From blank at eclipse.ncsc.mil Thu Aug 20 11:34:24 2015
From: Jeffrey Blank
To: scap-security-guide at lists.fedorahosted.org
Subject: Re: [PATCH] A check and fix pam_cracklib.so minclass=X in system-auth
Date: Mon, 01 Jul 2013 23:26:52 -0400
In-Reply-To: 1372425323-26049-2-git-send-email-bmillett@gmail.com

Okay, this is helpful, but two things:
- by convention the Definition ID should be the same as the filename
- the fix script isn't parameterized

There is support for parameters in fix scripts, per a recent patch:
https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-June/003429.html

On Fri, Jun 28, 2013 at 9:15 AM, Brian Millett wrote:
> > Signed-off-by: Brian Millett > --- > .../accounts_password_minclass_login_defs.xml | 43 > ++++++++++++++++++++++ > .../fixes/bash/password_require_minimun_class.sh | 6 +++ > 2 files changed, 49 insertions(+) > create mode 100644 > RHEL6/input/checks/accounts_password_minclass_login_defs.xml > create mode 100644 > RHEL6/input/fixes/bash/password_require_minimun_class.sh > > diff --git a/RHEL6/input/checks/accounts_password_minclass_login_defs.xml > b/RHEL6/input/checks/accounts_password_minclass_login_defs.xml > new file mode 100644 > index 0000000..539164b > --- /dev/null > +++ b/RHEL6/input/checks/accounts_password_minclass_login_defs.xml 
> @@ -0,0 +1,43 @@ > + > + id=3D"accounts_password_pam_cracklib_minclass" version=3D"1"> > + > + Set Password minclass Requirements > + > + Red Hat Enterprise Linux 6 > + > + The password minclass should meet minimum > + requirements using pam_cracklib > + > + > + + test_ref=3D"test_password_pam_cracklib_minclass" /> > + > + > + > + + comment=3D"check the configuration of > /etc/pam.d/system-auth" > + id=3D"test_password_pam_cracklib_minclass" > version=3D"1"> > + > + > + > + > + + version=3D"1"> > + 1 > + + operation=3D"less than or equal" > + var_ref=3D"var_password_pam_cracklib_minclass" /> > + > + > + + datatype=3D"int" > id=3D"var_password_pam_cracklib_minclass" > + version=3D"1" /> > + > + + version=3D"1"> > + /etc/pam.d > + system-auth > + match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=3D\= s]+[\s]minclass=3D(-?\d+)(?:[\s]|$) > + equal">1 > + > + > diff --git a/RHEL6/input/fixes/bash/password_require_minimun_class.sh > b/RHEL6/input/fixes/bash/password_require_minimun_class.sh > new file mode 100644 > index 0000000..127c004 > --- /dev/null > +++ b/RHEL6/input/fixes/bash/password_require_minimun_class.sh 
> @@ -0,0 +1,6 @@ > +grep -q minclass /etc/pam.d/system-auth > +if [ $? =3D "0" ]; then > + sed --follow-symlinks -i "/ > pam_cracklib.so/s/minclass=3D[0-4]/minclass=3D3/" /etc/pam.d/system-auth > +else > + sed --follow-symlinks -i "/pam_cracklib.so/s/pam_cracklib.so/pam_cra= cklib.so minclass=3D3 /" /etc/pam.d/system-auth > +fi > -- > 1.8.2.1
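Review bot: the textfilecontent54_state subexpression in accounts_password_minclass_login_defs.xml uses operation "less than or equal" against var_password_pam_cracklib_minclass, so a system whose minclass is below the required value passes and one above it fails; a larger minclass is the stricter setting, so the comparison should be "greater than or equal". The pattern also never names pam_cracklib.so, so any required or requisite password line that carries minclass= satisfies it; anchor the module name in the expression. The file name refers to login_defs while the object reads /etc/pam.d/system-auth and the definition id is accounts_password_pam_cracklib_minclass; renaming the file to match the id resolves both.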
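Review bot: in password_require_minimun_class.sh the first sed rewrites minclass=[0-4] to minclass=3, which lowers an existing minclass=4 to 3 and hard-codes the value instead of taking it from the profile; replace only when the current value is below the target, and read the target from a parameter. The grep -q minclass test also matches the word anywhere in system-auth, including a comment or another module's line, in which case the else branch is skipped and the pam_cracklib.so line is left without minclass; test the pam_cracklib.so line itself, for example with if grep -q 'pam_cracklib\.so.*minclass=' rather than checking $? afterwards. The file name spells "minimun" where "minimum" is meant.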