>From 7bf11ec3ecc556b25899efd35ddbec3d24f1d20f Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Tue, 24 Dec 2013 03:05:25 -0500
Subject: [PATCH 04/31] Renamed password_require_lowercases to
 accounts_password_pam_cracklib_lcredit, added to shared/

- Updated XCCDF name to reflect granular configuration setting vs broad requirement

- Tested on RHEL7, moved to shared/, updated symlinks
---
 RHEL/6/input/auxiliary/stig_overlay.xml            |  2 +-
 .../accounts_password_pam_cracklib_lcredit.xml     | 44 +---------------------
 RHEL/6/input/profiles/CS2.xml                      |  2 +-
 RHEL/6/input/profiles/common.xml                   |  2 +-
 .../6/input/profiles/fisma-medium-rhel6-server.xml |  2 +-
 RHEL/6/input/profiles/rht-ccp.xml                  |  2 +-
 RHEL/6/input/profiles/usgcb-rhel6-server.xml       |  2 +-
 RHEL/6/input/system/accounts/pam.xml               |  2 +-
 .../accounts_password_pam_cracklib_lcredit.xml     |  1 +
 RHEL/7/input/profiles/.gitignore                   |  1 +
 RHEL/7/input/profiles/rht-ccp.xml                  |  8 ++--
 .../accounts_password_pam_cracklib_lcredit.xml     | 44 ++++++++++++++++++++++
 12 files changed, 57 insertions(+), 55 deletions(-)
 mode change 100644 => 120000 RHEL/6/input/checks/accounts_password_pam_cracklib_lcredit.xml
 create mode 120000 RHEL/7/input/checks/accounts_password_pam_cracklib_lcredit.xml
 create mode 100644 RHEL/7/input/profiles/.gitignore
 create mode 100644 shared/oval/accounts_password_pam_cracklib_lcredit.xml

diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml
index b2416cc..d89720c 100644
--- a/RHEL/6/input/auxiliary/stig_overlay.xml
+++ b/RHEL/6/input/auxiliary/stig_overlay.xml
@@ -180,7 +180,7 @@
 		<VMSinfo VKey="38570" SVKey="50371" VRelease="1" />
 		<title>The system must require passwords to contain at least one special character.</title>
 	</overlay>
-	<overlay owner="disastig" ruleid="password_require_lowercases" ownerid="RHEL-06-000059" disa="193" severity="low">
+	<overlay owner="disastig" ruleid="accounts_password_pam_cracklib_lcredit" ownerid="RHEL-06-000059" disa="193" severity="low">
 		<VMSinfo VKey="38571" SVKey="50372" VRelease="1" />
 		<title>The system must require passwords to contain at least one lowercase alphabetic character.</title>
 	</overlay>
diff --git a/RHEL/6/input/checks/accounts_password_pam_cracklib_lcredit.xml b/RHEL/6/input/checks/accounts_password_pam_cracklib_lcredit.xml
deleted file mode 100644
index 47306ec..0000000
--- a/RHEL/6/input/checks/accounts_password_pam_cracklib_lcredit.xml
+++ /dev/null
@@ -1,43 +0,0 @@
-<def-group>
-  <definition class="compliance" id="accounts_password_pam_cracklib_lcredit" version="1">
-    <metadata>
-      <title>Set Password lcredit Requirements</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>The password lcredit should meet minimum
-      requirements using pam_cracklib</description>
-      <reference source="DS" ref_id="20131011" ref_url="test_attestation" />
-    </metadata>
-    <criteria>
-      <criterion comment="Conditions for lcredit are satisfied"
-      test_ref="test_password_pam_cracklib_lcredit" />
-    </criteria>
-  </definition>
-
-  <ind:textfilecontent54_test check="all"
-  comment="check the configuration of /etc/pam.d/system-auth"
-  id="test_password_pam_cracklib_lcredit" version="1">
-    <ind:object object_ref="obj_password_pam_cracklib_lcredit" />
-    <ind:state state_ref="state_password_pam_cracklib_lcredit" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_state id="state_password_pam_cracklib_lcredit"
-  version="1">
-    <ind:instance datatype="int">1</ind:instance>
-    <ind:subexpression datatype="int"
-    operation="less than or equal"
-    var_ref="var_password_pam_cracklib_lcredit" />
-  </ind:textfilecontent54_state>
-
-  <external_variable comment="External variable for pam_cracklib lcredit"
-  datatype="int" id="var_password_pam_cracklib_lcredit"
-  version="1" />
-
-  <ind:textfilecontent54_object id="obj_password_pam_cracklib_lcredit"
-  version="1">
-    <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]lcredit=(-?\d+)(?:[\s]|$)</ind:pattern>
-    <ind:instance datatype="int" operation="less than or equal">1</ind:instance>
-  </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL/6/input/checks/accounts_password_pam_cracklib_lcredit.xml b/RHEL/6/input/checks/accounts_password_pam_cracklib_lcredit.xml
