ComplianceAsCode · dodys · Dec 10, 2024 · Nov 29, 2024 · Nov 29, 2024
diff --git a/...t_password_attempts/account_passwords_pam_faillock_audit/tests/expected_pam_files.pass.sh b/...t_password_attempts/account_passwords_pam_faillock_audit/tests/expected_pam_files.pass.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 # packages = authselect,pam
+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
 
 source common.sh
 

diff --git a/...ut_password_attempts/account_passwords_pam_faillock_audit/tests/missing_parameter.fail.sh b/...ut_password_attempts/account_passwords_pam_faillock_audit/tests/missing_parameter.fail.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
 # packages = authselect,pam
+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
 
 source common.sh
diff --git a/...s-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/oval/ubuntu.xml b/...s-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/oval/ubuntu.xml
@@ -57,7 +57,7 @@
   <constant_variable id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_auth_regex"
                 datatype="string" version="1"
                 comment="regex to identify pam_faillock.so entries in auth section of pam files">
-      <value>^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc</value>
+      <value>^\s*auth\s+(requisite|required)\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail</value>
   </constant_variable>
 
   <constant_variable id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_account_regex"

diff --git a/...word_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_commented_values.fail.sh b/...word_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_commented_values.fail.sh
@@ -3,7 +3,4 @@
 
 source ubuntu_common.sh
 
-sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth
-sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account
-
 echo "#audit" > /etc/security/faillock.conf
diff --git a/...ocking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_common.sh b/...ocking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_common.sh
@@ -1,50 +1,24 @@
 #!/bin/bash
 
-# Create passing pam.d files based on defaults from a clean installation of Ubuntu 22.04 LTS
-# Extra comments and whitespaces were added to test for edge cases
-
-cat >/etc/pam.d/common-auth <<EOF
- ## Leading and trailing whitespaces should be ok
- auth required  pam_faillock.so     preauth 
-# here are the per-package modules (the "Primary" block)
-auth    [success=2 default=ignore]      pam_unix.so nullok
-## Several lines of comments should not
-## break faillock remediation logic
-## Nor should commented pam_unix
-#auth    [success=2 default=ignore]      pam_unix.so nullok
-
-auth    [success=1 default=ignore]      pam_sss.so use_first_pass
-
- ## Some more user comments
- auth [default=die]  pam_faillock.so authfail 
- ## and some more
- auth sufficient     pam_faillock.so authsucc 
-
-# here's the fallback if no module succeeds
-auth    requisite                       pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-auth    required                        pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-auth    optional                        pam_cap.so 
-# end of pam-auth-update config
+cat << EOF > /usr/share/pam-configs/faillock
+Name: Enable pam_faillock to deny access
+Default: yes
+Priority: 0
+Auth-Type: Primary
+Auth:
+    [default=die]                   pam_faillock.so authfail
 EOF
 
-
-cat >/etc/pam.d/common-account <<EOF
-# here are the per-package modules (the "Primary" block)
-account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so 
-# here's the fallback if no module succeeds
-account requisite                       pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-account required                        pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-account sufficient                      pam_localuser.so 
-account [default=bad success=ok user_unknown=ignore]    pam_sss.so 
-# end of pam-auth-update config
-
-  account required  pam_faillock.so 
+cat << EOF > /usr/share/pam-configs/faillock_notify
+Name: Notify of failed login attempts and reset count upon success
+Default: yes
+Priority: 1024
+Auth-Type: Primary
+Auth:
+    requisite                       pam_faillock.so preauth
+Account-Type: Primary
+Account:
+    required                        pam_faillock.so
 EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/...password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_correct_pamd.pass.sh b/...password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_correct_pamd.pass.sh
@@ -1,7 +1,25 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
 
-source ubuntu_common.sh
+cat << EOF > /usr/share/pam-configs/faillock
+Name: Enable pam_faillock to deny access
+Default: yes
+Priority: 0
+Auth-Type: Primary
+Auth:
+    [default=die]                   pam_faillock.so authfail audit
+EOF
 
-sed -i 's/\(.*pam_faillock.so.*\)/\1 audit/g' /etc/pam.d/common-auth
+cat << EOF > /usr/share/pam-configs/faillock_notify
+Name: Notify of failed login attempts and reset count upon success
+Default: yes
+Priority: 1024
+Auth-Type: Primary
+Auth:
+    requisite                       pam_faillock.so preauth audit
+Account-Type: Primary
+Account:
+    required                        pam_faillock.so
+EOF
 
+DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/...password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_missing_pamd.fail.sh b/...password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_missing_pamd.fail.sh
@@ -1,9 +1,4 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
 
-source ubuntu_common.sh
-
-sed -i '/pam_faillock\.so/d' /etc/pam.d/common-auth
-sed -i '/pam_faillock\.so/d' /etc/pam.d/common-account
-
 echo "audit" > /etc/security/faillock.conf
diff --git a/...ord_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_multiple_pam_unix.fail.sh b/...ord_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_multiple_pam_unix.fail.sh
@@ -8,4 +8,4 @@
 
 source ubuntu_common.sh
 
-echo "auth        sufficient       pam_unix.so" >> /etc/pam.d/common-auth
+sed -i '/# end of pam-auth-update config/i\auth        sufficient       pam_unix.so' /etc/pam.d/common-auth
diff --git a/...sword_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_commented_values.fail.sh b/...sword_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_commented_values.fail.sh
@@ -1,9 +1,7 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
+# variables = var_accounts_passwords_pam_faillock_deny=10
 
 source ubuntu_common.sh
 
-sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth
-sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account
-
 echo "#deny=1" > /etc/security/faillock.conf
diff --git a/...locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_common.sh b/...locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_common.sh
@@ -1,50 +1,24 @@
 #!/bin/bash
 
