Implement pwquality macro

[alanmcanonical]

Description:

• Create bash_pam_pwquality_enable macro
• Create bash_pam_pwquality_parameter_value macro
• Use these macro in accounts_password_pam_retry remediation

Rationale:

• Use pam-auth-update to dynamically remediate and test pam stack

[openshift-ci]

Hi @alanmcanonical. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[alanmcanonical]

Issue 1

For sle15 test, I saw the oval log:

I: oscap:     Opening file '/etc/pam.d/system-auth'. [oscap(392):probe_worker(7057a56006c0):oval_fts.c:838:oval_fts_open_prefixed]
D: oscap:     lstat() failed: errno: 2, 'No such file or directory'. [oscap(392):probe_worker(7057a56006c0):oval_fts.c:844:oval_fts_open_prefixed]

It indicates that system-auth doesn't exist in sle15, and this patch could solve this issue but need someone from suse to confirm

diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh
index 608e1ab3fb..621b4e32c4 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh
@@ -2,6 +2,8 @@
 
 {{% if product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
 {{% set configuration_files = ["password-auth","system-auth"] %}}
+{{% elif 'sle15' in product %}}
+{{% set configuration_files = ["common-password"] %}}
 {{% else %}}
 {{% set configuration_files = ["system-auth"] %}}
 {{% endif %}}
@@ -9,7 +11,7 @@
 
 {{{ bash_instantiate_variables("var_password_pam_retry") }}}
 
-{{% if product in ['ol8', 'ol9', 'rhel8', 'rhel9'] -%}}
+{{% if product in ['sle15', 'ol8', 'ol9', 'rhel8', 'rhel9'] -%}}
 	{{{ bash_replace_or_append('/etc/security/pwquality.conf',
 							   '^retry',
 							   '$var_password_pam_retry',
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml
index 4ae8aec49b..e83e5a9d51 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml
@@ -1,4 +1,4 @@
-{{% if 'ubuntu' in product or 'debian' in product %}}
+{{% if 'ubuntu' in product or 'debian' in product or 'sle15' in product %}}
 {{% set configuration_files = ["common-password"] %}}
 {{% elif product in ['ol8','ol9','rhel8', 'rhel9'] %}}
 {{% set configuration_files = ["password-auth","system-auth"] %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh
index 517cb8c3ed..b618cb3103 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh
@@ -1,4 +1,4 @@
-{{% if 'ubuntu' in product %}}
+{{% if 'ubuntu' in product or 'sle15' in product %}}
 configuration_files=("common-password")
 {{% elif product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
 configuration_files=("password-auth" "system-auth")
@@ -22,6 +22,6 @@ DEBIAN_FRONTEND=noninteractive pam-auth-update
 for file in ${configuration_files[@]}; do
 	sed -i --follow-symlinks "/pam_pwquality\.so/d" "/etc/pam.d/$file"
 done
-{{% endif%}}
+{{% endif %}}
 
 truncate -s 0 /etc/security/pwquality.conf

Issue 2

As of Automatus UBI8 test

It shows that ERROR - Terminating due to error: Couldn't install required packages: authselect,pam.
I checked and confirmed the authselect is not shipped with Red Hat Universal Base Image 8.

[dodys]

@mpurg is currently testing it, we will take some time before merging this

[mpurg]

Minor changes

[mpurg]

We don't need to remove the retry parameter from cac_pwquality. The file is created in bash_pam_pwquality_enable macro and doesn't contain the parameter.

[alanmcanonical]

Remove Done, delete these line.

[mpurg]

Should we remove all pwquality configs or just cac_pwquality?

[alanmcanonical]

The container has no cac_pwquality config at default, so no need to delete it at all.

[codeclimate]

Code Climate has analyzed commit 73b8561 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).

View more on Code Climate.

[dodys]

lgtm, thanks!