Fix rule ubtu 20 010072 #11074
This commit properly fixes the STIG by ensuring that the pam_faillock arguments are correctly set in /etc/pam.d/common-auth and within /etc/security/faillock.conf.
This commit fixes the OVAL checks for accounts-pam, which includes regex modularization and proper line remediations for /etc/pam.d/common-auth along with /etc/security/faillock.conf.
This commit simplifies the conditional logic to use the pam_path Jinja-assigned variable.
Hi @dexterle. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This datastream diff is auto generated by the check.
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
@@ -99,6 +99,16 @@
when:
- result_pam_faillock_is_enabled.found == 0
+ - name: Account Lockouts Must Be Logged - Enable pam_faillock.so authsucc editing
+ PAM files
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ line: auth sufficient pam_faillock.so authsucc
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
+ state: present
+ when:
+ - not result_authselect_present.stat.exists
+
- name: Account Lockouts Must Be Logged - Enable pam_faillock.so authfail editing
PAM files
ansible.builtin.lineinfile:
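Review bot: the inserted `auth sufficient pam_faillock.so authsucc` line is placed ahead of pam_unix.so (`insertbefore: ^auth.*sufficient.*pam_unix\.so.*`), but pam_faillock's authsucc call belongs after the primary authentication module; with `sufficient` control in front of pam_unix.so, an account that is not locked can short-circuit the stack before the password module runs. Insert after the pam_unix.so line instead, mirroring the authfail task below it.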
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
@@ -106,6 +106,16 @@
when:
- result_pam_faillock_is_enabled.found == 0
+ - name: Account Lockouts Must Be Logged - Enable pam_faillock.so authsucc editing
+ PAM files
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ line: auth sufficient pam_faillock.so authsucc
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
+ state: present
+ when:
+ - not result_authselect_present.stat.exists
+
- name: Account Lockouts Must Be Logged - Enable pam_faillock.so authfail editing
PAM files
ansible.builtin.lineinfile:
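Review bot: `insertbefore: ^auth.*sufficient.*pam_unix\.so.*` only matches a pam_unix.so line whose control field is literally `sufficient`; the pam-auth-update layout on Ubuntu writes `auth [success=1 default=ignore] pam_unix.so ...`, so the pattern finds nothing and ansible.builtin.lineinfile falls back to appending the line at end of file, after pam_deny.so. Match on the module rather than the control, e.g. `insertafter: ^auth\s+.*pam_unix\.so` with `firstmatch: true`.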
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -137,6 +137,16 @@
when:
- result_pam_faillock_is_enabled.found == 0
+ - name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so authsucc
+ editing PAM files
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ line: auth sufficient pam_faillock.so authsucc
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
+ state: present
+ when:
+ - not result_authselect_present.stat.exists
+
- name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so authfail
editing PAM files
ansible.builtin.lineinfile:
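Review bot: this hunk adds authsucc next to the existing authfail task but neither task set provides a `preauth` call, which is the invocation that rejects an already-locked account before the password module runs; the deny rule is the one that depends on it most, so add a preauth lineinfile task (inserted before the pam_unix.so line) alongside these two.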
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
@@ -130,6 +130,16 @@
- result_pam_faillock_is_enabled.found == 0
- name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so
+ authsucc editing PAM files
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ line: auth sufficient pam_faillock.so authsucc
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
+ state: present
+ when:
+ - not result_authselect_present.stat.exists
+
+ - name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so
authfail editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
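Review bot: the new task hard-codes `path: /etc/pam.d/common-auth` while the authfail task directly below it iterates with `path: '{{ item }}'`; on a product whose file list does not include common-auth the file is absent and lineinfile fails rather than skips (there is no `create: true`, and `not result_authselect_present.stat.exists` is true on any host without authselect). Either loop over the same item list or gate the task on the product-specific pam_path variable the description mentions.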
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
@@ -125,6 +125,16 @@
when:
- result_pam_faillock_is_enabled.found == 0
+ - name: Lock Accounts Must Persist - Enable pam_faillock.so authsucc editing PAM
+ files
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ line: auth sufficient pam_faillock.so authsucc
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
+ state: present
+ when:
+ - not result_authselect_present.stat.exists
+
- name: Lock Accounts Must Persist - Enable pam_faillock.so authfail editing PAM
files
ansible.builtin.lineinfile:
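Review bot: this is the same nine-line task copied verbatim into every faillock rule in the diff (audit, deny, deny_root, dir, enforce_local, interval, silent, unlock_time); it belongs in the shared template the adjacent authfail task is generated from, so a correction to the control field or the insert position lands in one place instead of eight.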
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
@@ -119,6 +119,16 @@
when:
- result_pam_faillock_is_enabled.found == 0
+ - name: Enforce pam_faillock for Local Accounts Only - Enable pam_faillock.so authsucc
+ editing PAM files
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ line: auth sufficient pam_faillock.so authsucc
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
+ state: present
+ when:
+ - not result_authselect_present.stat.exists
+
- name: Enforce pam_faillock for Local Accounts Only - Enable pam_faillock.so authfail
editing PAM files
ansible.builtin.lineinfile:
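Review bot: the preceding task is guarded by `result_pam_faillock_is_enabled.found == 0` but the new authsucc task is guarded only by the authselect stat, so it also runs on hosts where pam_faillock is already configured; because lineinfile without `regexp:` matches on the exact `line:` text, any existing authsucc entry with a different control field or spacing is kept and a second one is added. Add the `found == 0` condition, or a `regexp: pam_faillock\.so.*authsucc` so the task replaces rather than duplicates.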
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
@@ -130,6 +130,16 @@
- result_pam_faillock_is_enabled.found == 0
- name: Set Interval For Counting Failed Password Attempts - Enable pam_faillock.so
+ authsucc editing PAM files
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ line: auth sufficient pam_faillock.so authsucc
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
+ state: present
+ when:
+ - not result_authselect_present.stat.exists
+
+ - name: Set Interval For Counting Failed Password Attempts - Enable pam_faillock.so
authfail editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent
@@ -124,6 +124,16 @@
- result_pam_faillock_is_enabled.found == 0
- name: Do Not Show System Messages When Unsuccessful Logon Attempts Occur - Enable
+ pam_faillock.so authsucc editing PAM files
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ line: auth sufficient pam_faillock.so authsucc
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
+ state: present
+ when:
+ - not result_authselect_present.stat.exists
+
+ - name: Do Not Show System Messages When Unsuccessful Logon Attempts Occur - Enable
pam_faillock.so authfail editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
@@ -139,6 +139,16 @@
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
+
+ - name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so authsucc
+ editing PAM files
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ line: auth sufficient pam_faillock.so authsucc
+ insertbefore: ^auth.*sufficient.*pam_unix\.so.*
+ state: present
+ when:
+ - not result_authselect_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so authfail
editing PAM files |
Code Climate has analyzed commit fa50612 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.8% (0.0% change). View more on Code Climate.
/packit retest-failed
/test
@dodys: The
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/retest |
Do not break the OVAL check into multiple checks; that is the only way to test the order of the configuration, because it matters.
Also, DISA's configuration is missing the preauth IMO.
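An added example, not part of this PR or of the project's own OVAL content, of the ordering check the review comment describes: a small Python checker that parses an Ubuntu-style common-auth and reports pam_faillock lines that are missing or sit on the wrong side of pam_unix.so. The prescribed order (preauth before the primary module, authfail and authsucc after it) is the one in the pam_faillock man page; both input files are constructed samples.

```python
import re

# Constructed sample in the order the pam_faillock man page prescribes.
GOOD_COMMON_AUTH = """\
auth    required                    pam_faillock.so preauth
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    [default=die]               pam_faillock.so authfail
auth    sufficient                  pam_faillock.so authsucc
auth    requisite                   pam_deny.so
"""

# Constructed sample of a 'sufficient' authsucc placed ahead of pam_unix.so, with no preauth.
BAD_COMMON_AUTH = """\
auth    sufficient                  pam_faillock.so authsucc
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    [default=die]               pam_faillock.so authfail
auth    requisite                   pam_deny.so
"""

# control field is either a bracketed action list or a single keyword
LINE_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_auth_lines(text):
    """Return (control, module, args) for each non-comment 'auth' line, in file order."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries

def faillock_order_findings(text):
    """List each way the pam_faillock calls are missing or misordered relative to pam_unix.so."""
    pos = {}
    for i, (_ctl, mod, args) in enumerate(parse_auth_lines(text)):
        if mod == "pam_unix.so":
            pos.setdefault("pam_unix", i)
        elif mod == "pam_faillock.so":
            for phase in ("preauth", "authfail", "authsucc"):
                if phase in args.split():
                    pos.setdefault(phase, i)   # first occurrence decides
    if "pam_unix" not in pos:
        return ["no pam_unix.so auth line found"]
    findings = []
    for phase in ("preauth", "authfail", "authsucc"):
        if phase not in pos:
            findings.append(f"missing pam_faillock.so {phase}")
        elif phase == "preauth" and pos[phase] > pos["pam_unix"]:
            findings.append("preauth must come before pam_unix.so")
        elif phase != "preauth" and pos[phase] < pos["pam_unix"]:
            findings.append(f"{phase} must come after pam_unix.so")
    return findings
```

Run `faillock_order_findings(open("/etc/pam.d/common-auth").read())` on a host to get the same report for the live file; an empty list means the three calls are present and ordered.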
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Closing this in favor of #11355
Description:
Rationale:
Review Hints:
Build the product:
To test these changes with Ansible:
To test changes with bash, run the remediation section:
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
Check out the manual STIG OVAL definitions, and use software like DISA STIG Viewer to view the definitions.
This STIG can be tested with the latest Ubuntu 2004 Benchmark SCAP. For reference, please review the latest artifacts: https://public.cyber.mil/stigs/downloads/