{{% if product == "ol8" or 'rhel' in product %}}
{{% set filepath_regex="^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$" %}}
{{% else %}}
{{% set filepath_regex="^/etc/security/pwquality\.conf$" %}}
{{% endif %}}
<def-group>
<!-- Templated OVAL check for one pam_pwquality setting (the VARIABLE template
     parameter). The settings object below reads files selected by the
     filepath_regex set above:
       * product is "ol8" or its id contains "rhel": /etc/security/pwquality.conf
         plus any single-level *.conf file under /etc/security/pwquality.conf.d/
       * every other product: /etc/security/pwquality.conf only
     NOTE(review): on products in the second group a value placed in a
     pwquality.conf.d drop-in file is invisible to this check. Confirm that the
     libpwquality shipped on those products does not read drop-in files. -->
<!-- Compliance definition. All of the following must hold (operator AND):
       1. the referenced definition accounts_password_pam_pwquality passes,
       2. the pwquality.conf test passes,
       3. on products whose id contains "ol", the setting is not also given on
          the pam_pwquality line of /etc/pam.d/system-auth.
     "ol" in product is a substring test, so any product id that contains the
     letters "ol" takes branch 3. -->
<definition class="compliance" id="{{{ _RULE_ID }}}" version="3">
{{{ oval_metadata("The password " + VARIABLE + " should meet minimum requirements") }}}
<criteria operator="AND" comment="conditions for {{{ VARIABLE }}} are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="accounts_password_pam_pwquality" />
<!-- Single-member OR group: equivalent to the criterion on its own. -->
<criteria operator="OR">
<criterion comment="pwquality.conf" test_ref="test_password_pam_pwquality_{{{ VARIABLE }}}" />
</criteria>
{{% if "ol" in product %}}
<criterion comment="{{{ VARIABLE }}} is not overwritten in system-auth"
test_ref="test_password_pam_pwquality_{{{ VARIABLE }}}_not_overwritten"/>
{{% endif %}}
</criteria>
</definition>
{{% if "ol" in product %}}
<!-- Override guard (products containing "ol" only). check_existence="none_exist"
     makes the test pass only when the object below collects nothing, i.e. no
     line in /etc/pam.d/system-auth that starts (after optional whitespace) with
     "password", references pam_pwquality.so and then names the setting as a
     whole word. Lines starting with "#" do not match the pattern.
     NOTE(review): only system-auth is inspected. The same module argument on a
     pam_pwquality line in another PAM stack file (for example password-auth)
     is not looked at here; confirm that this is covered elsewhere or is
     intended. -->
<ind:textfilecontent54_test check="all" check_existence="none_exist"
comment="check the configuration of /etc/pam.d/system-auth doens't override pwquality.conf"
id="test_password_pam_pwquality_{{{ VARIABLE }}}_not_overwritten" version="1">
<ind:object object_ref="obj_password_pam_pwquality_{{{ VARIABLE }}}_not_overwritten" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_password_pam_pwquality_{{{ VARIABLE }}}_not_overwritten"
version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern
operation="pattern match">^\s*password.*pam_pwquality\.so.*\b{{{ VARIABLE }}}\b</ind:pattern>
<!-- Only the first matching instance is collected; one match is enough to
     fail a none_exist test. -->
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
{{% endif %}}
<!-- Main value test. check="all" requires every collected occurrence of the
     setting to satisfy the referenced state(s); state_operator="AND" requires
     both states when the zero-comparison state is enabled. check_existence is
     not set, so the OVAL default (at_least_one_exists) applies: a system where
     the setting appears in none of the scanned files fails this test. -->
<ind:textfilecontent54_test check="all" state_operator="AND"
comment="check the configuration of /etc/security/pwquality.conf"
id="test_password_pam_pwquality_{{{ VARIABLE }}}" version="3">
<ind:object object_ref="obj_password_pam_pwquality_{{{ VARIABLE }}}" />
<ind:state state_ref="state_password_pam_{{{ VARIABLE }}}" />
{{%- if ZERO_COMPARISON_OPERATION %}}
<ind:state state_ref="state_password_pam_{{{ VARIABLE }}}_zero_comparison" />
{{%- endif %}}
</ind:textfilecontent54_test>
<!-- Settings object. The pattern matches an uncommented "name = value" line
     and captures the value, including an optional leading minus sign, as the
     subexpression. The instance entity (greater than or equal 1) collects
     every occurrence in every file matched by filepath_regex, not just the
     first one.
     NOTE(review): libpwquality presumably applies the last value it reads.
     Combined with check="all" on the test, this object makes any single
     non-compliant occurrence fail the rule, which is the conservative side;
     confirm that this strictness is intended where drop-in files are in use. -->
<ind:textfilecontent54_object id="obj_password_pam_pwquality_{{{ VARIABLE }}}" version="3">
<ind:filepath operation="pattern match">{{{ filepath_regex }}}</ind:filepath>
<ind:pattern operation="pattern match">^\s*{{{ VARIABLE }}}[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<!-- States applied to the captured integer. The first compares it with the
     externally supplied threshold using the templated OPERATION. The optional
     second one compares it with the literal 0 using ZERO_COMPARISON_OPERATION;
     presumably this rejects values on the wrong side of zero for settings
     where the sign changes the meaning (TODO confirm against the rules that
     set this parameter). -->
<ind:textfilecontent54_state id="state_password_pam_{{{ VARIABLE }}}" version="3">
<ind:subexpression datatype="int" operation="{{{ OPERATION }}}" var_ref="var_password_pam_{{{ VARIABLE }}}" />
</ind:textfilecontent54_state>
{{%- if ZERO_COMPARISON_OPERATION %}}
<ind:textfilecontent54_state id="state_password_pam_{{{ VARIABLE }}}_zero_comparison" version="1">
<ind:subexpression datatype="int" operation="{{{ ZERO_COMPARISON_OPERATION }}}" >0</ind:subexpression>
</ind:textfilecontent54_state>
{{%- endif %}}
<!-- Threshold for the comparison above; an integer supplied from outside this
     definition at evaluation time. -->
<external_variable comment="External variable for pam_{{{ VARIABLE }}}" datatype="int" id="var_password_pam_{{{ VARIABLE }}}" version="3" />
</def-group>