Changes to AUTH-9286 to check for minimum age as well

include/consts

@@ -110,6 +110,8 @@ unset LANG
     OS=""; OS_MODE=""
     OS_REDHAT_OR_CLONE=0
     OSIRISBINARY=""
+    PASSWORD_MAXIMUM_DAYS=-1
+    PASSWORD_MINIMUM_DAYS=-1
     PAM_2F_AUTH_ENABLED=0
     PAM_2F_AUTH_REQUIRED=0
     PAM_AUTH_BRUTE_FORCE_PROTECTION=0

include/tests_authentication

@@ -663,20 +663,36 @@
 #
     # Test        : AUTH-9286
     # Description : Check user password aging
+    # Notes       : MIN = minimum age, avoid rotation of passwords too quickly
+    #             : MAX = maximum age, ensure regular change of passwords
     if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking user password aging"
     if [ ${SKIPTEST} -eq 0 ]; then
+        logtext "Test: Checking PASS_MIN_DAYS option in /etc/login.defs "
+        FIND=`grep "^PASS_MIN_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MIN_DAYS") { print $2 } }'`
+        if [ "${FIND}" = "" -o "${FIND}" = "0" ]; then
+            logtext "Result: password minimum age is not configured"
+            Display --indent 2 --text "- Checking user password aging (minimum)" --result DISABLED --color YELLOW
+            ReportSuggestion ${TEST_NO} "Configure minimum password age in /etc/login.defs"
+            AddHP 0 1
+          else
+            logtext "Result: password needs to be at least ${FIND} days old"
+            PASSWORD_MINIMUM_DAYS=${FIND}
+            Display --indent 2 --text "- Checking user password aging (minimum)" --result CONFIGURED --color GREEN
+            AddHP 3 3
+        fi
+
         logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
         FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
         if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
             logtext "Result: password aging limits are not configured"
-            Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW
-            ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base"
+            Display --indent 2 --text "- Checking user password aging (maximum)" --result DISABLED --color YELLOW
+            ReportSuggestion ${TEST_NO} "Configure maximum password age in /etc/login.defs"
             AddHP 0 1
           else
-            logtext "Result: accounts with password aging set are checked against PASS_MAX_DAYS"
-            logtext "Result: value of PASS_MAX_DAYS is ${FIND}"
-            Display --indent 2 --text "- Checking user password aging" --result OK --color GREEN
+            logtext "Result: max password age is ${FIND} days"
+            PASSWORD_MAXIMUM_DAYS=${FIND}
+            Display --indent 2 --text "- Checking user password aging (maximum)" --result CONFIGURED --color GREEN
             AddHP 3 3
         fi
     fi
@@ -1144,6 +1160,8 @@ report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
 if [ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]; then
     report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"
 fi
+report "password_min_days=${PASSWORD_MINIMUM_DAYS}"
+report "password_max_days=${PASSWORD_MAXIMUM_DAYS}"
 
 wait_for_keypress