SLE related fixes for pam_faillock configuration file

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_almalinux
+# platform = multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/debian.xml

@@ -11,13 +11,13 @@
         <criterion
             test_ref="test_accounts_passwords_pam_faillock_deny_root_pam_unix_auth"
             comment="pam_unix.so appears only once in auth section of common-auth"/>
-	
+
 
         <!-- pam_faillock.so parameters can be defined directly in pam files or, in newer
-             versions, in /etc/security/faillock.conf. The last is the recommended option when
+             versions, in {{{ pam_faillock_conf_path }}}. The last is the recommended option when
              available. Also, is the option used by auselect tool. However, regardless the
              approach, a minimal declaration is common in pam files. -->
-	
+
         <criterion
             test_ref="test_accounts_passwords_pam_faillock_deny_root_pam_faillock_auth"
             comment="pam_faillock.so is properly defined in auth section of common-auth"/>
@@ -26,11 +26,11 @@
             comment="pam_faillock.so is properly defined in account section of common-account"/>
       </criteria>
 
-      <!-- pam_faillock.so parameters should be defined in /etc/security/faillock.conf whenever
+      <!-- pam_faillock.so parameters should be defined in {{{ pam_faillock_conf_path }}} whenever
            possible. But due to backwards compatibility, they are also allowed in pam files
            directly. In case they are defined in both places, pam files have precedence and this
            may confuse the assessment. The following tests ensure only one option is used. Note
-           that if faillock.conf is available, authselect tool only manage parameters on it -->
+           that if {{{ pam_faillock_conf_path }}} is available, authselect tool only manage parameters on it -->
       <criteria operator="OR"
                 comment="Check expected value for pam_faillock.so even_deny_root parameter">
         <criteria operator="AND"
@@ -40,16 +40,16 @@
               comment="Check the even_deny_root parameter in auth section of common-auth file"/>
           <criterion
               test_ref="test_accounts_passwords_pam_faillock_deny_root_parameter_no_faillock_conf"
-              comment="Ensure /etc/security/faillock.conf is not used together with pam files"/>
+              comment="Ensure {{{ pam_faillock_conf_path }}} is not used together with pam files"/>
         </criteria>
         <criteria operator="AND"
-		  comment="Check expected pam_faillock.so even_deny_root parameter in faillock.conf">
+		  comment="Check expected pam_faillock.so even_deny_root parameter in {{{ pam_faillock_conf_path }}}">
           <criterion
               test_ref="test_accounts_passwords_pam_faillock_deny_root_parameter_no_pamd_auth"
               comment="Check the even_deny_root parameter is not present common-auth file"/>
           <criterion
               test_ref="test_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf"
-              comment="Ensure the even_deny_root parameter is present in /etc/security/faillock.conf"/>
+              comment="Ensure the even_deny_root parameter is present in {{{ pam_faillock_conf_path }}}"/>
         </criteria>
       </criteria>
     </criteria>
@@ -95,7 +95,7 @@
 <constant_variable
     id="var_accounts_passwords_pam_faillock_deny_root_faillock_conf_parameter_regex"
     datatype="string" version="1"
-    comment="regex to identify deny entry in /etc/security/faillock.conf">
+    comment="regex to identify deny entry in {{{ pam_faillock_conf_path }}}">
 <value>^[\s]*even_deny_root</value>
 </constant_variable>
 
@@ -137,7 +137,7 @@
       object_ref="object_accounts_passwords_pam_faillock_deny_root_pam_faillock_auth"/>
 </ind:textfilecontent54_test>
 
-<!-- Check common definition of pam_faillock.so in common-account --> 
+<!-- Check common definition of pam_faillock.so in common-account -->
 <ind:textfilecontent54_object
     version="1"
     id="object_accounts_passwords_pam_faillock_deny_root_pam_faillock_account"
@@ -195,12 +195,12 @@
       object_ref="object_accounts_passwords_pam_faillock_deny_root_parameter_presence_pamd_auth"/>
 </ind:textfilecontent54_test>
 
-<!-- Check pam_faillock.so even_deny_root parameter in /etc/security/faillock.conf -->
+<!-- Check pam_faillock.so even_deny_root parameter in {{{ pam_faillock_conf_path }}} -->
 <ind:textfilecontent54_object
     version="1"
     id="object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf"
-    comment="Try to get the even_deny_root parameter from /etc/security/faillock.conf">
-  <ind:filepath operation="pattern match">^/etc/security/faillock.conf$</ind:filepath>
+    comment="Try to get the even_deny_root parameter from {{{ pam_faillock_conf_path }}}">
+  <ind:filepath operation="pattern match">^{{{ pam_faillock_conf_path }}}$</ind:filepath>
   <ind:pattern operation="pattern match"
                var_ref="var_accounts_passwords_pam_faillock_deny_root_faillock_conf_parameter_regex"/>
 <ind:instance datatype="int" operation="equals">1</ind:instance>
@@ -209,15 +209,15 @@
 <ind:textfilecontent54_test
     check="all" check_existence="all_exist" version="1"
     id="test_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf"
-    comment="Check the expected even_deny_root parameter in /etc/security/faillock.conf">
+    comment="Check the expected even_deny_root parameter in {{{ pam_faillock_conf_path }}}">
   <ind:object
       object_ref="object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf"/>
 </ind:textfilecontent54_test>
 
