-
Notifications
You must be signed in to change notification settings - Fork 710
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #11458 from Xeicker/update_ol8_faillock_rules
Add automation to enable faillock rules
- Loading branch information
Showing
13 changed files
with
235 additions
and
1 deletion.
There are no files selected for viewing
7 changes: 7 additions & 0 deletions
7
...king_out_password_attempts/account_password_pam_faillock_password_auth/ansible/shared.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| # platform = multi_platform_all | ||
| # reboot = false | ||
| # strategy = enable | ||
| # complexity = low | ||
| # disruption = low | ||
|
|
||
| {{{ ansible_pam_faillock_enable() }}} |
7 changes: 7 additions & 0 deletions
7
.../locking_out_password_attempts/account_password_pam_faillock_password_auth/bash/shared.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| # platform = multi_platform_all | ||
| # reboot = false | ||
| # strategy = enable | ||
| # complexity = low | ||
| # disruption = low | ||
|
|
||
| {{{ bash_pam_faillock_enable() }}} |
79 changes: 79 additions & 0 deletions
79
...locking_out_password_attempts/account_password_pam_faillock_password_auth/oval/shared.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| <def-group> | ||
| <definition class="compliance" id="{{{ rule_id }}}" version="1"> | ||
| {{{ oval_metadata( | ||
| "Configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.") | ||
| }}} | ||
| <criteria operator="AND"> | ||
| <!-- pam_unix.so is a control module present in all realistic scenarios and also used | ||
| as reference for the correct position of pam_faillock.so in auth section. If the | ||
| system is properly configured, it must appear only once in auth section. --> | ||
| <criterion test_ref="test_pam_faillock_password_auth_pam_unix_auth" | ||
| comment="pam_unix.so appears only once in auth section of password-auth"/> | ||
| <criterion | ||
| test_ref="test_pam_faillock_password_auth_pam_faillock_auth" | ||
| comment="pam_faillock.so is defined in auth section of password-auth"/> | ||
| <criterion | ||
| test_ref="test_pam_faillock_password_auth_pam_faillock_account" | ||
| comment="pam_faillock.so is defined in account section of password-auth"/> | ||
| </criteria> | ||
| </definition> | ||
|
|
||
| <constant_variable id="var_pam_faillock_password_auth_pam_faillock_auth_regex" | ||
| datatype="string" version="1" | ||
| comment="regex to identify pam_faillock.so entries in auth section of pam files"> | ||
| <value>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</value> | ||
| </constant_variable> | ||
| <constant_variable id="var_pam_faillock_password_auth_pam_faillock_account_regex" | ||
| datatype="string" version="1" | ||
| comment="regex to identify pam_faillock.so entry in account section of pam files"> | ||
| <value>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</value> | ||
| </constant_variable> | ||
|
|
||
| <!-- Check occurrences of pam_unix.so in auth section in password-auth --> | ||
| <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1" | ||
| id="test_pam_faillock_password_auth_pam_unix_auth" | ||
| comment="No more than one pam_unix.so is expected in auth section of password-auth"> | ||
| <ind:object object_ref="obj_pam_faillock_password_auth_pam_unix_auth"/> | ||
| </ind:textfilecontent54_test> | ||
|
|
||
| <ind:textfilecontent54_object version="1" | ||
| id="obj_pam_faillock_password_auth_pam_unix_auth" | ||
| comment="Get all occurrences of pam_unix.so in auth section of password-auth"> | ||
| <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath> | ||
| <ind:pattern operation="pattern match">^[\s]*auth\N+pam_unix\.so</ind:pattern> | ||
| <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> | ||
| </ind:textfilecontent54_object> | ||
|
|
||
| <!-- Check common definition of pam_faillock.so in password-auth --> | ||
| <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1" | ||
| id="test_pam_faillock_password_auth_pam_faillock_auth" | ||
| comment="One and only one occurrence is expected in auth section of password-auth"> | ||
| <ind:object | ||
| object_ref="obj_pam_faillock_password_auth_pam_faillock_auth"/> | ||
| </ind:textfilecontent54_test> | ||
|
|
||
| <ind:textfilecontent54_object version="1" | ||
| id="obj_pam_faillock_password_auth_pam_faillock_auth" | ||
