Improve template pam_account_password_faillock #12687
Hi @mpurg. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
a058c3d to e1ea42b
@Mab879 @jan-cerny I see that one fedora test (conflicting_settings_authselect.fail.sh) is failing with
Should the profile be based on

Update: I added a fallback command based on the

Update2: The ansible remediations in fedora automatus tests are failing because of missing
Added template to docs.

Defined requirements for variables in template.py:
- ext_variable must be defined since it is used in the remediation
- bounding variables must be 'use_ext_variable', (int), or undefined (if undefined, bounding variables are initialized to None)

Cleaned up the OVAL:
- fix conditionals to consistently use inclusive comparisons instead of inclusive for ext_variable, and exclusive for numbers
- remove conditionals which compare to `var_ref="{{{ VARIABLE_*_BOUND}}}"` as these variables don't exist in the OVAL
- modify check for undefined variable to compare to jinja test none
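Added example, not part of this PR or of the ComplianceAsCode code base: a sketch of the parameter rules and the inclusive bound check that the commit message above describes. The names `variable_lower_bound`, `variable_upper_bound`, `normalize_params`, `is_compliant` and the sample variable name are assumptions made for illustration.

```python
# Added illustration only. Parameter names are assumed, not copied from template.py.
USE_EXT = "use_ext_variable"
BOUND_KEYS = ("variable_lower_bound", "variable_upper_bound")  # assumed names


def normalize_params(params):
    """Apply the commit's rules: ext_variable required, bounds typed or None."""
    if not params.get("ext_variable"):
        raise ValueError("ext_variable must be defined; the remediation uses it")
    clean = {"ext_variable": params["ext_variable"]}
    for key in BOUND_KEYS:
        bound = params.get(key)  # an undefined bound is initialized to None
        is_int = isinstance(bound, int) and not isinstance(bound, bool)
        if bound is not None and bound != USE_EXT and not is_int:
            raise ValueError(f"{key} must be {USE_EXT!r}, an int, or undefined")
        clean[key] = bound
    return clean


def resolve(bound, ext_value):
    """Turn a bound into a number, or None when that side is unbounded."""
    return ext_value if bound == USE_EXT else bound


def is_compliant(configured, params, ext_value):
    """Inclusive on both sides, whether the bound is a literal or the variable."""
    low = resolve(params["variable_lower_bound"], ext_value)
    high = resolve(params["variable_upper_bound"], ext_value)
    return (low is None or configured >= low) and (high is None or configured <= high)


def boundary_table(params, ext_value, candidates):
    """Map each candidate configured value to its pass/fail result."""
    return {value: is_compliant(value, params, ext_value) for value in candidates}


if __name__ == "__main__":
    # Constructed sample: literal lower bound 1, upper bound taken from a
    # hypothetical external variable currently set to 3.
    rule = normalize_params({
        "ext_variable": "var_example_deny",
        "variable_lower_bound": 1,
        "variable_upper_bound": USE_EXT,
    })
    print(boundary_table(rule, 3, [0, 1, 3, 4]))
```

With mixed inclusive and exclusive comparisons, the values sitting exactly on a bound (1 and 3 in the constructed sample) are the ones whose result would differ between a literal bound and a variable bound.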
Fixed to work with new OVAL logic in template (inclusive comparison).
- tests were generalized and are no longer specific to `_deny` rule
- tests check the different logic flows defined by template parameters and external variables
- a new macro was created to initialize the variables
- tests from the rules that use the template were removed
In newer versions of authselect, 'minimal' profile is removed in favor of 'local'.
- https://fedoramagazine.org/authselect-in-fedora-linux-40-migrating-to-the-new-local-profile/
- https://github.com/authselect/authselect/releases/tag/1.5.0
e1ea42b to 2507ad8
The ansible remediation in `pam_account_password_faillock` was fixed to be applicable on the same platforms as the remediations in the original rules (accounts_passwords_pam_faillock_deny/unlock_time/interval).
Code Climate has analyzed commit 8055c39 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 60.9% (0.0% change).
LGTM
@Mab879 could you please take a look at this one?
Thanks!
lgtm, thanks!
Description:
pam_account_password_faillock
_deny
rule from 0 to 1)var_ref="{{{ VARIABLE_*_BOUND}}}"
as these variables don't exist in the OVAL_deny
rule