 <ind:textfilecontent54_test
     check="all" check_existence="none_exist" version="1"
     id="test_accounts_passwords_pam_faillock_deny_root_parameter_no_faillock_conf"
-    comment="Check the absence of even_deny_root parameter in /etc/security/faillock.conf">
+    comment="Check the absence of even_deny_root parameter in {{{ pam_faillock_conf_path }}}">
   <ind:object
       object_ref="object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf"/>
 </ind:textfilecontent54_test>

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml

@@ -18,7 +18,7 @@
         </criteria>
 
         <!-- pam_faillock.so parameters can be defined directly in pam files or, in newer
-             versions, in /etc/security/faillock.conf. The last is the recommended option when
+             versions, in {{{ pam_faillock_conf_path }}}. The last is the recommended option when
              available. Also, is the option used by auselect tool. However, regardless the
              approach, a minimal declaration is common in pam files. -->
         {{% if 'ol' not in families %}}
@@ -39,11 +39,11 @@
         {{% endif %}}
       </criteria>
 
-      <!-- pam_faillock.so parameters should be defined in /etc/security/faillock.conf whenever
+      <!-- pam_faillock.so parameters should be defined in {{{ pam_faillock_conf_path }}} whenever
            possible. But due to backwards compatibility, they are also allowed in pam files
            directly. In case they are defined in both places, pam files have precedence and this
            may confuse the assessment. The following tests ensure only one option is used. Note
-           that if faillock.conf is available, authselect tool only manage parameters on it -->
+           that if {{{ pam_faillock_conf_path }}} is available, authselect tool only manage parameters on it -->
       <criteria operator="OR"
                 comment="Check expected value for pam_faillock.so even_deny_root parameter">
         {{% if 'ol' not in families %}}
@@ -57,11 +57,11 @@
               comment="Check the even_deny_root parameter in auth section of password-auth file"/>
           <criterion
               test_ref="test_accounts_passwords_pam_faillock_deny_root_parameter_no_faillock_conf"
-              comment="Ensure /etc/security/faillock.conf is not used together with pam files"/>
+              comment="Ensure {{{ pam_faillock_conf_path }}} is not used together with pam files"/>
         </criteria>
         {{% endif %}}
         <criteria operator="AND"
-              comment="Check expected pam_faillock.so even_deny_root parameter in faillock.conf">
+              comment="Check expected pam_faillock.so even_deny_root parameter in {{{ pam_faillock_conf_path }}}">
           <criterion
               test_ref="test_accounts_passwords_pam_faillock_deny_root_parameter_no_pamd_system"
               comment="Check the even_deny_root parameter is not present system-auth file"/>
@@ -70,7 +70,7 @@
               comment="Check the even_deny_root parameter is not present password-auth file"/>
           <criterion
               test_ref="test_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf"
-              comment="Ensure the even_deny_root parameter is present in /etc/security/faillock.conf"/>
+              comment="Ensure the even_deny_root parameter is present in {{{ pam_faillock_conf_path }}}"/>
         </criteria>
       </criteria>
     </criteria>
@@ -106,7 +106,7 @@
   <constant_variable
               id="var_accounts_passwords_pam_faillock_deny_root_faillock_conf_parameter_regex"
               datatype="string" version="1"
-              comment="regex to identify deny entry in /etc/security/faillock.conf">
+              comment="regex to identify deny entry in {{{ pam_faillock_conf_path }}}">
     <value>^[\s]*even_deny_root</value>
   </constant_variable>
 
@@ -257,26 +257,26 @@
          object_ref="object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password"/>
   </ind:textfilecontent54_test>
 
-  <!-- Check pam_faillock.so even_deny_root parameter in /etc/security/faillock.conf -->
+  <!-- Check pam_faillock.so even_deny_root parameter in {{{ pam_faillock_conf_path }}} -->
   <ind:textfilecontent54_object version="1"
       id="object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf"
-      comment="Try to get the even_deny_root parameter from /etc/security/faillock.conf">
-    <ind:filepath operation="pattern match">^/etc/security/faillock.conf$</ind:filepath>
+      comment="Try to get the even_deny_root parameter from {{{ pam_faillock_conf_path }}}">
+    <ind:filepath operation="pattern match">^{{{ pam_faillock_conf_path }}}$</ind:filepath>
     <ind:pattern operation="pattern match"
           var_ref="var_accounts_passwords_pam_faillock_deny_root_faillock_conf_parameter_regex"/>
     <ind:instance datatype="int" operation="equals">1</ind:instance>
   </ind:textfilecontent54_object>
 
