
Currently CIS Benchmark fails when checking faillock and pwquality configuration when it doesn't find them set in faillock.conf and pwquality.conf, even though some items pass, as they are correctly configured in /etc/pam.d/common-auth and /etc/pam.d/common-password. CIS recommends having the configuration only in one place, and requires those separate files to contain them.

This change removes faillock and pwquality configurations from the /etc/pam.d files, adds them to the recommended configuration files, and does not change any password requirements or lock rules.

Test Plan:
PASS: Run build-pkgs -c -p pam-config.
PASS: Install pam-config deb file and check if faillock.conf from libpam-modules is renamed with .old suffix.
PASS: Roll back pam-config package to master and check if faillock.conf from libpam-modules is renamed back.
PASS: Run build-image.
PASS: Run fresh install of AIO-SX with complete bootstrap and unlock of the controller-0.
PASS: Run fresh install of AIO-DX with complete bootstrap and unlock of controller-0 and controller-1.
PASS: Change password 5 times and then try to use the first password of the sequence again to verify if it is using password history.
PASS: Try password without at least 1 uppercase letter.
PASS: Try password without at least 1 lowercase letter.
PASS: Try password without at least one number.
PASS: Try password without at least one special character.
PASS: Try password with less than 12 characters and verify if it fails.
PASS: Try password with less than 3 different characters from the old one and verify that it fails.

Story: 2011283
Task: 51351
Change-Id: I00424030b8fd877752908c35793627df16eb31c8
Signed-off-by: Rodrigo Tavares <Rodrigo.DosSantosTavares@windriver.com>
9 lines
90 B
Plaintext
difok=3
minlen=12
minclass=4
ocredit=-1
lcredit=-1
ucredit=-1
dcredit=-1
enforce_for_root
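Review bot: minclass=4 on the third line duplicates what the ocredit=-1, lcredit=-1, ucredit=-1 and dcredit=-1 lines below it already enforce, since each negative credit requires at least one character of that class and the four together imply all four classes. Keep one form, or add a comment saying both are set on purpose for the CIS check, so that a later edit to one of them does not quietly leave the other as the effective rule. The file also carries no comments at all; a short header stating that pam-config owns it and that these values were moved out of the /etc/pam.d files would tell the next auditor where the policy now lives and why the same options must not be set on the PAM module line again.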