{{{ oval_metadata(DESCRIPTION, rule_title=rule_title) }}} {{% if 'debian' in product or 'ubuntu' in product or product in ['sle15', 'sle16'] %}} {{% else %}} {{% if 'ol' not in families %}} {{% endif %}} {{% if 'ol' not in families %}} {{% endif %}} {{% endif %}} ^\s*auth\N+pam_unix\.so {{% if 'debian' in product or product in ['sle15', 'sle16'] %}} ^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc {{% elif 'ubuntu' in product %}} ^\s*auth\s+(requisite|required)\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail {{% elif 'openeuler' in product or 'kylinserver' in product %}} ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail {{% else %}} ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail {{% endif %}} {{% if 'debian' in product or 'ubuntu' in product or product in ['sle15', 'sle16'] %}} ^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$ {{% elif 'openeuler' in product or 'kylinserver' in product %}} ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so {{% else %}} ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so {{% endif %}} {{{ PRM_REGEX_PAMD }}} {{{ PRM_REGEX_CONF }}} {{% macro generate_test_faillock_enabled(file_stem) %}} /etc/pam.d/{{{file_stem}}}-auth 1 /etc/pam.d/{{{ file_stem }}}-auth 1 {{% endmacro %}} {{{ generate_test_faillock_enabled (file_stem="system") }}} {{{ generate_test_faillock_enabled (file_stem="password") }}} {{{ generate_test_faillock_enabled (file_stem="common") }}} {{% macro generate_test_faillock_account(file_stem, file) %}} /etc/pam.d/{{{ file }}} 1 {{% endmacro %}} {{{ generate_test_faillock_account (file_stem="system", file="system-auth") }}} {{{ generate_test_faillock_account (file_stem="password", file="password-auth") }}} {{{ generate_test_faillock_account (file_stem="common", file="common-account") }}} {{% macro generate_check_parameter_in_pam_file(file_stem) %}} {{% if VARIABLE_UPPER_BOUND is not none %}} {{% endif %}} {{% if VARIABLE_LOWER_BOUND is not none %}} {{% endif %}} /etc/pam.d/{{{ file_stem }}}-auth 1 {{% endmacro %}} {{% if VARIABLE_UPPER_BOUND is not none %}} {{% if VARIABLE_UPPER_BOUND == "use_ext_variable" %}} {{% else %}} {{{ VARIABLE_UPPER_BOUND }}} {{% endif %}} {{% endif %}} {{% if VARIABLE_LOWER_BOUND is not none %}} {{% if VARIABLE_LOWER_BOUND == "use_ext_variable" %}} {{% else %}} {{{ VARIABLE_LOWER_BOUND }}} {{% endif %}} {{% endif %}} {{{ generate_check_parameter_in_pam_file (file_stem="system") }}} {{{ generate_check_parameter_in_pam_file (file_stem="password") }}} {{{ generate_check_parameter_in_pam_file (file_stem="common") }}} {{% if VARIABLE_UPPER_BOUND is not none %}} {{% endif %}} {{% if VARIABLE_LOWER_BOUND is not none %}} {{% endif %}} {{{ pam_faillock_conf_path }}} 1