Merge pull request #10175 from marcusburghardt/pwhistory_control

Accept required and requisite control flag for pam_pwhistory

controls/cis_rhel8.yml

@@ -2267,7 +2267,7 @@ controls:
     rules:
       - accounts_password_pam_pwhistory_remember_password_auth
       - accounts_password_pam_pwhistory_remember_system_auth
-      - var_password_pam_remember_control_flag=requisite
+      - var_password_pam_remember_control_flag=requisite_or_required
       - var_password_pam_remember=5
 
   - id: 5.5.4

controls/cis_rhel9.yml

@@ -2112,7 +2112,7 @@ controls:
     rules:
       - accounts_password_pam_pwhistory_remember_password_auth
       - accounts_password_pam_pwhistory_remember_system_auth
-      - var_password_pam_remember_control_flag=requisite
+      - var_password_pam_remember_control_flag=requisite_or_required
       - var_password_pam_remember=5
 
   - id: 5.5.4

controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml

@@ -5,7 +5,7 @@ controls:
         title: {{{ full_name }}} must prohibit password reuse for a minimum of five generations.
         rules:
             - var_password_pam_remember=5
-            - var_password_pam_remember_control_flag=requisite
+            - var_password_pam_remember_control_flag=requisite_or_required
             - accounts_password_pam_pwhistory_remember_password_auth
             - accounts_password_pam_pwhistory_remember_system_auth
         status: automated

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml

@@ -129,3 +129,7 @@ warnings:
        Newer versions of <tt>authselect</tt> contain an authselect feature to easily and properly
        enable <tt>pam_pwhistory.so</tt> module. If this feature is not yet available in your
        system, an authselect custom profile must be used to avoid integrity issues in PAM files.
+       If a custom profile was created and used in the system before this authselect feature was
+       available, the new feature can't be used with this custom profile and the
+       remediation will fail. In this case, the custom profile should be recreated or manually
+       updated.

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var

@@ -20,4 +20,5 @@ options:
     "sufficient": "sufficient"
     "binding": "binding"
     "ol8": "required,requisite"
+    "requisite_or_required": "requisite,required"
     default: "requisite"

products/rhel8/profiles/stig.profile

@@ -37,7 +37,7 @@ selections:
     - var_accounts_minimum_age_login_defs=1
     - var_accounts_max_concurrent_login_sessions=10
     - var_password_pam_remember=5
-    - var_password_pam_remember_control_flag=requisite
+    - var_password_pam_remember_control_flag=requisite_or_required
     - var_selinux_state=enforcing
     - var_selinux_policy_name=targeted
     - var_password_pam_unix_rounds=5000

tests/data/profile_stability/rhel8/stig.profile

@@ -435,7 +435,7 @@ selections:
 - var_accounts_minimum_age_login_defs=1
 - var_accounts_max_concurrent_login_sessions=10
 - var_password_pam_remember=5
-- var_password_pam_remember_control_flag=requisite
+- var_password_pam_remember_control_flag=requisite_or_required
 - var_selinux_state=enforcing
 - var_selinux_policy_name=targeted
 - var_password_pam_unix_rounds=5000

tests/data/profile_stability/rhel8/stig_gui.profile

@@ -443,7 +443,7 @@ selections:
 - var_accounts_minimum_age_login_defs=1
 - var_accounts_max_concurrent_login_sessions=10
 - var_password_pam_remember=5
-- var_password_pam_remember_control_flag=requisite
+- var_password_pam_remember_control_flag=requisite_or_required
 - var_selinux_state=enforcing
 - var_selinux_policy_name=targeted
 - var_password_pam_unix_rounds=5000