Align the pam_account_password_faillock template tests with oval chec…

…k logic

shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh

@@ -5,4 +5,17 @@ rm -f /usr/share/pam-configs/cac_faillock*
 
 DEBIAN_FRONTEND=noninteractive pam-auth-update
 
-echo "#{{{ PRM_NAME }}}={{{ VARIABLE_LOWER_BOUND }}}" > /etc/security/faillock.conf
+SIGN='='
+{{% if EXT_VARIABLE %}}
+VALUE=1
+{{% else %}}
+if [[ {{{ VARIABLE_UPPER_BOUND }}} =~ ^[0-9]+$ ]]; then
+  VALUE=$(( {{{ VARIABLE_UPPER_BOUND }}} - 1 ))
+elif [[ {{{ VARIABLE_LOWER_BOUND }}} =~ ^[0-9]+$ ]]; then
+  VALUE=$(( {{{ VARIABLE_LOWER_BOUND }}} + 1 ))
+else
+  SIGN=""
+fi
+{{% endif %}}
+
+echo "#{{{ PRM_NAME }}}$SIGN$VALUE" > /etc/security/faillock.conf

shared/templates/pam_account_password_faillock/tests/ubuntu_correct.pass.sh

@@ -1,5 +1,18 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
 
+SIGN='='
+{{% if EXT_VARIABLE %}}
+VALUE=1
+{{% else %}}
+if [[ {{{ VARIABLE_UPPER_BOUND }}} =~ ^[0-9]+$ ]]; then
+  VALUE=$(( {{{ VARIABLE_UPPER_BOUND }}} - 1 ))
+elif [[ {{{ VARIABLE_LOWER_BOUND }}} =~ ^[0-9]+$ ]]; then
+  VALUE=$(( {{{ VARIABLE_LOWER_BOUND }}} + 1 ))
+else
+  SIGN=""
+fi
+{{% endif %}}
+
 {{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
-echo "{{{ PRM_NAME }}}={{{ VARIABLE_LOWER_BOUND }}}" > /etc/security/faillock.conf
+echo "{{{ PRM_NAME }}}$SIGN$VALUE" > /etc/security/faillock.conf

shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh

@@ -4,14 +4,27 @@
 rm -f /usr/share/pam-configs/cac_faillock*
 DEBIAN_FRONTEND=noninteractive pam-auth-update
 
+SIGN='='
+{{% if EXT_VARIABLE %}}
+VALUE=1
+{{% else %}}
+if [[ {{{ VARIABLE_UPPER_BOUND }}} =~ ^[0-9]+$ ]]; then
+  VALUE=$(( {{{ VARIABLE_UPPER_BOUND }}} - 1 ))
+elif [[ {{{ VARIABLE_LOWER_BOUND }}} =~ ^[0-9]+$ ]]; then
+  VALUE=$(( {{{ VARIABLE_LOWER_BOUND }}} + 1 ))
+else
+  SIGN=""
+fi
+{{% endif %}}
+
 cat << EOF > /usr/share/pam-configs/cac_faillock
 Name: Enable pam_faillock to deny access
 Default: yes
 Conflicts: faillock
 Priority: 0
 Auth-Type: Primary
 Auth:
-    [default=die]                   pam_faillock.so authfail {{{ PRM_NAME }}}={{{ VARIABLE_LOWER_BOUND }}}
+    [default=die]                   pam_faillock.so authfail {{{ PRM_NAME }}}$SIGN$VALUE
 EOF
 
 cat << EOF > /usr/share/pam-configs/cac_faillock_notify
@@ -21,7 +34,7 @@ Conflicts: faillock_notify
 Priority: 1025
 Auth-Type: Primary
 Auth:
-    requisite                       pam_faillock.so preauth {{{ PRM_NAME }}}={{{ VARIABLE_LOWER_BOUND }}}
+    requisite                       pam_faillock.so preauth {{{ PRM_NAME }}}$SIGN$VALUE
 Account-Type: Primary
 Account:
     required                        pam_faillock.so

shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh

@@ -5,4 +5,17 @@ rm -f /usr/share/pam-configs/cac_faillock*
 
 DEBIAN_FRONTEND=noninteractive pam-auth-update
 
-echo "{{{ PRM_NAME }}}={{{ VARIABLE_LOWER_BOUND }}}" > /etc/security/faillock.conf
+SIGN='='
+{{% if EXT_VARIABLE %}}
+VALUE=1
+{{% else %}}
+if [[ {{{ VARIABLE_UPPER_BOUND }}} =~ ^[0-9]+$ ]]; then
+  VALUE=$(( {{{ VARIABLE_UPPER_BOUND }}} - 1 ))
+elif [[ {{{ VARIABLE_LOWER_BOUND }}} =~ ^[0-9]+$ ]]; then
+  VALUE=$(( {{{ VARIABLE_LOWER_BOUND }}} + 1 ))
+else
+  SIGN=""
+fi
+{{% endif %}}
+
+echo "{{{ PRM_NAME }}}$SIGN$VALUE" > /etc/security/faillock.conf

shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh

@@ -1,5 +1,23 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
 
+SIGN='='
+{{% if EXT_VARIABLE %}}
+VALUE=1
+if [[ {{{ VARIABLE_UPPER_BOUND }}} == "use_ext_variable" ]]; then
+  VALUE=$(( $VALUE + 1 ))
+elif [[ {{{ VARIABLE_LOWER_BOUND }}} == "use_ext_variable" ]]; then
+  VALUE=$(( $VALUE - 1 ))
+fi
+{{% else %}}
+if [[ {{{ VARIABLE_UPPER_BOUND }}} =~ ^[0-9]+$ ]]; then
+  VALUE=$(( {{{ VARIABLE_UPPER_BOUND }}} + 1 ))
+elif [[ {{{ VARIABLE_LOWER_BOUND }}} =~ ^[0-9]+$ ]]; then
+  VALUE=$(( {{{ VARIABLE_LOWER_BOUND }}} - 1 ))
+else
+  SIGN=""
+fi
+{{% endif %}}
+
 {{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
 echo "{{{ PRM_NAME }}}={{{ VARIABLE_UPPER_BOUND }}}" > /etc/security/faillock.conf