Introduce new rule authconfig_config_files_symlinks #10129

Conversation

freddieRv
Contributor

@freddieRv freddieRv commented Jan 27, 2023

Description:

  • This new rule covers the DISA STIG requirement OL07-00-010199.
  • Add OVAL checks and a few tests for this new rule.
  • Also include this rule in OL7 and RHEL7 stig profiles.

Rationale:

  • OL7/RHEL7 STIG efforts. This requirement was added to the OL7 DISA STIG in the v2r10 revision and RHEL7 DISA STIG v3r10 one.

Review Hints:

  • Here is the fix text from DISA:
Rename the existing configuration files (skip this step if symbolic links are already present):
     $ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
     $ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac

Create custom system-auth configuration file:
     $ sudo vi /etc/pam.d/system-auth-local

The new file, at minimum, must contain the following lines:

auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
auth        include       system-auth-ac
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900

account     required      pam_faillock.so
account     include       system-auth-ac

password    requisite     pam_pwhistory.so use_authtok remember=5 retry=3
password    include       system-auth-ac
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok

session     include       system-auth-ac

Create custom password-auth configuration file:
     $ sudo vi /etc/pam.d/password-auth-local

The new file, at minimum, must contain the following lines:

auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
auth        include       password-auth-ac
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900

account     required      pam_faillock.so
account     include       password-auth-ac

password    requisite     pam_pwhistory.so use_authtok remember=5 retry=3
password    include       password-auth-ac
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok

session     include       password-auth-ac

Create new or move existing symbolic links to the new custom configuration files:
     $ sudo ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth
     $ sudo ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth

Once finished, the file structure should be the following:
    $ sudo ls -1 /etc/pam.d/{password,system}-auth*

    /etc/pam.d/password-auth
    /etc/pam.d/password-auth-ac
    /etc/pam.d/password-auth-local
    /etc/pam.d/system-auth
    /etc/pam.d/system-auth-ac
    /etc/pam.d/system-auth-local
  • While the introduced OVAL content does check what the DISA requirement states, I would like to discuss the feasibility of automated remediations. I think the tricky part is to make sure that the -local files properly include the -ac ones.
  • Also, I believe remediating this requirement would not impact the currently available remediations which edit PAM files.
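
The layout that the DISA fix text above describes, as an audit-only shell check (added example; this is not the PR's OVAL content and not ComplianceAsCode code). The pam.d directory is passed as a parameter and the fixture builder is an assumption, so it runs against a constructed copy rather than /etc/pam.d; it also verifies the point raised above, that each -local file includes its -ac file in every management group.

```shell
#!/bin/sh
# Added example, not part of this PR or of ComplianceAsCode. Audit-only check
# for the layout in the DISA fix text: <base> is a symlink to <base>-local,
# <base>-ac is a regular file, and <base>-local includes <base>-ac in every
# PAM management group. The directory is a parameter (assumption) so the
# check can run against a constructed copy instead of /etc/pam.d.

check_authconfig_symlinks() {
    pamdir=$1
    rc=0
    for base in system-auth password-auth; do
        link="$pamdir/$base"
        if [ ! -L "$link" ]; then
            echo "FAIL: $link is not a symbolic link"; rc=1; continue
        fi
        if [ "$(readlink -f "$link")" != "$(readlink -f "$pamdir/$base-local")" ]; then
            echo "FAIL: $link does not point to $base-local"; rc=1
        fi
        if [ -L "$pamdir/$base-ac" ] || [ ! -f "$pamdir/$base-ac" ]; then
            echo "FAIL: $pamdir/$base-ac is missing or is itself a symlink"; rc=1
        fi
        # Without these include lines the authconfig-managed -ac stack is
        # silently dropped, which is the concern raised in the PR description.
        for mgmt in auth account password session; do
            if ! grep -Eq "^[[:space:]]*$mgmt[[:space:]]+include[[:space:]]+$base-ac([[:space:]]|\$)" \
                    "$pamdir/$base-local" 2>/dev/null; then
                echo "FAIL: $pamdir/$base-local lacks '$mgmt include $base-ac'"; rc=1
            fi
        done
    done
    return $rc
}

# Constructed fixture (assumption): a compliant layout in a temporary directory,
# with minimal -ac stacks standing in for the authconfig-generated ones.
make_compliant_fixture() {
    d=$(mktemp -d)
    for base in system-auth password-auth; do
        printf 'auth        required      pam_unix.so\n' > "$d/$base-ac"
        for mgmt in auth account password session; do
            printf '%-12sinclude       %s-ac\n' "$mgmt" "$base" >> "$d/$base-local"
        done
        ln -sf "$d/$base-local" "$d/$base"
    done
    echo "$d"
}
```

Running `check_authconfig_symlinks /etc/pam.d` on a real host reports each deviation from the expected structure and exits non-zero, without modifying anything.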

@freddieRv freddieRv requested a review from a team as a code owner January 27, 2023 02:17
@marcusburghardt marcusburghardt added Oracle Linux Oracle Linux product related. New Rule Issues or pull requests related to new Rules. STIG STIG Benchmark related. labels Jan 28, 2023
@marcusburghardt marcusburghardt added this to the 0.1.67 milestone Jan 28, 2023
@marcusburghardt marcusburghardt self-assigned this Jan 30, 2023
Member

@marcusburghardt marcusburghardt left a comment

Regarding the remediation, I believe it is too risky an automation with so many changes in PAM. PAM files are very sensitive to ordering, and custom PAM files could easily make it impossible to safely find the correct patterns.

My suggestion would be to skip the remediation for this rule and include a warning in the rule.yml informing that this remediation should be carefully and manually done by the administration, in alignment with the site policy.

@freddieRv freddieRv force-pushed the authconfig-config-files-symlinks branch from 0fe1da6 to f49d1ed Compare January 31, 2023 22:28
@freddieRv freddieRv requested a review from a team as a code owner January 31, 2023 22:28
@marcusburghardt
Member

FYI @yuumasato

This new rule covers the DISA STIG requirement
OL07-00-010199.

Add OVAL checks and a few tests for this new rule.

Also include this rule in OL7 stig profile.

Signed-off-by: Federico Ramirez <[email protected]>

Add a warning about the missing remediations to the
authconfig_config_files_symlinks rule.

Also update both YAML and OVAL files to avoid
lines longer than 99 characters whenever possible

Signed-off-by: Federico Ramirez <[email protected]>
@freddieRv freddieRv force-pushed the authconfig-config-files-symlinks branch from f49d1ed to 3728a7a Compare February 3, 2023 00:25
@openshift-ci

openshift-ci bot commented Feb 3, 2023

@freddieRv: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: ci/prow/e2e-aws-rhcos4-high
Commit: 3728a7a
Required: true
Rerun command: /test e2e-aws-rhcos4-high


@codeclimate

codeclimate bot commented Feb 3, 2023

Code Climate has analyzed commit 3728a7a and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 49.5% (0.0% change).


Member

@marcusburghardt marcusburghardt left a comment

LGTM. Thanks @freddieRv

@marcusburghardt
Member

Automatus CS8 and Automatus CS9 are failing because the rule prodtype is limited to ol7 and rhel7.

@marcusburghardt
Member

I am overriding the CODEOWNERS file as @freddieRv cannot merge this PR.

@marcusburghardt marcusburghardt merged commit 9bea722 into ComplianceAsCode:master Feb 3, 2023
@vojtapolasek
Collaborator

@freddieRv Hello, would you please move this rule into a different group? I think it belongs more into "accounts" than "auditing".

@yuumasato yuumasato added the RHEL7 Red Hat Enterprise Linux 7 product related. label Feb 7, 2023