diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/bash/shared.sh
deleted file mode 100644
index e6e1362bee8d..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/bash/shared.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-# platform = multi_platform_sle
-
-{{{ bash_ensure_pam_module_options('/etc/pam.d/common-auth', 'auth', 'required', 'pam_unix.so', 'sha512', '', '') }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/rule.yml
index 34b4754a9757..6ec113bd3fb3 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/rule.yml
@@ -56,7 +56,11 @@ template:
 vars:
 path: /etc/pam.d/common-auth
 type: auth
+ {{% if 'sle' in product %}}
+ control_flag: sufficient
+ {{% else %}}
 control_flag: required
+ {{% endif %}}
 module: pam_unix.so
 arguments:
 - argument: sha512
diff --git a/products/sle16/profiles/pci-dss-4.profile b/products/sle16/profiles/pci-dss-4.profile
index 6b771a83155a..ba7de6b6ccc2 100644
--- a/products/sle16/profiles/pci-dss-4.profile
+++ b/products/sle16/profiles/pci-dss-4.profile
@@ -27,6 +27,7 @@ selections:
 - var_multiple_time_servers=suse
 - var_multiple_time_pools=suse
 - var_accounts_tmout=15_min
+ - var_accounts_passwords_pam_faillock_dir=run
 - audit_rules_enable_syscall_auditing
 - '!ntpd_specify_multiple_servers'
 - '!ntpd_specify_remote_server'
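Review bot: `control_flag: sufficient` on the SLE branch changes what the remediation writes into /etc/pam.d/common-auth, not only what the check accepts, and the hunk records no reason for the product-specific flag: a `sufficient` pam_unix.so returns from the auth stack as soon as it succeeds (when no earlier required module has failed), so any module an administrator placed after it no longer runs on a correct password, which `required` never caused. A one-line Jinja comment above the `{{% if %}}`, in the `{{#` comment form used in shared/macros/10-bash.jinja, stating why SLE needs `sufficient` would preserve that decision for the next reader. The same flag is hard-coded separately in shared/macros/10-bash.jinja in this commit, so the two places should be kept in step. `'sle' in product` is a plain substring test; if the project has a product-family predicate it would be more precise, though none is visible from here.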
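Review bot: `var_accounts_passwords_pam_faillock_dir=run` pins the faillock tally directory for the whole profile without a comment on the choice; if `run` resolves to a tmpfs-backed path such as /run/faillock (the pam_faillock default location), lockout state is cleared on every reboot, which matters because the profile's lockout requirement depends on that state persisting for the configured duration. A comment next to the selection, for example `# faillock tallies live in the run-time directory; lockout state does not survive a reboot` (adjusted to whatever the variable actually maps to), would make the trade-off explicit.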
@@ -36,25 +37,20 @@ selections:
 - '!package_libreswan_installed'
 - '!use_pam_wheel_for_su'
 - '!aide_periodic_cron_checking'
- - '!accounts_password_pam_dcredit'
 - '!accounts_password_pam_pwhistory_remember_system_auth'
 - '!sysctl_kernel_core_pattern'
 - '!configure_firewalld_ports'
 - '!accounts_passwords_pam_tally2'
 - '!accounts_passwords_pam_tally2_unlock_time'
 - '!audit_rules_login_events_tallylog'
- - '!accounts_passwords_pam_faillock_deny'
 - '!file_owner_user_cfg'
- - '!accounts_passwords_pam_faillock_unlock_time'
 - '!ensure_redhat_gpgkey_installed'
 - '!package_sequoia-sq_installed'
 - '!ensure_almalinux_gpgkey_installed'
 - '!firewalld_loopback_traffic_restricted'
- - '!accounts_password_pam_lcredit'
 - '!file_group_ownership_var_log_audit'
 - '!package_ftp_removed'
 - '!gnome_gdm_disable_guest_login'
- - '!accounts_password_pam_minlen'
 - '!no_password_auth_for_systemaccounts'
 - '!file_groupowner_user_cfg'
 - '!ensure_root_password_configured'
@@ -83,3 +79,8 @@ selections:
 - '!set_ipv6_loopback_traffic'
 - '!set_loopback_traffic'
 - '!nftables_ensure_default_deny_policy'
+ - '!cracklib_accounts_password_pam_dcredit'
+ - '!cracklib_accounts_password_pam_lcredit'
+ - '!cracklib_accounts_password_pam_minlen'
+ - '!cracklib_accounts_password_pam_retry'
+ - 'accounts_password_pam_retry'
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index f41a8eb87bf2..f40ea6ef53fd 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -854,7 +854,7 @@ fi
 bash_ensure_pam_module_configuration(
 '/etc/pam.d/common-auth',
 'auth',
- '\[success=1 default=ignore\]',
+ 'sufficient',
 'pam_unix.so',
 '',
 '',
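Review bot: Replacing `'\[success=1 default=ignore\]'` with `'sufficient'` changes the semantics of the stack this macro enforces, not just its spelling: the jump form skips exactly one following line on success and then continues, while `sufficient` returns success from the auth stack at once (when no earlier required module failed), so modules two or more lines below pam_unix.so, such as the pam_permit.so and optional entries a jump-style layout relies on, no longer run on a correct password. If that is the intended behaviour for common-auth, the macro's doc comment should say that it forces `sufficient` on that file and why; the macro header and the rest of this call are outside the hunk. The same flag is now also hard-coded in set_password_hashing_algorithm_commonauth/rule.yml in this commit, so the two definitions should be kept consistent or one derived from the other.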
@@ -2766,7 +2766,7 @@ This macro creates a Bash conditional which checks the system architecture in /p {{# - Set a sshd configuration parameter to a value for system with default configuration in /usr subdir + Set a sshd configuration parameter to a value for system with default configuration in /usr subdir :parameter parameter: Parameter to set :type parameter: str