On 4/26/12 8:06 PM, Willy Santos wrote:
CCI-000196 requires enforcing password encryption for storage. no_hashes_outside_shadow meets this requirement.
Signed-off-by: Willy Santos <wsantos@redhat.com>
.../accounts/restrictions/password_storage.xml | 1 + 1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/accounts/restrictions/password_storage.xml b/rhel6/src/input/system/accounts/restrictions/password_storage.xml index 30a6f52..e989bd5 100644 --- a/rhel6/src/input/system/accounts/restrictions/password_storage.xml +++ b/rhel6/src/input/system/accounts/restrictions/password_storage.xml @@ -49,6 +49,7 @@ which is readable by all users.
<ident cce="14300-8" /> <oval id="accounts_password_all_shadowed" /> <ref nist="IA-5" /> +<ident cci="CCI-000196" /> </Rule> </Group>
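Review bot: the added `<ident cci="CCI-000196" />` is placed after `<ref nist="IA-5" />`, apart from the existing `<ident cce="14300-8" />`; moving it directly under the CCE ident would keep the rule's identifiers grouped and make later CCI additions easier to spot. The commit message names no_hashes_outside_shadow, but the only check visible in this hunk is the OVAL id accounts_password_all_shadowed and the Rule's opening tag is outside the context lines, so please confirm the ident landed in the intended Rule.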
Ack
Note that DISA's description of CCI-000196 only says passwords must be encrypted in storage (aka /etc/shadow); however, the NIST IA-5 (1)(c) control this maps back to also specifically adds that passwords must be encrypted in /transmission/ as well. I'd like to map this back to the requirement to disable telnet too. I created ticket #45 to remind us to do that.