Check Configuration of password remember

and set default to 60 see Telekom 2021.07-01 SoC 3.01 Req 25 and SoC 3.65 Req46
dev-sec · Jul 21, 2021 · deddf31 · deddf31
1 parent 2735730
commit deddf31
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/controls/os_spec.rb b/controls/os_spec.rb
@@ -282,3 +282,25 @@
     end
   end
 end
+
+control 'os-14' do
+  impact 1.0
+  title 'Check pam config - RedHat specific'
+  desc 'Check config of files in /etc/pam.d.'
+
+  pam_files = ['/etc/pam.d/system-auth', '/etc/pam.d/password-auth']
+
+  pam_files.each do |pam_file|
+    describe file(pam_file) do
+      it { should exist }
+      it { should be_owned_by 'root' }
+      its('group') { should eq 'root' }
+      its(:content) { should match /^password    requisite     pam_pwhistory.so remember=60 use_authtok$/ }
+      its(:content) { should match /^password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type=$/ }
+      its(:content) { should match /^auth        required      pam_faillock.so preauth silent audit even_deny_root deny=5 unlock_time=15$/ }
+      its(:content) { should match /^auth        required      pam_faillock.so authfail audit even_deny_root deny=5 unlock_time=15$/ }
+      its(:content) { should match /^account     required      pam_faillock.so$/ }
+    end
+  end
+  only_if { os.redhat? }
+end