new file mode 120000
index 0000000..7e6ba85
--- /dev/null
+++ b/RHEL/6/input/checks/accounts_password_pam_cracklib_lcredit.xml
@@ -0,0 +1 @@
+../../../../shared/oval/accounts_password_pam_cracklib_lcredit.xml
\ No newline at end of file
diff --git a/RHEL/6/input/profiles/CS2.xml b/RHEL/6/input/profiles/CS2.xml
index b615f09..fc348ae 100644
--- a/RHEL/6/input/profiles/CS2.xml
+++ b/RHEL/6/input/profiles/CS2.xml
@@ -11,7 +11,7 @@
 <select idref="accounts_password_pam_cracklib_dcredit" selected="true"/>
 <select idref="accounts_password_pam_cracklib_ucredit" selected="true"/>
 <select idref="accounts_password_pam_cracklib_ocredit" selected="true"/>
-<select idref="password_require_lowercases" selected="true"/>
+<select idref="accounts_password_pam_cracklib_lcredit" selected="true"/>
 <select idref="password_require_diffchars" selected="true"/>
 <select idref="accounts_password_reuse_limit" selected="true"/>
 <refine-value idref="var_password_history_retain_limit" selector="10"/>
diff --git a/RHEL/6/input/profiles/common.xml b/RHEL/6/input/profiles/common.xml
index e6987ff..01ad314 100644
--- a/RHEL/6/input/profiles/common.xml
+++ b/RHEL/6/input/profiles/common.xml
@@ -55,7 +55,7 @@
 <select idref="accounts_password_pam_cracklib_dcredit" selected="true"/>
 <select idref="accounts_password_pam_cracklib_ucredit" selected="true"/>
 <select idref="accounts_password_pam_cracklib_ocredit" selected="true"/>
-<select idref="password_require_lowercases" selected="true"/>
+<select idref="accounts_password_pam_cracklib_lcredit" selected="true"/>
 <select idref="password_require_diffchars" selected="true"/>
 <select idref="deny_password_attempts" selected="true"/>
 <select idref="set_password_hashing_algorithm_systemauth" selected="true"/>
diff --git a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
index b5d860d..7522ca2 100644
--- a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
+++ b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
@@ -280,7 +280,7 @@
 <select idref="password_require_consecrepeat" selected="true" />
 <select idref="accounts_password_pam_cracklib_ucredit" selected="true" />
 <select idref="accounts_password_pam_cracklib_ocredit" selected="true" />
-<select idref="password_require_lowercases" selected="true" />
+<select idref="accounts_password_pam_cracklib_lcredit" selected="true" />
 <select idref="password_require_diffchars" selected="true" />
 <refine-value idref="var_password_history_retain_limit" selector="24" />
 <select idref="accounts_password_reuse_limit" selected="true" />
diff --git a/RHEL/6/input/profiles/rht-ccp.xml b/RHEL/6/input/profiles/rht-ccp.xml
index ef14e6d..d5f983a 100644
--- a/RHEL/6/input/profiles/rht-ccp.xml
+++ b/RHEL/6/input/profiles/rht-ccp.xml
@@ -57,7 +57,7 @@
 <select idref="accounts_password_pam_cracklib_dcredit" selected="true"/>
 <select idref="accounts_password_pam_cracklib_ucredit" selected="true"/>
 <select idref="accounts_password_pam_cracklib_ocredit" selected="true"/>
-<select idref="password_require_lowercases" selected="true"/>
+<select idref="accounts_password_pam_cracklib_lcredit" selected="true"/>
 <select idref="password_require_diffchars" selected="true"/>
 <select idref="deny_password_attempts" selected="true"/>
 <select idref="set_password_hashing_algorithm_systemauth" selected="true"/>
diff --git a/RHEL/6/input/profiles/usgcb-rhel6-server.xml b/RHEL/6/input/profiles/usgcb-rhel6-server.xml
index e323b38..704aa62 100644
--- a/RHEL/6/input/profiles/usgcb-rhel6-server.xml
+++ b/RHEL/6/input/profiles/usgcb-rhel6-server.xml
@@ -77,7 +77,7 @@
 <refine-value idref="var_password_pam_cracklib_ucredit" selector="1" />
 <select idref="accounts_password_pam_cracklib_ucredit" selected="true" />
 <refine-value idref="var_password_pam_cracklib_lcredit" selector="1" />
-<select idref="password_require_lowercases" selected="true" />
+<select idref="accounts_password_pam_cracklib_lcredit" selected="true" />
 <refine-value idref="var_password_pam_cracklib_ocredit" selector="1" />
 <select idref="accounts_password_pam_cracklib_ocredit" selected="true" />
 <refine-value idref="var_password_pam_cracklib_difok" selector="3" />
diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml
index aeecc28..fb3a72e 100644
--- a/RHEL/6/input/system/accounts/pam.xml
+++ b/RHEL/6/input/system/accounts/pam.xml
@@ -342,7 +342,7 @@ more difficult by ensuring a larger search space.
