From 3f8ddb030b832011f937c9bb02ba5815a5bb8c96 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Mon, 24 Jun 2019 17:45:29 +0200 Subject: [PATCH] Fix accounts_passwords_pam_faillock_deny test scenarios and move to OSPP. --- .../config_without_skip.pass.sh | 2 +- .../default_die_pam_unix.fail.sh | 2 +- .../disablefaillock_authconfig.fail.sh | 2 +- .../pam_config_default_die_pam_unix | 4 ++-- .../pam_config_skip_correctly | 4 ++-- .../pam_config_skip_correctly_short | 4 ++-- .../pam_config_skip_longer | 4 ++-- .../pam_config_skip_longer_comment | 4 ++-- .../pam_config_without_skip | 4 ++-- .../remediable_sssd_authconfig.fail.sh | 2 +- .../skip_correctly.pass.sh | 2 +- .../skip_correctly_short.pass.sh | 2 +- .../skip_longer.fail.sh | 2 +- .../skip_longer_comment.fail.sh | 2 +- 14 files changed, 20 insertions(+), 20 deletions(-) diff --git a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/config_without_skip.pass.sh b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/config_without_skip.pass.sh index 9e65de36319..bf197a4055c 100644 --- a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/config_without_skip.pass.sh +++ b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/config_without_skip.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# profiles = xccdf_org.ssgproject.content_profile_C2S +# profiles = xccdf_org.ssgproject.content_profile_ospp cp pam_config_without_skip /etc/pam.d/system-auth cp pam_config_without_skip /etc/pam.d/password-auth diff --git a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/default_die_pam_unix.fail.sh b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/default_die_pam_unix.fail.sh index e03176f8900..cf6cdb2e92c 100644 --- a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/default_die_pam_unix.fail.sh +++ b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/default_die_pam_unix.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# profiles = xccdf_org.ssgproject.content_profile_C2S +# profiles = xccdf_org.ssgproject.content_profile_ospp # remediation = none # Remediation for accounts_passwords_pam_faillock_deny cannot remediate this scenario # The remediation would need to detect and remove default=die from pam_unix.so module diff --git a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/disablefaillock_authconfig.fail.sh b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/disablefaillock_authconfig.fail.sh index 69dcd26334d..f03d8b66fc6 100644 --- a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/disablefaillock_authconfig.fail.sh +++ b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/disablefaillock_authconfig.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash # -# profiles = xccdf_org.ssgproject.content_profile_C2S +# profiles = xccdf_org.ssgproject.content_profile_ospp authconfig --disablefaillock --updateall diff --git a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_default_die_pam_unix b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_default_die_pam_unix index ddaa87153c3..214ad4e2b73 100644 --- a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_default_die_pam_unix +++ b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_default_die_pam_unix @@ -3,11 +3,11 @@ auth required pam_env.so auth required pam_faildelay.so delay=2000000 -auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 +auth required pam_faillock.so preauth silent deny=3 unlock_time=1200 auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass -auth [default=die] pam_faillock.so authfail deny=4 unlock_time=1200 +auth [default=die] pam_faillock.so authfail deny=3 unlock_time=1200 auth required pam_deny.so account required pam_faillock.so diff --git a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_skip_correctly b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_skip_correctly index 4c839c8c133..915b6064e17 100644 --- a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_skip_correctly +++ b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_skip_correctly @@ -3,11 +3,11 @@ auth required pam_env.so auth required pam_faildelay.so delay=2000000 -auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 +auth required pam_faillock.so preauth silent deny=3 unlock_time=1200 auth [success=done ignore=ignore default=2] pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass -auth [default=die] pam_faillock.so authfail deny=4 unlock_time=1200 +auth [default=die] pam_faillock.so authfail deny=3 unlock_time=1200 auth required pam_deny.so account required pam_faillock.so diff --git a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_skip_correctly_short b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_skip_correctly_short index 5d62164cd39..654d364c5c1 100644 --- a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_skip_correctly_short +++ b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_skip_correctly_short @@ -3,11 +3,11 @@ auth required pam_env.so auth required pam_faildelay.so delay=2000000 -auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 +auth required pam_faillock.so preauth silent deny=3 unlock_time=1200 auth [success=done ignore=ignore default=1] pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass -auth [default=die] pam_faillock.so authfail deny=4 unlock_time=1200 +auth [default=die] pam_faillock.so authfail deny=3 unlock_time=1200 auth required pam_deny.so account required pam_faillock.so diff --git a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_skip_longer b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_skip_longer index e960e84502f..6937ba8543d 100644 --- a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_skip_longer +++ b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_skip_longer @@ -3,11 +3,11 @@ auth required pam_env.so auth required pam_faildelay.so delay=2000000 -auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 +auth required pam_faillock.so preauth silent deny=3 unlock_time=1200 auth [success=done ignore=ignore default=3] pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass -auth [default=die] pam_faillock.so authfail deny=4 unlock_time=1200 +auth [default=die] pam_faillock.so authfail deny=3 unlock_time=1200 auth required pam_deny.so account required pam_faillock.so diff --git a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_skip_longer_comment b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_skip_longer_comment index c78f7b5fab1..83421051d5d 100644 --- a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_skip_longer_comment +++ b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_skip_longer_comment @@ -4,11 +4,11 @@ auth required pam_env.so auth required pam_faildelay.so delay=2000000 -auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 +auth required pam_faillock.so preauth silent deny=3 unlock_time=1200 auth [success=done ignore=ignore default=3] pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass -auth [default=die] pam_faillock.so authfail deny=4 unlock_time=1200 +auth [default=die] pam_faillock.so authfail deny=3 unlock_time=1200 auth required pam_deny.so account required pam_faillock.so diff --git a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_without_skip b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_without_skip index e988ae79a6d..87e93673a36 100644 --- a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_without_skip +++ b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/pam_config_without_skip @@ -3,10 +3,10 @@ auth required pam_env.so auth required pam_faildelay.so delay=2000000 -auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 +auth required pam_faillock.so preauth silent deny=3 unlock_time=1200 auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success -auth [default=die] pam_faillock.so authfail deny=4 unlock_time=1200 +auth [default=die] pam_faillock.so authfail deny=3 unlock_time=1200 auth required pam_deny.so account required pam_faillock.so diff --git a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/remediable_sssd_authconfig.fail.sh b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/remediable_sssd_authconfig.fail.sh index 27d0a519a6a..91e985d93cd 100644 --- a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/remediable_sssd_authconfig.fail.sh +++ b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/remediable_sssd_authconfig.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash # -# profiles = xccdf_org.ssgproject.content_profile_C2S +# profiles = xccdf_org.ssgproject.content_profile_ospp authconfig --enablesssdauth --updateall diff --git a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/skip_correctly.pass.sh b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/skip_correctly.pass.sh index bea2d9beb30..c9493f4dd86 100644 --- a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/skip_correctly.pass.sh +++ b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/skip_correctly.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# profiles = xccdf_org.ssgproject.content_profile_C2S +# profiles = xccdf_org.ssgproject.content_profile_ospp cp pam_config_skip_correctly /etc/pam.d/system-auth cp pam_config_skip_correctly /etc/pam.d/password-auth diff --git a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/skip_correctly_short.pass.sh b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/skip_correctly_short.pass.sh index f5cc81a43a0..8d3fc57e38a 100644 --- a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/skip_correctly_short.pass.sh +++ b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/skip_correctly_short.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# profiles = xccdf_org.ssgproject.content_profile_C2S +# profiles = xccdf_org.ssgproject.content_profile_ospp cp pam_config_skip_correctly_short /etc/pam.d/system-auth cp pam_config_skip_correctly_short /etc/pam.d/password-auth diff --git a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/skip_longer.fail.sh b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/skip_longer.fail.sh index 386c338d455..0811a92365c 100644 --- a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/skip_longer.fail.sh +++ b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/skip_longer.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# profiles = xccdf_org.ssgproject.content_profile_C2S +# profiles = xccdf_org.ssgproject.content_profile_ospp # # remediation = none # Remediation for accounts_passwords_pam_faillock_deny cannot remediate this scenario diff --git a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/skip_longer_comment.fail.sh b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/skip_longer_comment.fail.sh index fa8db5cf664..92b81493d58 100644 --- a/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/skip_longer_comment.fail.sh +++ b/tests/data/group_system/group_accounts/group_accounts-pam/group_locking_out_password_attempts/rule_accounts_passwords_pam_faillock_deny/skip_longer_comment.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# profiles = xccdf_org.ssgproject.content_profile_C2S +# profiles = xccdf_org.ssgproject.content_profile_ospp # # remediation = none # Remediation for accounts_passwords_pam_faillock_deny cannot remediate this scenario