add testcases for PAM

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2024-11-10 09:14:18 +00:00 · 2021-02-22 15:42:13 +01:00 · 2021-02-22 15:42:13 +01:00 · 23071a183c
commit 23071a183c
parent dba53718cf
3 changed files with 42 additions and 0 deletions
--- a/molecule/os_hardening/converge.yml
+++ b/molecule/os_hardening/converge.yml
@ -15,6 +15,8 @@
    os_security_kernel_enable_core_dump: true
    os_security_suid_sgid_remove_from_unknown: true
    os_auth_pam_passwdqc_enable: false
+    os_auth_retries: 2
+    os_auth_lockout_time: 15
    os_desktop_enable: true
    os_env_extra_user_paths: ['/home']
    os_auth_allow_homeless: true
--- a/molecule/os_hardening/verify.yml
+++ b/molecule/os_hardening/verify.yml
@ -70,3 +70,7 @@
      shell:
        cmd: "grep '027 #override' /etc/login.defs"
      changed_when: false
+
+    - name: include PAM tests
+      include: verify_pam.yml
+      when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'
--- a/molecule/os_hardening/verify_pam.yml
+++ b/molecule/os_hardening/verify_pam.yml
@ -0,0 +1,36 @@
+---
+- name: download pam-tester
+  get_url:
+    url: https://github.com/schurzi/pam-tester/releases/download/latest/pam-tester
+    dest: /bin/pam-tester
+    mode: 0555
+
+- name: set password for test
+  set_fact:
+    test_pw: "myTest!pw"
+
+- name: create testuser
+  user:
+    name: testuser
+    password: "{{ test_pw | password_hash('sha512') }}"
+
+- name: check successfull login with correct password
+  shell:
+    cmd: "pam-tester --user testuser --password {{ test_pw }}"
+
+- name: check unsuccessfull login with incorrect password
+  shell:
+    cmd: "pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
+  with_sequence: count=3
+
+- name: check ussuccessfull login, with orrect password (lockout)
+  shell:
+    cmd: "pam-tester --user testuser --password {{ test_pw }} --expectfail"
+
+- name: wait for account to unlock
+  pause:
+    seconds: 20
+
+- name: check successfull login
+  shell:
+    cmd: "pam-tester --user testuser --password {{ test_pw }}"