Use pam_faillock instead of pam_tally for bullseye (#56)

Fix #55 See https://github.com/linux-pam/linux-pam/releases/tag/v1.4.0 pam_tally is deprecated and replaced by pam_faillock Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2025-06-21 18:23:42 +02:00 · 2021-02-17 11:36:58 +01:00
parent fa111bc0d0
commit 1a7dd5893a
2 changed files with 14 additions and 6 deletions
--- a/tests/hardening/5.3.2_enable_lockout_failed_password.sh
+++ b/tests/hardening/5.3.2_enable_lockout_failed_password.sh
@ -13,7 +13,7 @@ test_audit() {

    describe Checking resolved state
    register_test retvalshouldbe 0
-    register_test contain "[ OK ] ^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so is present in /etc/pam.d/common-auth"
-    register_test contain "[ OK ] pam_tally[2]?\.so is present in /etc/pam.d/common-account"
+    register_test contain "[ OK ] ^auth[[:space:]]*required[[:space:]]*pam_((tally[2]?)|(faillock))\.so is present in /etc/pam.d/common-auth"
+    register_test contain "[ OK ] pam_((tally[2]?)|(faillock))\.so is present in /etc/pam.d/common-account"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }