Add support for Password Hardening

tests/passw_hardening/conftest.py

@@ -0,0 +1,69 @@
+import pytest
+import test_passw_hardening
+
+def set_default_passw_hardening_policies(duthosts, enum_rand_one_per_hwsku_hostname):
+    duthost = duthosts[enum_rand_one_per_hwsku_hostname]
+
+    passw_hardening_ob_dis = test_passw_hardening.PasswHardening(state='disabled',
+                                            expiration='100',
+                                            expiration_warning='15',
+                                            history='12',
+                                            len_min='8',
+                                            reject_user_passw_match='true',
+                                            lower_class='true',
+                                            upper_class='true',
+                                            digit_class="true",
+                                            special_class='true')
+
+    test_passw_hardening.config_and_review_policies(duthost, passw_hardening_ob_dis, test_passw_hardening.PAM_PASSWORD_CONF_DEFAULT_EXPECTED)
+
+@pytest.fixture(scope="module", autouse=True)
+def passw_version_required(duthosts, enum_rand_one_per_hwsku_hostname):
+    duthost = duthosts[enum_rand_one_per_hwsku_hostname]
+    if not "master" in duthost.os_version:
+        pytest.skip("Password-hardening supported just in master version")
+
+@pytest.fixture(scope="function")
+def clean_passw_policies(duthosts, enum_rand_one_per_hwsku_hostname):
+    yield
+    set_default_passw_hardening_policies(duthosts, enum_rand_one_per_hwsku_hostname)
+
+@pytest.fixture(scope="function")
+def clean_passw_one_policy_user(duthosts, enum_rand_one_per_hwsku_hostname):
+    yield
+    duthost = duthosts[enum_rand_one_per_hwsku_hostname]
+    res_adduser_simple_0 = test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_ONE_POLICY, mode='del')    
+
+
+@pytest.fixture(scope="function")
+def clean_passw_len_min(duthosts, enum_rand_one_per_hwsku_hostname):
+    yield
+    duthost = duthosts[enum_rand_one_per_hwsku_hostname]
+    test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_LEN_MIN, mode='del')
+    duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_LEN_MIN+':/d /etc/security/opasswd')
+
+@pytest.fixture(scope="function")
+def clean_passw_age(duthosts, enum_rand_one_per_hwsku_hostname):
+    yield
+    duthost = duthosts[enum_rand_one_per_hwsku_hostname]
+    test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_AGE, mode='del')
+    duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_AGE+':/d /etc/security/opasswd')
+
+
+@pytest.fixture(scope="function")
+def clean_passw_en_dis_policies(duthosts, enum_rand_one_per_hwsku_hostname):
+    yield
+    duthost = duthosts[enum_rand_one_per_hwsku_hostname]
+    test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_SIMPLE_0, mode='del')
+    test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_SIMPLE_1, mode='del')
+    test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_STRONG, mode='del')
+    duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_SIMPLE_0+':/d /etc/security/opasswd')
+    duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_SIMPLE_1+':/d /etc/security/opasswd')
+    duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_STRONG+':/d /etc/security/opasswd')
+
+@pytest.fixture(scope="function")
+def clean_passw_history(duthosts, enum_rand_one_per_hwsku_hostname):
+    yield
+    duthost = duthosts[enum_rand_one_per_hwsku_hostname]
+    test_passw_hardening.config_user(duthost=duthost, username=test_passw_hardening.USERNAME_HISTORY, mode='del')
+    duthost.shell('sed -i /^'+test_passw_hardening.USERNAME_HISTORY+':/d /etc/security/opasswd')

tests/passw_hardening/sample/passw_hardening_default/common-password

@@ -0,0 +1,36 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+# The "yescrypt" option enables
+#hashed passwords using the yescrypt algorithm, introduced in Debian
+#11.  Without this option, the default is Unix crypt.  Prior releases
+#used the option "sha512"; if a shadow password hash will be shared
+#between Debian 11 and older releases replace "yescrypt" with "sha512"
+#for compatibility .  The "obscure" option replaces the old
+#`OBSCURE_CHECKS_ENAB' option in login.defs.  See the pam_unix manpage
+#for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+
+
+password    [success=1 default=ignore]    pam_unix.so obscure yescrypt
+# here's the fallback if no module succeeds
+password    requisite            pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password    required            pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config

tests/passw_hardening/sample/passw_hardening_digits/common-password

@@ -0,0 +1,39 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+# The "yescrypt" option enables
+#hashed passwords using the yescrypt algorithm, introduced in Debian
+#11.  Without this option, the default is Unix crypt.  Prior releases
+#used the option "sha512"; if a shadow password hash will be shared
+#between Debian 11 and older releases replace "yescrypt" with "sha512"
+#for compatibility .  The "obscure" option replaces the old
+#`OBSCURE_CHECKS_ENAB' option in login.defs.  See the pam_unix manpage
+#for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+
+password    requisite      pam_cracklib.so retry=3 maxrepeat=0 minlen=1 ucredit=0 lcredit=0 dcredit=-1 ocredit=0  enforce_for_root
+
+password    required       pam_pwhistory.so remember=0 use_authtok enforce_for_root
+
+password    [success=1 default=ignore]    pam_unix.so obscure yescrypt
+# here's the fallback if no module succeeds
+password    requisite            pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password    required            pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config