-# Create passing pam.d files based on defaults from a clean installation of Ubuntu 22.04 LTS
-# Extra comments and whitespaces were added to test for edge cases
-
-cat >/etc/pam.d/common-auth <<EOF
- ## Leading and trailing whitespaces should be ok
- auth required  pam_faillock.so     preauth 
-# here are the per-package modules (the "Primary" block)
-auth    [success=2 default=ignore]      pam_unix.so nullok
-## Several lines of comments should not
-## break faillock remediation logic
-## Nor should commented pam_unix
-#auth    [success=2 default=ignore]      pam_unix.so nullok
-
-auth    [success=1 default=ignore]      pam_sss.so use_first_pass
-
- ## Some more user comments
- auth [default=die]  pam_faillock.so authfail 
- ## and some more
- auth sufficient     pam_faillock.so authsucc 
-
-# here's the fallback if no module succeeds
-auth    requisite                       pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-auth    required                        pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-auth    optional                        pam_cap.so 
-# end of pam-auth-update config
+cat << EOF > /usr/share/pam-configs/faillock
+Name: Enable pam_faillock to deny access
+Default: yes
+Priority: 0
+Auth-Type: Primary
+Auth:
+    [default=die]                   pam_faillock.so authfail
 EOF
 
-
-cat >/etc/pam.d/common-account <<EOF
-# here are the per-package modules (the "Primary" block)
-account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so 
-# here's the fallback if no module succeeds
-account requisite                       pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-account required                        pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-account sufficient                      pam_localuser.so 
-account [default=bad success=ok user_unknown=ignore]    pam_sss.so 
-# end of pam-auth-update config
-
-  account required  pam_faillock.so 
+cat << EOF > /usr/share/pam-configs/faillock_notify
+Name: Notify of failed login attempts and reset count upon success
+Default: yes
+Priority: 1024
+Auth-Type: Primary
+Auth:
+    requisite                       pam_faillock.so preauth
+Account-Type: Primary
+Account:
+    required                        pam_faillock.so
 EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/...g_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct.pass.sh b/...g_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct.pass.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
+# variables = var_accounts_passwords_pam_faillock_deny=10
 
 source ubuntu_common.sh
 

diff --git a/..._password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct_pamd.pass.sh b/..._password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct_pamd.pass.sh
@@ -1,7 +1,26 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
+# variables = var_accounts_passwords_pam_faillock_deny=10
 
-source ubuntu_common.sh
+cat << EOF > /usr/share/pam-configs/faillock
+Name: Enable pam_faillock to deny access
+Default: yes
+Priority: 0
+Auth-Type: Primary
+Auth:
+    [default=die]                   pam_faillock.so authfail deny=1
+EOF
 
-sed -i 's/\(.*pam_faillock.so.*\)/\1 deny=1/g' /etc/pam.d/common-auth
+cat << EOF > /usr/share/pam-configs/faillock_notify
+Name: Notify of failed login attempts and reset count upon success
+Default: yes
+Priority: 1024
+Auth-Type: Primary
+Auth:
+    requisite                       pam_faillock.so preauth deny=1
+Account-Type: Primary
+Account:
+    required                        pam_faillock.so
+EOF
 
+DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/...rd_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_empty_faillock_conf.fail.sh b/...rd_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_empty_faillock_conf.fail.sh
diff --git a/..._password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_missing_pamd.fail.sh b/..._password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_missing_pamd.fail.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
-
-source ubuntu_common.sh
-
-sed -i '/pam_faillock\.so/d' /etc/pam.d/common-auth
-sed -i '/pam_faillock\.so/d' /etc/pam.d/common-account
+# variables = var_accounts_passwords_pam_faillock_deny=10
 
 echo "deny=1" > /etc/security/faillock.conf
diff --git a/...word_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_multiple_pam_unix.fail.sh b/...word_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_multiple_pam_unix.fail.sh
diff --git a/...t_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_wrong_value.fail.sh b/...t_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_wrong_value.fail.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
+# variables = var_accounts_passwords_pam_faillock_deny=10
 
 source ubuntu_common.sh
 

diff --git a/...ut_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_pam_files.pass.sh b/...ut_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_pam_files.pass.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 # packages = authselect,pam
+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
 
 source common.sh
 

diff --git a/...ssword_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_authfail.fail.sh b/...ssword_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_authfail.fail.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 # packages = authselect,pam
+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
 
 source common.sh
 

diff --git a/...assword_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_preauth.fail.sh b/...assword_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_preauth.fail.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 # packages = authselect,pam
+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
 
 source common.sh
 

diff --git a/...g_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_pam_files.fail.sh b/...g_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_pam_files.fail.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 # packages = authselect,pam
+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
 
 source common.sh
 

diff --git a/...d_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_commented_values.fail.sh b/...d_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_commented_values.fail.sh
@@ -1,9 +1,7 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
+# variables = var_accounts_passwords_pam_faillock_fail_interval=800
 
 source ubuntu_common.sh
 
-sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth
-sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account
-
 echo "#fail_interval=900" > /etc/security/faillock.conf
Original file line number	Diff line number	Diff line change
Expand Up		@@ -8,4 +8,4 @@

		source ubuntu_common.sh

		echo "auth sufficient pam_unix.so" >> /etc/pam.d/common-auth
		sed -i '/# end of pam-auth-update config/i\auth sufficient pam_unix.so' /etc/pam.d/common-auth