Check Configuration of password remember

and set default to 60

see Telekom 2021.07-01 SoC 3.01 Req 25 and SoC 3.65 Req46

Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>

Author: m41kc0d3

controls/os_spec.rb

@@ -282,3 +282,25 @@
     end
   end
 end
+
+control 'os-14' do
+  impact 1.0
+  title 'Check pam config - RedHat specific'
+  desc 'Check config of files in /etc/pam.d.'
+
+  pam_files = ['/etc/pam.d/system-auth', '/etc/pam.d/password-auth']
+
+  pam_files.each do |pam_file|
+    describe file(pam_file) do
+      it { should exist }
+      it { should be_owned_by 'root' }
+      its('group') { should eq 'root' }
+      its(:content) { should match /^password    requisite     pam_pwhistory.so remember=60 use_authtok$/ }
+      its(:content) { should match /^password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type=$/ }
+      its(:content) { should match /^auth        required      pam_faillock.so preauth silent audit even_deny_root deny=5 unlock_time=15$/ }
+      its(:content) { should match /^auth        required      pam_faillock.so authfail audit even_deny_root deny=5 unlock_time=15$/ }
+      its(:content) { should match /^account     required      pam_faillock.so$/ }
+    end
+  end
+  only_if { os.redhat? }
+end