tests/passw_hardening/sample/passw_hardening_enable/common-password

@@ -0,0 +1,39 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+# The "yescrypt" option enables
+#hashed passwords using the yescrypt algorithm, introduced in Debian
+#11.  Without this option, the default is Unix crypt.  Prior releases
+#used the option "sha512"; if a shadow password hash will be shared
+#between Debian 11 and older releases replace "yescrypt" with "sha512"
+#for compatibility .  The "obscure" option replaces the old
+#`OBSCURE_CHECKS_ENAB' option in login.defs.  See the pam_unix manpage
+#for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+
+password    requisite      pam_cracklib.so retry=3 maxrepeat=0 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 reject_username enforce_for_root
+
+password    required       pam_pwhistory.so remember=12 use_authtok enforce_for_root
+
+password    [success=1 default=ignore]    pam_unix.so obscure yescrypt
+# here's the fallback if no module succeeds
+password    requisite            pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password    required            pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config

tests/passw_hardening/sample/passw_hardening_history/common-password

@@ -0,0 +1,39 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+# The "yescrypt" option enables
+#hashed passwords using the yescrypt algorithm, introduced in Debian
+#11.  Without this option, the default is Unix crypt.  Prior releases
+#used the option "sha512"; if a shadow password hash will be shared
+#between Debian 11 and older releases replace "yescrypt" with "sha512"
+#for compatibility .  The "obscure" option replaces the old
+#`OBSCURE_CHECKS_ENAB' option in login.defs.  See the pam_unix manpage
+#for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+
+password    requisite      pam_cracklib.so retry=3 maxrepeat=0 minlen=1 ucredit=0 lcredit=0 dcredit=-1 ocredit=0  enforce_for_root
+
+password    required       pam_pwhistory.so remember=10 use_authtok enforce_for_root
+
+password    [success=1 default=ignore]    pam_unix.so obscure yescrypt
+# here's the fallback if no module succeeds
+password    requisite            pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password    required            pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config

tests/passw_hardening/sample/passw_hardening_lower_letter/common-password

@@ -0,0 +1,39 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+# The "yescrypt" option enables
+#hashed passwords using the yescrypt algorithm, introduced in Debian
+#11.  Without this option, the default is Unix crypt.  Prior releases
+#used the option "sha512"; if a shadow password hash will be shared
+#between Debian 11 and older releases replace "yescrypt" with "sha512"
+#for compatibility .  The "obscure" option replaces the old
+#`OBSCURE_CHECKS_ENAB' option in login.defs.  See the pam_unix manpage
+#for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+
+password    requisite      pam_cracklib.so retry=3 maxrepeat=0 minlen=1 ucredit=0 lcredit=-1 dcredit=0 ocredit=0  enforce_for_root
+
+password    required       pam_pwhistory.so remember=0 use_authtok enforce_for_root
+
+password    [success=1 default=ignore]    pam_unix.so obscure yescrypt
+# here's the fallback if no module succeeds
+password    requisite            pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password    required            pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config

tests/passw_hardening/sample/passw_hardening_min_len/common-password

@@ -0,0 +1,39 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+# The "yescrypt" option enables
+#hashed passwords using the yescrypt algorithm, introduced in Debian
+#11.  Without this option, the default is Unix crypt.  Prior releases
+#used the option "sha512"; if a shadow password hash will be shared
+#between Debian 11 and older releases replace "yescrypt" with "sha512"
+#for compatibility .  The "obscure" option replaces the old
+#`OBSCURE_CHECKS_ENAB' option in login.defs.  See the pam_unix manpage
+#for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+
+password    requisite      pam_cracklib.so retry=3 maxrepeat=0 minlen=8 ucredit=0 lcredit=0 dcredit=-1 ocredit=0  enforce_for_root
+
+password    required       pam_pwhistory.so remember=1 use_authtok enforce_for_root
+
+password    [success=1 default=ignore]    pam_unix.so obscure yescrypt
+# here's the fallback if no module succeeds
+password    requisite            pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password    required            pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config

tests/passw_hardening/sample/passw_hardening_reject_user_passw_match/common-password

@@ -0,0 +1,39 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+# The "yescrypt" option enables
+#hashed passwords using the yescrypt algorithm, introduced in Debian
+#11.  Without this option, the default is Unix crypt.  Prior releases
+#used the option "sha512"; if a shadow password hash will be shared
+#between Debian 11 and older releases replace "yescrypt" with "sha512"
+#for compatibility .  The "obscure" option replaces the old
+#`OBSCURE_CHECKS_ENAB' option in login.defs.  See the pam_unix manpage
+#for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+
+password    requisite      pam_cracklib.so retry=3 maxrepeat=0 minlen=1 ucredit=0 lcredit=0 dcredit=0 ocredit=0 reject_username enforce_for_root
+
+password    required       pam_pwhistory.so remember=0 use_authtok enforce_for_root
+
+password    [success=1 default=ignore]    pam_unix.so obscure yescrypt
+# here's the fallback if no module succeeds
+password    requisite            pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password    required            pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config

tests/passw_hardening/sample/passw_hardening_special_letter/common-password

@@ -0,0 +1,39 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+# The "yescrypt" option enables
+#hashed passwords using the yescrypt algorithm, introduced in Debian
+#11.  Without this option, the default is Unix crypt.  Prior releases
+#used the option "sha512"; if a shadow password hash will be shared
+#between Debian 11 and older releases replace "yescrypt" with "sha512"
+#for compatibility .  The "obscure" option replaces the old
+#`OBSCURE_CHECKS_ENAB' option in login.defs.  See the pam_unix manpage
+#for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+
+password    requisite      pam_cracklib.so retry=3 maxrepeat=0 minlen=1 ucredit=0 lcredit=0 dcredit=0 ocredit=-1  enforce_for_root
+
+password    required       pam_pwhistory.so remember=0 use_authtok enforce_for_root
+
+password    [success=1 default=ignore]    pam_unix.so obscure yescrypt
+# here's the fallback if no module succeeds
+password    requisite            pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password    required            pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config