Remove sle products from pam_faillock rules
SLE uses the pam_tally2.so module instead
- This PR partially fixes https://github.com/ComplianceAsCode/content/issues/7564
It's probably a good idea to remove the rules from the SLE15 profiles as well:
```
13 results - 4 files
products/sle15/profiles/hipaa.profile:
100 - audit_rules_kernel_module_loading_init
101: - audit_rules_login_events_faillock
102 - audit_rules_login_events_lastlog
products/sle15/profiles/pci-dss.profile:
18 - var_accounts_maximum_age_login_defs=90
19: - var_accounts_passwords_pam_faillock_deny=6
20: - var_accounts_passwords_pam_faillock_unlock_time=1800
21 - var_sshd_set_keepalive=0
33 - accounts_password_pam_unix_remember
34: - accounts_passwords_pam_faillock_deny
35: - accounts_passwords_pam_faillock_unlock_time
36 - aide_build_database
products/sle15/profiles/pcs-hardening.profile:
153 - audit_rules_kernel_module_loading_init
154: - audit_rules_login_events_faillock
155 - audit_rules_login_events_lastlog
products/sle15/profiles/standard.profile:
92 - var_accounts_fail_delay=4
93: - var_accounts_passwords_pam_faillock_deny=3
94: - var_accounts_passwords_pam_faillock_fail_interval=900
95: - var_accounts_passwords_pam_faillock_unlock_time=never
96 - var_password_pam_retry=3
98 - accounts_password_pam_retry
99: - accounts_passwords_pam_faillock_deny_root
100: - accounts_passwords_pam_faillock_deny
101: - accounts_passwords_pam_faillock_interval
102: - accounts_passwords_pam_faillock_unlock_time
103 - service_httpd_disabled
```
Indeed @ggbecker. However, I preferred not to remove them in this PR. Instead, I informed the SUSE maintainers (https://github.com/ComplianceAsCode/content/issues/7564) so they can confirm and proceed with the changes in their profiles. They would probably prefer to replace them with pam_tally2 equivalents instead of just removing them.
@marcusburghardt I have noticed the same thing as @ggbecker did, and I'm concerned that merging this as is would create an inconsistency: we would be using rules in profiles that don't exist for the given product. Actually, I am surprised that the build doesn't fail; I would expect that we have some check for rule platform during the build. I propose to wait with this one until the SLE profiles have been changed.
All right. So, I am aligned with @ggbecker and @jan-cerny on holding this PR until the SLE profiles are updated. According to the @teacup-on-rockingchair comment on https://github.com/ComplianceAsCode/content/issues/7564#issuecomment-1178648347, it is not expected to take too long.
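The inconsistency discussed above (SLE profiles selecting pam_faillock rules and variables although SLE uses pam_tally2) is the kind of thing a small build-time lint can catch. The following is an added example, not the project's own build check: it assumes profile files are YAML-like with a `selections:` list of rule ids and `var=value` entries (mirroring the grep output quoted in the thread), and the sample profile contents are constructed for the example.

```python
"""Added example: flag pam_faillock selections in profiles of products
that use pam_tally2 instead. The profile layout and sample contents are
constructed assumptions modelled on the lines quoted in the PR thread."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample profiles (not the real files); one SLE15, one non-SLE.
SAMPLE_PROFILES: Dict[str, str] = {
    "products/sle15/profiles/standard.profile": """
title: Sample SLE15 profile (constructed)
selections:
    - var_accounts_fail_delay=4
    - var_accounts_passwords_pam_faillock_deny=3
    - var_accounts_passwords_pam_faillock_unlock_time=never
    - accounts_password_pam_retry
    - accounts_passwords_pam_faillock_deny_root
    - service_httpd_disabled
""",
    "products/rhel9/profiles/standard.profile": """
selections:
    - accounts_passwords_pam_faillock_deny
""",
}

# Products whose lockout module is pam_tally2.so rather than pam_faillock.so
PAM_TALLY2_PRODUCTS = {"sle12", "sle15"}
FAILLOCK_RE = re.compile(r"pam_faillock")


def product_of(path: str) -> Optional[str]:
    """Derive the product id from a products/<product>/... path."""
    m = re.match(r"products/([^/]+)/", path)
    return m.group(1) if m else None


def parse_selections(text: str) -> List[str]:
    """Collect the items of the 'selections:' list; a new top-level key ends it."""
    items, in_sel = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "selections:":
            in_sel = True
        elif in_sel and stripped.startswith("- "):
            items.append(stripped[2:].strip())
        elif in_sel and stripped and not line[0].isspace():
            in_sel = False
    return items


def find_unsupported(profiles: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (profile path, selection) pairs that pull pam_faillock into a pam_tally2 product."""
    findings = []
    for path, text in profiles.items():
        if product_of(path) not in PAM_TALLY2_PRODUCTS:
            continue
        for item in parse_selections(text):
            if FAILLOCK_RE.search(item.split("=", 1)[0]):  # match rule/variable name only
                findings.append((path, item))
    return findings
```

Running `find_unsupported(SAMPLE_PROFILES)` reports the three pam_faillock selections in the SLE15 sample and ignores the RHEL one; hooking such a check into the build would make the mismatch fail early instead of surfacing in review.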
Please resolve the conflicts.
Code Climate has analyzed commit bee3fa75 and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 42.7% (0.0% change).
@marcusburghardt: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-rhcos4-high | bee3fa7556db9ef00cbec4a5a53d8abcb04d1232 | link | true | /test e2e-aws-rhcos4-high |
| ci/prow/e2e-aws-rhcos4-moderate | bee3fa7556db9ef00cbec4a5a53d8abcb04d1232 | link | true | /test e2e-aws-rhcos4-moderate |
I am closing this PR in favor of #9419