Merge pull request #14095 from teacup-on-rockingchair/pwquality_pwhistory_file_use_var

pwquality and pwhistory fixes

Author: teacup-on-rockingchair

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/oval/shared.xml

@@ -35,7 +35,7 @@
             comment="Check the pam_pwhistory.so remember parameter is absent in password-auth file"/>
           <criterion
             test_ref="test_accounts_password_pam_pwhistory_remember_password_auth_pwhistory_conf"
-            comment="Check the remember parameter in /etc/security/pwhistory.conf"/>
+            comment="Check the remember parameter in {{{ pwhistory_path }}}"/>
         </criteria>
       </criteria>
     </criteria>
@@ -82,15 +82,15 @@
 
   <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
     id="test_accounts_password_pam_pwhistory_remember_password_auth_no_pwhistory_conf"
-    comment="Check the absence of remember parameter in /etc/security/pwhistory.conf">
+    comment="Check the absence of remember parameter in {{{ pwhistory_path }}}">
     <ind:object
       object_ref="object_accounts_password_pam_pwhistory_remember_password_auth_param_conf"/>
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object
     id="object_accounts_password_pam_pwhistory_remember_password_auth_param_conf" version="1"
-    comment="Collect the pam_pwhistory.so remember parameter from /etc/security/pwhistory.conf">
-    <ind:filepath operation="pattern match">^/etc/security/pwhistory.conf$</ind:filepath>
+    comment="Collect the pam_pwhistory.so remember parameter from {{{ pwhistory_path }}}">
+    <ind:filepath operation="pattern match">^{{{ pwhistory_path }}}$</ind:filepath>
     <ind:pattern operation="pattern match"
       var_ref="var_accounts_password_pam_pwhistory_remember_password_auth_conf_param_regex"/>
     <ind:instance datatype="int" operation="equals">1</ind:instance>
@@ -107,7 +107,7 @@
   <ind:textfilecontent54_test
     id="test_accounts_password_pam_pwhistory_remember_password_auth_pwhistory_conf" version="1"
     check="all" check_existence="all_exist"
-    comment="Check remember parameter is present and correct in /etc/security/pwhistory.conf">
+    comment="Check remember parameter is present and correct in {{{ pwhistory_path }}}">
     <ind:object object_ref="object_accounts_password_pam_pwhistory_remember_password_auth_param_conf"/>
     <ind:state state_ref="state_accounts_password_pam_pwhistory_remember_password_auth"/>
   </ind:textfilecontent54_test>

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml

@@ -21,7 +21,7 @@ description: |-
 
     Otherwise, it should be enabled using an authselect custom profile.
     <br/><br/>
-    Newer systems also have the <tt>/etc/security/pwhistory.conf</tt> file for setting
+    Newer systems also have the <tt>{{{ pwhistory_path }}}</tt> file for setting
     <tt>pam_pwhistory</tt> module options. This file should be used whenever available.
     Otherwise, the <tt>pam_pwhistory</tt> module options can be set in PAM files.
     <br/><br/>
@@ -56,7 +56,7 @@ references:
 
 ocil_clause: |-
     the pam_pwhistory.so module is not used, the "remember" module option is not set in
-    /etc/pam.d/password-auth or in /etc/security/pwhistory.conf, or is set in both files, or is set
+    /etc/pam.d/password-auth or in {{{ pwhistory_path }}}, or is set in both files, or is set
     with a value less than "{{{ xccdf_value("var_password_pam_remember") }}}"
 
 ocil: |-
@@ -70,9 +70,9 @@ ocil: |-
     password {{{ xccdf_value("var_password_pam_remember_control_flag") }}} pam_pwhistory.so use_authtok remember={{{ xccdf_value("var_password_pam_remember") }}}</pre>
 
     {{% if product not in ["ol7"] %}}
-    Verify the "/etc/security/pwhistory.conf" file using the following command:
+    Verify the "{{{ pwhistory_path }}}" file using the following command:
 
-    <pre>$ grep remember /etc/security/pwhistory.conf
+    <pre>$ grep remember {{{ pwhistory_path }}}
     remember = {{{ xccdf_value("var_password_pam_remember") }}}</pre>
 
     The pam_pwhistory.so "remember" option must be configured only in one file.
@@ -89,7 +89,7 @@ fixtext: |-
     First ensure the pam_pwhistory.so module is enabled in the password section of "/etc/pam.d/password-auth":
     <pre>password {{{ xccdf_value("var_password_pam_remember_control_flag") }}} pam_pwhistory.so use_authtok</pre>
 
-    If the "/etc/security/pwhistory.conf" is present in the system, use it to set the "remember" option:
+    If the "{{{ pwhistory_path }}}" is present in the system, use it to set the "remember" option:
     <pre>remember = {{{ xccdf_value("var_password_pam_remember") }}}</pre>
 
     Otherwise, include the "remember" option in "/etc/pam.d/password-auth" file:

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_conflict_settings.fail.sh

@@ -15,5 +15,5 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
-echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
+echo "remember = $remember_cnt" >> {{{ pwhistory_path }}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_conf.pass.sh

@@ -16,5 +16,5 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
-echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
+echo "remember = $remember_cnt" >> {{{ pwhistory_path }}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_correct_value_pam.pass.sh

@@ -15,4 +15,4 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_argument.fail.sh

@@ -18,4 +18,4 @@ else
     fi
 fi
 authselect apply-changes -b
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_missing_line.fail.sh

@@ -14,4 +14,4 @@ else
     sed -i --follow-symlinks '/.*pam_pwhistory\.so/d' $CUSTOM_PASSWORD_AUTH
 fi
 authselect apply-changes -b
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_modified_pam.fail.sh

@@ -11,4 +11,4 @@ if ! $(grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE); then
 else
    sed -i --follow-symlinks "s/\(.*pam_pwhistory\.so.*remember=\)[[:digit:]]\+\s\(.*\)/\1/g" $SYSTEM_AUTH_FILE
 fi
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_conf.fail.sh

@@ -16,5 +16,5 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
-echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
+echo "remember = $remember_cnt" >> {{{ pwhistory_path }}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/authselect_wrong_value_pam.fail.sh

@@ -15,4 +15,4 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}