| comment="Check common definition of pam_faillock.so in auth section of password-auth"> | ||
| <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath> | ||
| <ind:pattern operation="pattern match" | ||
| var_ref="var_pam_faillock_password_auth_pam_faillock_auth_regex"/> | ||
| <ind:instance datatype="int" operation="equals">1</ind:instance> | ||
| </ind:textfilecontent54_object> | ||
|
|
||
| <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1" | ||
| id="test_pam_faillock_password_auth_pam_faillock_account" | ||
| comment="One and only one occurrence is expected in auth section of password-auth"> | ||
| <ind:object | ||
| object_ref="obj_pam_faillock_password_auth_pam_faillock_account"/> | ||
| </ind:textfilecontent54_test> | ||
|
|
||
| <ind:textfilecontent54_object version="1" | ||
| id="obj_pam_faillock_password_auth_pam_faillock_account" | ||
| comment="Check common definition of pam_faillock.so in account section of password-auth"> | ||
| <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath> | ||
| <ind:pattern operation="pattern match" | ||
| var_ref="var_pam_faillock_password_auth_pam_faillock_account_regex"/> | ||
| <ind:instance datatype="int" operation="equals">1</ind:instance> | ||
| </ind:textfilecontent54_object> | ||
| </def-group> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
10 changes: 10 additions & 0 deletions
10
...password_attempts/account_password_pam_faillock_password_auth/tests/correct_value.pass.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| #!/bin/bash | ||
| # packages = authselect,pam | ||
| # platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 | ||
|
|
||
| authselect create-profile test_profile -b sssd | ||
| authselect select "custom/test_profile" --force | ||
|
|
||
| authselect enable-feature with-faillock | ||
|
|
||
| authselect apply-changes |
10 changes: 10 additions & 0 deletions
10
..._out_password_attempts/account_password_pam_faillock_password_auth/tests/no_value.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| #!/bin/bash | ||
| # packages = authselect,pam | ||
| # platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 | ||
|
|
||
| authselect create-profile test_profile -b sssd | ||
| authselect select "custom/test_profile" --force | ||
|
|
||
| authselect disable-feature with-faillock | ||
|
|
||
| authselect apply-changes |
7 changes: 7 additions & 0 deletions
7
...ocking_out_password_attempts/account_password_pam_faillock_system_auth/ansible/shared.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| # platform = multi_platform_all | ||
| # reboot = false | ||
| # strategy = enable | ||
| # complexity = low | ||
| # disruption = low | ||
|
|
||
| {{{ ansible_pam_faillock_enable() }}} |
7 changes: 7 additions & 0 deletions
7
...am/locking_out_password_attempts/account_password_pam_faillock_system_auth/bash/shared.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| # platform = multi_platform_all | ||
| # reboot = false | ||
| # strategy = enable | ||
| # complexity = low | ||
| # disruption = low | ||
|
|
||
| {{{ bash_pam_faillock_enable() }}} |
79 changes: 79 additions & 0 deletions
79
...m/locking_out_password_attempts/account_password_pam_faillock_system_auth/oval/shared.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| <def-group> | ||
| <definition class="compliance" id="{{{ rule_id }}}" version="1"> | ||
| {{{ oval_metadata( | ||
| "Configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.") | ||
| }}} | ||
| <criteria operator="AND"> | ||
| <!-- pam_unix.so is a control module present in all realistic scenarios and also used | ||
| as reference for the correct position of pam_faillock.so in auth section. If the | ||
| system is properly configured, it must appear only once in auth section. --> | ||
| <criterion test_ref="test_pam_faillock_system_auth_pam_unix_auth" | ||
| comment="pam_unix.so appears only once in auth section of system-auth"/> | ||
| <criterion | ||
| test_ref="test_pam_faillock_system_auth_pam_faillock_auth" | ||
| comment="pam_faillock.so is defined in auth section of system-auth"/> | ||
| <criterion | ||
| test_ref="test_pam_faillock_system_auth_pam_faillock_account" | ||
| comment="pam_faillock.so is defined in account section of system-auth"/> | ||
| </criteria> | ||
| </definition> | ||
|
|
||
| <constant_variable id="var_pam_faillock_system_auth_pam_faillock_auth_regex" | ||
