Enable ansible macro for faillock #13363

Open
wants to merge 15 commits into
base: master

Contributor

@alanmcanonical alanmcanonical commented Apr 18, 2025

Description:

  • Enable ansible macro for faillock for Ubuntu
  • Use macro ansible_pam_faillock_parameter_value and bash_pam_faillock_parameter_value for rule accounts_passwords_pam_faillock_silent
  • Append authsucc to pam_faillock.so authfail in both ansible and bash macro
  • In oval, allow requisite control type pass
  • Fix faillock_silent tests for Ubuntu using pam-auth-update

Rationale:

  • Be more consistent with other faillock rules
  • Append authsucc:

here (oval belongs to the faillock_silent rule)

<value>^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc</value>
and here (for reference)
<value>^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc</value>

all match the authsucc at the end of the regex
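
Why the remediations have to emit the `authsucc` line, shown by running the quoted pattern over constructed auth stacks. This is an added example, not code from the PR or from the ComplianceAsCode project; the sample PAM lines and the helper names are assumptions, as is evaluating the pattern with `^` matching at every line start.

```python
import re

# Stages of the auth stack, split out of the <value> pattern quoted in the PR
# description; joined with [\s\S]* they reproduce that pattern exactly.
STAGES = [
    ("preauth", r"^\s*auth\s+required\s+pam_faillock\.so.*preauth.*"),
    ("pam_unix", r"^\s*auth.*pam_unix\.so"),
    ("authfail", r"^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail"),
    ("authsucc", r"^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc"),
]
OVAL_PATTERN = r"[\s\S]*".join(rx for _, rx in STAGES)

# Assumption: the scanner evaluates the pattern over the whole file with '^'
# matching at each line start, which re.MULTILINE reproduces here.
FULL_RE = re.compile(OVAL_PATTERN, re.MULTILINE)
STAGE_RES = [(name, re.compile(rx, re.MULTILINE)) for name, rx in STAGES]


def matches_oval(text):
    """True when the whole quoted pattern matches the file content."""
    return FULL_RE.search(text) is not None


def first_missing_stage(text):
    """Name of the first stage that cannot be found in order, or None."""
    pos = 0
    for name, rx in STAGE_RES:
        m = rx.search(text, pos)
        if m is None:
            return name
        pos = m.end()  # the next stage must start after this one
    return None


# Constructed PAM lines (hypothetical, not taken from a real system).
PREAUTH = "auth    required                    pam_faillock.so preauth silent\n"
UNIX = "auth    [success=1 default=ignore]  pam_unix.so nullok\n"
AUTHFAIL = "auth    [default=die]               pam_faillock.so authfail\n"
AUTHSUCC = "auth    sufficient                  pam_faillock.so authsucc\n"

SAMPLES = {
    # Full stack in the order the pattern expects.
    "complete": PREAUTH + UNIX + AUTHFAIL + AUTHSUCC,
    # Remediation that stops after authfail: the check cannot pass.
    "no_authsucc": PREAUTH + UNIX + AUTHFAIL,
    # The quoted pattern accepts only 'required' on the preauth line.
    "requisite_preauth": PREAUTH.replace("required", "requisite")
    + UNIX + AUTHFAIL + AUTHSUCC,
    # All four lines present, but authsucc sits before pam_unix.
    "authsucc_too_early": PREAUTH + AUTHSUCC + UNIX + AUTHFAIL,
}


def report():
    """Map each sample name to (pattern matched, first missing stage)."""
    return {
        name: (matches_oval(text), first_missing_stage(text))
        for name, text in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (ok, missing) in report().items():
        print(f"{name:20} match={ok!s:5} missing={missing}")
```
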

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Apr 18, 2025
openshift-ci bot commented Apr 18, 2025

Hi @alanmcanonical. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

github-actions bot commented Apr 18, 2025

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
@@ -93,8 +93,8 @@
 else
     for pam_file in "${AUTH_FILES[@]}"
     do
-        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*audit' "$pam_file"; then
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ audit/' "$pam_file"
+        if ! grep -qE '^\s*auth.*pam_faillock\.so\s+(preauth|authfail).*audit' "$pam_file"; then
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*/ s/$/ audit/' "$pam_file"
         fi
     done
 fi
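
Review bot: the guard on the first `+` line treats any `audit` substring after `preauth` or `authfail` as the option being set, so a line whose other arguments merely contain that text (for example a `dir=` path with `audit` in it) skips the `sed` and the option is never added. Match it as a whole word, e.g. `(preauth|authfail)\b.*\baudit\b`.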

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
@@ -95,8 +95,8 @@
 else
     for pam_file in "${AUTH_FILES[@]}"
     do
-        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*audit' "$pam_file"; then
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ audit/' "$pam_file"
+        if ! grep -qE '^\s*auth.*pam_faillock\.so\s+(preauth|authfail).*audit' "$pam_file"; then
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*/ s/$/ audit/' "$pam_file"
         fi
     done
 fi
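
Review bot: the two `+` lines disagree about leading whitespace: the `grep` guard accepts `^\s*auth` but the `sed` address starts at `^auth`, so an indented `pam_faillock.so preauth` line without `audit` enters the branch and is then left unchanged. Use `^\s*auth` in the `sed` address as well, so that what the guard inspects and what the edit touches are the same set of lines.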

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -100,12 +100,12 @@
 else
     for pam_file in "${AUTH_FILES[@]}"
     do
-        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' "$pam_file"; then
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
+        if ! grep -qE '^\s*auth.*pam_faillock\.so\s+(preauth|authfail).*deny' "$pam_file"; then
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
             sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
         else
-            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
-            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
+            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*\)\('"deny"'=\)\S\+\b\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
+            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"deny"'=\)\S\+\b\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
         fi
     done
 fi
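
Review bot: the guard `(preauth|authfail).*deny` also matches `even_deny_root`, so a line that carries `even_deny_root` but no `deny=` takes the `else` branch, where both substitutions look for `deny=` and change nothing. Test for `\bdeny=` in the guard so that a missing `deny` always reaches the append branch.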

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
@@ -95,8 +95,8 @@
 else
     for pam_file in "${AUTH_FILES[@]}"
     do
-        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root' "$pam_file"; then
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ even_deny_root/' "$pam_file"
+        if ! grep -qE '^\s*auth.*pam_faillock\.so\s+(preauth|authfail).*even_deny_root' "$pam_file"; then
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*/ s/$/ even_deny_root/' "$pam_file"
             sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ even_deny_root/' "$pam_file"
         fi
     done
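
Review bot: both `sed` addresses still require the `required` control, while the PR description says the OVAL now lets a `requisite` control pass. If that applies to this rule, a stack that uses `requisite` and lacks `even_deny_root` enters the `if` branch, neither `sed` matches, and the file stays non-compliant with no error. Either accept both controls in the address, e.g. `\(required\|requisite\)`, or report that nothing was changed.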

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
@@ -100,12 +100,12 @@
 else
     for pam_file in "${AUTH_FILES[@]}"
     do
-        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*dir' "$pam_file"; then
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ dir='"$var_accounts_passwords_pam_faillock_dir"'/' "$pam_file"
+        if ! grep -qE '^\s*auth.*pam_faillock\.so\s+(preauth|authfail).*dir' "$pam_file"; then
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*/ s/$/ dir='"$var_accounts_passwords_pam_faillock_dir"'/' "$pam_file"
             sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ dir='"$var_accounts_passwords_pam_faillock_dir"'/' "$pam_file"
         else
-            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_dir"'\3/' "$pam_file"
-            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_dir"'\3/' "$pam_file"
+            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*\)\('"dir"'=\)\S\+\b\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_dir"'\3/' "$pam_file"
+            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"dir"'=\)\S\+\b\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_dir"'\3/' "$pam_file"
         fi
     done
 fi
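
Review bot: `$var_accounts_passwords_pam_faillock_dir` is spliced into `sed` expressions that use `/` as the `s` delimiter, and a directory value will normally contain `/`; unless the variable is escaped before this point, every `sed` in the hunk fails to parse. Use a delimiter that cannot occur in the value, or escape the value first. Separately, `\S\+\b` stops before a trailing `/` in the old value, which leaves a stray `/` after the replacement.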

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
@@ -95,8 +95,8 @@
 else
     for pam_file in "${AUTH_FILES[@]}"
     do
-        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*local_users_only' "$pam_file"; then
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ local_users_only/' "$pam_file"
+        if ! grep -qE '^\s*auth.*pam_faillock\.so\s+(preauth|authfail).*local_users_only' "$pam_file"; then
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*/ s/$/ local_users_only/' "$pam_file"
             sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ local_users_only/' "$pam_file"
         fi
     done
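
Review bot: the guard passes as soon as either the `preauth` or the `authfail` line has `local_users_only`, yet the branch it protects appends to both lines, so a file where only one of the two lines has the option is treated as already remediated. Check the two lines separately and append to whichever one lacks the option.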

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
@@ -100,12 +100,12 @@
 else
     for pam_file in "${AUTH_FILES[@]}"
     do
-        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*fail_interval' "$pam_file"; then
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
+        if ! grep -qE '^\s*auth.*pam_faillock\.so\s+(preauth|authfail).*fail_interval' "$pam_file"; then
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
             sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
         else
-            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file"
-            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file"
+            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*\)\('"fail_interval"'=\)\S\+\b\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file"
+            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"fail_interval"'=\)\S\+\b\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file"
         fi
     done
 fi

OVAL for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent' differs.
--- oval:ssg-accounts_passwords_pam_faillock_silent:def:1
+++ oval:ssg-accounts_passwords_pam_faillock_silent:def:1
@@ -2,6 +2,7 @@
 criteria AND
 criterion oval:ssg-test_pam_faillock_silent_parameter_system_auth:tst:1
 criterion oval:ssg-test_pam_faillock_silent_parameter_password_auth:tst:1
+criterion oval:ssg-test_pam_faillock_silent_parameter_no_faillock_conf:tst:1
 criteria AND
 criterion oval:ssg-test_pam_faillock_silent_parameter_no_pamd_system:tst:1
 criterion oval:ssg-test_pam_faillock_silent_parameter_no_pamd_password:tst:1
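
Review bot: `test_pam_faillock_silent_parameter_no_faillock_conf` is added to the first `criteria AND` group with no comment on what it asserts, and the name reads as a negative check on `faillock.conf` placed next to the two positive PAM-file tests. Add a comment to the definition stating the intended condition, since this changes when the PAM-file branch can pass.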

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent
@@ -28,20 +28,75 @@
 
 fi
 
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+SKIP_FAILLOCK_CHECK=false
 
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
 FAILLOCK_CONF="/etc/security/faillock.conf"
-if [ -f $FAILLOCK_CONF ]; then
+if [ -f $FAILLOCK_CONF ] || [ "$SKIP_FAILLOCK_CHECK" = "true" ]; then
     regex="^\s*silent"
     line="silent"
     if ! grep -q $regex $FAILLOCK_CONF; then
         echo $line >> $FAILLOCK_CONF
     fi
+    
+    for pam_file in "${AUTH_FILES[@]}"
+    do
+        if [ -e "$pam_file" ] ; then
+            PAM_FILE_PATH="$pam_file"
+            if [ -f /usr/bin/authselect ]; then
+                
+                if ! authselect check; then
+                echo "
+                authselect integrity check failed. Remediation aborted!
+                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+                It is not recommended to manually edit the PAM files when authselect tool is available.
+                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+                exit 1
+                fi
+
+                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
+                # If not already in use, a custom profile is created preserving the enabled features.
+                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
+                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
+                    # The "local" profile does not contain essential security features required by multiple Benchmarks.
+                    # If currently used, it is replaced by "sssd", which is the best option in this case.
+                    if [[ $CURRENT_PROFILE == local ]]; then
+                        CURRENT_PROFILE="sssd"
+                    fi
+                    authselect create-profile hardening -b $CURRENT_PROFILE
+                    CURRENT_PROFILE="custom/hardening"
+                    
+                    authselect apply-changes -b --backup=before-hardening-custom-profile
+                    authselect select $CURRENT_PROFILE
+                    for feature in $ENABLED_FEATURES; do
+                        authselect enable-feature $feature;
+                    done
+                    
+                    authselect apply-changes -b --backup=after-hardening-custom-profile
+                fi
+                PAM_FILE_NAME=$(basename "$pam_file")
+                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
+
+                authselect apply-changes -b
+            fi
+            
+        if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\bsilent\b" "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\bsilent\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
+        fi
+            if [ -f /usr/bin/authselect ]; then
+                
+                authselect apply-changes -b
+            fi
+        else
+            echo "$pam_file was not found" >&2
+        fi
+    done
+    
 else
     for pam_file in "${AUTH_FILES[@]}"
     do
-        if ! grep -qE '^\s*auth.*pam_faillock\.so\s*preauth.*silent' "$pam_file"; then
-            sed -i --follow-symlinks '/^\s*auth.*pam_faillock\.so.*preauth/ s/$/ silent/' "$pam_file"
+        if ! grep -qE '^\s*auth.*pam_faillock\.so\s+(preauth|authfail).*silent' "$pam_file"; then
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*/ s/$/ silent/' "$pam_file"
         fi
     done
 fi
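
Review bot: `SKIP_FAILLOCK_CHECK` is assigned `false` a few lines before the only place it is read, so `|| [ "$SKIP_FAILLOCK_CHECK" = "true" ]` can never be true; if it ever were, `grep -q $regex $FAILLOCK_CONF` would be reading a file that does not exist. Drop the flag from the generated script or document who sets it. In the same block, quote `$regex` and `$FAILLOCK_CONF`, and indent the `if grep -qP` block to match the surrounding `if [ -e "$pam_file" ]` body.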

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
@@ -100,12 +100,12 @@
 else
     for pam_file in "${AUTH_FILES[@]}"
     do
-        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*unlock_time' "$pam_file"; then
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
+        if ! grep -qE '^\s*auth.*pam_faillock\.so\s+(preauth|authfail).*unlock_time' "$pam_file"; then
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
             sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
         else
-            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
-            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
+            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*\)\('"unlock_time"'=\)\S\+\b\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
+            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"unlock_time"'=\)\S\+\b\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
         fi
     done
 fi

Mab879
Mab879 previously requested changes Apr 18, 2025
Member

@Mab879 Mab879 left a comment

Thanks for the PR.

I have a few suggestions based on the project style guide.

@alanmcanonical
Contributor Author

@Mab879 Done. Thanks for the advice.

@alanmcanonical
Contributor Author

For the failed rhel8, I checked against the master branch with

python3 tests/automatus.py rule --remove-platforms --remove-ocp4-only --dontclean --datastream build/ssg-rhel8-ds.xml --remediate-using bash --logdir logs_bash --container ssg_test_suite -- accounts_passwords_pam_faillock_silent,accounts_passwords_pam_faillock_dir

Here is the result:

Setting console output to log level INFO
INFO - The base image option has been specified, choosing Podman-based test environment.
INFO - Logging into logs_bash-6/test_suite.log
WARNING - Script 'ubuntu_correct_pamd.pass.sh' is not applicable on 'rhel8' target because its platform is 'multi_platform_ubuntu'
WARNING - Script 'ubuntu_missing_pamd.fail.sh' is not applicable on 'rhel8' target because its platform is 'multi_platform_ubuntu'
WARNING - Script 'ubuntu_multiple_pam_unix.fail.sh' is not applicable on 'rhel8' target because its platform is 'multi_platform_ubuntu'
WARNING - Script 'ubuntu_correct.pass.sh' is not applicable on 'rhel8' target because its platform is 'multi_platform_ubuntu'
WARNING - Script 'ubuntu_commented_values.fail.sh' is not applicable on 'rhel8' target because its platform is 'multi_platform_ubuntu'
WARNING - Script 'ubuntu_empty_faillock_conf.fail.sh' is not applicable on 'rhel8' target because its platform is 'multi_platform_ubuntu'
INFO - xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
INFO - Script missing_dir_in_preauth.fail.sh using profile (all) OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage 
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir'.
INFO - Script wrong_pam_files.fail.sh using profile (all) OK
INFO - Script expected_pam_files.pass.sh using profile (all) OK
INFO - Script wrong_faillock_conf.fail.sh using profile (all) OK
INFO - Script missing_dir_in_authfail.fail.sh using profile (all) OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage 
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir'.
INFO - Script conflicting_settings_authselect.fail.sh using profile (all) OK
INFO - Script expected_faillock_conf.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent
ERROR - Script missing_parameter.fail.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in pass, instead of expected fail during initial stage 
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent'.
ERROR - Script missing_parameter_system_auth.fail.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in pass, instead of expected fail during initial stage 
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent'.
INFO - Script expected_pam_files.pass.sh using profile (all) OK
INFO - Script expected_faillock_conf.pass.sh using profile (all) OK
ERROR - Script missing_parameter_password_auth.fail.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in pass, instead of expected fail during initial stage 
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent'.

@jan-cerny jan-cerny self-assigned this Apr 24, 2025
@jan-cerny jan-cerny added this to the 0.1.77 milestone Apr 24, 2025
@alanmcanonical alanmcanonical marked this pull request as draft May 1, 2025 12:24
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label May 1, 2025
@dodys dodys requested a review from jan-cerny May 9, 2025 08:41
@vojtapolasek vojtapolasek modified the milestones: 0.1.77, 0.1.78 May 21, 2025
@alanmcanonical alanmcanonical marked this pull request as ready for review May 21, 2025 14:19
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label May 21, 2025
@jan-cerny jan-cerny removed their assignment May 29, 2025
codeclimate bot commented May 30, 2025

Code Climate has analyzed commit 866abac and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.8% (0.0% change).

View more on Code Climate.
