Improve template pam_account_password_faillock

Added template to docs. Defined requirements for variables in template.py: - ext_variable must be defined since it is used in the remediation - bounding variables must be 'use_ext_variable', (int), or undefined (if undefined, bounding variables are initialized to None) Cleaned up the OVAL: - fix conditionals to consistently use inclusive comparisons instead of inclusive for ext_variable, and exclusive for numbers - remove conditionals which compare to `var_ref="{{{ VARIABLE_*_BOUND}}}"` as these variables don't exist in the OVAL - modify check for undefined variable to compare to jinja test none
ComplianceAsCode · Dec 9, 2024 · faa4da4 · faa4da4
1 parent c8baf7a
commit faa4da4
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 14 deletions.
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
@@ -621,6 +621,30 @@ When the remediation is applied duplicate occurrences of `key` are removed.
     - **app** - optional. If not set the check will use the default text `The respective application or service`.
       If set, the `app` is used within sentences like: "`application` is configured correctly and configuration file exists"
 
+#### pam_account_password_faillock
+-   Checks if the pam_faillock is enabled in PAM and if the specified
+    parameter is correctly configured either in /etc/security/faillock.conf
+    or directly in /etc/pam.d/* files.
+
+    The allowed interval for the faillock parameter is defined by
+    template parameters `variable_lower_bound` and `variable_upper_bound`.
+    The boundaries are inclusive (lower <= parameter value <= upper) and
+    can be set as:
+    - `use_ext_variable`: use value in external XCCDF variable defined by `ext_variable`
+    - number: literal number
+    - undefined: no boundary
+
+-   Parameters:
+    -   **description** - Description of rule
+    -   **prm_name** - name of faillock parameter
+    -   **prm_regex_conf** - regex for faillock parameter in /etc/security/faillock.conf
+    -   **prm_regex_pamd** - regex for faillock parameter in /etc/pam.d/*
+    -   **variable_lower_bound** - lower boundary for allowed parameter value
+    -   **variable_upper_bound** - upper boundary for allowed parameter value
+    -   **ext_variable** - external XCCDG variable used to define interval boundaries and
+                           the value used in the remediation.
+
+
 #### pam_options
 -   Checks if the parameters or arguments of a given Linux-PAM (Pluggable
     Authentication Modules) module in a given PAM configuration file

diff --git a/shared/templates/pam_account_password_faillock/oval.template b/shared/templates/pam_account_password_faillock/oval.template
@@ -240,10 +240,10 @@
       id="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_pamd_{{{ file_stem }}}"
       comment="Check the expected {{{ PRM_NAME }}} value in {{{ file_stem }}}-auth">
     <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_pamd_{{{ file_stem }}}"/>
-    {{% if VARIABLE_UPPER_BOUND is defined and VARIABLE_UPPER_BOUND != "none" %}}
+    {{% if VARIABLE_UPPER_BOUND is not none %}}
     <ind:state state_ref="state_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_upper_bound"/>
     {{% endif %}}
-    {{% if VARIABLE_LOWER_BOUND is defined and VARIABLE_LOWER_BOUND != "none" %}}
+    {{% if VARIABLE_LOWER_BOUND is not none %}}
     <ind:state state_ref="state_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_lower_bound"/>
     {{% endif %}}
   </ind:textfilecontent54_test>
@@ -264,34 +264,28 @@
   <external_variable id="{{{ EXT_VARIABLE }}}" datatype="int"
                      comment="external variable to use" version="1"/>
 
-  {{% if VARIABLE_UPPER_BOUND is defined and VARIABLE_UPPER_BOUND != "none" %}}
+  {{% if VARIABLE_UPPER_BOUND is not none %}}
   <ind:textfilecontent54_state
       version="1"
       id="state_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_upper_bound">
     {{% if VARIABLE_UPPER_BOUND == "use_ext_variable" %}}
     <ind:subexpression datatype="int" operation="less than or equal"
 		       var_ref="{{{ EXT_VARIABLE }}}"/>
-    {{% elif VARIABLE_UPPER_BOUND is number %}}
-    <ind:subexpression datatype="int" operation="less than">{{{ VARIABLE_UPPER_BOUND }}}</ind:subexpression>
     {{% else %}}
-    <ind:subexpression datatype="int" operation="less than or equal"
-		       var_ref="{{{ VARIABLE_UPPER_BOUND }}}"/>
+    <ind:subexpression datatype="int" operation="less than or equal">{{{ VARIABLE_UPPER_BOUND }}}</ind:subexpression>
     {{% endif %}}
   </ind:textfilecontent54_state>
   {{% endif %}}
 
-  {{% if VARIABLE_LOWER_BOUND is defined and VARIABLE_LOWER_BOUND != "none" %}}
+  {{% if VARIABLE_LOWER_BOUND is not none %}}
   <ind:textfilecontent54_state
       version="1"
       id="state_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_lower_bound">
     {{% if VARIABLE_LOWER_BOUND == "use_ext_variable" %}}
     <ind:subexpression datatype="int" operation="greater than or equal"
 		       var_ref="{{{ EXT_VARIABLE }}}"/>
-    {{% elif VARIABLE_LOWER_BOUND is number %}}
-    <ind:subexpression datatype="int" operation="greater than">{{{ VARIABLE_LOWER_BOUND }}}</ind:subexpression>
     {{% else %}}
-    <ind:subexpression datatype="int" operation="greater than or equal"
-		       var_ref="{{{ VARIABLE_LOWER_BOUND }}}"/>
+    <ind:subexpression datatype="int" operation="greater than or equal">{{{ VARIABLE_LOWER_BOUND }}}</ind:subexpression>
     {{% endif %}}
   </ind:textfilecontent54_state>
   {{% endif %}}
@@ -305,10 +299,10 @@
 			      id="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_faillock_conf"
 			      comment="Check the expected {{{ PRM_NAME }}} value in /etc/security/faillock.conf">
     <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_faillock_conf"/>
-    {{% if VARIABLE_UPPER_BOUND is defined and VARIABLE_UPPER_BOUND != "none" %}}
+    {{% if VARIABLE_UPPER_BOUND is not none %}}
     <ind:state state_ref="state_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_upper_bound"/>
     {{% endif %}}
-    {{% if VARIABLE_LOWER_BOUND is defined and VARIABLE_LOWER_BOUND != "none" %}}
+    {{% if VARIABLE_LOWER_BOUND is not none %}}
     <ind:state state_ref="state_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_lower_bound"/>
     {{% endif %}}
   </ind:textfilecontent54_test>

diff --git a/shared/templates/pam_account_password_faillock/template.py b/shared/templates/pam_account_password_faillock/template.py
@@ -0,0 +1,16 @@
+def preprocess(data, lang):
+    if data.get("ext_variable") is None:
+        errmsg = ("The template instance of the rule {0} requires the "
+                  "ext_variable to be defined".format(_rule_id))
+        raise ValueError(errmsg)
+
+    for var in ["variable_upper_bound", "variable_lower_bound"]:
+        data[var] = data.get(var, None)
+        if data.get(var) is not None and \
+           data.get(var) != "use_ext_variable" and \
+           type(data.get(var)) != int:
+            errmsg = ("The template instance of the rule {0} requires the "
+                      "parameter {1} is either 'use_ext_variable' or "
+                      "a number or undefined".formate(_rule_id, var))
+            raise ValueError(errmsg)
+    return data