   <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
         id="test_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf"
-        comment="Check the expected even_deny_root parameter in /etc/security/faillock.conf">
+        comment="Check the expected even_deny_root parameter in {{{ pam_faillock_conf_path }}}">
     <ind:object
          object_ref="object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf"/>
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
         id="test_accounts_passwords_pam_faillock_deny_root_parameter_no_faillock_conf"
-        comment="Check the absence of even_deny_root parameter in /etc/security/faillock.conf">
+        comment="Check the absence of even_deny_root parameter in {{{ pam_faillock_conf_path }}}">
     <ind:object
          object_ref="object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf"/>
   </ind:textfilecontent54_test>

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/sle15.xml → linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/sle.xml

@@ -14,7 +14,7 @@
 
 
         <!-- pam_faillock.so parameters can be defined directly in pam files or, in newer
-             versions, in /etc/security/faillock.conf. The last is the recommended option when
+             versions, in "{{{ pam_faillock_conf_path }}}". The last is the recommended option when
              available. Also, is the option used by auselect tool. However, regardless the
              approach, a minimal declaration is common in pam files. -->
 
@@ -26,11 +26,11 @@
             comment="pam_faillock.so is properly defined in account section of common-account"/>
       </criteria>
 
-      <!-- pam_faillock.so parameters should be defined in /etc/security/faillock.conf whenever
+      <!-- pam_faillock.so parameters should be defined in {{{ pam_faillock_conf_path }}} whenever
            possible. But due to backwards compatibility, they are also allowed in pam files
            directly. In case they are defined in both places, pam files have precedence and this
            may confuse the assessment. The following tests ensure only one option is used. Note
-           that if faillock.conf is available, authselect tool only manage parameters on it -->
+           that if {{{ pam_faillock_conf_path }}} is available, authselect tool only manage parameters on it -->
       <criteria operator="OR"
                 comment="Check expected value for pam_faillock.so even_deny_root parameter">
         <criteria operator="AND"
@@ -40,16 +40,16 @@
               comment="Check the even_deny_root parameter in auth section of common-auth file"/>
           <criterion
               test_ref="test_accounts_passwords_pam_faillock_deny_root_parameter_no_faillock_conf"
-              comment="Ensure /etc/security/faillock.conf is not used together with pam files"/>
+              comment="Ensure {{{ pam_faillock_conf_path }}} is not used together with pam files"/>
         </criteria>
         <criteria operator="AND"
-		  comment="Check expected pam_faillock.so even_deny_root parameter in faillock.conf">
+		  comment="Check expected pam_faillock.so even_deny_root parameter in {{{ pam_faillock_conf_path }}}">
           <criterion
               test_ref="test_accounts_passwords_pam_faillock_deny_root_parameter_no_pamd_auth"
               comment="Check the even_deny_root parameter is not present common-auth file"/>
           <criterion
               test_ref="test_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf"
-              comment="Ensure the even_deny_root parameter is present in /etc/security/faillock.conf"/>
+              comment="Ensure the even_deny_root parameter is present in {{{ pam_faillock_conf_path }}}"/>
         </criteria>
       </criteria>
     </criteria>
@@ -74,8 +74,9 @@
   <constant_variable
       id="var_accounts_passwords_pam_faillock_deny_root_pam_faillock_account_regex"
       datatype="string" version="1"
-      comment="regex to identify pam_faillock.so entry in common-account">
-<value>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=\b)(?=.*?\bnew_authtok_reqd=(ok|done)\b)(?=.*?\bdefault=(bad|ignore)\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=\b)(?=.*\bdefault=\b).*\])[\s]+pam_faillock\.so</value>
+      comment="regex to identify pam_faillock.so entry in common-account is before pam_unix.so">
+      <value>^\s*account\s+required\s+pam_faillock\.so.*[\s\S]*^\s*account[\s]+(required|\[(?=.*?\bsuccess=\b)(?=.*?\bnew_authtok_reqd=(ok|done)\b)(?=.*?\bdefault=(bad|ignore)\b).*\])[\s]+pam_unix\.so</value>
+
 </constant_variable>
 
 <constant_variable
@@ -95,7 +96,7 @@
 <constant_variable
     id="var_accounts_passwords_pam_faillock_deny_root_faillock_conf_parameter_regex"
     datatype="string" version="1"
-    comment="regex to identify deny entry in /etc/security/faillock.conf">
+    comment="regex to identify deny entry in {{{ pam_faillock_conf_path }}}">
 <value>^[\s]*even_deny_root</value>
 </constant_variable>
 
