Changes to AUTH-9286 to check for minimum age as well

2015-10-27 12:42:41 +01:00 · 2015-10-27 12:42:41 +01:00 · 7b3299fcb9
parent 7afc82a8aa
commit 7b3299fcb9
2 changed files with 25 additions and 5 deletions
--- a/include/consts
+++ b/include/consts
@ -110,6 +110,8 @@ unset LANG
    OS=""; OS_MODE=""
    OS_REDHAT_OR_CLONE=0
    OSIRISBINARY=""
+    PASSWORD_MAXIMUM_DAYS=-1
+    PASSWORD_MINIMUM_DAYS=-1
    PAM_2F_AUTH_ENABLED=0
    PAM_2F_AUTH_REQUIRED=0
    PAM_AUTH_BRUTE_FORCE_PROTECTION=0
--- a/include/tests_authentication
+++ b/include/tests_authentication
@ -663,20 +663,36 @@
 #
    # Test        : AUTH-9286
    # Description : Check user password aging
+    # Notes       : MIN = minimum age, avoid rotation of passwords too quickly
+    #             : MAX = maximum age, ensure regular change of passwords
    if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking user password aging"
    if [ ${SKIPTEST} -eq 0 ]; then
+        logtext "Test: Checking PASS_MIN_DAYS option in /etc/login.defs "
+        FIND=`grep "^PASS_MIN_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MIN_DAYS") { print $2 } }'`
+        if [ "${FIND}" = "" -o "${FIND}" = "0" ]; then
+            logtext "Result: password minimum age is not configured"
+            Display --indent 2 --text "- Checking user password aging (minimum)" --result DISABLED --color YELLOW
+            ReportSuggestion ${TEST_NO} "Configure minimum password age in /etc/login.defs"
+            AddHP 0 1
+          else
+            logtext "Result: password needs to be at least ${FIND} days old"
+            PASSWORD_MINIMUM_DAYS=${FIND}
+            Display --indent 2 --text "- Checking user password aging (minimum)" --result CONFIGURED --color GREEN
+            AddHP 3 3
+        fi
+
        logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
        FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
        if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
            logtext "Result: password aging limits are not configured"
-            Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW
-            ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base"
+            Display --indent 2 --text "- Checking user password aging (maximum)" --result DISABLED --color YELLOW
+            ReportSuggestion ${TEST_NO} "Configure maximum password age in /etc/login.defs"
            AddHP 0 1
          else
-            logtext "Result: accounts with password aging set are checked against PASS_MAX_DAYS"
-            logtext "Result: value of PASS_MAX_DAYS is ${FIND}"
-            Display --indent 2 --text "- Checking user password aging" --result OK --color GREEN
+            logtext "Result: max password age is ${FIND} days"
+            PASSWORD_MAXIMUM_DAYS=${FIND}
+            Display --indent 2 --text "- Checking user password aging (maximum)" --result CONFIGURED --color GREEN
            AddHP 3 3
        fi
    fi
@ -1144,6 +1160,8 @@ report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
 if [ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]; then
    report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"
 fi
+report "password_min_days=${PASSWORD_MINIMUM_DAYS}"
+report "password_max_days=${PASSWORD_MAXIMUM_DAYS}"

 wait_for_keypress