diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/oval/shared.xml index d4b83d94bbf..3ac42134693 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/oval/shared.xml @@ -35,7 +35,7 @@ comment="Check the pam_pwhistory.so remember parameter is absent in password-auth file"/> + comment="Check the remember parameter in {{{ pwhistory_path }}}"/> @@ -82,15 +82,15 @@ + comment="Check the absence of remember parameter in {{{ pwhistory_path }}}"> - ^/etc/security/pwhistory.conf$ + comment="Collect the pam_pwhistory.so remember parameter from {{{ pwhistory_path }}}"> + ^{{{ pwhistory_path }}}$ 1 @@ -107,7 +107,7 @@ + comment="Check remember parameter is present and correct in {{{ pwhistory_path }}}"> diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml index 3ae6287ad01..66984f52c9b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml @@ -21,7 +21,7 @@ description: |- Otherwise, it should be enabled using an authselect custom profile.

- Newer systems also have the /etc/security/pwhistory.conf file for setting + Newer systems also have the {{{ pwhistory_path }}} file for setting pam_pwhistory module options. This file should be used whenever available. Otherwise, the pam_pwhistory module options can be set in PAM files.

@@ -56,7 +56,7 @@ references: ocil_clause: |- the pam_pwhistory.so module is not used, the "remember" module option is not set in - /etc/pam.d/password-auth or in /etc/security/pwhistory.conf, or is set in both files, or is set + /etc/pam.d/password-auth or in {{{ pwhistory_path }}}, or is set in both files, or is set with a value less than "{{{ xccdf_value("var_password_pam_remember") }}}" ocil: |- @@ -70,9 +70,9 @@ ocil: |- password {{{ xccdf_value("var_password_pam_remember_control_flag") }}} pam_pwhistory.so use_authtok remember={{{ xccdf_value("var_password_pam_remember") }}} {{% if product not in ["ol7"] %}} - Verify the "/etc/security/pwhistory.conf" file using the following command: + Verify the "{{{ pwhistory_path }}}" file using the following command: -
$ grep remember /etc/security/pwhistory.conf
+    
$ grep remember {{{ pwhistory_path }}}
     remember = {{{ xccdf_value("var_password_pam_remember") }}}
The pam_pwhistory.so "remember" option must be configured only in one file. @@ -89,7 +89,7 @@ fixtext: |- First ensure the pam_pwhistory.so module is enabled in the password section of "/etc/pam.d/password-auth":
password {{{ xccdf_value("var_password_pam_remember_control_flag") }}} pam_pwhistory.so use_authtok
- If the "/etc/security/pwhistory.conf" is present in the system, use it to set the "remember" option: + If the "{{{ pwhistory_path }}}" is present in the system, use it to set the "remember" option:
remember = {{{ xccdf_value("var_password_pam_remember") }}}
Otherwise, include the "remember" option in "/etc/pam.d/password-auth" file: diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_conflict_settings.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_conflict_settings.fail.sh index bef6bbceaba..7043569d6f9 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_conflict_settings.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_conflict_settings.fail.sh @@ -15,5 +15,5 @@ else fi authselect apply-changes -b -> /etc/security/pwhistory.conf -echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} +echo "remember = $remember_cnt" >> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_conf.pass.sh index 111ed3df65a..56704e726ff 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_conf.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_conf.pass.sh 
@@ -16,5 +16,5 @@ else fi authselect apply-changes -b -> /etc/security/pwhistory.conf -echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} +echo "remember = $remember_cnt" >> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_pam.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_pam.pass.sh index cc133d939f8..342645f6b37 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_pam.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_pam.pass.sh @@ -15,4 +15,4 @@ else fi authselect apply-changes -b -> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_argument.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_argument.fail.sh index f8e69778936..d66d7a7473c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_argument.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_argument.fail.sh @@ -18,4 +18,4 @@ else fi fi authselect apply-changes -b -> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_line.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_line.fail.sh index 5565977e731..2a454902344 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_line.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_line.fail.sh @@ -14,4 +14,4 @@ else sed -i --follow-symlinks '/.*pam_pwhistory\.so/d' $CUSTOM_PASSWORD_AUTH fi authselect apply-changes -b -> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_modified_pam.fail.sh index e5af75fdc28..9889ef55b22 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_modified_pam.fail.sh @@ -11,4 +11,4 @@ if ! $(grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE); then else sed -i --follow-symlinks "s/\(.*pam_pwhistory\.so.*remember=\)[[:digit:]]\+\s\(.*\)/\1/g" $SYSTEM_AUTH_FILE fi -> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_conf.fail.sh index f1664398547..fb2d6070ce3 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_conf.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_conf.fail.sh @@ -16,5 +16,5 @@ else fi authselect apply-changes -b -> /etc/security/pwhistory.conf -echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} +echo "remember = $remember_cnt" >> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_pam.fail.sh index debcc53ca32..12b4a2a3c28 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_pam.fail.sh @@ -15,4 +15,4 @@ else fi authselect apply-changes -b -> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/oval/shared.xml index 016cf9f79c0..1619f38205e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/oval/shared.xml @@ -26,16 +26,16 @@ comment="Check the remember parameter in password section of system-auth file"/> + comment="Check the pam_pwhistory.so remember parameter is absent in {{{ pwhistory_path }}}"/> + comment="Check the pam_pwhistory.so remember parameter is only in {{{ pwhistory_path }}} file"> + comment="Check the remember parameter in {{{ pwhistory_path }}}"/> @@ -82,15 +82,15 @@ + comment="Check the absence of remember parameter in {{{ pwhistory_path }}}"> - ^/etc/security/pwhistory.conf$ + comment="Collect the pam_pwhistory.so remember parameter from {{{ pwhistory_path }}}"> + ^{{{ pwhistory_path }}}$ 1 @@ -107,7 +107,7 @@ + comment="Check remember parameter is present and correct in {{{ pwhistory_path }}}"> diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml index 16c64db12fe..87c649b4c5d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml 
@@ -21,7 +21,7 @@ description: |- Otherwise, it should be enabled using an authselect custom profile.

- Newer systems also have the /etc/security/pwhistory.conf file for setting + Newer systems also have the {{{ pwhistory_path }}} file for setting pam_pwhistory module options. This file should be used whenever available. Otherwise, the pam_pwhistory module options can be set in PAM files.

@@ -56,7 +56,7 @@ references: ocil_clause: |- the pam_pwhistory.so module is not used, the "remember" module option is not set in - /etc/pam.d/system-auth or in /etc/security/pwhistory.conf, or is set in both files, or is set + /etc/pam.d/system-auth or in {{{ pwhistory_path }}}, or is set in both files, or is set with a value less than "{{{ xccdf_value("var_password_pam_remember") }}}" ocil: |- @@ -70,9 +70,9 @@ ocil: |- password {{{ xccdf_value("var_password_pam_remember_control_flag") }}} pam_pwhistory.so use_authtok remember={{{ xccdf_value("var_password_pam_remember") }}}
{{% if product not in ["ol7"] %}} - Verify the "/etc/security/pwhistory.conf" file using the following command: + Verify the "{{{ pwhistory_path }}}" file using the following command: -
$ grep remember /etc/security/pwhistory.conf
+    
$ grep remember {{{ pwhistory_path }}}
     remember = {{{ xccdf_value("var_password_pam_remember") }}}
The pam_pwhistory.so "remember" option must be configured only in one file. diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_conflict_settings.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_conflict_settings.fail.sh index dd32200e4a5..77c3e66c250 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_conflict_settings.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_conflict_settings.fail.sh @@ -15,5 +15,5 @@ else fi authselect apply-changes -b -> /etc/security/pwhistory.conf -echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} +echo "remember = $remember_cnt" >> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_conf.pass.sh index c4e304ec12b..bf29fb164aa 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_conf.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_conf.pass.sh 
@@ -16,5 +16,5 @@ else fi authselect apply-changes -b -> /etc/security/pwhistory.conf -echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} +echo "remember = $remember_cnt" >> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_pam.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_pam.pass.sh index 52e4f15c796..e69f1c4d292 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_pam.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_correct_value_pam.pass.sh @@ -15,4 +15,4 @@ else fi authselect apply-changes -b -> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_argument.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_argument.fail.sh index 1296b6744c3..c0f60c858e3 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_argument.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_argument.fail.sh @@ -18,4 +18,4 @@ else fi fi authselect apply-changes -b -> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_line.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_line.fail.sh index dfcaa146c29..3d47e6fe64c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_line.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_missing_line.fail.sh @@ -14,4 +14,4 @@ else sed -i --follow-symlinks '/.*pam_pwhistory\.so/d' $CUSTOM_SYSTEM_AUTH fi authselect apply-changes -b -> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_modified_pam.fail.sh index 5f4aa82512d..1ef57353ec0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_modified_pam.fail.sh @@ -11,4 +11,4 @@ if ! $(grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE); then else sed -i --follow-symlinks "s/\(.*pam_pwhistory\.so.*remember=\)[[:digit:]]\+\s\(.*\)/\1/g" $SYSTEM_AUTH_FILE fi -> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_conf.fail.sh index 694398e7bba..a74b5971e1f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_conf.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_conf.fail.sh @@ -16,5 +16,5 @@ else fi authselect apply-changes -b -> /etc/security/pwhistory.conf -echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} +echo "remember = $remember_cnt" >> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_pam.fail.sh index d9040a4958e..fd286eb82c2 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/authselect_wrong_value_pam.fail.sh @@ -15,4 +15,4 @@ else fi authselect apply-changes -b -> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml index 2ac8e16e6e9..6ee0fd3e84e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml @@ -33,16 +33,16 @@ comment="Check the remember parameter in password section of PAM file"/> + comment="Check the pam_pwhistory.so remember parameter is absent in {{{ pwhistory_path }}}"/> + comment="Check the pam_pwhistory.so remember parameter is only in {{{ pwhistory_path }}} file"> + comment="Check the remember parameter in {{{ pwhistory_path }}}"/> @@ -95,15 +95,15 @@ + comment="Check the absence of remember parameter in {{{ pwhistory_path }}}"> - ^/etc/security/pwhistory.conf$ + comment="Collect the pam_pwhistory.so remember parameter from {{{ pwhistory_path }}}"> + ^{{{ pwhistory_path }}}$ 1 @@ -120,7 +120,7 @@ + comment="Check remember parameter is present and correct in {{{ pwhistory_path }}}"> @@ -141,7 +141,7 @@ + comment="The regex is to collect the pam_pwhistory.so remember parameter in {{{ pwhistory_path }}}"> ^\s*remember\s*=\s*([0-9]+) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml index e6935603e8c..8072111368f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml 
@@ -49,8 +49,8 @@ ocil: |- {{% if product not in ["ol7"] %}} In newer systems, the pam_pwhistory PAM module options can also be set in - "/etc/security/pwhistory.conf" file. Use the following command to verify: -
$ grep remember /etc/security/pwhistory.conf
+    "{{{ pwhistory_path }}}" file. Use the following command to verify:
+    
$ grep remember {{{ pwhistory_path }}}
     remember = {{{ xccdf_value("var_password_pam_remember") }}}
The pam_pwhistory remember option must be configured only in one file. @@ -70,7 +70,7 @@ fixtext: |- {{% if product not in ["ol7"] %}} - If the pam_pwhistory.so module is used and the /etc/security/pwhistory.conf + If the pam_pwhistory.so module is used and the {{{ pwhistory_path }}} file is present in the system, use it to set the "remember" option:
remember = {{{ xccdf_value("var_password_pam_remember") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_conflict_settings.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_conflict_settings.fail.sh index a18fa3d6c60..1b1101fee23 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_conflict_settings.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_conflict_settings.fail.sh @@ -15,5 +15,5 @@ else fi authselect apply-changes -b -> /etc/security/pwhistory.conf -echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} +echo "remember = $remember_cnt" >> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_conf.pass.sh index bc6d5ab7fc9..f5c903fbf8d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_conf.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_conf.pass.sh @@ -16,5 +16,5 @@ else fi authselect apply-changes -b -> /etc/security/pwhistory.conf -echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} +echo "remember = $remember_cnt" >> {{{ pwhistory_path }}} 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_pam.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_pam.pass.sh index dd12efbc196..09ca27caa15 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_pam.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_correct_value_pam.pass.sh @@ -15,4 +15,4 @@ else fi authselect apply-changes -b -> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_argument.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_argument.fail.sh index 8ca16e11af3..6b2411c6c6d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_argument.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_argument.fail.sh @@ -18,4 +18,4 @@ else fi fi authselect apply-changes -b -> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_line.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_line.fail.sh index bc3c429f194..87cdb9ae574 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_line.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_missing_line.fail.sh @@ -14,4 +14,4 @@ else sed -i --follow-symlinks '/.*pam_pwhistory\.so/d' $CUSTOM_SYSTEM_AUTH fi authselect apply-changes -b -> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_modified_pam.fail.sh index 02d30f17a88..eec156bd0e1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_modified_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_modified_pam.fail.sh @@ -11,4 +11,4 @@ if ! $(grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE); then else sed -i --follow-symlinks "s/\(.*pam_pwhistory\.so.*remember=\)[[:digit:]]\+\s\(.*\)/\1/g" $SYSTEM_AUTH_FILE fi -> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_correct.pass.sh index 7f621502941..c3b84b4e368 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_correct.pass.sh 
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_correct.pass.sh @@ -17,4 +17,4 @@ else fi authselect apply-changes -b -> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_wrong.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_wrong.fail.sh index dc53f50b06a..14bb4cc48ce 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_wrong.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_pam_unix_legacy_wrong.fail.sh @@ -19,4 +19,4 @@ else sed -i --follow-symlinks "s/^(.*pam_unix\.so.*)(remember=[0-9]+)(.*)$/\1remember=$remember_cnt\3/" $CUSTOM_SYSTEM_AUTH fi authselect apply-changes -b -> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_conf.fail.sh index e25a158f75b..7b20136d5de 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_conf.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_conf.fail.sh 
@@ -16,5 +16,5 @@ else fi authselect apply-changes -b -> /etc/security/pwhistory.conf -echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} +echo "remember = $remember_cnt" >> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_pam.fail.sh index 253d50de10d..2b004972d24 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_pam.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/authselect_wrong_value_pam.fail.sh @@ -15,4 +15,4 @@ else fi authselect apply-changes -b -> /etc/security/pwhistory.conf +> {{{ pwhistory_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/policy/stig/shared.yml index c76a07e6862..9cbe6341b8c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/policy/stig/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/policy/stig/shared.yml 
@@ -20,15 +20,15 @@ checktext: |- Check the value for "dcredit" with the following command: - $ sudo grep dcredit /etc/security/pwquality.conf /etc/security/pwquality.conf/*.conf + $ sudo grep dcredit {{{ pwquality_path }}} /etc/security/pwquality.conf/*.conf - /etc/security/pwquality.conf:dcredit = -1 + {{{ pwquality_path }}}:dcredit = -1 If the value of "dcredit" is a positive number or is commented out, this is a finding. fixtext: |- Configure {{{ full_name }}} to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option. - Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + Add the following line to "{{{ pwquality_path }}}" (or modify the line to have the required value): dcredit = -1 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml index a8feb66b362..3be880008d9 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml @@ -8,7 +8,7 @@ description: |- usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in - /etc/security/pwquality.conf to require the use of a digit in passwords. + {{{ pwquality_path }}} to require the use of a digit in passwords. rationale: |- Use of a complex password helps to increase the time and resources required @@ -52,14 +52,14 @@ ocil: |- Check the value for "dcredit" with the following command: -
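Review bot: The templated grep on the new checktext line still carries the literal `/etc/security/pwquality.conf/*.conf` as its second argument, which is a `*.conf` glob under the pwquality.conf file itself; the ocil line of this rule's rule.yml in the next hunk uses `/etc/security/pwquality.conf.d/*.conf`, so the missing `.d` looks like a pre-existing typo the commit carries over, and the lcredit STIG hunk below has the same form. More generally the drop-in directory stays hard-coded beside the macro throughout: the dictcheck STIG and rule.yml hunks spell it `/etc/pwquality.conf.d/` while the enforce_root hunks use `/etc/security/pwquality.conf.d/`, and if `pwquality_path` can differ from `/etc/security/pwquality.conf` for some product the hard-coded directory will no longer sit next to the file the macro names, so deriving it from the macro or a sibling variable would keep the two in step. Suggested replacement for the grep line here: `$ sudo grep dcredit {{{ pwquality_path }}} /etc/security/pwquality.conf.d/*.conf`, with the matching `{{{ pwquality_path }}}:dcredit = -1` output line left as is.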
$ sudo grep dcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+    
$ sudo grep dcredit {{{ pwquality_path }}} /etc/security/pwquality.conf.d/*.conf
 
-    /etc/security/pwquality.conf:dcredit = {{{ xccdf_value('var_password_pam_dcredit') }}}
+ {{{ pwquality_path }}}:dcredit = {{{ xccdf_value('var_password_pam_dcredit') }}}
fixtext: |- Configure {{{ full_name }}} to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option. - Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + Add the following line to "{{{ pwquality_path }}}" (or modify the line to have the required value): dcredit = {{{ xccdf_value('var_password_pam_dcredit') }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/policy/stig/shared.yml index 94947d485fe..e213697a61e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/policy/stig/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/policy/stig/shared.yml 
@@ -11,15 +11,15 @@ vuldiscussion: |- checktext: |- Verify {{{ full_name }}} prevents the use of dictionary words for passwords with the following command: - $ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf + $ sudo grep dictcheck {{{ pwquality_path }}} /etc/pwquality.conf.d/*.conf - /etc/security/pwquality.conf:dictcheck=1 + {{{ pwquality_path }}}:dictcheck=1 If "dictcheck" does not have a value other than "0", or is commented out, this is a finding. fixtext: |- Configure {{{ full_name }}} to prevent the use of dictionary words for passwords. - Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter: + Add or update the following line in the "{{{ pwquality_path }}}" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter: dictcheck=1 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml index f3eef6a7ff0..859cfc1816c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml @@ -35,9 +35,9 @@ ocil_clause: '"dictcheck" does not have a value other than "0", or is commented ocil: |- Verify {{{ full_name }}} prevents the use of dictionary words for passwords with the following command: -
$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf
+    
$ sudo grep dictcheck {{{ pwquality_path }}} /etc/pwquality.conf.d/*.conf
 
-    /etc/security/pwquality.conf:dictcheck=1
+ {{{ pwquality_path }}}:dictcheck=1
platform: package[libpwquality] @@ -50,7 +50,7 @@ template: fixtext: |- Configure {{{ full_name }}} to prevent the use of dictionary words for passwords. - Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter: + Add or update the following line in the "{{{ pwquality_path }}}" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter: dictcheck=1 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/policy/stig/shared.yml index 08c5f07c3cb..82c64fef8bc 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/policy/stig/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/policy/stig/shared.yml @@ -17,9 +17,9 @@ vuldiscussion: |- Note that passwords which are changed on compromised systems will still be compromised, however. checktext: |- - Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command: + Verify the value of the "difok" option in "{{{ pwquality_path }}}" with the following command: - $ sudo grep difok /etc/security/pwquality.conf + $ sudo grep difok {{{ pwquality_path }}} difok = 8 
@@ -28,6 +28,6 @@ checktext: |- fixtext: |- Configure {{{ full_name }}} to require the change of at least 8 of the total number of characters when passwords are changed by setting the "difok" option. - Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + Add the following line to "{{{ pwquality_path }}}" (or modify the line to have the required value): difok = 8 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml index f6d4638b387..ddea274fc5d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml @@ -7,7 +7,7 @@ description: |- The pam_pwquality module's difok parameter sets the number of characters in a password that must not be present in and old password during a password change.

- Modify the difok setting in /etc/security/pwquality.conf + Modify the difok setting in {{{ pwquality_path }}} to equal {{{ xccdf_value("var_password_pam_difok") }}} to require differing characters when changing passwords. @@ -49,9 +49,9 @@ references: ocil_clause: 'the value of "difok" is set to less than "{{{ xccdf_value("var_password_pam_difok") }}}", or is commented out' ocil: |- - Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command: + Verify the value of the "difok" option in "{{{ pwquality_path }}}" with the following command: -
$ sudo grep difok /etc/security/pwquality.conf
+    
$ sudo grep difok {{{ pwquality_path }}}
 
     difok = {{{ xccdf_value("var_password_pam_difok") }}}
@@ -66,7 +66,7 @@ template: fixtext: |- Configure {{{ full_name }}} to require the change of at least {{{ xccdf_value("var_password_pam_difok") }}} of the total number of characters when passwords are changed by setting the "difok" option. - Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + Add the following line to "{{{ pwquality_path }}}" (or modify the line to have the required value): difok = {{{ xccdf_value("var_password_pam_difok") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml index ea7e644ff4c..563dda34d1e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml @@ -7,7 +7,7 @@ description: |- The pam_pwquality module's local_users_only parameter controls requirements for enforcing password complexity by pam_pwquality only for local user accounts and ignoring centralized user account management password complexity configurations. Enable the local_users_only - setting in /etc/security/pwquality.conf to require password complexity enforcement + setting in {{{ pwquality_path }}} to require password complexity enforcement for only local user accounts. rationale: |- @@ -29,7 +29,7 @@ ocil_clause: 'local_users_only is not uncommented or configured correctly' ocil: |- To verify if password complexities are only enforce on local users, run the following command: -
$ grep local_users_only /etc/security/pwquality.conf
+
$ grep local_users_only {{{ pwquality_path }}}
The output should return local_users_only uncommented. platform: package[libpwquality] @@ -43,6 +43,6 @@ template: name: "lineinfile" vars: text: "local_users_only" - path: "/etc/security/pwquality.conf" + path: "{{{ pwquality_path }}}" oval_extend_definitions: - accounts_password_pam_pwquality diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml index 2279436e1f7..ab23d4da109 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml @@ -1,7 +1,7 @@ {{% if product in ["ol8","ol9"] or 'rhel' in product %}} {{% set filepath_regex="^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$" %}} {{% else %}} -{{% set filepath_regex="^/etc/security/pwquality\.conf$" %}} +{{% set filepath_regex="^" + pwquality_path + "$" %}} {{% endif %}} @@ -13,7 +13,7 @@ diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/policy/stig/shared.yml index 6c7b4b36585..3dfd7d66058 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/policy/stig/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/policy/stig/shared.yml 
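Review bot: In the new `filepath_regex` assignment of the non-RHEL branch, `pwquality_path` is concatenated into a regular expression without escaping, so the `.` in `pwquality.conf` becomes a wildcard where the removed line had `pwquality\.conf`, and any other metacharacter that ends up in the path for some product would change the match silently. Escaping the value before concatenation, e.g. `{{% set filepath_regex="^" + (pwquality_path | replace(".", "\\.")) + "$" %}}`, restores the previous precision. The RHEL/OL branch two lines above still hard-codes `/etc/security/pwquality\.conf`, so the two branches will disagree if `pwquality_path` is ever set to a different value for those products. The file's second hunk (@@ -13,7) has no visible content here and was not reviewed.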
@@ -13,17 +13,15 @@ checktext: |- Check if root user is required to use complex passwords with the following command: - $ grep enforce_for_root /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + $ grep enforce_for_root {{{ pwquality_path }}} /etc/security/pwquality.conf.d/*.conf - /etc/security/pwquality.conf:enforce_for_root + {{{ pwquality_path }}}:enforce_for_root If "enforce_for_root" is commented or missing, this is a finding. fixtext: |- Configure {{{ full_name }}} to enforce password complexity on the root account. - Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "enforce_for_root" parameter: + Add or update the following line in the "{{{ pwquality_path }}}" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory to contain the "enforce_for_root" parameter: enforce_for_root - - diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml index 757b4cc1fb8..a30bc3b2bd4 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml @@ -6,7 +6,7 @@ title: 'Ensure PAM Enforces Password Requirements - Enforce for root User' description: |- The pam_pwquality module's enforce_for_root parameter controls requirements for enforcing password complexity for the root user. Enable the enforce_for_root - setting in /etc/security/pwquality.conf to require the root user + setting in {{{ pwquality_path }}} to require the root user to use complex passwords. rationale: |- 
@@ -36,14 +36,14 @@ ocil: |- Check if root user is required to use complex passwords with the following command: -
$ grep enforce_for_root /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+    
$ grep enforce_for_root {{{ pwquality_path }}} /etc/security/pwquality.conf.d/*.conf
 
-    /etc/security/pwquality.conf:enforce_for_root
+ {{{ pwquality_path }}}:enforce_for_root
fixtext: |- Configure {{{ full_name }}} to enforce password complexity on the root account. - Add or update the following line in /etc/security/pwquality.conf: + Add or update the following line in {{{ pwquality_path }}}: enforce_for_root @@ -56,6 +56,6 @@ template: name: "lineinfile" vars: text: "enforce_for_root" - path: "/etc/security/pwquality.conf" + path: "{{{ pwquality_path }}}" backends: oval: off diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/tests/commented_out.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/tests/commented_out.fail.sh index 6655826d4af..63824de7121 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/tests/commented_out.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/tests/commented_out.fail.sh @@ -1,4 +1,4 @@ #!/bin/bash mkdir -p /etc/security/pwquality.conf.d -sed -i '/enforce_for_root/d' /etc/security/pwquality.conf.d/*.conf /etc/security/pwquality.conf -echo '#enforce_for_root' > /etc/security/pwquality.conf +sed -i '/enforce_for_root/d' /etc/security/pwquality.conf.d/*.conf {{{ pwquality_path }}} +echo '#enforce_for_root' > {{{ pwquality_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/tests/correct_config.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/tests/correct_config.pass.sh index d374bb68b1b..0e0f863b65e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/tests/correct_config.pass.sh 
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/tests/correct_config.pass.sh @@ -1,3 +1,3 @@ #!/bin/bash touch /etc/security/pwquality.conf.d/example.conf -echo 'enforce_for_root' > /etc/security/pwquality.conf +echo 'enforce_for_root' > {{{ pwquality_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/tests/not_there.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/tests/not_there.fail.sh index c828bbe90f4..fca82489e2d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/tests/not_there.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/tests/not_there.fail.sh @@ -1,4 +1,4 @@ #!/bin/bash mkdir -p /etc/security/pwquality.conf.d touch /etc/security/pwquality.conf.d/example.conf -sed -i '/enforce_for_root/d' /etc/security/pwquality.conf.d/*.conf /etc/security/pwquality.conf +sed -i '/enforce_for_root/d' /etc/security/pwquality.conf.d/*.conf {{{ pwquality_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/rule.yml index 354a307c43e..53b571a0b6a 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/rule.yml 
@@ -10,7 +10,7 @@ description: |- Verify the pwquality module is being enforced by operating system by running the following command:
-    $ grep -i enforcing /etc/security/pwquality.conf
+    $ grep -i enforcing {{{ pwquality_path }}}
     enforcing = 1
     
@@ -34,7 +34,7 @@ ocil_clause: 'enforcing is not uncommented or configured correctly' ocil: |- To verify that enforcing is correctly applied, run the following command: -
$ grep -i enforcing /etc/security/pwquality.conf
+
$ grep -i enforcing {{{ pwquality_path }}}
The output should return enforcing = 1 uncommented. platform: package[libpwquality] @@ -50,8 +50,7 @@ template: name: "lineinfile" vars: text: "enforcing = 1" - path: "/etc/security/pwquality.conf" + path: "{{{ pwquality_path }}}" oval_extend_definitions: - accounts_password_pam_pwquality {{% endif %}} - diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/tests/commented.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/tests/commented.fail.sh index 10021875e2c..4e38a441b09 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/tests/commented.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/tests/commented.fail.sh @@ -1,3 +1,3 @@ #!/bin/bash -echo '# enforcing = 1' > /etc/security/pwquality.conf +echo '# enforcing = 1' > {{{ pwquality_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/tests/correct.pass.sh index d2a75c5fd4e..9c39941311a 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/tests/correct.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/tests/correct.pass.sh @@ -4,4 +4,4 @@ {{{ bash_pam_pwquality_enable() }}} {{% endif %}} -echo 'enforcing = 1' > /etc/security/pwquality.conf +echo 'enforcing = 1' > {{{ pwquality_path }}} 
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/tests/wrong_value.fail.sh index 77b2d85e38f..deb5d5eaa27 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/tests/wrong_value.fail.sh @@ -1,3 +1,3 @@ #!/bin/bash -echo 'enforcing = 0' > /etc/security/pwquality.conf +echo 'enforcing = 0' > {{{ pwquality_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/policy/stig/shared.yml index 79c663f98b9..7a725cef15a 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/policy/stig/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/policy/stig/shared.yml 
@@ -18,15 +18,15 @@ checktext: |- Check the value for "lcredit" with the following command: - $ sudo grep lcredit /etc/security/pwquality.conf /etc/security/pwquality.conf/*.conf + $ sudo grep lcredit {{{ pwquality_path }}} /etc/security/pwquality.conf/*.conf - /etc/security/pwquality.conf:lcredit = -1 + {{{ pwquality_path }}}:lcredit = -1 If the value of "lcredit" is a positive number or is commented out, this is a finding. fixtext: |- Configure {{{ full_name }}} to enforce password complexity by requiring that at least one lower-case character be used by setting the "lcredit" option. - Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + Add the following line to "{{{ pwquality_path }}}" (or modify the line to have the required value): lcredit = -1 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml index 7d9481339c5..f9e970dc509 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml @@ -8,7 +8,7 @@ description: |- usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in - /etc/security/pwquality.conf to require the use of a lowercase character in passwords. + {{{ pwquality_path }}} to require the use of a lowercase character in passwords. rationale: |- Use of a complex password helps to increase the time and resources required 
@@ -52,14 +52,14 @@ ocil: |- Check the value for "lcredit" with the following command: -
$ sudo grep lcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+    
$ sudo grep lcredit {{{ pwquality_path }}} /etc/security/pwquality.conf.d/*.conf
 
-    /etc/security/pwquality.conf:lcredit = -1
+ {{{ pwquality_path }}}:lcredit = -1
fixtext: |- Configure {{{ full_name }}} to enforce password complexity by requiring that at least one lower-case character be used by setting the "lcredit" option. - Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + Add the following line to "{{{ pwquality_path }}}" (or modify the line to have the required value): lcredit = {{{ xccdf_value('var_password_pam_lcredit') }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/policy/stig/shared.yml index 0f91c8176e5..8dd367b620b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/policy/stig/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/policy/stig/shared.yml @@ -11,9 +11,9 @@ vuldiscussion: |- password is compromised. checktext: |- - Verify the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: + Verify the value of the "maxclassrepeat" option in "{{{ pwquality_path }}}" with the following command: - $ grep maxclassrepeat /etc/security/pwquality.conf + $ grep maxclassrepeat {{{ pwquality_path }}} maxclassrepeat = 4 @@ -22,6 +22,6 @@ checktext: |- fixtext: |- Configure {{{ full_name }}} to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option. - Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value): + Add the following line to "{{{ pwquality_path }}}" conf (or modify the line to have the required value): maxclassrepeat = 4 
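Review bot: The new fixtext line still reads `Add the following line to "{{{ pwquality_path }}}" conf (or modify the line to have the required value):`; the `conf` after the quoted path appears to be a leftover and now renders as a stray word in the STIG text. The same wording recurs in the maxclassrepeat rule.yml fixtext hunk below. Suggested: `Add the following line to "{{{ pwquality_path }}}" (or modify the line to have the required value):`, which matches the maxrepeat and difok fixtexts in the neighbouring hunks.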
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml index 661ee296ac6..e73461f9240 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml @@ -7,7 +7,7 @@ description: |- The pam_pwquality module's maxclassrepeat parameter controls requirements for consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters from the same character class. Modify the - maxclassrepeat setting in /etc/security/pwquality.conf to equal {{{ xccdf_value("var_password_pam_maxclassrepeat") }}} + maxclassrepeat setting in {{{ pwquality_path }}} to equal {{{ xccdf_value("var_password_pam_maxclassrepeat") }}} to prevent a run of ({{{ xccdf_value("var_password_pam_maxclassrepeat") }}} + 1) or more identical characters. rationale: |- @@ -41,9 +41,9 @@ references: ocil_clause: the value of "maxclassrepeat" is set to "0", more than "{{{ xccdf_value("var_password_pam_maxclassrepeat") }}}" or is commented out ocil: |- - Verify the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: + Verify the value of the "maxclassrepeat" option in "{{{ pwquality_path }}}" with the following command: -
$ grep maxclassrepeat /etc/security/pwquality.conf
+    
$ grep maxclassrepeat {{{ pwquality_path }}}
 
     maxclassrepeat = {{{ xccdf_value("var_password_pam_maxclassrepeat") }}}
@@ -59,7 +59,7 @@ template: fixtext: |- Configure {{{ full_name }}} to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option. - Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value): + Add the following line to "{{{ pwquality_path }}}" conf (or modify the line to have the required value): maxclassrepeat = {{{ xccdf_value("var_password_pam_maxclassrepeat") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/policy/stig/shared.yml index b1b8c029c06..496340c1dfb 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/policy/stig/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/policy/stig/shared.yml @@ -11,9 +11,9 @@ vuldiscussion: |- password is compromised. checktext: |- - Verify the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command: + Verify the value of the "maxrepeat" option in "{{{ pwquality_path }}}" with the following command: - $ grep maxrepeat /etc/security/pwquality.conf + $ grep maxrepeat {{{ pwquality_path }}} maxrepeat = 3 @@ -22,6 +22,6 @@ checktext: |- fixtext: |- Configure {{{ full_name }}} to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option. - Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + Add the following line to "{{{ pwquality_path }}}" (or modify the line to have the required value): maxrepeat = 3 
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml index 439b2082b2c..effd993b1fe 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml @@ -7,7 +7,7 @@ description: |- The pam_pwquality module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Modify the maxrepeat setting - in /etc/security/pwquality.conf to equal {{{ xccdf_value("var_password_pam_maxrepeat") }}} to prevent a + in {{{ pwquality_path }}} to equal {{{ xccdf_value("var_password_pam_maxrepeat") }}} to prevent a run of ({{{ xccdf_value("var_password_pam_maxrepeat") }}} + 1) or more identical characters. rationale: |- @@ -43,9 +43,9 @@ references: ocil_clause: the value of "maxrepeat" is set to more than "{{{ xccdf_value("var_password_pam_maxrepeat") }}}" or is commented out ocil: |- - Verify the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command: + Verify the value of the "maxrepeat" option in "{{{ pwquality_path }}}" with the following command: -
$ grep maxrepeat /etc/security/pwquality.conf
+    
$ grep maxrepeat {{{ pwquality_path }}}
 
     maxrepeat = {{{ xccdf_value("var_password_pam_maxrepeat") }}}
@@ -63,7 +63,7 @@ template: fixtext: |- Configure {{{ full_name }}} to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option. - Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + Add the following line to "/{{{ pwquality_path }}}" (or modify the line to have the required value): maxrepeat = {{{ xccdf_value("var_password_pam_maxrepeat") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/policy/stig/shared.yml index eefd019d804..d8f4c1dda58 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/policy/stig/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/policy/stig/shared.yml @@ -11,9 +11,9 @@ vuldiscussion: |- password is compromised. checktext: |- - Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command: + Verify the value of the "minclass" option in "{{{ pwquality_path }}}" with the following command: - $ grep minclass /etc/security/pwquality.conf + $ grep minclass {{{ pwquality_path }}} minclass = 4 @@ -22,6 +22,6 @@ checktext: |- fixtext: |- Configure {{{ full_name }}} to require the change of at least 4 character classes when passwords are changed by setting the "minclass" option. - Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + Add the following line to "{{{ pwquality_path }}}" (or modify the line to have the required value): minclass = 4 
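Review bot: The new fixtext line in the maxrepeat rule.yml hunk `@@ -63,7` has an extra slash in front of the macro: `Add the following line to "/{{{ pwquality_path }}}" (or modify the line to have the required value):`. If `pwquality_path` expands to an absolute path, as the other hunks on this page imply, the rendered guidance will show a doubled leading slash. It should match the surrounding rules: `Add the following line to "{{{ pwquality_path }}}" (or modify the line to have the required value):`.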
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml index 1db28272a56..64d3c1fc49d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml @@ -17,7 +17,7 @@ description: |- * Digits * Special characters (for example, punctuation)
- Modify the minclass setting in /etc/security/pwquality.conf entry + Modify the minclass setting in {{{ pwquality_path }}} entry to require {{{ xccdf_value("var_password_pam_minclass") }}} differing categories of characters when changing passwords. @@ -55,9 +55,9 @@ references: ocil_clause: the value of "minclass" is set to less than "{{{ xccdf_value("var_password_pam_minclass") }}}" or is commented out ocil: |- - Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command: + Verify the value of the "minclass" option in "{{{ pwquality_path }}}" with the following command: -
$ grep minclass /etc/security/pwquality.conf
+    
$ grep minclass {{{ pwquality_path }}}
 
     minclass = {{{ xccdf_value("var_password_pam_minclass") }}}
@@ -72,7 +72,7 @@ template: fixtext: |- Configure {{{ full_name }}} to require the change of at least {{{ xccdf_value("var_password_pam_minclass") }}} character classes when passwords are changed by setting the "minclass" option. - Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + Add the following line to "{{{ pwquality_path }}}" (or modify the line to have the required value): minclass = {{{ xccdf_value("var_password_pam_minclass") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/policy/stig/shared.yml index 1ef08a664bf..b01bbb434bc 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/policy/stig/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/policy/stig/shared.yml 
@@ -6,7 +6,7 @@ vuldiscussion: |- Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. - {{{ full_name }}} utilizes "pwquality" as a mechanism to enforce password complexity. Configurations are set in the "etc/security/pwquality.conf" file. + {{{ full_name }}} utilizes "pwquality" as a mechanism to enforce password complexity. Configurations are set in the "{{{ pwquality_path }}}" file. The "minlen", sometimes noted as minimum length, acts as a "score" of complexity based on the credit components of the "pwquality" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total "score" of "minlen". This will enable "minlen" to require a 15-character minimum. @@ -15,7 +15,7 @@ vuldiscussion: |- checktext: |- Verify that {{{ full_name }}} enforces a minimum 15-character password length with the following command: - $ grep minlen /etc/security/pwquality.conf + $ grep minlen {{{ pwquality_path }}} minlen = 15 @@ -24,6 +24,6 @@ checktext: |- fixtext: |- Configure {{{ full_name }}} to enforce a minimum 15-character password length. - Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + Add the following line to "{{{ pwquality_path }}}" (or modify the line to have the required value): minlen = 15 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml index d1e07169c90..0aa3acff19f 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml @@ -50,14 +50,14 @@ ocil_clause: 'the command does not return a "minlen" value of "{{{ xccdf_value(" ocil: |- Verify that {{{ full_name }}} enforces a minimum {{{ xccdf_value("var_password_pam_minlen") }}}-character password length with the following command: -
$ grep minlen /etc/security/pwquality.conf
+    
$ grep minlen {{{ pwquality_path }}}
 
     minlen = {{{ xccdf_value("var_password_pam_minlen") }}}
fixtext: |- Configure {{{ full_name }}} to enforce a minimum {{{ xccdf_value("var_password_pam_minlen") }}}-character password length. - Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + Add the following line to "{{{ pwquality_path }}}" (or modify the line to have the required value): minlen = {{{ xccdf_value("var_password_pam_minlen") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/policy/stig/shared.yml index ede5507dd8c..ea8c1163109 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/policy/stig/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/policy/stig/shared.yml 
@@ -6,12 +6,12 @@ vuldiscussion: |- Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - {{{ full_name }}} utilizes "pwquality" as a mechanism to enforce password complexity. Note that to require special characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "/etc/security/pwquality.conf". + {{{ full_name }}} utilizes "pwquality" as a mechanism to enforce password complexity. Note that to require special characters without degrading the "minlen" value, the credit value must be expressed as a negative number in "{{{ pwquality_path }}}". checktext: |- Verify that {{{ full_name }}} enforces password complexity by requiring that at least one special character with the following command: - $ sudo grep ocredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + $ sudo grep ocredit {{{ pwquality_path }}} /etc/security/pwquality.conf.d/*.conf ocredit = -1 @@ -20,6 +20,6 @@ checktext: |- fixtext: |- Configure {{{ full_name }}} to enforce password complexity by requiring that at least one special character be used by setting the "ocredit" option. - Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + Add the following line to "{{{ pwquality_path }}}" (or modify the line to have the required value): ocredit = -1 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml index 8621dacad6d..d6944c1703f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml 
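Review bot: In the new checktext line `$ sudo grep ocredit {{{ pwquality_path }}} /etc/security/pwquality.conf.d/*.conf` the main file is now templated but the drop-in directory stays hard-coded, so on any product where `pwquality_path` resolves to something other than `/etc/security/pwquality.conf` the command would search a directory that does not belong to that file. Presumably the directory should be derived from the same variable, e.g. `{{{ pwquality_path }}}.d/*.conf`, or a short comment should state that the drop-in directory is product-independent. The same split appears in the ocredit rule.yml ocil on L140 and in the pwquality_retry policy checktext and fixtext on L149 and L151.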
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml @@ -9,7 +9,7 @@ description: |- any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting - in /etc/security/pwquality.conf to equal {{{ xccdf_value("var_password_pam_ocredit") }}} + in {{{ pwquality_path }}} to equal {{{ xccdf_value("var_password_pam_ocredit") }}} to require use of a special character in passwords. rationale: |- @@ -51,14 +51,14 @@ ocil_clause: 'value of "ocredit" is a positive number or is commented out' ocil: |- Verify that {{{ full_name }}} enforces password complexity by requiring that at least one special character with the following command: -
$ sudo grep ocredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+    
$ sudo grep ocredit {{{ pwquality_path }}} /etc/security/pwquality.conf.d/*.conf
 
     ocredit = {{{ xccdf_value("var_password_pam_ocredit") }}}
fixtext: |- Configure {{{ full_name }}} to enforce password complexity by requiring that at least one special character be used by setting the "ocredit" option. - Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + Add the following line to "{{{ pwquality_path }}}" (or modify the line to have the required value): ocredit = {{{ xccdf_value("var_password_pam_ocredit") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/tests/ospp.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/tests/ospp.pass.sh index 36a3733728e..a8284c2b6e6 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/tests/ospp.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/tests/ospp.pass.sh @@ -2,4 +2,4 @@ # # profiles = xccdf_org.ssgproject.content_profile_ospp -echo "ocredit=-1" > /etc/security/pwquality.conf +echo "ocredit=-1" > {{{ pwquality_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/tests/ospp_invalid.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/tests/ospp_invalid.fail.sh index bf3cd53d0e7..4e68214c1a0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/tests/ospp_invalid.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/tests/ospp_invalid.fail.sh 
@@ -2,4 +2,4 @@ # # profiles = xccdf_org.ssgproject.content_profile_ospp -echo "ocredit=4" > /etc/security/pwquality.conf +echo "ocredit=4" > {{{ pwquality_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/tests/ospp_stricter.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/tests/ospp_stricter.pass.sh index 7f515890915..dc3f6f5b52e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/tests/ospp_stricter.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/tests/ospp_stricter.pass.sh @@ -2,4 +2,4 @@ # # profiles = xccdf_org.ssgproject.content_profile_ospp -echo "ocredit=-2" > /etc/security/pwquality.conf +echo "ocredit=-2" > {{{ pwquality_path }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/ansible/shared.yml new file mode 100644 index 00000000000..3914b01dbfc --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/ansible/shared.yml @@ -0,0 +1,7 @@ +# platform = multi_platform_sle +# reboot = false +# strategy = configure +# complexity = low +# disruption = medium + +{{{ ansible_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'requisite', 'pam_pwquality.so', '', '', 'BOF', rule_id=rule_id, rule_title=rule_title) }}} 
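Review bot: The new ansible/shared.yml for accounts_password_pam_pwquality_enabled declares `# platform = multi_platform_sle` and unconditionally targets `/etc/pam.d/common-password`, while the bash counterpart on L145 guards the same helper with `{{% if product in ['sle15', 'sle16'] %}}` and otherwise falls through to `bash_pam_pwquality_enable()`, and the new oval/sle.xml on L146 only sets `configuration_files` inside that same guard. If `multi_platform_sle` covers any product outside that list, the Ansible fix would run, the bash fix would apply the non-SLE helper, and the OVAL `{{% for file in configuration_files %}}` would iterate an undefined variable. Either narrow the platform lines to the guarded products or add an `{{% else %}}` branch in the OVAL and bash files so the three remediation/check paths agree.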
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh index 38f2d36dbe2..f7900437492 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh @@ -1,3 +1,7 @@ -# platform = multi_platform_ubuntu +# platform = multi_platform_sle,multi_platform_ubuntu +{{% if product in ['sle15', 'sle16'] %}} +{{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'requisite', 'pam_pwquality.so', '', '', 'BOF') }}} +{{% else %}} {{{ bash_pam_pwquality_enable() }}} +{{% endif %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/sle.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/sle.xml new file mode 100644 index 00000000000..26121be2125 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/sle.xml 
@@ -0,0 +1,37 @@ +{{% if product in ['sle15', 'sle16'] %}} +{{% set configuration_files = ["common-password"] %}} +{{% endif %}} + + + {{{ oval_metadata("Check pam_pwquality module is enabled", rule_title=rule_title) }}} + + {{% for file in configuration_files %}} + + {{% endfor %}} + + + + {{% macro test_pwquality_enabled(path, test_ref) %}} + + + + {{% endmacro %}} + + {{% macro object_pwquality_enabled(path, test_ref) %}} + + {{{ path }}} + ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$ + 1 + + {{% endmacro %}} + + {{% for file in configuration_files %}} + {{{ test_pwquality_enabled( path="/etc/pam.d/" ~ file , + test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}} + {{{ object_pwquality_enabled( path="/etc/pam.d/" ~ file , + test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}} + {{% endfor %}} + diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_retry/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_retry/policy/stig/shared.yml index cd84a4f84ce..7c66bfb955f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_retry/policy/stig/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_retry/policy/stig/shared.yml @@ -24,7 +24,7 @@ checktext: |- Check for the use of the retry option in the security directory with the following command: -
$ grep -w retry /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+
$ grep -w retry {{{ pwquality_path }}} /etc/security/pwquality.conf.d/*.conf
retry = 3
@@ -33,7 +33,7 @@ checktext: |- fixtext: |- - Add or update the following line in the "/etc/security/pwquality.conf" file + Add or update the following line in the "{{{ pwquality_path }}}" file or a file in the "/etc/security/pwquality.conf.d/" directory to contain the "retry" parameter: diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_retry/rule.yml index ff27eed6de6..5b5427b5f8f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_retry/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_retry/rule.yml @@ -1,11 +1,11 @@ documentation_complete: true -title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session in /etc/security/pwquality.conf' +title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session in {{{ pwquality_path }}}' description: |- To configure the number of retry prompts that are permitted per-session: - Edit the /etc/security/pwquality.conf to include + Edit the {{{ pwquality_path }}} to include retry={{{xccdf_value("var_password_pam_retry") }}}, or a lower value if site policy is more restrictive. The profile requirement is a maximum of retry={{{xccdf_value("var_password_pam_retry") }}} prompts per session. @@ -35,7 +35,7 @@ ocil: |- Verify {{{ full_name }}} is configured to limit the "pwquality" retry option to {{{ xccdf_value("var_password_pam_retry") }}}. Check for the use of the "pwquality" retry option in the pwquality.conf file with the following command: -
$ grep retry /etc/security/pwquality.conf
+
$ grep retry {{{ pwquality_path }}}
template: name: accounts_password diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml index 423c20b3fd9..e95e96d9e49 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml @@ -1,9 +1,9 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_almalinux +# platform = Red Hat Virtualization 4,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle # reboot = false # strategy = configure # complexity = low # disruption = medium -{{% if 'ubuntu' in product %}} +{{% if 'ubuntu' in product or product in ['sle15', 'sle16'] %}} {{% set configuration_files = ["common-password"] %}} {{% elif 'ol' in families or 'rhel' in product or 'almalinux' in product %}} {{% set configuration_files = ["password-auth","system-auth"] %}} @@ -13,11 +13,11 @@ {{{ ansible_instantiate_variables("var_password_pam_retry") }}} -{{% if product in ['rhel8', 'rhel9', 'almalinux'] -%}} +{{% if product in ['rhel8', 'rhel9', 'almalinux', 'sle15', 'sle16'] -%}} - name: Ensure PAM variable retry is set accordingly ansible.builtin.lineinfile: create: yes - dest: "/etc/security/pwquality.conf" + dest: "{{{ pwquality_path }}}" regexp: '^\s*retry' line: "retry = {{ var_password_pam_retry }}" {{% for cfile in configuration_files %}} 
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh index 2b4ade92754..038b92cbe0d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh @@ -2,6 +2,8 @@ {{% if 'ol' in families or 'rhel' in product %}} {{% set configuration_files = ["password-auth","system-auth"] %}} +{{% elif product in ['sle15', 'sle16'] %}} +{{% set configuration_files = ["common-password"] %}} {{% else %}} {{% set configuration_files = ["system-auth"] %}} {{% endif %}} @@ -9,15 +11,15 @@ {{{ bash_instantiate_variables("var_password_pam_retry") }}} -{{% if 'rhel' in product -%}} - {{{ bash_replace_or_append('/etc/security/pwquality.conf', +{{% if 'rhel' in product or product in ['sle15', 'sle16'] -%}} + {{{ bash_replace_or_append(pwquality_path, '^retry', '$var_password_pam_retry', '%s = %s', cce_identifiers=cce_identifiers) }}} {{% for cfile in configuration_files %}} {{{ bash_remove_pam_module_option_configuration(pam_file='/etc/pam.d/' ~ cfile, group='password', - control="", + control="", module='pam_pwquality.so', option='retry') }}} {{% endfor %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml index 24020830de4..59a6928b85d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml 
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml @@ -1,6 +1,6 @@ -{{% if 'ubuntu' in product or 'debian' in product %}} +{{% if 'ubuntu' in product or 'debian' in product or product in ['sle15', 'sle16'] %}} {{% set configuration_files = ["common-password"] %}} -{{% elif product in ['ol8','ol9'] or 'rhel' in product %}} +{{% elif product in ['ol8', 'ol9'] or 'rhel' in product %}} {{% set configuration_files = ["password-auth","system-auth"] %}} {{% else %}} {{% set configuration_files = ["system-auth"] %}} @@ -9,7 +9,7 @@ {{{ oval_metadata("The password retry should meet minimum requirements", rule_title=rule_title) }}} - {{% if 'debian' not in product and 'ubuntu' not in product %}} + {{% if 'debian' not in product and 'ubuntu' not in product and product not in ['sle15', 'sle16'] %}} {{% endif %}} @@ -20,13 +20,13 @@ {{% endfor %}} {{% if 'ol' not in families%}} - + {{% for file in configuration_files %}} {{% endfor %}} - {{% endif %}} @@ -89,14 +89,14 @@ {{% if 'ol' not in families %}} + comment="check the configuration of {{{ pwquality_path }}}"> - /etc/security/pwquality.conf + {{{ pwquality_path }}} ^[\s]*retry[\s]*=[\s]*(\d+)(?:[\s]|$) 1 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml index 23cb7d257ef..4dbcdb9759f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml 
@@ -5,8 +5,8 @@ title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts description: |- To configure the number of retry prompts that are permitted per-session: - {{% if product in ['ol8', 'ol9'] or 'rhel' in product %}} - Edit the /etc/security/pwquality.conf to include + {{% if product in ['ol8', 'ol9'] or 'rhel' in product or product in ['sle15', 'sle16'] %}} + Edit the {{{ pwquality_path }}} to include {{% else %}} Edit the pam_pwquality.so statement in {{% if 'ubuntu' not in product and 'debian' not in product %}} @@ -50,12 +50,12 @@ ocil_clause: 'the value of "retry" is set to "0" or greater than "{{{ xccdf_valu ocil: |- Verify {{{ full_name }}} is configured to limit the "pwquality" retry option to {{{ xccdf_value("var_password_pam_retry") }}}. - {{% if product in ['ol8', 'ol9'] or 'rhel' in product %}} - Check for the use of the "pwquality" retry option in the pwquality.conf file with the following command: -
$ grep retry /etc/security/pwquality.conf
+ {{% if product in ['ol8', 'ol9', 'sle15', 'sle16'] or 'rhel' in product %}} + Check for the use of the "pwquality" retry option in the {{{ pwquality_path }}} file with the following command: +
$ grep retry {{{ pwquality_path }}}
{{% else %}} Check for the use of the "pwquality" retry option in the PAM files with the following command: - {{% if 'ubuntu' in product or 'debian' in product %}} + {{% if 'ubuntu' in product or 'debian' in product or product in ['sle15', 'sle16'] %}}
$ grep pam_pwquality /etc/pam.d/common-password
{{% else %}}
$ grep pam_pwquality /etc/pam.d/system-auth
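Review bot: The clause added to the inner condition `{{% if 'ubuntu' in product or 'debian' in product or product in ['sle15', 'sle16'] %}}` is unreachable, because it sits in the `{{% else %}}` branch of the outer `{{% if product in ['ol8', 'ol9', 'sle15', 'sle16'] or 'rhel' in product %}}` which already captures sle15 and sle16. The same dead clause is likely in the fixtext hunk `@@ -73,8` on L166, which uses the same outer condition; drop the inner addition or document why it is kept. As a point of style, the description hunk `@@ -5,8` writes the outer test as `product in ['ol8', 'ol9'] or 'rhel' in product or product in ['sle15', 'sle16']` while ocil and fixtext fold sle into the first list; pick one form for the file.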
@@ -73,8 +73,8 @@ platform: package[libpwquality]
 fixtext: |-
 Configure {{{ full_name }}} to limit the "pwquality" retry option to {{{ xccdf_value("var_password_pam_retry") }}}.
- {{% if product in ['ol8', 'ol9'] or 'rhel' in product %}}
- Add the following line to the "/etc/security/pwquality.conf" file (or modify the line to have the required value):
+ {{% if product in ['ol8', 'ol9', 'sle15', 'sle16'] or 'rhel' in product %}}
+ Add the following line to the "{{{ pwquality_path }}}" file (or modify the line to have the required value):
 retry={{{ xccdf_value("var_password_pam_retry") }}}
 {{% else %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/argument_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/argument_missing.fail.sh
index cd2aba80e64..71408925d90 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/argument_missing.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/argument_missing.fail.sh
@@ -1,8 +1,10 @@
 #!/bin/bash
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_ubuntu,multi_platform_almalinux
+# platform = Red Hat Virtualization 4,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
 # variables = var_password_pam_retry=3
 {{% if 'ol' in families %}}
 # packages = authselect
+{{% elif product in ['sle15', 'sle16'] %}}
+# packages = libpwquality1
 {{% endif %}}
 source common.sh
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh
index 25c99268098..9dbb0a0168d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh
@@ -1,4 +1,4 @@
-{{% if 'ubuntu' in product %}}
+{{% if 'ubuntu' in product or product in ['sle15', 'sle16'] %}}
 configuration_files=("common-password")
 {{% elif 'ol' in families or 'rhel' in product %}}
 configuration_files=("password-auth" "system-auth")
@@ -24,4 +24,4 @@ for file in ${configuration_files[@]}; do
 done
 {{% endif%}}
-truncate -s 0 /etc/security/pwquality.conf
+truncate -s 0 {{{ pwquality_path }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_commented.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_commented.fail.sh
index a151577a500..81983e0ffc0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_commented.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_commented.fail.sh
@@ -5,7 +5,7 @@ source common.sh
-CONF_FILE="/etc/security/pwquality.conf"
+CONF_FILE="{{{ pwquality_path }}}"
 retry_cnt=3
 if grep -q "^.*retry\s*=" "$CONF_FILE"; then
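Review bot: In common.sh the new `truncate -s 0 {{{ pwquality_path }}}` leaves the expanded path unquoted, unlike the `CONF_FILE="{{{ pwquality_path }}}"` assignments in the sibling tests and the quoted `"{{{ pwquality_path }}}"` used throughout `shared/templates/accounts_password/tests/`; the same applies to `echo "retry = 3" > {{{ pwquality_path }}}` in pwquality_conf_overriden.fail.sh. The property values defined in this commit contain no whitespace, but quoting keeps the scripts correct if a future override does: `truncate -s 0 "{{{ pwquality_path }}}"`.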
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
index 36ddc1d9464..c3c66525870 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
@@ -5,7 +5,7 @@ source common.sh
-CONF_FILE="/etc/security/pwquality.conf"
+CONF_FILE="{{{ pwquality_path }}}"
 retry_cnt=3
 truncate -s 0 $CONF_FILE
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct.pass.sh
index d65976fa13b..dba54f3dc80 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct.pass.sh
@@ -5,7 +5,7 @@ source common.sh
-CONF_FILE="/etc/security/pwquality.conf"
+CONF_FILE="{{{ pwquality_path }}}"
 retry_cnt=3
 if grep -q "^.*retry\s*=" "$CONF_FILE"; then
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct_with_space.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct_with_space.pass.sh
index 39f98ec3faa..ced31e1d496 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct_with_space.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct_with_space.pass.sh
@@ -5,7 +5,7 @@ source common.sh
-CONF_FILE="/etc/security/pwquality.conf"
+CONF_FILE="{{{ pwquality_path }}}"
 retry_cnt=3
 if grep -q "^.*retry\s*=" "$CONF_FILE"; then
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
index d2a2dc2d07b..ec09ced67de 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
@@ -5,7 +5,7 @@ source common.sh
-CONF_FILE="/etc/security/pwquality.conf"
+CONF_FILE="{{{ pwquality_path }}}"
 retry_cnt=3
 truncate -s 0 $CONF_FILE
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_overriden.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_overriden.fail.sh
index 2bd6c06a50e..bb17e7bfce8 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_overriden.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_overriden.fail.sh
@@ -5,7 +5,7 @@ source common.sh
-echo "retry = 3" > /etc/security/pwquality.conf
+echo "retry = 3" > {{{ pwquality_path }}}
 for file in ${configuration_files[@]}; do
 {{{ bash_ensure_pam_module_option('/etc/authselect/custom/testingProfile/$file',
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_wrong.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_wrong.fail.sh
index 459ae7843ce..92997aa60df 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_wrong.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_wrong.fail.sh
@@ -5,7 +5,7 @@ source common.sh
-CONF_FILE="/etc/security/pwquality.conf"
+CONF_FILE="{{{ pwquality_path }}}"
 retry_cnt=7
 if grep -q "^.*retry\s*=" "$CONF_FILE"; then
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/policy/stig/shared.yml
index 6bc199e3bfd..c39dd058eab 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/policy/stig/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/policy/stig/shared.yml
@@ -18,7 +18,7 @@ checktext: |-
 Check the value for "ucredit" with the following command:
- $ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf/*.conf
+ $ sudo grep ucredit {{{ pwquality_path }}} /etc/security/pwquality.conf/*.conf
 ucredit = -1
@@ -27,6 +27,6 @@ checktext: |-
 fixtext: |-
 Configure {{{ full_name }}} to enforce password complexity by requiring that at least one upper-case character be used by setting the "ucredit" option.
- Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
+ Add the following line to {{{ pwquality_path }}} (or modify the line to have the required value):
 ucredit = -1
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
index a8ce84933b8..ee99e46b003 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
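Review bot: The rewritten checktext line carries over the pre-existing typo `/etc/security/pwquality.conf/*.conf` — that glob treats the config file as a directory and can never match, so the STIG check text effectively inspects only `{{{ pwquality_path }}}` and would not surface a conflicting `ucredit` set in a drop-in; the rule.yml counterpart in the next file section spells it `/etc/security/pwquality.conf.d/*.conf`. Since the line is being touched anyway, make it `$ sudo grep ucredit {{{ pwquality_path }}} /etc/security/pwquality.conf.d/*.conf`.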
@@ -8,7 +8,7 @@ description: |-
 usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in
- /etc/security/pwquality.conf to require the use of an uppercase character in passwords.
+ {{{ pwquality_path }}} to require the use of an uppercase character in passwords.
 rationale: |-
 Use of a complex password helps to increase the time and resources required to compromise the password.
@@ -49,14 +49,14 @@ ocil: |-
 Check the value for "ucredit" with the following command:
- $ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+ $ sudo grep ucredit {{{ pwquality_path }}} /etc/security/pwquality.conf.d/*.conf
 ucredit = -1
 fixtext: |-
 Configure {{{ full_name }}} to enforce password complexity by requiring that at least one upper-case character be used by setting the "ucredit" option.
- Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
+ Add the following line to {{{ pwquality_path }}} (or modify the line to have the required value):
 ucredit = {{{ xccdf_value("var_password_pam_ucredit") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/group.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/group.yml
index d467e7803e4..ea32856dfb6 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/group.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/group.yml
@@ -11,7 +11,7 @@ description: |-
 character, make sure that pam_pwquality exists in /etc/pam.d/system-auth:
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth.
- Next, modify the settings in /etc/security/pwquality.conf to match the following:
+ Next, modify the settings in {{{ pwquality_path }}} to match the following:
difok = 4
     minlen = 14
     dcredit = -1
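Review bot: The group description still directs the reader to `/etc/pam.d/system-auth` for the pam_pwquality line, while the rest of this commit routes sle15/sle16 (alongside ubuntu/debian) through `/etc/pam.d/common-password`; only the sentence naming `{{{ pwquality_path }}}` was parameterised, the two PAM-file mentions around it were not. Either parameterise those the same way or qualify the sentence, e.g. `… exists in /etc/pam.d/system-auth (or /etc/pam.d/common-password on Debian-style and SUSE PAM stacks):`.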
diff --git a/product_properties/10-pwhistory-conf.yml b/product_properties/10-pwhistory-conf.yml
new file mode 100644
index 00000000000..b94e4c5461e
--- /dev/null
+++ b/product_properties/10-pwhistory-conf.yml
@@ -0,0 +1,7 @@
+default:
+  pwhistory_path: "/etc/security/pwhistory.conf"
+
+overrides:
+{{% if product == 'sle16' %}}
+  pwhistory_path: "/usr/etc/security/pwhistory.conf"
+{{% endif %}}
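Review bot: The sle16 override points checks and remediations at a vendor-default location (`/usr/etc/security/pwhistory.conf` here, `/usr/lib/security/pwquality.conf` in the sibling `10-pwquality-conf.yml`), so the bash and ansible remediations in this commit will edit a file the package owns and may replace on update, and the OVAL checks will not see an administrator copy under `/etc/security/` if the module prefers one. Please confirm how pam_pwhistory and libpwquality on SLE 16 resolve the two locations and record the outcome next to the override, e.g. `# sle16 ships the default under /usr; the check reads that file because <reason>`. It is also worth confirming that the property loader tolerates `overrides:` rendering as an empty (null) mapping for every product other than sle16, since the Jinja block leaves the key with no value there.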
diff --git a/product_properties/10-pwquality-conf.yml b/product_properties/10-pwquality-conf.yml
new file mode 100644
index 00000000000..8a991951eb7
--- /dev/null
+++ b/product_properties/10-pwquality-conf.yml
@@ -0,0 +1,7 @@
+default:
+  pwquality_path: "/etc/security/pwquality.conf"
+
+overrides:
+{{% if product == 'sle16' %}}
+  pwquality_path: "/usr/lib/security/pwquality.conf"
+{{% endif %}}
diff --git a/shared/applicability/package.yml b/shared/applicability/package.yml
index 8f52bdbb069..01dfcf4f948 100644
--- a/shared/applicability/package.yml
+++ b/shared/applicability/package.yml
@@ -47,7 +47,7 @@ args:
   iptables:
     pkgname: iptables
   libpwquality:
-    {{% if 'ubuntu' in product or 'debian' in product %}}
+    {{% if 'ubuntu' in product or 'debian' in product or product in ['sle15', 'sle16', 'slmicro6'] %}}
     pkgname: libpwquality1
     {{% else %}}
     pkgname: libpwquality
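Review bot: `slmicro6` is added to the `libpwquality1` package-name branch here but appears nowhere else in the commit — the OVAL, template and test conditions all use `product in ['sle15', 'sle16']`. If SL Micro 6 also uses `/etc/pam.d/common-password` and the same config paths, those conditions need it too; if it is intentionally out of scope for the checks, a comment such as `{{# slmicro6 only needs the package name; its PAM layout is not handled by the pwquality rules #}}` would stop the next reader from "fixing" the mismatch.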
diff --git a/shared/checks/oval/accounts_password_pam_pwquality.xml b/shared/checks/oval/accounts_password_pam_pwquality.xml
index dd94f729efa..9a7b4723bd6 100644
--- a/shared/checks/oval/accounts_password_pam_pwquality.xml
+++ b/shared/checks/oval/accounts_password_pam_pwquality.xml
@@ -24,7 +24,7 @@
   
 
   
-    {{% if 'ubuntu' in product or 'debian' in product %}}
+    {{% if 'ubuntu' in product or 'debian' in product or product in ['sle15', 'sle16'] %}}
     /etc/pam.d/common-password
     {{% else %}}
     /etc/pam.d/system-auth
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index cfd87ef9046..ad741fe8e35 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -1163,16 +1163,16 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 
 #}}
 {{%- macro ansible_pam_pwhistory_parameter_value(pam_file, parameter, pwhistory_var_name='', rule_title=None, rule_id=None) -%}}
-- name: '{{{ rule_title }}} - Check the presence of /etc/security/pwhistory.conf file'
+- name: '{{{ rule_title }}} - Check the presence of {{{ pwhistory_path }}} file'
   ansible.builtin.stat:
-    path: /etc/security/pwhistory.conf
+    path: {{{ pwhistory_path }}}
   register: result_pwhistory_conf_check
 
-- name: '{{{ rule_title }}} - pam_pwhistory.so parameters are configured in /etc/security/pwhistory.conf file'
+- name: '{{{ rule_title }}} - pam_pwhistory.so parameters are configured in {{{ pwhistory_path }}} file'
   block:
-    - name: '{{{ rule_title }}} - Ensure the pam_pwhistory.so {{{ parameter }}} parameter in /etc/security/pwhistory.conf'
+    - name: '{{{ rule_title }}} - Ensure the pam_pwhistory.so {{{ parameter }}} parameter in {{{ pwhistory_path }}}'
       ansible.builtin.lineinfile:
-        path: /etc/security/pwhistory.conf
+        path: {{{ pwhistory_path }}}
         {{%- if pwhistory_var_name == '' %}}
         regexp: ^\s*{{{ parameter }}}
         line: {{{ parameter }}}
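Review bot: `path: {{{ pwhistory_path }}}` on the `ansible.builtin.stat` and `ansible.builtin.lineinfile` tasks renders an unquoted YAML scalar; the value is a plain path today, but `shared/templates/accounts_password/ansible.template` in this same commit quotes the equivalent (`dest: "{{{ pwquality_path }}}"`), and quoting protects the rendered playbook if an override ever introduces a character YAML treats specially. Use `path: "{{{ pwhistory_path }}}"` in both places for consistency.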
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index fd7413c567c..fea3b072dc5 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -1093,7 +1093,7 @@ fi
 
 #}}
 {{%- macro bash_pam_pwhistory_parameter_value(pam_file, option, value='') -%}}
-PWHISTORY_CONF="/etc/security/pwhistory.conf"
+PWHISTORY_CONF="{{{ pwhistory_path }}}"
 if [ -f $PWHISTORY_CONF ]; then
     {{%- if value == '' %}}
     regex="^\s*{{{ option }}}"
diff --git a/shared/templates/accounts_password/ansible.template b/shared/templates/accounts_password/ansible.template
index baf0586c86a..739665e949c 100644
--- a/shared/templates/accounts_password/ansible.template
+++ b/shared/templates/accounts_password/ansible.template
@@ -39,9 +39,13 @@
 {{{ ansible_pam_pwquality_enable('/usr/share/pam-configs/cac_pwquality', rule_title=rule_title) }}}
 {{% endif %}}
 
+{{% if product in ['sle15', 'sle16'] %}}
+{{{ ansible_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'requisite', 'pam_pwquality.so', '', '', 'BOF', rule_id=rule_id, rule_title=rule_title) }}}
+{{% endif %}}
+
 - name: {{{ rule_title }}} - Ensure PAM variable {{{ VARIABLE }}} is set accordingly
   ansible.builtin.lineinfile:
     create: yes
-    dest: "/etc/security/pwquality.conf"
+    dest: "{{{ pwquality_path }}}"
     regexp: '^#?\s*{{{ VARIABLE }}}'
     line: "{{{ VARIABLE }}} = {{ var_password_pam_{{{ VARIABLE }}} }}"
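Review bot: The new sle15/sle16 branch enables pam_pwquality with control `requisite` at position `BOF`, while every test fixture in this commit sets the module up with `required` and no position (`bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'required', 'pam_pwquality.so', '', '', '')`), and `shared/templates/accounts_password/bash.template` mirrors this file's `requisite`/`BOF` choice. If `ensure_pam_module_configuration` rewrites an existing line's control, the remediation silently turns an administrator's `required` into `requisite`; if it does not, the remediation and the fixtures disagree about what a compliant stack looks like. Pick one control and position, use it in both templates and the fixtures, and state the reason in a comment beside the call.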
diff --git a/shared/templates/accounts_password/bash.template b/shared/templates/accounts_password/bash.template
index 64b8c8be56d..75420036ed1 100644
--- a/shared/templates/accounts_password/bash.template
+++ b/shared/templates/accounts_password/bash.template
@@ -31,4 +31,8 @@ fi
 {{{ bash_pam_pwquality_enable() }}}
 {{% endif %}}
 
-{{{ bash_replace_or_append('/etc/security/pwquality.conf', '^' ~ VARIABLE , '$var_password_pam_' ~ VARIABLE , '%s = %s', cce_identifiers=cce_identifiers) }}}
+{{% if product in ['sle15', 'sle16'] %}}
+{{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'requisite', 'pam_pwquality.so', '', '', 'BOF') }}}
+{{% endif %}}
+
+{{{ bash_replace_or_append(pwquality_path, '^' ~ VARIABLE , '$var_password_pam_' ~ VARIABLE , '%s = %s', cce_identifiers=cce_identifiers) }}}
diff --git a/shared/templates/accounts_password/oval.template b/shared/templates/accounts_password/oval.template
index eb455c8c01a..bf4b86b19ba 100644
--- a/shared/templates/accounts_password/oval.template
+++ b/shared/templates/accounts_password/oval.template
@@ -1,7 +1,7 @@
 {{% if 'ol' in families or 'rhel' in product %}}
 {{% set filepath_regex="^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$" %}}
 {{% else %}}
-{{% set filepath_regex="^/etc/security/pwquality\.conf$" %}}
+{{% set filepath_regex="^" + pwquality_path + "$" %}}
 {{% endif %}}
 
   
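Review bot: `{{% set filepath_regex="^" + pwquality_path + "$" %}}` drops the `\.` escaping the removed line had, so the `.` in `pwquality.conf` is now a wildcard in the OVAL filepath pattern — harmless for the two paths defined today, but it is a regex assembled from a property value without escaping. Escape at the point of use, e.g. `{{% set filepath_regex="^" + (pwquality_path | replace('.', '\.')) + "$" %}}`. The `@@ -51,7` hunk lost its XML in rendering and is not reviewed here.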
@@ -51,7 +51,7 @@
   {{% endif %}}
 
   
     
     
diff --git a/shared/templates/accounts_password/tests/commented.fail.sh b/shared/templates/accounts_password/tests/commented.fail.sh
index 88165876f5e..5d8889b3b45 100644
--- a/shared/templates/accounts_password/tests/commented.fail.sh
+++ b/shared/templates/accounts_password/tests/commented.fail.sh
@@ -1,6 +1,10 @@
 #!/bin/bash
 # variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
 
-truncate -s 0 /etc/security/pwquality.conf
+{{% if product in ["sle15", "sle16"] %}}
+{{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'required', 'pam_pwquality.so', '', '', '') }}}
+{{% endif %}}
 
-echo "#{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
+truncate -s 0 "{{{ pwquality_path }}}"
+
+echo "#{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> "{{{ pwquality_path }}}"
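Review bot: The three-line sle15/sle16 fixture block added here is repeated verbatim in conflicting_values.fail.sh, correct_value.pass.sh, duplicated_values.pass.sh, multiple_correct_value.pass.sh and wrong_value.fail.sh; the `accounts_password_pam_retry` tests in this same commit keep shared setup in a `common.sh`, and the same approach here would leave one place to change when the PAM control or position is settled. Note also that on sle16 `truncate -s 0 "{{{ pwquality_path }}}"` empties the packaged `/usr/lib/security/pwquality.conf`, which is fine in a throwaway test VM but deserves a one-line comment such as `# empties the vendor default on sle16; test VMs only`.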
diff --git a/shared/templates/accounts_password/tests/conflicting_values.fail.sh b/shared/templates/accounts_password/tests/conflicting_values.fail.sh
index 3517ff43083..cfa91516599 100644
--- a/shared/templates/accounts_password/tests/conflicting_values.fail.sh
+++ b/shared/templates/accounts_password/tests/conflicting_values.fail.sh
@@ -1,8 +1,12 @@
 #!/bin/bash
 # variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
 
-truncate -s 0 /etc/security/pwquality.conf
+{{% if product in ["sle15", "sle16"] %}}
+{{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'required', 'pam_pwquality.so', '', '', '') }}}
+{{% endif %}}
 
-echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
+truncate -s 0 "{{{ pwquality_path }}}"
 
-echo "{{{ VARIABLE }}} = {{{ TEST_WRONG_VALUE }}}" >> /etc/security/pwquality.conf
+echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> "{{{ pwquality_path }}}"
+
+echo "{{{ VARIABLE }}} = {{{ TEST_WRONG_VALUE }}}" >> "{{{ pwquality_path }}}"
diff --git a/shared/templates/accounts_password/tests/conflicting_values_directory.fail.sh b/shared/templates/accounts_password/tests/conflicting_values_directory.fail.sh
index 17a1bd387d2..07e3b43eb38 100644
--- a/shared/templates/accounts_password/tests/conflicting_values_directory.fail.sh
+++ b/shared/templates/accounts_password/tests/conflicting_values_directory.fail.sh
@@ -3,9 +3,9 @@
 # platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
 # variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
 
-truncate -s 0 /etc/security/pwquality.conf
+truncate -s 0 "{{{ pwquality_path }}}"
 
-echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
+echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> "{{{ pwquality_path }}}"
 
 config_dir="/etc/security/pwquality.conf.d"
 mkdir -p $config_dir
diff --git a/shared/templates/accounts_password/tests/correct_value.pass.sh b/shared/templates/accounts_password/tests/correct_value.pass.sh
index 247f7281802..aa16d4a4ebd 100644
--- a/shared/templates/accounts_password/tests/correct_value.pass.sh
+++ b/shared/templates/accounts_password/tests/correct_value.pass.sh
@@ -19,6 +19,10 @@
 }}}
 {{% endif %}}
 
-truncate -s 0 /etc/security/pwquality.conf
+{{% if product in ["sle15", "sle16"] %}}
+{{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'required', 'pam_pwquality.so', '', '', '') }}}
+{{% endif %}}
+
+truncate -s 0 "{{{ pwquality_path }}}"
 
-echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
+echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> "{{{ pwquality_path }}}"
diff --git a/shared/templates/accounts_password/tests/correct_value_directory.pass.sh b/shared/templates/accounts_password/tests/correct_value_directory.pass.sh
index d10e78e8dc4..7456fd31430 100644
--- a/shared/templates/accounts_password/tests/correct_value_directory.pass.sh
+++ b/shared/templates/accounts_password/tests/correct_value_directory.pass.sh
@@ -24,7 +24,7 @@
 }}}
 {{% endif %}}
 
-truncate -s 0 /etc/security/pwquality.conf
+truncate -s 0 "{{{ pwquality_path }}}"
 
 config_dir="/etc/security/pwquality.conf.d"
 mkdir -p $config_dir
diff --git a/shared/templates/accounts_password/tests/duplicated_values.pass.sh b/shared/templates/accounts_password/tests/duplicated_values.pass.sh
index 7ff593da0c7..490948bcf12 100644
--- a/shared/templates/accounts_password/tests/duplicated_values.pass.sh
+++ b/shared/templates/accounts_password/tests/duplicated_values.pass.sh
@@ -19,7 +19,11 @@
 }}}
 {{% endif %}}
 
-truncate -s 0 /etc/security/pwquality.conf
+{{% if product in ["sle15", "sle16"] %}}
+{{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'required', 'pam_pwquality.so', '', '', '') }}}
+{{% endif %}}
+
+truncate -s 0 "{{{ pwquality_path }}}"
 
-echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
-echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
+echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> "{{{ pwquality_path }}}"
+echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> "{{{ pwquality_path }}}"
diff --git a/shared/templates/accounts_password/tests/multiple_correct_value.pass.sh b/shared/templates/accounts_password/tests/multiple_correct_value.pass.sh
index 386bd0bb7b5..27b6962dd81 100644
--- a/shared/templates/accounts_password/tests/multiple_correct_value.pass.sh
+++ b/shared/templates/accounts_password/tests/multiple_correct_value.pass.sh
@@ -21,9 +21,13 @@
 }}}
 {{% endif %}}
 
-truncate -s 0 /etc/security/pwquality.conf
+{{% if product in ["sle15", "sle16"] %}}
+{{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'required', 'pam_pwquality.so', '', '', '') }}}
+{{% endif %}}
+
+truncate -s 0 "{{{ pwquality_path }}}"
 
-echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
+echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> "{{{ pwquality_path }}}"
 
 config_dir="/etc/security/pwquality.conf.d"
 mkdir -p $config_dir
diff --git a/shared/templates/accounts_password/tests/password_auth_overwritten.fail.sh b/shared/templates/accounts_password/tests/password_auth_overwritten.fail.sh
index 116e8d42a94..c2871e478eb 100644
--- a/shared/templates/accounts_password/tests/password_auth_overwritten.fail.sh
+++ b/shared/templates/accounts_password/tests/password_auth_overwritten.fail.sh
@@ -4,9 +4,9 @@
 # platform = multi_platform_ol
 # variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
 
-truncate -s 0 /etc/security/pwquality.conf
+truncate -s 0 "{{{ pwquality_path }}}"
 
-echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
+echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> "{{{ pwquality_path }}}"
 
 {{{
     bash_ensure_pam_module_configuration('/etc/pam.d/password-auth',
diff --git a/shared/templates/accounts_password/tests/system_auth_overwritten.fail.sh b/shared/templates/accounts_password/tests/system_auth_overwritten.fail.sh
index e651d74cc76..6205849e296 100644
--- a/shared/templates/accounts_password/tests/system_auth_overwritten.fail.sh
+++ b/shared/templates/accounts_password/tests/system_auth_overwritten.fail.sh
@@ -4,9 +4,9 @@
 # platform = multi_platform_ol
 # variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
 
-truncate -s 0 /etc/security/pwquality.conf
+truncate -s 0 "{{{ pwquality_path }}}"
 
-echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
+echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> "{{{ pwquality_path }}}"
 
 {{{
     bash_ensure_pam_module_configuration('/etc/pam.d/system-auth',
diff --git a/shared/templates/accounts_password/tests/wrong_value.fail.sh b/shared/templates/accounts_password/tests/wrong_value.fail.sh
index 008e2602857..7bea53edcae 100644
--- a/shared/templates/accounts_password/tests/wrong_value.fail.sh
+++ b/shared/templates/accounts_password/tests/wrong_value.fail.sh
@@ -1,6 +1,10 @@
 #!/bin/bash
 # variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
 
-truncate -s 0 /etc/security/pwquality.conf
+{{% if product in ["sle15", "sle16"] %}}
+{{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'required', 'pam_pwquality.so', '', '', '') }}}
+{{% endif %}}
 
-echo "{{{ VARIABLE }}} = {{{ TEST_WRONG_VALUE }}}" >> /etc/security/pwquality.conf
+truncate -s 0 "{{{ pwquality_path }}}"
+
+echo "{{{ VARIABLE }}} = {{{ TEST_WRONG_VALUE }}}" >> "{{{ pwquality_path }}}"
diff --git a/shared/templates/accounts_password/tests/wrong_value_directory.fail.sh b/shared/templates/accounts_password/tests/wrong_value_directory.fail.sh
index bc3852603c4..790bccd0031 100644
--- a/shared/templates/accounts_password/tests/wrong_value_directory.fail.sh
+++ b/shared/templates/accounts_password/tests/wrong_value_directory.fail.sh
@@ -1,11 +1,10 @@
 #!/bin/bash
 # variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
 
-
 # This test will ensure that the remediation also applies the configuration in
 # /etc/security/pwquality.conf.d/*.conf files
 
-truncate -s 0 /etc/security/pwquality.conf
+truncate -s 0 "{{{ pwquality_path }}}"
 
 config_dir="/etc/security/pwquality.conf.d"
 mkdir -p $config_dir
diff --git a/shared/templates/accounts_password/tests/wrong_value_vs_zero.fail.sh b/shared/templates/accounts_password/tests/wrong_value_vs_zero.fail.sh
index e4d57ca2d70..5b25c5cd4cf 100644
--- a/shared/templates/accounts_password/tests/wrong_value_vs_zero.fail.sh
+++ b/shared/templates/accounts_password/tests/wrong_value_vs_zero.fail.sh
@@ -4,6 +4,6 @@
 # platform = Not Applicable
 {{% endif %}}
 
-truncate -s 0 /etc/security/pwquality.conf
+truncate -s 0 "{{{ pwquality_path }}}"
 
-echo "{{{ VARIABLE }}} = {{{ TEST_WRONG_VS_ZERO_VALUE }}}" >> /etc/security/pwquality.conf
+echo "{{{ VARIABLE }}} = {{{ TEST_WRONG_VS_ZERO_VALUE }}}" >> "{{{ pwquality_path }}}"
diff --git a/tests/data/product_stability/alinux2.yml b/tests/data/product_stability/alinux2.yml
index a5ea062bfc8..91f916c717a 100644
--- a/tests/data/product_stability/alinux2.yml
+++ b/tests/data/product_stability/alinux2.yml
@@ -58,6 +58,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: alinux2
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/alinux3.yml b/tests/data/product_stability/alinux3.yml
index 9cfcf3c7f5f..976b60be3be 100644
--- a/tests/data/product_stability/alinux3.yml
+++ b/tests/data/product_stability/alinux3.yml
@@ -58,6 +58,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: alinux3
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/anolis23.yml b/tests/data/product_stability/anolis23.yml
index f358fb6d2b3..75c3026d37b 100644
--- a/tests/data/product_stability/anolis23.yml
+++ b/tests/data/product_stability/anolis23.yml
@@ -57,6 +57,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: anolis23
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/anolis8.yml b/tests/data/product_stability/anolis8.yml
index 6ea514a4da3..047b06690ba 100644
--- a/tests/data/product_stability/anolis8.yml
+++ b/tests/data/product_stability/anolis8.yml
@@ -57,6 +57,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: anolis8
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/debian11.yml b/tests/data/product_stability/debian11.yml
index 4a82ddf4bf2..0432dc4a7a7 100644
--- a/tests/data/product_stability/debian11.yml
+++ b/tests/data/product_stability/debian11.yml
@@ -66,6 +66,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: debian11
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/debian12.yml b/tests/data/product_stability/debian12.yml
index 8fe0afe738a..cbe3ea40064 100644
--- a/tests/data/product_stability/debian12.yml
+++ b/tests/data/product_stability/debian12.yml
@@ -67,6 +67,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: debian12
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/debian13.yml b/tests/data/product_stability/debian13.yml
index 75a041831bf..717f3b81d34 100644
--- a/tests/data/product_stability/debian13.yml
+++ b/tests/data/product_stability/debian13.yml
@@ -68,6 +68,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: debian13
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/eks.yml b/tests/data/product_stability/eks.yml
index b1c88cb7b8b..9e6ded0f469 100644
--- a/tests/data/product_stability/eks.yml
+++ b/tests/data/product_stability/eks.yml
@@ -64,6 +64,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: eks
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/example.yml b/tests/data/product_stability/example.yml
index b44035b82b6..69eab4cfc9c 100644
--- a/tests/data/product_stability/example.yml
+++ b/tests/data/product_stability/example.yml
@@ -59,6 +59,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: example
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/fedora.yml b/tests/data/product_stability/fedora.yml
index b0cc325cbc6..4490a784a32 100644
--- a/tests/data/product_stability/fedora.yml
+++ b/tests/data/product_stability/fedora.yml
@@ -98,6 +98,8 @@ previous_release_fingerprint: ACB5EE4E831C74BB7C168D27F55AD3FB5323552A
 previous_version: 37
 product: fedora
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 rawhide_pkg_release: 63d04c2c
 rawhide_pkg_version: a15b79cc
 rawhide_release_fingerprint: 115DF9AEF857853EE8445D0A0727707EA15B79CC
diff --git a/tests/data/product_stability/firefox.yml b/tests/data/product_stability/firefox.yml
index 5e2e4b39888..89c1f9fc181 100644
--- a/tests/data/product_stability/firefox.yml
+++ b/tests/data/product_stability/firefox.yml
@@ -54,6 +54,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: firefox
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/ocp4.yml b/tests/data/product_stability/ocp4.yml
index 6d944e445d7..8a4644b1d01 100644
--- a/tests/data/product_stability/ocp4.yml
+++ b/tests/data/product_stability/ocp4.yml
@@ -164,6 +164,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: ocp4
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/ol7.yml b/tests/data/product_stability/ol7.yml
index 28fc8780ad5..78c1564f874 100644
--- a/tests/data/product_stability/ol7.yml
+++ b/tests/data/product_stability/ol7.yml
@@ -67,6 +67,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: ol7
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/ol8.yml b/tests/data/product_stability/ol8.yml
index 98abd16cb3d..c9ea23f4093 100644
--- a/tests/data/product_stability/ol8.yml
+++ b/tests/data/product_stability/ol8.yml
@@ -66,6 +66,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: ol8
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/ol9.yml b/tests/data/product_stability/ol9.yml
index e3173eaef35..031f15365c0 100644
--- a/tests/data/product_stability/ol9.yml
+++ b/tests/data/product_stability/ol9.yml
@@ -69,6 +69,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: ol9
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/openembedded.yml b/tests/data/product_stability/openembedded.yml
index 68ecc97b11e..093cb4ba57a 100644
--- a/tests/data/product_stability/openembedded.yml
+++ b/tests/data/product_stability/openembedded.yml
@@ -70,6 +70,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: openembedded
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/opensuse.yml b/tests/data/product_stability/opensuse.yml
index 36f1cdb2d0f..c0f66a9fc8d 100644
--- a/tests/data/product_stability/opensuse.yml
+++ b/tests/data/product_stability/opensuse.yml
@@ -66,6 +66,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: opensuse
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/rhcos4.yml b/tests/data/product_stability/rhcos4.yml
index 2518614670e..85fb367ea00 100644
--- a/tests/data/product_stability/rhcos4.yml
+++ b/tests/data/product_stability/rhcos4.yml
@@ -62,6 +62,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: rhcos4
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/rhel10.yml b/tests/data/product_stability/rhel10.yml
index 284e8461348..e48dab2c647 100644
--- a/tests/data/product_stability/rhel10.yml
+++ b/tests/data/product_stability/rhel10.yml
@@ -68,6 +68,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: rhel10
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/rhel8.yml b/tests/data/product_stability/rhel8.yml
index d8aef9ae364..72d2313f460 100644
--- a/tests/data/product_stability/rhel8.yml
+++ b/tests/data/product_stability/rhel8.yml
@@ -118,6 +118,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: rhel8
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/rhel9.yml b/tests/data/product_stability/rhel9.yml
index cd1afd61b31..852b3100a1d 100644
--- a/tests/data/product_stability/rhel9.yml
+++ b/tests/data/product_stability/rhel9.yml
@@ -74,6 +74,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: rhel9
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/rhv4.yml b/tests/data/product_stability/rhv4.yml
index 198d6f3db0a..5b3870e66c1 100644
--- a/tests/data/product_stability/rhv4.yml
+++ b/tests/data/product_stability/rhv4.yml
@@ -67,6 +67,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: rhv4
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/sle12.yml b/tests/data/product_stability/sle12.yml
index 858c9119c96..2cf54101d67 100644
--- a/tests/data/product_stability/sle12.yml
+++ b/tests/data/product_stability/sle12.yml
@@ -67,6 +67,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: sle12
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/sle15.yml b/tests/data/product_stability/sle15.yml
index a3cecb59132..08d2ee23e45 100644
--- a/tests/data/product_stability/sle15.yml
+++ b/tests/data/product_stability/sle15.yml
@@ -71,6 +71,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: sle15
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/ubuntu2204.yml b/tests/data/product_stability/ubuntu2204.yml
index 7ed5f5618ae..4b68ce8e037 100644
--- a/tests/data/product_stability/ubuntu2204.yml
+++ b/tests/data/product_stability/ubuntu2204.yml
@@ -75,6 +75,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: ubuntu2204
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
diff --git a/tests/data/product_stability/ubuntu2404.yml b/tests/data/product_stability/ubuntu2404.yml
index 9ce793a8454..57968574c6f 100644
--- a/tests/data/product_stability/ubuntu2404.yml
+++ b/tests/data/product_stability/ubuntu2404.yml
@@ -76,6 +76,8 @@ platform_package_overrides:
   zipl: s390utils-base
 product: ubuntu2404
 profiles_root: ./profiles
+pwhistory_path: /etc/security/pwhistory.conf
+pwquality_path: /etc/security/pwquality.conf
 reference_uris:
   anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers