Merge pull request #14607 from teacup-on-rockingchair/sle16_pco_dss_password_rules_patches

Sle16 pci dss password rules patches

Author: teacup-on-rockingchair

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/bash/shared.sh

@@ -56,7 +56,11 @@ template:
     vars:
       path: /etc/pam.d/common-auth
       type: auth
+      {{% if 'sle' in product %}}
+      control_flag: sufficient
+      {{% else %}}
       control_flag: required
+      {{% endif %}}
       module: pam_unix.so
       arguments:
         - argument: sha512

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/rule.yml

@@ -27,6 +27,7 @@ selections:
     - var_multiple_time_servers=suse
     - var_multiple_time_pools=suse
     - var_accounts_tmout=15_min
+    - var_accounts_passwords_pam_faillock_dir=run
     - audit_rules_enable_syscall_auditing
     - '!ntpd_specify_multiple_servers'
     - '!ntpd_specify_remote_server'
@@ -36,25 +37,20 @@ selections:
     - '!package_libreswan_installed'
     - '!use_pam_wheel_for_su'
     - '!aide_periodic_cron_checking'
-    - '!accounts_password_pam_dcredit'
     - '!accounts_password_pam_pwhistory_remember_system_auth'
     - '!sysctl_kernel_core_pattern'
     - '!configure_firewalld_ports'
     - '!accounts_passwords_pam_tally2'
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!audit_rules_login_events_tallylog'
-    - '!accounts_passwords_pam_faillock_deny'
     - '!file_owner_user_cfg'
-    - '!accounts_passwords_pam_faillock_unlock_time'
     - '!ensure_redhat_gpgkey_installed'
     - '!package_sequoia-sq_installed'
     - '!ensure_almalinux_gpgkey_installed'
     - '!firewalld_loopback_traffic_restricted'
-    - '!accounts_password_pam_lcredit'
     - '!file_group_ownership_var_log_audit'
     - '!package_ftp_removed'
     - '!gnome_gdm_disable_guest_login'
-    - '!accounts_password_pam_minlen'
     - '!no_password_auth_for_systemaccounts'
     - '!file_groupowner_user_cfg'
     - '!ensure_root_password_configured'
@@ -83,3 +79,8 @@ selections:
     - '!set_ipv6_loopback_traffic'
     - '!set_loopback_traffic'
     - '!nftables_ensure_default_deny_policy'
+    - '!cracklib_accounts_password_pam_dcredit'
+    - '!cracklib_accounts_password_pam_lcredit'
+    - '!cracklib_accounts_password_pam_minlen'
+    - '!cracklib_accounts_password_pam_retry'
+    - 'accounts_password_pam_retry'

products/sle16/profiles/pci-dss-4.profile

@@ -854,7 +854,7 @@ fi
     bash_ensure_pam_module_configuration(
     '/etc/pam.d/common-auth',
     'auth',
-    '\[success=1 default=ignore\]',
+    'sufficient',
     'pam_unix.so',
     '',
     '',
@@ -2766,7 +2766,7 @@ This macro creates a Bash conditional which checks the system architecture in /p
 
 
 {{#
-    Set a sshd configuration parameter to a value for system with default configuration in /usr subdir 
+    Set a sshd configuration parameter to a value for system with default configuration in /usr subdir
 
 :parameter parameter: Parameter to set
 :type parameter: str