accounts_passwords_pam_faildelay_delay: depend on pam #10304
Conversation
accounts_passwords_pam_faildelay_delay is dependent on pam being installed, so it should express that with "platform: package[pam]" as other rules (such as accounts_password_pam_unix_remember) already do. Signed-off-by: Craig Andrews <candrews@integralblue.com>
|
Hi @candrews. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: sle12 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
/ok-to-test |
openshift-ci
bot
added
ok-to-test
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faildelay_delay' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faildelay_delay
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faildelay_delay
@@ -1,3 +1,5 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q pam; then
var_password_pam_delay=''
@@ -35,3 +37,7 @@
else
echo "/etc/pam.d/common-auth doesn't exist" >&2
fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faildelay_delay' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faildelay_delay
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faildelay_delay
@@ -1,3 +1,17 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-83176-8
+ - DISA-STIG-SLES-12-010370
+ - NIST-800-53-CM-6(b)
+ - NIST-800-53-CM-6.1(iv)
+ - accounts_passwords_pam_faildelay_delay
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
- name: XCCDF Value var_password_pam_delay # promote to variable
set_fact:
var_password_pam_delay: !!str
@@ -7,6 +21,7 @@
- name: Set control_flag fact
set_fact:
control_flag: required
+ when: '"pam" in ansible_facts.packages'
tags:
- CCE-83176-8
- DISA-STIG-SLES-12-010370
@@ -24,6 +39,7 @@
set -o pipefail
grep -E '^\s*auth\s+\S+\s+pam_faildelay.so' /etc/pam.d/common-auth || true
register: check_pam_module_result
+ when: '"pam" in ansible_facts.packages'
tags:
- CCE-83176-8
- DISA-STIG-SLES-12-010370
@@ -41,7 +57,9 @@
path: /etc/pam.d/common-auth
line: auth required pam_faildelay.so
state: present
- when: '"pam_faildelay.so" not in check_pam_module_result.stdout'
+ when:
+ - '"pam" in ansible_facts.packages'
+ - '"pam_faildelay.so" not in check_pam_module_result.stdout'
tags:
- CCE-83176-8
- DISA-STIG-SLES-12-010370
@@ -60,7 +78,9 @@
regexp: ^(\s*auth\s+)\S+(\s+pam_faildelay.so\s+.*)
line: \g<1>required\g<2>
backrefs: true
- when: control_flag|length
+ when:
+ - '"pam" in ansible_facts.packages'
+ - control_flag|length
tags:
- CCE-83176-8
- DISA-STIG-SLES-12-010370
@@ -80,6 +100,7 @@
regexp: ^(\s*auth\s+required\s+pam_faildelay.so(?:\s+\S+)*\s+delay=)(?:\S+)((\s+\S+)*\s*\\*\s*)$
line: \g<1>{{ var_password_pam_delay }}\g<2>
backrefs: true
+ when: '"pam" in ansible_facts.packages'
tags:
- CCE-83176-8
- DISA-STIG-SLES-12-010370
@@ -97,6 +118,7 @@
set -o pipefail
grep -E '^\s*auth\s+required\s+pam_faildelay.so.*\s+delay(=|\s|\s*$)' /etc/pam.d/common-auth || true
register: check_pam_module_argument_result
+ when: '"pam" in ansible_facts.packages'
tags:
- CCE-83176-8
- DISA-STIG-SLES-12-010370
@@ -115,7 +137,9 @@
regexp: ^(\s*auth\s+required\s+pam_faildelay.so)((\s+\S+)*\s*(\\)*$)
line: \g<1> delay={{ var_password_pam_delay }}\g<2>
backrefs: true
- when: '"delay" not in check_pam_module_argument_result.stdout'
+ when:
+ - '"pam" in ansible_facts.packages'
+ - '"delay" not in check_pam_module_argument_result.stdout'
tags:
- CCE-83176-8
- DISA-STIG-SLES-12-010370
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faildelay_delay'
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faildelay_delay
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faildelay_delay
@@ -1 +1 @@
-
+cpe:/a:pam: |
|
Code Climate has analyzed commit 71b8aa1 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 51.7% (0.0% change). View more on Code Climate. |
|
@candrews: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Description:
accounts_passwords_pam_faildelay_delay: depend on pam
Rationale:
accounts_passwords_pam_faildelay_delay is dependent on pam being installed, so it should express that with "platform: package[pam]" as other rules (such as accounts_password_pam_unix_remember) already do.
Review Hints:
With this change applied,
oscap-podman ubuntu:20.04 xccdf eval --report report.html --profile xccdf_org.ssgproject.content_profile_stig /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xmlshould yield a report indicating that the "Enforce Delay After Failed Logon Attempts" rule is "Not Applicable"