH_LINE ]; then
 sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwhistory.so' "$PAM_FILE_PATH"
 else
@@ -101,7 +101,7 @@
 # The control is updated only if one single line matches.
 sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
 else
- LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
+ LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
 if [ ! -z $LAST_MATCH_LINE ]; then
 sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwhistory.so' "$PAM_FILE_PATH"
 else

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
@@ -215,7 +215,7 @@
 in {{ pam_file_path }}
 ansible.builtin.lineinfile:
 dest: '{{ pam_file_path }}'
- insertafter: ^password.*requisite.*pam_pwquality.so
+ insertafter: ^password.*requisite.*pam_pwquality\.so
 line: password requisite pam_pwhistory.so
 register: result_pam_module_add
 when:
@@ -483,7 +483,7 @@
 in {{ pam_file_path }}
 ansible.builtin.lineinfile:
 dest: '{{ pam_file_path }}'
- insertafter: ^password.*requisite.*pam_pwquality.so
+ insertafter: ^password.*requisite.*pam_pwquality\.so
 line: password requisite pam_pwhistory.so
 register: result_pam_module_add
 when:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -21,11 +21,11 @@
 for pam_file in "${AUTH_FILES[@]}"
 do
 if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
- sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_deny.so.*/i auth required pam_faillock.so authfail' "$pam_file"
- sed -i --follow-symlinks '/^account.*required.*pam_unix.so.*/i account required pam_faillock.so' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
+ sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
 fi
- sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock.so)/\1required \3/g' "$pam_file"
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
 done
 fi
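Review bot: the `sed -Ei` on the `+` line just before `done` runs in place without `--follow-symlinks`, unlike the three `sed -i --follow-symlinks` calls above it; where an entry of `AUTH_FILES` is a symlink (authselect-managed hosts keep `/etc/pam.d/system-auth` as a symlink), in-place sed replaces the link with a regular file. Add `--follow-symlinks` here as well.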
 AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
@@ -86,12 +86,12 @@
 else
 for pam_file in "${AUTH_FILES[@]}"
 do
- if ! grep -qE '^\s*auth.*pam_faillock.so (preauth|authfail).*deny' "$pam_file"; then
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
+ if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' "$pam_file"; then
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
 else
- sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
- sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*authfail.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
 fi
 done
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -115,7 +115,7 @@
 is already enabled
 ansible.builtin.lineinfile:
 path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail)
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail)
 state: absent
 check_mode: true
 changed_when: false
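Review bot: the regexp on the `+` line has no `^` anchor, so a commented-out `#auth required pam_faillock.so preauth` line satisfies this "already enabled" check; the bash version anchors with `^\s*auth`, and this regexp should too. The check also reads only `/etc/pam.d/system-auth` while the insert tasks below loop over a list of files, so a file other than system-auth that lacks the lines is never fixed once system-auth has them.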
@@ -126,7 +126,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: auth required pam_faillock.so preauth
- insertbefore: ^auth.*sufficient.*pam_unix.so.*
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
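Review bot: this task inserts `auth required pam_faillock.so preauth` while the bash remediation for the same rule inserts `auth required pam_faillock.so preauth silent`, and the bash presence test `grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail)'` requires `silent`; a host remediated with this playbook and later run through the bash script would get duplicate pam_faillock lines. Align the `line:` value with the bash variant. Note also that `insertbefore` appends at end of file when `^auth.*sufficient.*pam_unix\.so.*` matches nothing.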
@@ -139,7 +139,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: auth required pam_faillock.so authfail
- insertbefore: ^auth.*required.*pam_deny.so.*
+ insertbefore: ^auth.*required.*pam_deny\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -152,7 +152,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: account required pam_faillock.so
- insertbefore: ^account.*required.*pam_unix.so.*
+ insertbefore: ^account.*required.*pam_unix\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -599,7 +599,7 @@
 deny parameter is already enabled in pam files
 ansible.builtin.lineinfile:
 path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail).*deny
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail).*deny
 state: absent
 check_mode: true
 changed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
@@ -18,11 +18,11 @@
 for pam_file in "${AUTH_FILES[@]}"
 do
 if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
- sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_deny.so.*/i auth required pam_faillock.so authfail' "$pam_file"
- sed -i --follow-symlinks '/^account.*required.*pam_unix.so.*/i account required pam_faillock.so' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
+ sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
 fi
- sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock.so)/\1required \3/g' "$pam_file"
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
 done
 fi
 AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
@@ -81,9 +81,9 @@
 else
 for pam_file in "${AUTH_FILES[@]}"
 do
- if ! grep -qE '^\s*auth.*pam_faillock.so (preauth|authfail).*even_deny_root' "$pam_file"; then
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ even_deny_root/' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*authfail.*/ s/$/ even_deny_root/' "$pam_file"
+ if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root' "$pam_file"; then
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ even_deny_root/' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ even_deny_root/' "$pam_file"
 fi
 done
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
@@ -110,7 +110,7 @@
 is already enabled
 ansible.builtin.lineinfile:
 path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail)
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail)
 state: absent
 check_mode: true
 changed_when: false
@@ -121,7 +121,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: auth required pam_faillock.so preauth
- insertbefore: ^auth.*sufficient.*pam_unix.so.*
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -134,7 +134,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: auth required pam_faillock.so authfail
- insertbefore: ^auth.*required.*pam_deny.so.*
+ insertbefore: ^auth.*required.*pam_deny\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -147,7 +147,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: account required pam_faillock.so
- insertbefore: ^account.*required.*pam_unix.so.*
+ insertbefore: ^account.*required.*pam_unix\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -583,7 +583,7 @@
 even_deny_root parameter is already enabled in pam files
 ansible.builtin.lineinfile:
 path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail).*even_deny_root
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root
 state: absent
 check_mode: true
 changed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
@@ -18,11 +18,11 @@
 for pam_file in "${AUTH_FILES[@]}"
 do
 if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
- sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_deny.so.*/i auth required pam_faillock.so authfail' "$pam_file"
- sed -i --follow-symlinks '/^account.*required.*pam_unix.so.*/i account required pam_faillock.so' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
+ sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
 fi
- sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock.so)/\1required \3/g' "$pam_file"
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
 done
 fi
 
@@ -84,12 +84,12 @@
 else
 for pam_file in "${AUTH_FILES[@]}"
 do
- if ! grep -qE '^\s*auth.*pam_faillock.so (preauth|authfail).*dir' "$pam_file"; then
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ dir='"/var/log/faillock"'/' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*authfail.*/ s/$/ dir='"/var/log/faillock"'/' "$pam_file"
+ if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*dir' "$pam_file"; then
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ dir='"/var/log/faillock"'/' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ dir='"/var/log/faillock"'/' "$pam_file"
 else
- sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"/var/log/faillock"'\3/' "$pam_file"
- sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*authfail.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"/var/log/faillock"'\3/' "$pam_file"
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"/var/log/faillock"'\3/' "$pam_file"
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"/var/log/faillock"'\3/' "$pam_file"
 fi
 done
 fi
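Review bot: in the `else` branch the two `+` lines keep `\('"dir"'=\)[0-9]\+\(.*\)` from the numeric template, but the value of `dir=` is a path (`/var/log/faillock`), not digits, so an existing `dir=/some/other/path` is never rewritten and the remediation silently leaves the old directory in place. The value class for this rule needs to accept a path, e.g. `[^ ]\+`.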

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
@@ -100,7 +100,7 @@
 - name: Lock Accounts Must Persist - Check if pam_faillock.so is already enabled
 ansible.builtin.lineinfile:
 path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail)
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail)
 state: absent
 check_mode: true
 changed_when: false
@@ -111,7 +111,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: auth required pam_faillock.so preauth
- insertbefore: ^auth.*sufficient.*pam_unix.so.*
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -124,7 +124,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: auth required pam_faillock.so authfail
- insertbefore: ^auth.*required.*pam_deny.so.*
+ insertbefore: ^auth.*required.*pam_deny\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -137,7 +137,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: account required pam_faillock.so
- insertbefore: ^account.*required.*pam_unix.so.*
+ insertbefore: ^account.*required.*pam_unix\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -555,7 +555,7 @@
 enabled in pam files
 ansible.builtin.lineinfile:
 path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail).*dir
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail).*dir
 state: absent
 check_mode: true
 changed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
@@ -18,11 +18,11 @@
 for pam_file in "${AUTH_FILES[@]}"
 do
 if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
- sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_deny.so.*/i auth required pam_faillock.so authfail' "$pam_file"
- sed -i --follow-symlinks '/^account.*required.*pam_unix.so.*/i account required pam_faillock.so' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
+ sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
 fi
- sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock.so)/\1required \3/g' "$pam_file"
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
 done
 fi
 AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
@@ -81,9 +81,9 @@
 else
 for pam_file in "${AUTH_FILES[@]}"
 do
- if ! grep -qE '^\s*auth.*pam_faillock.so (preauth|authfail).*local_users_only' "$pam_file"; then
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ local_users_only/' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*authfail.*/ s/$/ local_users_only/' "$pam_file"
+ if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*local_users_only' "$pam_file"; then
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ local_users_only/' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ local_users_only/' "$pam_file"
 fi
 done
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
@@ -100,7 +100,7 @@
 is already enabled
 ansible.builtin.lineinfile:
 path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail)
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail)
 state: absent
 check_mode: true
 changed_when: false
@@ -111,7 +111,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: auth required pam_faillock.so preauth
- insertbefore: ^auth.*sufficient.*pam_unix.so.*
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -124,7 +124,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: auth required pam_faillock.so authfail
- insertbefore: ^auth.*required.*pam_deny.so.*
+ insertbefore: ^auth.*required.*pam_deny\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -137,7 +137,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: account required pam_faillock.so
- insertbefore: ^account.*required.*pam_unix.so.*
+ insertbefore: ^account.*required.*pam_unix\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -559,7 +559,7 @@
 local_users_only parameter is already enabled in pam files
 ansible.builtin.lineinfile:
 path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail).*local_users_only
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail).*local_users_only
 state: absent
 check_mode: true
 changed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
@@ -21,11 +21,11 @@
 for pam_file in "${AUTH_FILES[@]}"
 do
 if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
- sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_deny.so.*/i auth required pam_faillock.so authfail' "$pam_file"
- sed -i --follow-symlinks '/^account.*required.*pam_unix.so.*/i account required pam_faillock.so' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
+ sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
 fi
- sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock.so)/\1required \3/g' "$pam_file"
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
 done
 fi
 AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
@@ -86,12 +86,12 @@
 else
 for pam_file in "${AUTH_FILES[@]}"
 do
- if ! grep -qE '^\s*auth.*pam_faillock.so (preauth|authfail).*fail_interval' "$pam_file"; then
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*authfail.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
+ if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*fail_interval' "$pam_file"; then
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
 else
- sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file"
- sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*authfail.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file"
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file"
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file"
 fi
 done
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
@@ -107,7 +107,7 @@
 is already enabled
 ansible.builtin.lineinfile:
 path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail)
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail)
 state: absent
 check_mode: true
 changed_when: false
@@ -118,7 +118,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: auth required pam_faillock.so preauth
- insertbefore: ^auth.*sufficient.*pam_unix.so.*
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -131,7 +131,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: auth required pam_faillock.so authfail
- insertbefore: ^auth.*required.*pam_deny.so.*
+ insertbefore: ^auth.*required.*pam_deny\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -144,7 +144,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: account required pam_faillock.so
- insertbefore: ^account.*required.*pam_unix.so.*
+ insertbefore: ^account.*required.*pam_unix\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -579,7 +579,7 @@
 fail_interval parameter is already enabled in pam files
 ansible.builtin.lineinfile:
 path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail).*fail_interval
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail).*fail_interval
 state: absent
 check_mode: true
 changed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
@@ -21,11 +21,11 @@
 for pam_file in "${AUTH_FILES[@]}"
 do
 if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
- sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_deny.so.*/i auth required pam_faillock.so authfail' "$pam_file"
- sed -i --follow-symlinks '/^account.*required.*pam_unix.so.*/i account required pam_faillock.so' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
+ sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
 fi
- sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock.so)/\1required \3/g' "$pam_file"
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
 done
 fi
 AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
@@ -86,12 +86,12 @@
 else
 for pam_file in "${AUTH_FILES[@]}"
 do
- if ! grep -qE '^\s*auth.*pam_faillock.so (preauth|authfail).*unlock_time' "$pam_file"; then
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*authfail.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
+ if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*unlock_time' "$pam_file"; then
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
 else
- sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
- sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*authfail.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
 fi
 done
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
@@ -115,7 +115,7 @@
 is already enabled
 ansible.builtin.lineinfile:
 path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail)
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail)
 state: absent
 check_mode: true
 changed_when: false
@@ -126,7 +126,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: auth required pam_faillock.so preauth
- insertbefore: ^auth.*sufficient.*pam_unix.so.*
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -139,7 +139,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: auth required pam_faillock.so authfail
- insertbefore: ^auth.*required.*pam_deny.so.*
+ insertbefore: ^auth.*required.*pam_deny\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -152,7 +152,7 @@
 ansible.builtin.lineinfile:
 path: '{{ item }}'
 line: account required pam_faillock.so
- insertbefore: ^account.*required.*pam_unix.so.*
+ insertbefore: ^account.*required.*pam_unix\.so.*
 state: present
 loop:
 - /etc/pam.d/system-auth
@@ -599,7 +599,7 @@
 unlock_time parameter is already enabled in pam files
 ansible.builtin.lineinfile:
 path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail).*unlock_time
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail).*unlock_time
 state: absent
 check_mode: true
 changed_when: false

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_a

... The diff is trimmed here ...


codeclimate bot commented Sep 12, 2022

Code Climate has analyzed commit a7a001e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 40.4% (0.0% change).

View more on Code Climate.


openshift-ci bot commented Sep 12, 2022

@dahaic: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-rhcos4-high a7a001e link true /test e2e-aws-rhcos4-high
ci/prow/e2e-aws-rhcos4-moderate a7a001e link true /test e2e-aws-rhcos4-moderate

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@Mab879 Mab879 self-assigned this Sep 12, 2022
@Mab879 Mab879 added this to the 0.1.64 milestone Sep 12, 2022
Member

@Mab879 Mab879 left a comment

Thanks!

@Mab879 Mab879 merged commit e0348d5 into ComplianceAsCode:master Sep 12, 2022
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
Member

Shouldn't we care about the line lengths?

Member

I think so. We have this defined in the Style Guide. Unless there is a reasonable argument to create an exception.
