content icon indicating copy to clipboard operation
content copied to clipboard

Published 20 hours ago verified publisher icon ComplianceAsCode

Drop usage of pam_faillock rules from SLE12 platform

Open teacup-on-rockingchair opened this issue 3 years ago • 7 comments

Description:

  • Use alternate rules based on pam_tally2 module present in SLE12 platform instead of pam_faillock which is not available

Rationale:

  • Replace usage of accounts_passwords_pam_faillock_deny with accounts_passwords_pam_tally2 rule for SLE platforms

  • Replace accounts_passwords_pam_faillock_unlock_time with accounts_passwords_pam_tally2_unlock_time for SLE platforms

  • Replace accounts_passwords_pam_faillock_deny_root with accounts_passwords_pam_tally2_deny_root for SLE platform

  • Add accounts_passwords_pam_tally2 rule instead of accounts_passwords_pam_faillock_deny

  • Drop accounts_passwords_pam_faillock_interval rule for SLE12 platform. Unfortunately no pam_tally2 alternative found for this functionality, so until pam_faillock is not ported to SLE12 as in SLE15, better to disable the rule

  • Fixes #9115

teacup-on-rockingchair avatar Aug 29 '22 06:08 teacup-on-rockingchair

Hi @teacup-on-rockingchair. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci[bot] avatar Aug 29 '22 06:08 openshift-ci[bot]

Start a new ephemeral environment with changes proposed in this pull request:

sle12 (from CTF) Environment (using Fedora as testing environment) Open in Gitpod

Fedora Testing Environment Open in Gitpod

Oracle Linux 8 Environment Open in Gitpod

github-actions[bot] avatar Aug 29 '22 06:08 github-actions[bot]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff 
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_policytype'.
--- xccdf_org.ssgproject.content_rule_selinux_policytype
+++ xccdf_org.ssgproject.content_rule_selinux_policytype
@@ -522,4 +522,4 @@
 .
 
 [ident]:
-CCE-91546-2
+CCE-91547-0

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_policytype' differs.
--- xccdf_org.ssgproject.content_rule_selinux_policytype
+++ xccdf_org.ssgproject.content_rule_selinux_policytype
@@ -34,7 +34,7 @@
 state: present
 when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
- - CCE-91546-2
+ - CCE-91547-0
 - NIST-800-171-3.1.2
 - NIST-800-171-3.7.2
 - NIST-800-53-AC-3

github-actions[bot] avatar Aug 29 '22 06:08 github-actions[bot]

There is an issue with the same CCE used in two rules:

 44/173 Test  #44: unique-cces .........................................................***Failed    0.39 sec

cce CCE-91546-2 is included in files: 
 - linux_os/guide/system/selinux/selinux_policytype/rule.yml
 - linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/rule.yml

marcusburghardt avatar Aug 31 '22 07:08 marcusburghardt

/ok-to-test

marcusburghardt avatar Aug 31 '22 07:08 marcusburghardt

@teacup-on-rockingchair: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-rhcos4-moderate e8c3b56e8fff33c1b3bab21d143d070da7980525 link true /test e2e-aws-rhcos4-moderate

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-ci[bot] avatar Oct 02 '22 07:10 openshift-ci[bot]

Code Climate has analyzed commit e8c3b56e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 40.7% (0.0% change).

View more on Code Climate.

qlty-cloud-legacy[bot] avatar Oct 02 '22 08:10 qlty-cloud-legacy[bot]