| datatype="string" version="1" | ||
| comment="regex to identify pam_faillock.so entries in auth section of pam files"> | ||
| <value>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</value> | ||
| </constant_variable> | ||
| <constant_variable id="var_pam_faillock_system_auth_pam_faillock_account_regex" | ||
| datatype="string" version="1" | ||
| comment="regex to identify pam_faillock.so entry in account section of pam files"> | ||
| <value>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</value> | ||
| </constant_variable> | ||
|
|
||
| <!-- Check occurrences of pam_unix.so in auth section in system-auth --> | ||
| <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1" | ||
| id="test_pam_faillock_system_auth_pam_unix_auth" | ||
| comment="No more than one pam_unix.so is expected in auth section of system-auth"> | ||
| <ind:object object_ref="obj_pam_faillock_system_auth_pam_unix_auth"/> | ||
| </ind:textfilecontent54_test> | ||
|
|
||
| <ind:textfilecontent54_object version="1" | ||
| id="obj_pam_faillock_system_auth_pam_unix_auth" | ||
| comment="Get all occurrences of pam_unix.so in auth section of system-auth"> | ||
| <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath> | ||
| <ind:pattern operation="pattern match">^[\s]*auth\N+pam_unix\.so</ind:pattern> | ||
| <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> | ||
| </ind:textfilecontent54_object> | ||
|
|
||
| <!-- Check common definition of pam_faillock.so in system-auth --> | ||
| <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1" | ||
| id="test_pam_faillock_system_auth_pam_faillock_auth" | ||
| comment="One and only one occurrence is expected in auth section of system-auth"> | ||
| <ind:object | ||
| object_ref="obj_pam_faillock_system_auth_pam_faillock_auth"/> | ||
| </ind:textfilecontent54_test> | ||
|
|
||
| <ind:textfilecontent54_object version="1" | ||
| id="obj_pam_faillock_system_auth_pam_faillock_auth" | ||
| comment="Check common definition of pam_faillock.so in auth section of system-auth"> | ||
| <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath> | ||
| <ind:pattern operation="pattern match" | ||
| var_ref="var_pam_faillock_system_auth_pam_faillock_auth_regex"/> | ||
| <ind:instance datatype="int" operation="equals">1</ind:instance> | ||
| </ind:textfilecontent54_object> | ||
|
|
||
| <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1" | ||
| id="test_pam_faillock_system_auth_pam_faillock_account" | ||
| comment="One and only one occurrence is expected in auth section of system-auth"> | ||
| <ind:object | ||
| object_ref="obj_pam_faillock_system_auth_pam_faillock_account"/> | ||
| </ind:textfilecontent54_test> | ||
|
|
||
| <ind:textfilecontent54_object version="1" | ||
| id="obj_pam_faillock_system_auth_pam_faillock_account" | ||
| comment="Check common definition of pam_faillock.so in account section of system-auth"> | ||
| <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath> | ||
| <ind:pattern operation="pattern match" | ||
| var_ref="var_pam_faillock_system_auth_pam_faillock_account_regex"/> | ||
| <ind:instance datatype="int" operation="equals">1</ind:instance> | ||
| </ind:textfilecontent54_object> | ||
| </def-group> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
10 changes: 10 additions & 0 deletions
10
...t_password_attempts/account_password_pam_faillock_system_auth/tests/correct_value.pass.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| #!/bin/bash | ||
| # packages = authselect,pam | ||
| # platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 | ||
|
|
||
| authselect create-profile test_profile -b sssd | ||
| authselect select "custom/test_profile" --force | ||
|
|
||
| authselect enable-feature with-faillock | ||
|
|
||
| authselect apply-changes |
10 changes: 10 additions & 0 deletions
10
...ng_out_password_attempts/account_password_pam_faillock_system_auth/tests/no_value.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| #!/bin/bash | ||
| # packages = authselect,pam | ||
| # platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 | ||
|
|
||
| authselect create-profile test_profile -b sssd | ||
| authselect select "custom/test_profile" --force | ||
|
|
||
| authselect disable-feature with-faillock | ||
|
|
||
| authselect apply-changes |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters