

Improve OVAL for accounts_password_pam_unix_authtok
- added condition that at least one pam_unix must exist in PAM password file
- cleaned up ids and comments
mpurg committed Jan 22, 2025
1 parent 25cd0c5 commit a66ce8f
Showing 1 changed file with 29 additions and 15 deletions.
@@ -1,41 +1,55 @@
{{%- set accounts_password_pam_unix_file = '/etc/pam.d/common-password' -%}}
{{%- set accounts_password_pam_file = '/etc/pam.d/common-password' -%}}

<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
{{{ oval_metadata("Configure the system to include use_authtok in pam common_password configuration file") }}}
<criteria>
<criterion test_ref="test_password_pam_unix_use_authtok"
comment="use_authtok is configured in pam unix in common_password file"/>
<criteria operator="AND">
<criterion test_ref="test_{{{ rule_id }}}_pam_unix_exists"
comment="at least one pam_unix line exists in common_password file"/>
<criterion test_ref="test_{{{ rule_id }}}_prm_exists_not_initial"
comment="use_authtok is configured in pam unix in common_password, ignoring first line on stack"/>
</criteria>
</definition>

<ind:textfilecontent54_test id="test_password_pam_unix_use_authtok" version="1"
<ind:textfilecontent54_test id="test_{{{ rule_id }}}_pam_unix_exists" version="1"
check="all" check_existence="at_least_one_exists"
comment="At least one pam_unix line exists">
<ind:object object_ref="obj_{{{ rule_id }}}_pam_unix_exists" />
</ind:textfilecontent54_test>

<ind:textfilecontent54_object id="obj_{{{ rule_id }}}_pam_unix_exists" version="1">
<ind:filepath>{{{ accounts_password_pam_file }}}</ind:filepath>
<ind:pattern operation="pattern match">^[ \t]*password[ \t]+[^#\n\r]+[ \t]+pam_unix\.so.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>

<ind:textfilecontent54_test id="test_{{{ rule_id }}}_prm_exists_not_initial" version="1"
check="all" check_existence="any_exist"
comment="use_authtok is configured in pam unix in common_password file">
<ind:object object_ref="obj_test_use_authtok" />
<ind:state state_ref="ste_test_use_authtok" />
comment="use_authtok is configured in pam unix in common_password file, ignoring first line on stack">
<ind:object object_ref="obj_{{{ rule_id }}}_pam_unix_lines_not_initial" />
<ind:state state_ref="ste_{{{ rule_id }}}_prm_exists" />
</ind:textfilecontent54_test>

<ind:textfilecontent54_object id="obj_test_use_authtok" version="1">
<ind:textfilecontent54_object id="obj_{{{ rule_id }}}_pam_unix_lines_not_initial" version="1">
<set>
<object_reference>obj_test_use_authtok_password_lines_except_first</object_reference>
<filter action="include">ste_test_use_authtok_pam_unix_lines</filter>
<object_reference>obj_{{{ rule_id }}}_password_lines_not_initial</object_reference>
<filter action="include">ste_{{{ rule_id }}}_pam_unix_lines</filter>
</set>
</ind:textfilecontent54_object>

<ind:textfilecontent54_state id="ste_test_use_authtok" version="1">
<ind:textfilecontent54_state id="ste_{{{ rule_id }}}_prm_exists" version="1">
<ind:subexpression operation="pattern match">^[^#\n\r]+[ \t]+pam_unix\.so[ \t]+[^#\n\r]+use_authtok.*$</ind:subexpression>
</ind:textfilecontent54_state>

<!-- Get all password lines except the first line. This is to avoid matching a pam_unix
line on the top of the stack, which does not need use_authtok to pass -->
<ind:textfilecontent54_object id="obj_test_use_authtok_password_lines_except_first" version="1">
<ind:filepath>{{{ accounts_password_pam_unix_file }}}</ind:filepath>
<ind:textfilecontent54_object id="obj_{{{ rule_id }}}_password_lines_not_initial" version="1">
<ind:filepath>{{{ accounts_password_pam_file }}}</ind:filepath>
<ind:pattern operation="pattern match">^[ \t]*password[ \t]+(.+)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">2</ind:instance>
</ind:textfilecontent54_object>

<ind:textfilecontent54_state id="ste_test_use_authtok_pam_unix_lines" version="1">
<ind:textfilecontent54_state id="ste_{{{ rule_id }}}_pam_unix_lines" version="1">
<ind:subexpression operation="pattern match">^[^#\n\r]+[ \t]+pam_unix\.so.*$</ind:subexpression>
</ind:textfilecontent54_state>
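Review bot: The new test `test_{{{ rule_id }}}_prm_exists_not_initial` binds the renamed object to `ste_{{{ rule_id }}}_prm_exists`, whose subexpression `^[^#\n\r]+[ \t]+pam_unix\.so[ \t]+[^#\n\r]+use_authtok.*$` requires at least one extra character between the whitespace after `pam_unix.so` and `use_authtok`, so a line such as `password required pam_unix.so use_authtok` (use_authtok as the first module argument) never matches and the rule reports a false failure. The regex itself is on an unchanged line and appears to predate this commit, but the commit's restructured criteria now makes that state the only thing deciding the second criterion, so it is worth fixing here. A state pattern that makes the intervening arguments optional, for example `^[^#\n\r]+[ \t]+pam_unix\.so[ \t]+([^#\n\r]*[ \t]+)?use_authtok([ \t].*)?$`, matches both the bare and the argument-preceded forms while still requiring whitespace around the option. The filter state `ste_{{{ rule_id }}}_pam_unix_lines` does not have this problem because its pattern ends in `.*$` directly after the module name.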


