From 13ac521d4a8fe523640da638cfc3ac9d8817dd93 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 23 Feb 2023 15:08:17 +0100
Subject: [PATCH] Increase the robustness of OVAL check

The previous check was reporting "unknown" when there is no password
defined in the /etc/shadow file of the checked system. Before, it was
not clear the reason for the unknown result. Therefore, a new test was
included to check if passwords are inexistent in the system. The rule is
no longer reporting "unknown" and the generated reports are more clearly
informing which checks passed or not.
---
 .../oval/shared.xml                           | 70 +++++++++++--------
 1 file changed, 39 insertions(+), 31 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/oval/shared.xml
index 6aaa2d448661..6dab19e148b2 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/oval/shared.xml
@@ -1,51 +1,59 @@
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
-    {{{ oval_metadata("All password change date is in the past.") }}}
-    <criteria>
-      <criterion comment="passward last change was in the past"
-                 test_ref="test_accounts_password_last_change_time_secs"/>
+    {{{ oval_metadata("All passwords last change date is in the past.") }}}
+    <criteria operator="OR">
+      <criterion test_ref="test_accounts_password_last_change_is_in_past"
+        comment="All passwords last change date is in the past"/>
+      <criterion test_ref="test_accounts_password_last_change_is_in_past_no_pass"
+        comment="There is no password defined in /etc/shadow"/>
     </criteria>
   </definition>
 
-  <local_variable id="var_accounts_password_last_change_time_secs" datatype="int" version="1"
-                  comment="last change component of password entry">
+  <unix:shadow_state id="state_accounts_password_all_chage_past_has_no_password" version="1">
+    <unix:password operation="pattern match">^(!|!!|!\*|\*|!locked)$</unix:password>
+  </unix:shadow_state>
+
+  <unix:shadow_object id="object_accounts_password_all_chage_in_past" version="1">
+    <unix:username operation="pattern match">.*</unix:username>
+    <filter action="exclude">state_accounts_password_all_chage_past_has_no_password</filter>
+  </unix:shadow_object>
+
+  <local_variable id="var_accounts_password_last_change_time_secs" version="1"
+    datatype="int" comment="last change field of shadow entry in seconds">
     <arithmetic arithmetic_operation="multiply">
       <object_component object_ref="object_accounts_password_all_chage_in_past"
-                        item_field="chg_lst"/>
+        item_field="chg_lst"/>
       <literal_component datatype="int">86400</literal_component>
-      </arithmetic>
+    </arithmetic>
   </local_variable>
 
   <local_variable id="var_accounts_password_last_change_time_diff" datatype="int" version="1"
-                  comment="last change component of password entry compared to current time">
+    comment="time difference between the last change field of shadow entry and the current time">
     <time_difference format_2="seconds_since_epoch">
-        <variable_component var_ref="var_accounts_password_last_change_time_secs"/>
+      <variable_component var_ref="var_accounts_password_last_change_time_secs"/>
     </time_difference>
   </local_variable>
 
-  <ind:variable_object  id="object_accounts_password_last_change_time_diff" version="1">
-     <ind:var_ref>var_accounts_password_last_change_time_diff</ind:var_ref>
-   </ind:variable_object>
-
-   <ind:variable_state id="state_accounts_password_last_change_time_diff" version="1">
-      <!-- With negative time I actually get very big number so instead
-           of checking greater than zero I am checking if less than 1000 years -->
-     <ind:value datatype="int" operation="less than or equal">86400000</ind:value>
- </ind:variable_state>
-
- <ind:variable_test check="all" check_existence="all_exist"
-                    id="test_accounts_password_last_change_time_secs" version="1"
-                    comment="Check if the password chage time is less than equal than today.">
+  <ind:variable_test id="test_accounts_password_last_change_is_in_past" version="1"
+    check="all" check_existence="all_exist"
+    comment="Check if the password last chage time is less than or equal today.">
     <ind:object object_ref="object_accounts_password_last_change_time_diff"/>
     <ind:state state_ref="state_accounts_password_last_change_time_diff"/>
-   </ind:variable_test>
+  </ind:variable_test>
 
-  <unix:shadow_object id="object_accounts_password_all_chage_in_past" version="1">
-    <unix:username operation="pattern match">.*</unix:username>
-    <filter action="exclude">state_accounts_password_all_chage_past_has_no_password</filter>
-  </unix:shadow_object>
-  <unix:shadow_state id="state_accounts_password_all_chage_past_has_no_password" version="1">
-      <unix:password operation="pattern match">^(!|!!|!\*|\*|!locked)$</unix:password>
-  </unix:shadow_state>
+  <ind:variable_object id="object_accounts_password_last_change_time_diff" version="1">
+    <ind:var_ref>var_accounts_password_last_change_time_diff</ind:var_ref>
+  </ind:variable_object>
+
+  <ind:variable_state id="state_accounts_password_last_change_time_diff" version="1">
+    <!-- With negative time I actually get very big number so instead
+         of checking greater than zero I am checking if less than 1000 years -->
+    <ind:value datatype="int" operation="less than or equal">86400000</ind:value>
+  </ind:variable_state>
 
+  <ind:variable_test id="test_accounts_password_last_change_is_in_past_no_pass" version="1"
+    check="all" check_existence="none_exist"
+    comment="Check the inexistence of users with a password defined">
+    <ind:object object_ref="object_accounts_password_all_chage_in_past"/>
+  </ind:variable_test>
 </def-group>