@@ -195,12 +196,12 @@
       object_ref="object_accounts_passwords_pam_faillock_deny_root_parameter_presence_pamd_auth"/>
 </ind:textfilecontent54_test>
 
-<!-- Check pam_faillock.so even_deny_root parameter in /etc/security/faillock.conf -->
+<!-- Check pam_faillock.so even_deny_root parameter in {{{ pam_faillock_conf_path }}} -->
 <ind:textfilecontent54_object
     version="1"
     id="object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf"
-    comment="Try to get the even_deny_root parameter from /etc/security/faillock.conf">
-  <ind:filepath operation="pattern match">^/etc/security/faillock.conf$</ind:filepath>
+    comment="Try to get the even_deny_root parameter from {{{ pam_faillock_conf_path }}}">
+  <ind:filepath operation="pattern match">^{{{ pam_faillock_conf_path }}}$</ind:filepath>
   <ind:pattern operation="pattern match"
                var_ref="var_accounts_passwords_pam_faillock_deny_root_faillock_conf_parameter_regex"/>
 <ind:instance datatype="int" operation="equals">1</ind:instance>
@@ -209,15 +210,15 @@
 <ind:textfilecontent54_test
     check="all" check_existence="all_exist" version="1"
     id="test_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf"
-    comment="Check the expected even_deny_root parameter in /etc/security/faillock.conf">
+    comment="Check the expected even_deny_root parameter in {{{ pam_faillock_conf_path }}}">
   <ind:object
       object_ref="object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf"/>
 </ind:textfilecontent54_test>
 
 <ind:textfilecontent54_test
     check="all" check_existence="none_exist" version="1"
     id="test_accounts_passwords_pam_faillock_deny_root_parameter_no_faillock_conf"
-    comment="Check the absence of even_deny_root parameter in /etc/security/faillock.conf">
+    comment="Check the absence of even_deny_root parameter in {{{ pam_faillock_conf_path }}}">
   <ind:object
       object_ref="object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf"/>
 </ind:textfilecontent54_test>

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/policy/stig/shared.yml

@@ -9,7 +9,7 @@ vuldiscussion: |-
 checktext: |-
     Verify {{{ full_name }}} is configured to lock the root account after three unsuccessful logon attempts with the command:
 
-    $ sudo grep even_deny_root /etc/security/faillock.conf
+    $ sudo grep even_deny_root {{{ pam_faillock_conf_path }}}
 
     even_deny_root
 
@@ -20,8 +20,6 @@ fixtext: |-
 
     $ sudo authselect enable-feature with-faillock
 
-    Edit the "/etc/security/faillock.conf" by uncommenting or adding the following line:
+    Edit the "{{{ pam_faillock_conf_path }}}" by uncommenting or adding the following line:
 
     even_deny_root
-
-

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml

@@ -52,7 +52,7 @@ ocil: |-
     Verify {{{ full_name }}} is configured to lock the root account after {{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}}
     unsuccessful logon attempts with the command:
 
-    <pre>$ grep even_deny_root /etc/security/faillock.conf</pre>
+    <pre>$ grep even_deny_root {{{ pam_faillock_conf_path }}}</pre>
     even_deny_root
 
 
@@ -62,7 +62,7 @@ fixtext: |-
 
     $ sudo authselect enable-feature with-faillock
 
-    Then edit the <tt>/etc/security/faillock.conf</tt> file as follows:
+    Then edit the <tt>{{{ pam_faillock_conf_path }}}</tt> file as follows:
     add or uncomment the following line:
     <pre>even_deny_root</pre>
 
@@ -74,7 +74,7 @@ warnings:
         PAM files, the <tt>authselect</tt> integrity check will fail and the remediation will be
         aborted in order to preserve intentional changes. In this case, an informative message will
         be shown in the remediation report.
-        If the system supports the <tt>/etc/security/faillock.conf</tt> file, the pam_faillock
+        If the system supports the <tt>{{{ pam_faillock_conf_path }}}</tt> file, the pam_faillock
         parameters should be defined in <tt>faillock.conf</tt> file.
 
 srg_requirement: |-

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/tests/conflicting_settings_authselect.fail.sh

@@ -10,9 +10,9 @@ CUSTOM_PROFILE_DIR="/etc/authselect/custom/testingProfile"
 
 authselect select --force custom/testingProfile
 
-truncate -s 0 /etc/security/faillock.conf
+truncate -s 0 "{{{ pam_faillock_conf_path }}}"
 
-echo "even_deny_root" > /etc/security/faillock.conf
+echo "even_deny_root" > "{{{ pam_faillock_conf_path }}}"
 
 {{{ bash_pam_faillock_enable() }}}