Re: [Audit-test-developer] [PATCH] Fix nonexistent faillock on SUSE

[Jiri J. <jja...@re...>]

On 03/26/2015 10:26 AM, Miroslav Vadkerti wrote:
> 
> There will be more places in the suite where you will hit faillock [1]. Would it be possible to
> follow up with this patch and fix the remaining stuff also please?
> 
> Also we prefer sticking to sh compatibility if possible, would you mind replacing command for
> which?

Also if the syntax of if/fi seems too stretched out, feel free to use
ie.
    which faillock >/dev/null && faillock --user "$TEST_USER" --reset

> 
> [1] $ grep -R faillock .
> ./audit-test/crypto/tests/test_ssh_multi.bash:# clear faillock at cleanup
> ./audit-test/crypto/tests/test_ssh_multi.bash:prepend_cleanup "faillock --reset --user $TEST_USER"
> ./audit-test/crypto/tests/test_ssh_multi.bash:prepend_cleanup "faillock --reset --user $TEST_ADMIN"
> ./audit-test/crypto/tests/test_ssh_multi.bash:# clear faillock for $TEST_USER
> ./audit-test/crypto/tests/test_ssh_multi.bash:faillock --reset --user $TEST_USER
> ./audit-test/libpam/run.conf:    + pamfaillock_lock
> ./audit-test/libpam/run.conf:    + pamfaillock_unlock
> ./audit-test/libpam/tests/test_pamfaillock_lock.bash:# Verify pam_faillock will lock an account
> ./audit-test/libpam/tests/test_pamfaillock_lock.bash:# make sure faillock is reset for TEST_USER
> ./audit-test/libpam/tests/test_pamfaillock_lock.bash:/sbin/faillock --user $TEST_USER --reset >
> /dev/null || exit_error
> ./audit-test/libpam/tests/test_pamfaillock_lock.bash:grep -q pam_faillock /etc/pam.d/sshd || grep
> -q pam_faillock /etc/pam.d/password-auth || exit_error
> ./audit-test/libpam/tests/test_pamfaillock_lock.bash:# Unlike pam_tally2, faillock doesn't have a
> --reset=n option that lets us
> ./audit-test/libpam/tests/test_pamfaillock_lock.bash:msg_1="pam_faillock
> uid=$tuid.*exe=./usr/sbin/sshd.*res=success.*"
> ./audit-test/libpam/tests/test_pamfaillock_lock.bash:/sbin/faillock --user $TEST_USER --reset >
> /dev/null || exit_error
> ./audit-test/libpam/tests/test_pamfaillock_unlock.bash:# Verify pam_faillock will unlock an account
> ./audit-test/libpam/tests/test_pamfaillock_unlock.bash:grep -q pam_faillock /etc/pam.d/sshd ||
> grep -q pam_faillock /etc/pam.d/password-auth || exit_error
> ./audit-test/libpam/tests/test_pamfaillock_unlock.bash:# Unlike pam_tally2, faillock doesn't have
> a --reset=n option that lets us
> ./audit-test/libpam/tests/test_pamfaillock_unlock.bash:/sbin/faillock --user $TEST_USER --reset >
> /dev/null || exit_error
> ./audit-test/libpam/tests/test_pamfaillock_unlock.bash:msg_1="faillock reset
> uid=$tuid.*exe=./sbin/faillock.*res=success.*"

The faillock tests probably don't need command-level disablement, if
the tests are not suitable for SuSE, please exclude them in run.conf
of the given bucket (libpam) based on $DISTRO (see rules.mk).

> ./audit-test/trustedprograms/tests/utils.plib:  `faillock --user '$username' --reset`;
> ./audit-test/trustedprograms/tests/utils.plib:  `faillock --user '$username' --reset`;
> ./audit-test/trustedprograms/tests/utils.plib:  `faillock --user '$username' --reset`;
> ./audit-test/trustedprograms/tests/utils.plib:  `faillock --user '$username' --reset`;
> ./audit-test/trustedprograms/tests/utils.plib:  `faillock --user '$username' --reset`;
> ./audit-test/utils/envcheck:    check "[ -z \"$(faillock | grep -v '^\([^ ]*:\|When\)')\" ]" 0 \
> ./audit-test/utils/run.bash:    faillock --user "$TEST_USER" --reset
> ./audit-test/utils/run.bash:    faillock --user "$TEST_ADMIN" --reset
> 

Thanks,
Jiri