From 83e684f84a8961d4307d9c25bc105fb7034e3237 Mon Sep 17 00:00:00 2001
From: Alan Moore
Date: Mon, 2 Dec 2024 14:32:35 +0000
Subject: [PATCH] Align the pam_account_password_faillock template tests with oval check logic
---
 .../tests/ubuntu_commented_values.fail.sh | 15 ++++++++++++++-
 .../tests/ubuntu_correct.pass.sh | 15 ++++++++++++++-
 .../tests/ubuntu_correct_pamd.pass.sh | 17 +++++++++++++++--
 .../tests/ubuntu_missing_pamd.fail.sh | 15 ++++++++++++++-
 .../tests/ubuntu_wrong_value.fail.sh | 18 ++++++++++++++++++
 5 files changed, 75 insertions(+), 5 deletions(-)
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh
index 6bdd5c01ed45..1c3243ece6f2 100644
--- a/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh
@@ -5,4 +5,17 @@
 rm -f /usr/share/pam-configs/cac_faillock*
 DEBIAN_FRONTEND=noninteractive pam-auth-update
 
-echo "#{{{ PRM_NAME }}}={{{ VARIABLE_LOWER_BOUND }}}" > /etc/security/faillock.conf
+SIGN='='
+{{% if EXT_VARIABLE %}}
+VALUE=1
+{{% else %}}
+if [[ {{{ VARIABLE_UPPER_BOUND }}} =~ ^[0-9]+$ ]]; then
+ VALUE=$(( {{{ VARIABLE_UPPER_BOUND }}} - 1 ))
+elif [[ {{{ VARIABLE_LOWER_BOUND }}} =~ ^[0-9]+$ ]]; then
+ VALUE=$(( {{{ VARIABLE_LOWER_BOUND }}} + 1 ))
+else
+ SIGN=""
+fi
+{{% endif %}}
+
+echo "#{{{ PRM_NAME }}}$SIGN$VALUE" > /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_correct.pass.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct.pass.sh
index 1bd13d29bbcc..22f41a7d30d7 100644
--- a/shared/templates/pam_account_password_faillock/tests/ubuntu_correct.pass.sh
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct.pass.sh
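Review bot: The same `SIGN`/`VALUE` block is pasted into every test script in this patch (also ubuntu_correct.pass.sh, ubuntu_correct_pamd.pass.sh, ubuntu_missing_pamd.fail.sh and, with the arithmetic inverted, ubuntu_wrong_value.fail.sh); a shared Jinja macro next to `bash_enable_pam_faillock_directly_in_pam_files()` would keep the boundary arithmetic in one place so the pass and fail scripts cannot drift apart. `VALUE` is only assigned on the numeric branches, so in the `else` branch `$SIGN$VALUE` relies on an unset variable expanding to empty; initialise it next to the sign, `SIGN='='` / `VALUE=''`, or the scripts break as soon as one of them runs under `set -u`. The in-range choice `upper - 1` / `lower + 1` is only correct while the bounds leave room for it; if a parameter is ever templated with both bounds set and `upper - 1 < lower`, this "correct" value lands outside the checked range, so a comment stating the assumption would help, e.g. `# assumes upper-1 (or lower+1) still lies inside the range the OVAL check accepts`.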
@@ -1,5 +1,18 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
 
+SIGN='='
+{{% if EXT_VARIABLE %}}
+VALUE=1
+{{% else %}}
+if [[ {{{ VARIABLE_UPPER_BOUND }}} =~ ^[0-9]+$ ]]; then
+ VALUE=$(( {{{ VARIABLE_UPPER_BOUND }}} - 1 ))
+elif [[ {{{ VARIABLE_LOWER_BOUND }}} =~ ^[0-9]+$ ]]; then
+ VALUE=$(( {{{ VARIABLE_LOWER_BOUND }}} + 1 ))
+else
+ SIGN=""
+fi
+{{% endif %}}
+
 {{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
-echo "{{{ PRM_NAME }}}={{{ VARIABLE_LOWER_BOUND }}}" > /etc/security/faillock.conf
+echo "{{{ PRM_NAME }}}$SIGN$VALUE" > /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh
index 5615b71bfdf8..c160c2785eb7 100644
--- a/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh
@@ -4,6 +4,19 @@
 rm -f /usr/share/pam-configs/cac_faillock*
 DEBIAN_FRONTEND=noninteractive pam-auth-update
 
+SIGN='='
+{{% if EXT_VARIABLE %}}
+VALUE=1
+{{% else %}}
+if [[ {{{ VARIABLE_UPPER_BOUND }}} =~ ^[0-9]+$ ]]; then
+ VALUE=$(( {{{ VARIABLE_UPPER_BOUND }}} - 1 ))
+elif [[ {{{ VARIABLE_LOWER_BOUND }}} =~ ^[0-9]+$ ]]; then
+ VALUE=$(( {{{ VARIABLE_LOWER_BOUND }}} + 1 ))
+else
+ SIGN=""
+fi
+{{% endif %}}
+
 cat << EOF > /usr/share/pam-configs/cac_faillock
 Name: Enable pam_faillock to deny access
 Default: yes
@@ -11,7 +24,7 @@ Conflicts: faillock
 Priority: 0
 Auth-Type: Primary
 Auth:
- [default=die] pam_faillock.so authfail {{{ PRM_NAME }}}={{{ VARIABLE_LOWER_BOUND }}}
+ [default=die] pam_faillock.so authfail {{{ PRM_NAME }}}$SIGN$VALUE
 EOF
 
 cat << EOF > /usr/share/pam-configs/cac_faillock_notify
@@ -21,7 +34,7 @@ Conflicts: faillock_notify
 Priority: 1025
 Auth-Type: Primary
 Auth:
- requisite pam_faillock.so preauth {{{ PRM_NAME }}}={{{ VARIABLE_LOWER_BOUND }}}
+ requisite pam_faillock.so preauth {{{ PRM_NAME }}}$SIGN$VALUE
 Account-Type: Primary
 Account:
 required pam_faillock.so
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh
index dc2cb64023aa..b6b81d4fff16 100644
--- a/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh
@@ -5,4 +5,17 @@
 rm -f /usr/share/pam-configs/cac_faillock*
 DEBIAN_FRONTEND=noninteractive pam-auth-update
 
-echo "{{{ PRM_NAME }}}={{{ VARIABLE_LOWER_BOUND }}}" > /etc/security/faillock.conf
+SIGN='='
+{{% if EXT_VARIABLE %}}
+VALUE=1
+{{% else %}}
+if [[ {{{ VARIABLE_UPPER_BOUND }}} =~ ^[0-9]+$ ]]; then
+ VALUE=$(( {{{ VARIABLE_UPPER_BOUND }}} - 1 ))
+elif [[ {{{ VARIABLE_LOWER_BOUND }}} =~ ^[0-9]+$ ]]; then
+ VALUE=$(( {{{ VARIABLE_LOWER_BOUND }}} + 1 ))
+else
+ SIGN=""
+fi
+{{% endif %}}
+
+echo "{{{ PRM_NAME }}}$SIGN$VALUE" > /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh
index 55940d18e18f..83a0aa48e96e 100644
--- a/shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh
@@ -1,5 +1,23 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
 
+SIGN='='
+{{% if EXT_VARIABLE %}}
+VALUE=1
+if [[ {{{ VARIABLE_UPPER_BOUND }}} == "use_ext_variable" ]]; then
+ VALUE=$(( $VALUE + 1 ))
+elif [[ {{{ VARIABLE_LOWER_BOUND }}} == "use_ext_variable" ]]; then
+ VALUE=$(( $VALUE - 1 ))
+fi
+{{% else %}}
+if [[ {{{ VARIABLE_UPPER_BOUND }}} =~ ^[0-9]+$ ]]; then
+ VALUE=$(( {{{ VARIABLE_UPPER_BOUND }}} + 1 ))
+elif [[ {{{ VARIABLE_LOWER_BOUND }}} =~ ^[0-9]+$ ]]; then
+ VALUE=$(( {{{ VARIABLE_LOWER_BOUND }}} - 1 ))
+else
+ SIGN=""
+fi
+{{% endif %}}
+
 {{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
 echo "{{{ PRM_NAME }}}={{{ VARIABLE_UPPER_BOUND }}}" > /etc/security/faillock.conf
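Review bot: The `SIGN`/`VALUE` computation added to ubuntu_wrong_value.fail.sh is never used: the `echo` at the end of the hunk is left as context and still writes `{{{ PRM_NAME }}}={{{ VARIABLE_UPPER_BOUND }}}`, so the out-of-range value the block computes (upper bound plus one, lower bound minus one) never reaches faillock.conf, and with `EXT_VARIABLE` set the file receives whatever `VARIABLE_UPPER_BOUND` renders to rather than the computed `$VALUE`. The last line should become `echo "{{{ PRM_NAME }}}$SIGN$VALUE" > /etc/security/faillock.conf`, matching the other four scripts in this patch. In the `{{% else %}}` branch where neither bound is numeric, `SIGN=""` leaves `VALUE` unset and the script would write the bare `{{{ PRM_NAME }}}`, which is the same content the pass scripts write, so a fail test generated for a value-less parameter would presumably not fail; a comment above `SIGN=""` such as `# no bounds to violate: this test cannot produce a wrong value` would at least make that explicit. Minor style: the `$` is unnecessary inside arithmetic, `VALUE=$(( VALUE + 1 ))`.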