SLE16 related fixes to accounts password template#14717

Merged
jan-cerny merged 3 commits into
ComplianceAsCode:masterfrom
teacup-on-rockingchair:sle16_accounts_password_template
May 18, 2026

Conversation

@teacup-on-rockingchair
Contributor

Description:

  • Distro defaults from /usr/lib/security/pwquality.conf are used only as a bootstrap for the pwquality configuration to be hardened. We cannot rely on anything in /usr/etc to remain the same after a distro or package upgrade, so hardening should be based only on the configuration in /etc

Rationale:

  • bash/ansible remediations now copy distro defaults from /usr/lib/security/pwquality.conf to /etc/security/pwquality.conf. This affects the rules accounts_password_pam_dcredit, accounts_password_pam_lcredit and accounts_password_pam_minlen, and the non-template rule accounts_password_pam_retry should have the same behaviour
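The bootstrap-then-harden flow the description outlines, written out as an added POSIX shell example (not ComplianceAsCode's own remediation code). It assumes a PWQ_ROOT variable that prefixes every path so it can be exercised in a scratch directory, and it includes the drop-in clean-up step that the template rules perform.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode's remediation. PWQ_ROOT is an assumed
# prefix for every path (empty = the real system) so the flow can be tried
# in a scratch directory. Values are assumed to be simple tokens (e.g. 14, -1).

# Resolve paths at call time so PWQ_ROOT may be set after this file is sourced.
pwq_paths() {
    DISTRO_DEFAULTS="${PWQ_ROOT:-}/usr/lib/security/pwquality.conf"
    ETC_CONF="${PWQ_ROOT:-}/etc/security/pwquality.conf"
    CONF_D="${PWQ_ROOT:-}/etc/security/pwquality.conf.d"
}

# Seed /etc from the distro defaults exactly once. /usr/lib is never edited:
# a package upgrade may replace it, so only /etc is the hardening target.
bootstrap_pwquality() {
    pwq_paths
    mkdir -p "$(dirname "$ETC_CONF")"
    if [ ! -f "$ETC_CONF" ] && [ -f "$DISTRO_DEFAULTS" ]; then
        cp "$DISTRO_DEFAULTS" "$ETC_CONF"
    fi
    [ -f "$ETC_CONF" ] || : > "$ETC_CONF"
}

# Enforce key=value in /etc/security/pwquality.conf. Drop-ins in conf.d win
# over the main file, so any override there is deleted first (the grep/sed
# step the template rules perform); then the key is replaced (uncommenting
# a "# key = ..." default if that is all there is) or appended.
set_pwquality_key() {
    key="$1"; value="$2"
    bootstrap_pwquality
    if [ -d "$CONF_D" ] && grep -sq "^[[:space:]]*$key[[:space:]]*=" "$CONF_D"/*.conf; then
        sed -i "/^[[:space:]]*$key[[:space:]]*=/d" "$CONF_D"/*.conf
    fi
    if grep -q "^[[:space:]]*#\{0,1\}[[:space:]]*$key[[:space:]]*=" "$ETC_CONF"; then
        sed -i "s/^[[:space:]]*#\{0,1\}[[:space:]]*$key[[:space:]]*=.*/$key = $value/" "$ETC_CONF"
    else
        printf '%s = %s\n' "$key" "$value" >> "$ETC_CONF"
    fi
}

# Effective value of a key in /etc (last assignment wins); empty if unset.
get_pwquality_key() {
    pwq_paths
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$ETC_CONF" | tail -n 1
}
```

Run it with PWQ_ROOT pointing at a scratch tree containing a usr/lib/security/pwquality.conf to see the copy happen; GNU sed is assumed for `sed -i`.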

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label May 17, 2026

openshift-ci Bot commented May 17, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@github-actions

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
@@ -8,6 +8,8 @@
 if grep -sq dcredit /etc/security/pwquality.conf.d/*.conf ; then
     sed -i "/dcredit/d" /etc/security/pwquality.conf.d/*.conf
 fi
+
+
 
 
 
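Review bot: the hunk at line 8 adds nothing but two blank lines after the `fi` that clears drop-in overrides, so for the product this datastream was built from the new copy-from-/usr/lib step described in the PR appears to render empty and only its surrounding whitespace leaks into the script. Trim the whitespace around the product conditional in the template so non-SLE remediations stay byte-identical; the same whitespace-only change appears in every template-generated rule in this diff (dictcheck, difok, lcredit, maxclassrepeat, maxrepeat, maxsequence, minclass, minlen, ocredit, ucredit).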

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck
@@ -8,6 +8,8 @@
 if grep -sq dictcheck /etc/security/pwquality.conf.d/*.conf ; then
     sed -i "/dictcheck/d" /etc/security/pwquality.conf.d/*.conf
 fi
+
+
 
 
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_difok' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_difok
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_difok
@@ -8,6 +8,8 @@
 if grep -sq difok /etc/security/pwquality.conf.d/*.conf ; then
     sed -i "/difok/d" /etc/security/pwquality.conf.d/*.conf
 fi
+
+
 
 
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
@@ -8,6 +8,8 @@
 if grep -sq lcredit /etc/security/pwquality.conf.d/*.conf ; then
     sed -i "/lcredit/d" /etc/security/pwquality.conf.d/*.conf
 fi
+
+
 
 
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat
@@ -8,6 +8,8 @@
 if grep -sq maxclassrepeat /etc/security/pwquality.conf.d/*.conf ; then
     sed -i "/maxclassrepeat/d" /etc/security/pwquality.conf.d/*.conf
 fi
+
+
 
 
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
@@ -8,6 +8,8 @@
 if grep -sq maxrepeat /etc/security/pwquality.conf.d/*.conf ; then
     sed -i "/maxrepeat/d" /etc/security/pwquality.conf.d/*.conf
 fi
+
+
 
 
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxsequence' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_maxsequence
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_maxsequence
@@ -8,6 +8,8 @@
 if grep -sq maxsequence /etc/security/pwquality.conf.d/*.conf ; then
     sed -i "/maxsequence/d" /etc/security/pwquality.conf.d/*.conf
 fi
+
+
 
 
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
@@ -8,6 +8,8 @@
 if grep -sq minclass /etc/security/pwquality.conf.d/*.conf ; then
     sed -i "/minclass/d" /etc/security/pwquality.conf.d/*.conf
 fi
+
+
 
 
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
@@ -8,6 +8,8 @@
 if grep -sq minlen /etc/security/pwquality.conf.d/*.conf ; then
     sed -i "/minlen/d" /etc/security/pwquality.conf.d/*.conf
 fi
+
+
 
 
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
@@ -8,6 +8,8 @@
 if grep -sq ocredit /etc/security/pwquality.conf.d/*.conf ; then
     sed -i "/ocredit/d" /etc/security/pwquality.conf.d/*.conf
 fi
+
+
 
 
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
@@ -2,6 +2,8 @@
 if rpm --quiet -q kernel-core && { rpm --quiet -q libpwquality; }; then
 
 var_password_pam_retry=''
+
+
 
 
 # Strip any search characters in the key arg so that the key can be replaced without
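Review bot: same whitespace-only change here, two blank lines after `var_password_pam_retry=''`; the surrounding guard tests `rpm --quiet -q kernel-core`, a Red Hat family package name, so this datastream is not an SLE build and the SLE-specific bootstrap copy evidently expands to nothing on it. Since accounts_password_pam_retry is hand-written rather than template-generated, confirm on the SLE16 build that its bash and ansible remediations actually gained the same copy of /usr/lib/security/pwquality.conf to /etc/security/pwquality.conf as the template rules, as the description intends, rather than only the empty lines visible here.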

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
@@ -8,6 +8,8 @@
 if grep -sq ucredit /etc/security/pwquality.conf.d/*.conf ; then
     sed -i "/ucredit/d" /etc/security/pwquality.conf.d/*.conf
 fi
+
+
 
 
 

@teacup-on-rockingchair teacup-on-rockingchair added this to the 0.1.81 milestone May 17, 2026
@teacup-on-rockingchair teacup-on-rockingchair added the labels SLES (SUSE Linux Enterprise Server product related), Update Template (Issues or pull requests related to Templates updates), Ansible (Ansible remediation update) and Bash (Bash remediation update) May 17, 2026
@teacup-on-rockingchair teacup-on-rockingchair marked this pull request as ready for review May 17, 2026 13:18
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label May 17, 2026

openshift-ci Bot commented May 17, 2026

@teacup-on-rockingchair: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/4.18-images 0a01e3d link true /test 4.18-images
ci/prow/e2e-aws-openshift-node-compliance 0a01e3d link true /test e2e-aws-openshift-node-compliance
ci/prow/e2e-aws-openshift-platform-compliance 0a01e3d link true /test e2e-aws-openshift-platform-compliance


@jan-cerny jan-cerny self-assigned this May 18, 2026
Collaborator

@jan-cerny jan-cerny left a comment


I have reviewed the code and successfully run automatus tests locally. The failure in rule rsyslog_files_permissions isn't caused by the contents of this PR and is currently being solved in #14715.

@jan-cerny jan-cerny merged commit 5577557 into ComplianceAsCode:master May 18, 2026
62 of 69 checks passed