Update chronyd_or_ntpd_set_maxpoll to align with RHEL9 STIG #9507
Commits compared: f67c0ec to 82158be; 82158be to a7a001e
This datastream diff is auto generated by the check.
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_aide_installed'
--- xccdf_org.ssgproject.content_rule_package_aide_installed
+++ xccdf_org.ssgproject.content_rule_package_aide_installed
@@ -1 +1 @@
-cpe:/a:machine
+
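Review bot: dropping `cpe:/a:machine` with nothing in its place (`-cpe:/a:machine` followed by an empty `+` line) removes the platform that restricts this rule to bare-metal and virtual machines, so it would start being evaluated inside container images where an AIDE database makes no sense; the same empty-platform hunk repeats for the other AIDE, audit-tool, FIPS and McAfee rules below, and nothing in a PR about chronyd_or_ntpd_set_maxpoll explains it, so this looks like drift between the branch base and the reference datastream rather than an intended change. Suggest rebasing and regenerating the datastream diff before merge; if removing the platform is intended, it deserves its own PR with a rationale.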
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_aide_build_database'
--- xccdf_org.ssgproject.content_rule_aide_build_database
+++ xccdf_org.ssgproject.content_rule_aide_build_database
@@ -1 +1 @@
-cpe:/a:machine
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_aide_check_audit_tools'
--- xccdf_org.ssgproject.content_rule_aide_check_audit_tools
+++ xccdf_org.ssgproject.content_rule_aide_check_audit_tools
@@ -1 +1 @@
-cpe:/a:machine
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking'
--- xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
+++ xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
@@ -1 +1 @@
-cpe:/a:machine
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'
--- xccdf_org.ssgproject.content_rule_aide_scan_notification
+++ xccdf_org.ssgproject.content_rule_aide_scan_notification
@@ -1 +1 @@
-cpe:/a:machine
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_aide_use_fips_hashes'
--- xccdf_org.ssgproject.content_rule_aide_use_fips_hashes
+++ xccdf_org.ssgproject.content_rule_aide_use_fips_hashes
@@ -1 +1 @@
-cpe:/a:machine
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_aide_verify_acls'
--- xccdf_org.ssgproject.content_rule_aide_verify_acls
+++ xccdf_org.ssgproject.content_rule_aide_verify_acls
@@ -1 +1 @@
-cpe:/a:machine
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes'
--- xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
+++ xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
@@ -1 +1 @@
-cpe:/a:machine
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership'
--- xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership
+++ xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership
@@ -1 +1 @@
-cpe:/a:machine
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_audit_tools_ownership'
--- xccdf_org.ssgproject.content_rule_file_audit_tools_ownership
+++ xccdf_org.ssgproject.content_rule_file_audit_tools_ownership
@@ -1 +1 @@
-cpe:/a:machine
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_audit_tools_permissions'
--- xccdf_org.ssgproject.content_rule_file_audit_tools_permissions
+++ xccdf_org.ssgproject.content_rule_file_audit_tools_permissions
@@ -1 +1 @@
-cpe:/a:machine
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'
--- xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
+++ xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
@@ -1 +1 @@
-cpe:/a:machine
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_etc_system_fips_exists'
--- xccdf_org.ssgproject.content_rule_etc_system_fips_exists
+++ xccdf_org.ssgproject.content_rule_etc_system_fips_exists
@@ -1 +1 @@
-cpe:/a:machine
+
New datastream adds kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'.
OCIL for rule 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy' differs.
--- ocil:ssg-configure_libreswan_crypto_policy_ocil:questionnaire:1
+++ ocil:ssg-configure_libreswan_crypto_policy_ocil:questionnaire:1
@@ -1,6 +1,19 @@
-To verify that Libreswan uses the system crypto policy, run the following command:
-$ grep include /etc/ipsec.conf
-The output should return something similar to:
-include /etc/crypto-policies/back-ends/libreswan.config
- Is it the case that Libreswan is installed and <tt>/etc/ipsec.conf</tt> does not contain <tt>include /etc/crypto-policies/back-ends/libreswan.config</tt>?
+Verify that the IPSec service uses the system crypto policy.
+
+If the ipsec service is not installed is not applicable.
+
+Check to see if the "IPsec" service is active with the following command:
+
+$ systemctl status ipsec
+
+ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
+Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
+Active: inactive (dead)
+
+If the "IPsec" service is active, check to see if it is using the system crypto policy with the following command:
+
+$ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf
+
+/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config
+ Is it the case that the "IPsec" service is active and the ipsec configuration file does not contain does not contain <tt>include /etc/crypto-policies/back-ends/libreswan.config</tt>?
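Review bot: the new question line repeats itself ("does not contain does not contain") and the applicability sentence "If the ipsec service is not installed is not applicable." has no subject; suggest "If the ipsec service is not installed, this rule is not applicable." and "...the ipsec configuration files do not contain `include /etc/crypto-policies/back-ends/libreswan.config`". The grep now covers `/etc/ipsec.conf /etc/ipsec.d/*.conf`, so the question should speak of the configuration files in the plural to match the command it refers to.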
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_mcafeetp_installed'
--- xccdf_org.ssgproject.content_rule_package_mcafeetp_installed
+++ xccdf_org.ssgproject.content_rule_package_mcafeetp_installed
@@ -1 +1 @@
-cpe:/a:machine
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_agent_mfetpd_running'
--- xccdf_org.ssgproject.content_rule_agent_mfetpd_running
+++ xccdf_org.ssgproject.content_rule_agent_mfetpd_running
@@ -1 +1 @@
-cpe:/a:machine
+
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_boot' differs.
--- ocil:ssg-partition_for_boot_ocil:questionnaire:1
+++ ocil:ssg-partition_for_boot_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /boot
-is on its own partition or logical volume:
-$ mount | grep "on /boot"
-If /boot has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /boot with the following command:
- Is it the case that no line is returned?
+$ mountpoint /boot
+
+ Is it the case that "/boot is not a mountpoint" is returned?
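Review bot: the new question keys on the literal "/boot is not a mountpoint" message, but when the directory does not exist `mountpoint` reports "No such file or directory" instead (also with a non-zero exit), so a system with no /boot directory at all would not match the failure text; suggest phrasing the question on anything other than "/boot is a mountpoint" being returned, or on the exit status. On the plus side, the old `mount | grep "on /boot"` was a substring match that also accepted a mounted `/boot/efi`, which `mountpoint` does not. The same applies to the /home, /opt, /srv, /tmp, /usr, /var, /var/log, /var/log/audit and /var/tmp hunks below.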
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_home' differs.
--- ocil:ssg-partition_for_home_ocil:questionnaire:1
+++ ocil:ssg-partition_for_home_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /home
-is on its own partition or logical volume:
-$ mount | grep "on /home"
-If /home has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /home with the following command:
- Is it the case that no line is returned?
+$ mountpoint /home
+
+ Is it the case that "/home is not a mountpoint" is returned?
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_opt' differs.
--- ocil:ssg-partition_for_opt_ocil:questionnaire:1
+++ ocil:ssg-partition_for_opt_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /opt
-is on its own partition or logical volume:
-$ mount | grep "on /opt"
-If /opt has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /opt with the following command:
- Is it the case that no line is returned?
+$ mountpoint /opt
+
+ Is it the case that "/opt is not a mountpoint" is returned?
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_srv' differs.
--- ocil:ssg-partition_for_srv_ocil:questionnaire:1
+++ ocil:ssg-partition_for_srv_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /srv
-is on its own partition or logical volume:
-$ mount | grep "on /srv"
-If /srv has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /srv with the following command:
- Is it the case that no line is returned?
+$ mountpoint /srv
+
+ Is it the case that "/srv is not a mountpoint" is returned?
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_tmp' differs.
--- ocil:ssg-partition_for_tmp_ocil:questionnaire:1
+++ ocil:ssg-partition_for_tmp_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /tmp
-is on its own partition or logical volume:
-$ mount | grep "on /tmp"
-If /tmp has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /tmp with the following command:
- Is it the case that no line is returned?
+$ mountpoint /tmp
+
+ Is it the case that "/tmp is not a mountpoint" is returned?
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_usr' differs.
--- ocil:ssg-partition_for_usr_ocil:questionnaire:1
+++ ocil:ssg-partition_for_usr_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /usr
-is on its own partition or logical volume:
-$ mount | grep "on /usr"
-If /usr has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /usr with the following command:
- Is it the case that no line is returned?
+$ mountpoint /usr
+
+ Is it the case that "/usr is not a mountpoint" is returned?
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_var' differs.
--- ocil:ssg-partition_for_var_ocil:questionnaire:1
+++ ocil:ssg-partition_for_var_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /var
-is on its own partition or logical volume:
-$ mount | grep "on /var"
-If /var has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /var with the following command:
- Is it the case that no line is returned?
+$ mountpoint /var
+
+ Is it the case that "/var is not a mountpoint" is returned?
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log' differs.
--- ocil:ssg-partition_for_var_log_ocil:questionnaire:1
+++ ocil:ssg-partition_for_var_log_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /var/log
-is on its own partition or logical volume:
-$ mount | grep "on /var/log"
-If /var/log has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /var/log with the following command:
- Is it the case that no line is returned?
+$ mountpoint /var/log
+
+ Is it the case that "/var/log is not a mountpoint" is returned?
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log_audit' differs.
--- ocil:ssg-partition_for_var_log_audit_ocil:questionnaire:1
+++ ocil:ssg-partition_for_var_log_audit_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /var/log/audit
-is on its own partition or logical volume:
-$ mount | grep "on /var/log/audit"
-If /var/log/audit has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /var/log/audit with the following command:
- Is it the case that no line is returned?
+$ mountpoint /var/log/audit
+
+ Is it the case that "/var/log/audit is not a mountpoint" is returned?
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp' differs.
--- ocil:ssg-partition_for_var_tmp_ocil:questionnaire:1
+++ ocil:ssg-partition_for_var_tmp_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /var/tmp
-is on its own partition or logical volume:
-$ mount | grep "on /var/tmp"
-If /var/tmp has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /var/tmp with the following command:
- Is it the case that no line is returned?
+$ mountpoint /var/tmp
+
+ Is it the case that "/var/tmp is not a mountpoint" is returned?
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_gdm_removed'
--- xccdf_org.ssgproject.content_rule_package_gdm_removed
+++ xccdf_org.ssgproject.content_rule_package_gdm_removed
@@ -1 +1 @@
-cpe:/a:gdm
+
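Review bot: as with the `cpe:/a:machine` hunks above, `cpe:/a:gdm` is dropped here and for the three gdm/dconf rules that follow with nothing replacing it; if that platform is what keeps these rules from being evaluated on systems without gdm, removing it changes which hosts the dconf screensaver rules report on. Confirm this is intentional rather than an artifact of the diff base.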
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp'
--- xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp
+++ xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp
@@ -1 +1 @@
-cpe:/a:gdm
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked'
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked
@@ -1 +1 @@
-cpe:/a:gdm
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked'
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked
@@ -1 +1 @@
-cpe:/a:gdm
+
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudoers_default_includedir'.
--- xccdf_org.ssgproject.content_rule_sudoers_default_includedir
+++ xccdf_org.ssgproject.content_rule_sudoers_default_includedir
@@ -10,7 +10,8 @@
or that no drop-in file is included.
Either the /etc/sudoers should contain only one #includedir directive pointing to
/etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories;
-Or the /etc/sudoers should not contain any #include or #includedir directives.
+Or the /etc/sudoers should not contain any #include,
+@include, #includedir or @includedir directives.
Note that the '#' character doesn't denote a comment in the configuration file.
[reference]:
OVAL for rule 'xccdf_org.ssgproject.content_rule_sudoers_default_includedir' differs.
--- oval:ssg-sudoers_default_includedir:def:1
+++ oval:ssg-sudoers_default_includedir:def:1
@@ -5,4 +5,5 @@
criteria AND
criterion oval:ssg-test_sudoers_default_includedir:tst:1
criterion oval:ssg-test_sudoers_without_include:tst:1
+criterion oval:ssg-test_sudoers_without_includedir_new:tst:1
criterion oval:ssg-test_sudoersd_without_includes:tst:1
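Review bot: the added criterion's name `test_sudoers_without_includedir_new` says nothing about what it tests beyond being newer than `test_sudoers_without_include`; since the surrounding changes add `@include`/`@includedir` handling, name it after the directive it checks (for example `test_sudoers_without_at_includedir`) so the ANDed criteria read as a checklist.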
OCIL for rule 'xccdf_org.ssgproject.content_rule_sudoers_default_includedir' differs.
--- ocil:ssg-sudoers_default_includedir_ocil:questionnaire:1
+++ ocil:ssg-sudoers_default_includedir_ocil:questionnaire:1
@@ -1,6 +1,6 @@
To determine whether sudo command includes configuration files from the appropriate directory,
run the following command:
-$ sudo grep -rP '^#include(dir)?' /etc/sudoers /etc/sudoers.d
+$ sudo grep -rP '^[#@]include(dir)?' /etc/sudoers /etc/sudoers.d
If only the line /etc/sudoers:#includedir /etc/sudoers.d is returned, then the drop-in include configuration is set correctly.
Any other line returned is a finding.
Is it the case that the /etc/sudoers doesn't include /etc/sudores.d or includes other directories??
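Review bot: the question line in the trailing context still reads "/etc/sudores.d" and ends in "??"; fix it while this OCIL is being touched. Also, now that the grep matches `^[#@]include(dir)?`, a system using the `@includedir /etc/sudoers.d` spelling will return `/etc/sudoers:@includedir /etc/sudoers.d`, which the unchanged sentence "If only the line /etc/sudoers:#includedir /etc/sudoers.d is returned..." treats as a finding; either accept both spellings there or state explicitly that only the `#includedir` form is compliant, which is what the bash and ansible remediations in this diff enforce.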
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sudoers_default_includedir' differs.
--- xccdf_org.ssgproject.content_rule_sudoers_default_includedir
+++ xccdf_org.ssgproject.content_rule_sudoers_default_includedir
@@ -3,7 +3,7 @@
sudoers_config_dir="/etc/sudoers.d"
sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
if [ "$sudoers_includedir_count" -gt 1 ]; then
- sed -i "/#includedir.*/d" "$sudoers_config_file"
+ sed -i "/#includedir/d" "$sudoers_config_file"
echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
elif [ "$sudoers_includedir_count" -eq 0 ]; then
echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
@@ -13,8 +13,8 @@
fi
fi
-sed -i "/^#include\s\+.*/d" "$sudoers_config_file"
+sed -Ei "/^#include\s/d; /^@includedir\s/d" "$sudoers_config_file"
-if grep -Pr "^#include(dir)? .*" "$sudoers_config_dir" ; then
- sed -i "/^#include\(dir\)\?\s\+.*/d" "$sudoers_config_dir"/*
+if grep -Pr "^[#@]include(dir)?\s" "$sudoers_config_dir" ; then
+ sed -Ei "/^[#@]include(dir)?\s/d" "$sudoers_config_dir"/*
fi
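Review bot: the new `sed -Ei "/^#include\s/d; /^@includedir\s/d"` removes `#include` and `@includedir` lines from /etc/sudoers but not `@include`, even though the updated description lists `@include` among the forbidden directives, the OCIL grep `^[#@]include(dir)?` flags it, and the ansible task's regexp `^[#@]include[\s]+.*$` removes it; suggest `/^[#@]include\s/d; /^@includedir\s/d` so the bash remediation reaches the same end state. Minor: `grep -c "#includedir"` a few lines up only counts the `#` spelling, so a file holding a single `@includedir /etc/sudoers.d` takes the `-eq 0` branch, gains a `#includedir /etc/sudoers.d` line, and then loses the `@includedir` line to the later sed; that is the intended end state, but a comment would save the next reader from tracing it.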
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sudoers_default_includedir' differs.
--- xccdf_org.ssgproject.content_rule_sudoers_default_includedir
+++ xccdf_org.ssgproject.content_rule_sudoers_default_includedir
@@ -55,7 +55,23 @@
lineinfile:
path: /etc/sudoers
create: false
- regexp: ^#include[\s]+.*$
+ regexp: ^[#@]include[\s]+.*$
+ state: absent
+ tags:
+ - CCE-86377-9
+ - DISA-STIG-RHEL-08-010379
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sudoers_default_includedir
+
+- name: Ensure sudoers doesn't have non-default includedir
+ lineinfile:
+ path: /etc/sudoers
+ create: false
+ regexp: ^@includedir[\s]+.*$
state: absent
tags:
- CCE-86377-9
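Review bot: the new task named "Ensure sudoers doesn't have non-default includedir" removes every `@includedir` line (regexp `^@includedir[\s]+.*$`), including `@includedir /etc/sudoers.d`; rename it to say what it does (for example "Remove @includedir directives from /etc/sudoers") or narrow the regexp if the default directory is meant to survive.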
@@ -71,7 +87,7 @@
find:
path: /etc/sudoers.d
patterns: '*'
- contains: ^#include(dir)?\s.*$
+ contains: ^[#@]include(dir)?\s.*$
register: sudoers_d_includes
tags:
- CCE-86377-9
@@ -87,7 +103,7 @@
files
lineinfile:
path: '{{ item.path }}'
- regexp: ^#include(dir)?\s.*$
+ regexp: ^[#@]include(dir)?\s.*$
state: absent
with_items: '{{ sudoers_d_includes.files }}'
tags:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudoers_validate_passwd'.
--- xccdf_org.ssgproject.content_rule_sudoers_validate_passwd
+++ xccdf_org.ssgproject.content_rule_sudoers_validate_passwd
@@ -6,7 +6,12 @@
The sudoers security policy requires that users authenticate themselves before they can use sudo.
When sudoers requires authentication, it validates the invoking user's credentials.
The expected output for:
-sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
+ sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$'
+ Defaults !targetpw
+ Defaults !rootpw
+ Defaults !runaspw
+or if cvtsudoers not supported:
+ sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \;
/etc/sudoers:Defaults !targetpw
/etc/sudoers:Defaults !rootpw
/etc/sudoers:Defaults !runaspw
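Review bot: the description anchors the cvtsudoers pattern with `$` (`'^Defaults !?(rootpw|targetpw|runaspw)$'`) while the OCIL version of the same command further down drops the anchor; the two should be identical. Note also that the fallback regex allows the option anywhere on a `Defaults` line via `(.*[[:blank:]])?`, whereas the cvtsudoers pattern requires it first; sudoers accepts comma-separated `Defaults` options on one line, so confirm that `cvtsudoers -f sudoers` emits one option per line as the expected output assumes, or loosen the pattern the same way. "or if cvtsudoers not supported:" reads better as "or, if cvtsudoers is not available:".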
OCIL for rule 'xccdf_org.ssgproject.content_rule_sudoers_validate_passwd' differs.
--- ocil:ssg-sudoers_validate_passwd_ocil:questionnaire:1
+++ ocil:ssg-sudoers_validate_passwd_ocil:questionnaire:1
@@ -1,5 +1,7 @@
Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
- sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
+ sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)'
+or if cvtsudoers not supported:
+ sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \;
If no results are returned, this is a finding.
If conflicting results are returned, this is a finding.
If "Defaults !targetpw" is not defined, this is a finding.
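Review bot: the fallback command's `\! -name '*.*'` filter skips drop-in files containing a dot, mirroring sudo's own includedir rule, but the `cvtsudoers -f sudoers /etc/sudoers` branch relies on cvtsudoers expanding the include directives itself; a sentence saying that both forms cover /etc/sudoers.d would help auditors who only see one line of output. Also "to Verify" in the first line should be lower case.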
New content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_authselect'.
--- xccdf_org.ssgproject.content_rule_enable_authselect
+++ xccdf_org.ssgproject.content_rule_enable_authselect
@@ -4,8 +4,14 @@
[description]:
Configure user authentication setup to use the authselect tool.
+If authselect profile is selected, the rule will enable the 'xccdf_org.ssgproject.content_value_var_authselect_profile' profile.
-If authselect profile is selected, the rule will enable the 'xccdf_org.ssgproject.content_value_var_authselect_profile' profile.
+[warning]:
+If the sudo authselect select command returns an error informing that the chosen
+profile cannot be selected, it is probably because PAM files have already been modified by
+the administrator. If this is the case, in order to not overwrite the desired changes made
+by the administrator, the current PAM settings should be investigated before forcing the
+selection of the chosen authselect profile.
[reference]:
BP28(R5)
@@ -63,11 +69,11 @@
[rationale]:
Authselect is a successor to authconfig.
-It is a tool to select system authentication and identity sources from a list of supported profiles
-instead of letting the administrator build the PAM stack with a tool.
+It is a tool to select system authentication and identity sources from a list of supported
+profiles instead of letting the administrator manually build the PAM stack.
-That way, it avoids potential breakage of configuration,
-as it ships several tested profiles that are well tested and supported and that each solve a use-case.
+That way, it avoids potential breakage of configuration, as it ships several tested profiles
+that are well tested and supported to solve different use-cases.
[ident]:
CCE-88248-0
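Review bot: the reworded rationale still says "ships several tested profiles that are well tested and supported"; since this hunk is already reflowing these lines, drop the first "tested" (for example "ships several profiles that are well tested and supported, each solving a different use case").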
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled'
--- xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
@@ -1 +1 @@
-cpe:/a:gdm
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text'
--- xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
@@ -1 +1 @@
-cpe:/a:gdm
+
OVAL for rule 'xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir' differs.
--- oval:ssg-account_password_selinux_faillock_dir:def:1
+++ oval:ssg-account_password_selinux_faillock_dir:def:1
@@ -1,2 +1,3 @@
-criteria AND
+criteria OR
criterion oval:ssg-test_account_password_selinux_faillock_dir:tst:1
+criterion oval:ssg-test_account_password_selinux_faillock_dir_not_set:tst:1
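Review bot: switching the top-level `criteria` from AND to OR and adding `..._not_set` means the rule now passes outright when no `dir=` option is configured, leaving the default tally directory (`/var/run/faillock` per pam_faillock) unchecked; that is defensible because the default location already carries the policy's context, but the rule description should say that the SELinux check applies only to a custom dir, and the `_not_set` test should use the same `^\s*(?:auth.*pam_faillock.so.*)?dir\s*=` pattern as the bash remediation's grep so the two agree on what "not set" means.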
bash remediation for rule 'xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir
+++ xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir
@@ -4,17 +4,24 @@
#!/bin/bash
FAILLOCK_CONF_FILES="/etc/security/faillock.conf /etc/pam.d/system-auth /etc/pam.d/password-auth"
+faillock_dirs=$(grep -oP "^\s*(?:auth.*pam_faillock.so.*)?dir\s*=\s*(\S+)" $FAILLOCK_CONF_FILES \
+ | sed -r 's/.*=\s*(\S+)/\1/')
-for dir in $(grep -oP "^\s*(?:auth.*pam_faillock.so.*)?dir\s*=\s*(\S+)" $FAILLOCK_CONF_FILES \
- | sed -r 's/.*=\s*(\S+)/\1/'); do
- if ! semanage fcontext -a -t faillog_t "$dir(/.*)?"; then
- semanage fcontext -m -t faillog_t "$dir(/.*)?"
- fi
- if [ ! -e $dir ]; then
- mkdir -p $dir
- fi
- restorecon -R -v $dir
-done
+if [ -n "$faillock_dirs" ]; then
+ for dir in $faillock_dirs; do
+ if ! semanage fcontext -a -t faillog_t "$dir(/.*)?"; then
+ semanage fcontext -m -t faillog_t "$dir(/.*)?"
+ fi
+ if [ ! -e $dir ]; then
+ mkdir -p $dir
+ fi
+ restorecon -R -v $dir
+ done
+else
+echo "
+The pam_faillock.so dir option is not set in the system.
+If this is not expected, make sure pam_faillock.so is properly configured."
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
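Review bot: the new else-branch message (`echo "` followed by a newline and two lines of text) goes to stdout with a leading blank line, while the sibling "Remediation is not applicable" message two lines down uses `>&2 echo`; send this informational message to stderr the same way and on one line so scanner output stays parseable. The restructuring itself is sound: computing `$faillock_dirs` once and guarding with `[ -n "$faillock_dirs" ]` makes the unset case explicit instead of a silent empty loop. Pre-existing but worth fixing while here: `$dir` is unquoted in `[ ! -e $dir ]`, `mkdir -p $dir` and `restorecon -R -v $dir`.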
bash remediation for rule 'xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
@@ -16,11 +16,11 @@
for pam_file in "${AUTH_FILES[@]}"
do
if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
- sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_deny.so.*/i auth required pam_faillock.so authfail' "$pam_file"
- sed -i --follow-symlinks '/^account.*required.*pam_unix.so.*/i account required pam_faillock.so' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
+ sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
fi
- sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock.so)/\1required \3/g' "$pam_file"
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
done
fi
AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
@@ -79,8 +79,8 @@
else
for pam_file in "${AUTH_FILES[@]}"
do
- if ! grep -qE '^\s*auth.*pam_faillock.so (preauth|authfail).*audit' "$pam_file"; then
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ audit/' "$pam_file"
+ if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*audit' "$pam_file"; then
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ audit/' "$pam_file"
fi
done
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
@@ -82,7 +82,7 @@
- name: Account Lockouts Must Be Logged - Check if pam_faillock.so is already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail)
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
@@ -93,7 +93,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
- insertbefore: ^auth.*sufficient.*pam_unix.so.*
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -106,7 +106,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
- insertbefore: ^auth.*required.*pam_deny.so.*
+ insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -119,7 +119,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
- insertbefore: ^account.*required.*pam_unix.so.*
+ insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -526,7 +526,7 @@
is already enabled in pam files
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail).*audit
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail).*audit
state: absent
check_mode: true
changed_when: false
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
@@ -44,7 +44,7 @@
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "$PAM_FILE_PATH"
else
- LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
+ LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
if [ ! -z $LAST_MATCH_LINE ]; then
sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "$PAM_FILE_PATH"
else
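Review bot: this hunk escapes the dot in `pam_pwquality\.so`, but the sed two lines up in the same context still matches `\bpam_pwhistory.so` with an unescaped dot, and `[ ! -z $LAST_MATCH_LINE ]` leaves the variable unquoted (it only survives the empty case because `[ ! -z ]` degenerates to a one-argument string test); suggest `\bpam_pwhistory\.so` and `[ -n "$LAST_MATCH_LINE" ]` here and in the matching pam_pwhistory_remember_system_auth and pam_unix_remember hunks below.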
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
@@ -229,7 +229,7 @@
line is included in {{ pam_file_path }}'
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
- insertafter: ^password.*requisite.*pam_pwquality.so
+ insertafter: ^password.*requisite.*pam_pwquality\.so
line: password {{ var_password_pam_remember_control_flag.split(",")[0]
}} pam_pwhistory.so
register: result_pam_module_add
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
@@ -44,7 +44,7 @@
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "$PAM_FILE_PATH"
else
- LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
+ LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
if [ ! -z $LAST_MATCH_LINE ]; then
sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "$PAM_FILE_PATH"
else
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
@@ -229,7 +229,7 @@
is included in {{ pam_file_path }}'
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
- insertafter: ^password.*requisite.*pam_pwquality.so
+ insertafter: ^password.*requisite.*pam_pwquality\.so
line: password {{ var_password_pam_remember_control_flag.split(",")[0]
}} pam_pwhistory.so
register: result_pam_module_add
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
@@ -42,7 +42,7 @@
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
else
- LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
+ LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
if [ ! -z $LAST_MATCH_LINE ]; then
sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwhistory.so' "$PAM_FILE_PATH"
else
@@ -101,7 +101,7 @@
# The control is updated only if one single line matches.
sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
else
- LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
+ LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
if [ ! -z $LAST_MATCH_LINE ]; then
sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwhistory.so' "$PAM_FILE_PATH"
else
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
@@ -215,7 +215,7 @@
in {{ pam_file_path }}
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
- insertafter: ^password.*requisite.*pam_pwquality.so
+ insertafter: ^password.*requisite.*pam_pwquality\.so
line: password requisite pam_pwhistory.so
register: result_pam_module_add
when:
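Review bot: `insertafter: ^password.*requisite.*pam_pwquality\.so` is a plain YAML scalar; that parses correctly (a backslash is literal in a plain scalar), but quoting it the way `dest: '{{ pam_file_path }}'` is quoted makes the regex unambiguous and matches the style of the surrounding keys. Also keep in mind that `lineinfile` appends at the end of the file when an `insertafter` regex matches nothing, which would place `pam_pwhistory.so` after `pam_deny.so`; the `when:` guard below is what has to rule that case out, so it is worth confirming it does.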
@@ -483,7 +483,7 @@
in {{ pam_file_path }}
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
- insertafter: ^password.*requisite.*pam_pwquality.so
+ insertafter: ^password.*requisite.*pam_pwquality\.so
line: password requisite pam_pwhistory.so
register: result_pam_module_add
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -21,11 +21,11 @@
for pam_file in "${AUTH_FILES[@]}"
do
if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
- sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_deny.so.*/i auth required pam_faillock.so authfail' "$pam_file"
- sed -i --follow-symlinks '/^account.*required.*pam_unix.so.*/i account required pam_faillock.so' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
+ sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
fi
- sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock.so)/\1required \3/g' "$pam_file"
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
done
fi
AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
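Review bot: the `sed -Ei` on the `[default=die]` line is the only `sed -i` in this hunk without `--follow-symlinks`; on a system where `/etc/pam.d/system-auth` is a symlink (authselect-managed hosts ship it that way), `sed -i` replaces the link with a regular file and silently detaches the file from its profile. Add `--follow-symlinks` there, as on the three lines above it.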
@@ -86,12 +86,12 @@
else
for pam_file in "${AUTH_FILES[@]}"
do
- if ! grep -qE '^\s*auth.*pam_faillock.so (preauth|authfail).*deny' "$pam_file"; then
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
+ if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' "$pam_file"; then
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
else
- sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
- sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*authfail.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
fi
done
fi
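Review bot: the guard `grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny'` also matches a line that carries `even_deny_root` but no `deny=`; such a line takes the `else` branch, whose substitution requires a literal `deny=` followed by digits, so `deny=` is never added at all. Anchoring the check on `\bdeny=` (for example `(preauth|authfail).*\bdeny=`) distinguishes it from `even_deny_root`.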
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -115,7 +115,7 @@
is already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail)
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
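Review bot: this check reads only `/etc/pam.d/system-auth`, while the insertion tasks that follow loop over `{{ item }}` across several PAM files; if `password-auth` has drifted from `system-auth`, its missing lines are never detected. Run the check per file in the same loop, or register one result per file, so the `when:` conditions see each file's real state.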
@@ -126,7 +126,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
- insertbefore: ^auth.*sufficient.*pam_unix.so.*
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
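Review bot: the line inserted here is `auth required pam_faillock.so preauth` without `silent`, while the bash remediation in this same datastream diff inserts `auth required pam_faillock.so preauth silent`. The two remediations should converge on the same line, otherwise the resulting configuration depends on which remediation path was applied.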
@@ -139,7 +139,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
- insertbefore: ^auth.*required.*pam_deny.so.*
+ insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -152,7 +152,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
- insertbefore: ^account.*required.*pam_unix.so.*
+ insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -599,7 +599,7 @@
deny parameter is already enabled in pam files
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail).*deny
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail).*deny
state: absent
check_mode: true
changed_when: false
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
@@ -18,11 +18,11 @@
for pam_file in "${AUTH_FILES[@]}"
do
if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
- sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_deny.so.*/i auth required pam_faillock.so authfail' "$pam_file"
- sed -i --follow-symlinks '/^account.*required.*pam_unix.so.*/i account required pam_faillock.so' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
+ sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
fi
- sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock.so)/\1required \3/g' "$pam_file"
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
done
fi
AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
@@ -81,9 +81,9 @@
else
for pam_file in "${AUTH_FILES[@]}"
do
- if ! grep -qE '^\s*auth.*pam_faillock.so (preauth|authfail).*even_deny_root' "$pam_file"; then
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ even_deny_root/' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*authfail.*/ s/$/ even_deny_root/' "$pam_file"
+ if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root' "$pam_file"; then
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ even_deny_root/' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ even_deny_root/' "$pam_file"
fi
done
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
@@ -110,7 +110,7 @@
is already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail)
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
@@ -121,7 +121,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
- insertbefore: ^auth.*sufficient.*pam_unix.so.*
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -134,7 +134,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
- insertbefore: ^auth.*required.*pam_deny.so.*
+ insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -147,7 +147,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
- insertbefore: ^account.*required.*pam_unix.so.*
+ insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -583,7 +583,7 @@
even_deny_root parameter is already enabled in pam files
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail).*even_deny_root
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root
state: absent
check_mode: true
changed_when: false
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
@@ -18,11 +18,11 @@
for pam_file in "${AUTH_FILES[@]}"
do
if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
- sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_deny.so.*/i auth required pam_faillock.so authfail' "$pam_file"
- sed -i --follow-symlinks '/^account.*required.*pam_unix.so.*/i account required pam_faillock.so' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
+ sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
fi
- sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock.so)/\1required \3/g' "$pam_file"
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
done
fi
@@ -84,12 +84,12 @@
else
for pam_file in "${AUTH_FILES[@]}"
do
- if ! grep -qE '^\s*auth.*pam_faillock.so (preauth|authfail).*dir' "$pam_file"; then
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ dir='"/var/log/faillock"'/' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*authfail.*/ s/$/ dir='"/var/log/faillock"'/' "$pam_file"
+ if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*dir' "$pam_file"; then
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ dir='"/var/log/faillock"'/' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ dir='"/var/log/faillock"'/' "$pam_file"
else
- sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"/var/log/faillock"'\3/' "$pam_file"
- sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*authfail.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"/var/log/faillock"'\3/' "$pam_file"
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"/var/log/faillock"'\3/' "$pam_file"
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"/var/log/faillock"'\3/' "$pam_file"
fi
done
fi
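Review bot: in the `else` branch the substitution `\('"dir"'=\)[0-9]\+\(.*\)` expects a numeric value after `dir=`, but `dir` is a path (`/var/log/faillock`), so an existing `dir=/some/other/path` is never rewritten and the remediation is a no-op in exactly the case it is meant to fix. The pattern was carried over from the numeric options (`deny`, `unlock_time`, `fail_interval`); for a path it needs something like `[^[:space:]]\+`.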
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
@@ -100,7 +100,7 @@
- name: Lock Accounts Must Persist - Check if pam_faillock.so is already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail)
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
@@ -111,7 +111,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
- insertbefore: ^auth.*sufficient.*pam_unix.so.*
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -124,7 +124,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
- insertbefore: ^auth.*required.*pam_deny.so.*
+ insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -137,7 +137,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
- insertbefore: ^account.*required.*pam_unix.so.*
+ insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -555,7 +555,7 @@
enabled in pam files
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail).*dir
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail).*dir
state: absent
check_mode: true
changed_when: false
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
@@ -18,11 +18,11 @@
for pam_file in "${AUTH_FILES[@]}"
do
if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
- sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_deny.so.*/i auth required pam_faillock.so authfail' "$pam_file"
- sed -i --follow-symlinks '/^account.*required.*pam_unix.so.*/i account required pam_faillock.so' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
+ sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
fi
- sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock.so)/\1required \3/g' "$pam_file"
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
done
fi
AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
@@ -81,9 +81,9 @@
else
for pam_file in "${AUTH_FILES[@]}"
do
- if ! grep -qE '^\s*auth.*pam_faillock.so (preauth|authfail).*local_users_only' "$pam_file"; then
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ local_users_only/' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*authfail.*/ s/$/ local_users_only/' "$pam_file"
+ if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*local_users_only' "$pam_file"; then
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ local_users_only/' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ local_users_only/' "$pam_file"
fi
done
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
@@ -100,7 +100,7 @@
is already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail)
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
@@ -111,7 +111,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
- insertbefore: ^auth.*sufficient.*pam_unix.so.*
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -124,7 +124,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
- insertbefore: ^auth.*required.*pam_deny.so.*
+ insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -137,7 +137,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
- insertbefore: ^account.*required.*pam_unix.so.*
+ insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -559,7 +559,7 @@
local_users_only parameter is already enabled in pam files
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail).*local_users_only
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail).*local_users_only
state: absent
check_mode: true
changed_when: false
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
@@ -21,11 +21,11 @@
for pam_file in "${AUTH_FILES[@]}"
do
if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
- sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_deny.so.*/i auth required pam_faillock.so authfail' "$pam_file"
- sed -i --follow-symlinks '/^account.*required.*pam_unix.so.*/i account required pam_faillock.so' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
+ sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
fi
- sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock.so)/\1required \3/g' "$pam_file"
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
done
fi
AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
@@ -86,12 +86,12 @@
else
for pam_file in "${AUTH_FILES[@]}"
do
- if ! grep -qE '^\s*auth.*pam_faillock.so (preauth|authfail).*fail_interval' "$pam_file"; then
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*authfail.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
+ if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*fail_interval' "$pam_file"; then
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
else
- sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file"
- sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*authfail.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file"
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file"
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file"
fi
done
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
@@ -107,7 +107,7 @@
is already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail)
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
@@ -118,7 +118,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
- insertbefore: ^auth.*sufficient.*pam_unix.so.*
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -131,7 +131,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
- insertbefore: ^auth.*required.*pam_deny.so.*
+ insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -144,7 +144,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
- insertbefore: ^account.*required.*pam_unix.so.*
+ insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -579,7 +579,7 @@
fail_interval parameter is already enabled in pam files
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail).*fail_interval
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail).*fail_interval
state: absent
check_mode: true
changed_when: false
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
@@ -21,11 +21,11 @@
for pam_file in "${AUTH_FILES[@]}"
do
if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
- sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_deny.so.*/i auth required pam_faillock.so authfail' "$pam_file"
- sed -i --follow-symlinks '/^account.*required.*pam_unix.so.*/i account required pam_faillock.so' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
+ sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
fi
- sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock.so)/\1required \3/g' "$pam_file"
+ sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
done
fi
AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
@@ -86,12 +86,12 @@
else
for pam_file in "${AUTH_FILES[@]}"
do
- if ! grep -qE '^\s*auth.*pam_faillock.so (preauth|authfail).*unlock_time' "$pam_file"; then
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*authfail.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
+ if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*unlock_time' "$pam_file"; then
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
else
- sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
- sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*authfail.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
+ sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
fi
done
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
@@ -115,7 +115,7 @@
is already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail)
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
@@ -126,7 +126,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
- insertbefore: ^auth.*sufficient.*pam_unix.so.*
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -139,7 +139,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
- insertbefore: ^auth.*required.*pam_deny.so.*
+ insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -152,7 +152,7 @@
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
- insertbefore: ^account.*required.*pam_unix.so.*
+ insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
@@ -599,7 +599,7 @@
unlock_time parameter is already enabled in pam files
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail).*unlock_time
+ regexp: .*auth.*pam_faillock\.so (preauth|authfail).*unlock_time
state: absent
check_mode: true
changed_when: false
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_a
... The diff is trimmed here ...
Code Climate has analyzed commit a7a001e and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 40.4% (0.0% change). View more on Code Climate.
@dahaic: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Thanks!
configured acceptable allowance (drift) may be inaccurate.
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
Shouldn't we care about the line lengths?
I think so. We have this defined in the Style Guide. Unless there is a reasonable argument to create an exception.