Improve template pam_account_password_faillock #12687
Conversation
|
Hi @mpurg. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
mpurg
force-pushed
the
faillock_template_fix
branch
from
a058c3d to
e1ea42b
Compare
|
@Mab879 @jan-cerny I see that one fedora test (conflicting_settings_authselect.fail.sh) is failing with Should the profile be based on Update: I added a fallback command based on the Update2: The ansible remediations in fedora automatus tests are failing because of missing |
Added template to docs.
Defined requirements for variables in template.py:
- ext_variable must be defined since it is used in the remediation
- bounding variables must be 'use_ext_variable', (int), or undefined
(if undefined, bounding variables are initialized to None)
Cleaned up the OVAL:
- fix conditionals to consistently use inclusive comparisons instead of
inclusive for ext_variable, and exclusive for numbers
- remove conditionals which compare to `var_ref="{{{ VARIABLE_*_BOUND}}}"`
as these variables don't exist in the OVAL
- modify check for undefined variable to compare to jinja test none
Fixed to work with new OVAL logic in template (inclusive comparison).
- tests were generalized and are no longer specific to `_deny` rule - tests check the different logic flows defined by template parameters and external variables - a new macro was created to initialize the variables - tests from the rules that use the template were removed
In newer versions of authselect, 'minimal' profile is removed in favor of 'local'. - https://fedoramagazine.org/authselect-in-fedora-linux-40-migrating-to-the-new-local-profile/ - https://github.com/authselect/authselect/releases/tag/1.5.0
mpurg
force-pushed
the
faillock_template_fix
branch
from
e1ea42b to
2507ad8
Compare
The ansible remediation in `pam_account_password_faillock` was fixed to be applicable on same platforms as the remediations in original rules (accounts_passwords_pam_faillock_deny/unlock_time/interval).
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
Code Climate has analyzed commit 8055c39 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 60.9% (0.0% change). View more on Code Climate. |
dodys
added
the
Update Template
|
@Mab879 could you please take a look on this one? |
Description:
pam_account_password_faillock_denyrule from 0 to 1)var_ref="{{{ VARIABLE_*_BOUND}}}"as these variables don't exist in the OVAL_denyrule