@jan-cerny jan-cerny commented Jan 6, 2026

The remediations shouldn't update the /etc/pam.d/system-auth and /etc/pam.d/password-auth directly; it would conflict with authselect. The remediations need to update the authselect profile instead, and then let authselect modify the files in /etc/pam.d/.

Blocks #14269

The remediations shouldn't update the /etc/pam.d/system-auth and
/etc/pam.d/password-auth directly; it would conflict with authselect.
The remediations need to update the authselect profile instead,
and then let authselect modify the files in /etc/pam.d/.

github-actions bot commented Jan 6, 2026

ATEX Test Results

Test artifacts have been submitted to Testing Farm.

Results: View Test Results
Workflow Run: View Workflow Details

This comment was automatically generated by the ATEX workflow.

@Mab879 Mab879 self-assigned this Jan 6, 2026
pam_profile_path="/etc/authselect/$CUSTOM_PROFILE"

for authselect_file in "$pam_profile_path"/password-auth "$pam_profile_path"/system-auth; do
if grep -Pq '^\h*password\h+([^#\n\r]+)\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' "$authselect_file"; then
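Review bot: in the `for authselect_file` loop, grep is run on "$pam_profile_path"/password-auth and "$pam_profile_path"/system-auth with no check in the visible lines that `$CUSTOM_PROFILE` is non-empty or that each file exists. grep exits with status 2 on a missing file, and this `if` treats that the same as "pattern not found", so a wrong profile path is skipped silently. Suggest `[ -f "$authselect_file" ] || continue` (or an explicit failure) before the `if`, so a missing template is distinguished from a missing use_authtok option.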

Suggested change
if grep -Pq '^\h*password\h+([^#\n\r]+)\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' "$authselect_file"; then
if ! grep -Pq '^\h*password\h+([^#\n\r]+)\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' "$authselect_file"; then

Currently, this seems to only add it if it is already there.

@jan-cerny

I have fixed the test scenario
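The approach from the pull request description (edit the authselect profile, then let authselect regenerate /etc/pam.d), as an added example that is not code from this pull request. The helper names, the regular expressions and the sample profile are constructed here, and GNU sed and grep are assumed.

```shell
#!/usr/bin/env bash
# Added example: hypothetical helpers, not code from the pull request.
# Assumes GNU sed/grep; the profile directory is passed in by the caller.

# An active (uncommented) "password ... pam_pwhistory.so" line.
PWHISTORY_LINE='^[[:space:]]*password[[:space:]][^#]*pam_pwhistory\.so'
# The module with use_authtok among its arguments, before any '#'.
HAS_AUTHTOK='pam_pwhistory\.so[^#]*[[:space:]]use_authtok([[:space:]]|$)'

# missing_use_authtok FILE: print the number of active pam_pwhistory.so
# password lines in FILE that lack use_authtok.
missing_use_authtok() {
    grep -E "$PWHISTORY_LINE" "$1" | grep -Evc "$HAS_AUTHTOK" || true
}

# ensure_use_authtok PROFILE_DIR: edit the profile's templates (never the
# generated files in /etc/pam.d). Returns 1 if a template is missing.
ensure_use_authtok() {
    local dir=$1 f
    for f in "$dir/password-auth" "$dir/system-auth"; do
        [ -f "$f" ] || { echo "missing template: $f" >&2; return 1; }
        # Only lines without the option are touched, so reruns change nothing.
        # The option goes right after the module name, ahead of any trailing
        # authselect condition such as {include if "..."}.
        sed -E -i "/$PWHISTORY_LINE/{
            /$HAS_AUTHTOK/!s/pam_pwhistory\\.so/& use_authtok/
        }" "$f"
    done
}

# apply_profile: have authselect regenerate /etc/pam.d from the profile.
apply_profile() { authselect apply-changes; }

# Demo on a constructed profile in a temp directory (not a real system).
demo() {
    local d; d=$(mktemp -d)
    printf '%s\n' '# password required pam_pwhistory.so remember=5' \
        'password  requisite   pam_pwhistory.so remember=5' \
        'password  sufficient  pam_unix.so sha512 shadow use_authtok' \
        > "$d/system-auth"
    printf '%s\n' 'password  required  pam_pwhistory.so use_authtok' \
        > "$d/password-auth"
    ensure_use_authtok "$d" && cat "$d/system-auth" "$d/password-auth"
    rm -rf "$d"
}
demo
```

On a real system the sequence would be `ensure_use_authtok "/etc/authselect/$CUSTOM_PROFILE"` followed by `apply_profile`, with `missing_use_authtok` serving as the before/after check.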


openshift-ci bot commented Jan 7, 2026

@jan-cerny: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-openshift-node-compliance | 44634a3 | link | true | /test e2e-aws-openshift-node-compliance |


@Mab879 Mab879 merged commit 88bf598 into ComplianceAsCode:master Jan 7, 2026
140 of 142 checks passed