 <tested by="DS" on="20121024"/>
 </Rule>
 
-<Rule id="password_require_lowercases">
+<Rule id="accounts_password_pam_cracklib_lcredit">
 <title>Set Password Strength Minimum Lowercase Characters</title>
 <description>The pam_cracklib module's <tt>lcredit=</tt> parameter controls requirements for
 usage of lowercase letters in a password. When set to a negative number, any password will be required to
diff --git a/RHEL/7/input/checks/accounts_password_pam_cracklib_lcredit.xml b/RHEL/7/input/checks/accounts_password_pam_cracklib_lcredit.xml
new file mode 120000
index 0000000..7e6ba85
--- /dev/null
+++ b/RHEL/7/input/checks/accounts_password_pam_cracklib_lcredit.xml
@@ -0,0 +1 @@
+../../../../shared/oval/accounts_password_pam_cracklib_lcredit.xml
\ No newline at end of file
diff --git a/RHEL/7/input/profiles/.gitignore b/RHEL/7/input/profiles/.gitignore
new file mode 100644
index 0000000..1377554
--- /dev/null
+++ b/RHEL/7/input/profiles/.gitignore
@@ -0,0 +1 @@
+*.swp
diff --git a/RHEL/7/input/profiles/rht-ccp.xml b/RHEL/7/input/profiles/rht-ccp.xml
index 3424223..fc36e04 100644
--- a/RHEL/7/input/profiles/rht-ccp.xml
+++ b/RHEL/7/input/profiles/rht-ccp.xml
@@ -53,12 +53,10 @@
 <select idref="accounts_minimum_age_login_defs" selected="true"/>
 <select idref="accounts_password_warn_age_login_defs" selected="true"/>
 <select idref="accounts_password_pam_cracklib_retry" selected="true"/>
-<!--
-
 <select idref="accounts_password_pam_cracklib_dcredit" selected="true"/>
-<select idref="password_require_uppercases" selected="true"/>
-<select idref="password_require_specials" selected="true"/>
-<select idref="password_require_lowercases" selected="true"/>
+<select idref="accounts_password_pam_cracklib_ucredit" selected="true"/>
+<select idref="accounts_password_pam_cracklib_ocredit" selected="true"/>
+<select idref="accounts_password_pam_cracklib_lcredit" selected="true"/>
 <select idref="password_require_diffchars" selected="true"/>
 <select idref="deny_password_attempts" selected="true"/>
 <select idref="set_password_hashing_algorithm_systemauth" selected="true"/>
diff --git a/shared/oval/accounts_password_pam_cracklib_lcredit.xml b/shared/oval/accounts_password_pam_cracklib_lcredit.xml
new file mode 100644
index 0000000..bd0bb33
--- /dev/null
+++ b/shared/oval/accounts_password_pam_cracklib_lcredit.xml
@@ -0,0 +1,44 @@
+<def-group>
+  <definition class="compliance" id="accounts_password_pam_cracklib_lcredit" version="1">
+    <metadata>
+      <title>Set Password lcredit Requirements</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+        <platform>Red Hat Enterprise Linux 7</platform>
+      </affected>
+      <description>The password lcredit should meet minimum
+      requirements using pam_cracklib</description>
+      <reference source="DS" ref_id="20131011" ref_url="test_attestation" />
+    </metadata>
+    <criteria>
+      <criterion comment="Conditions for lcredit are satisfied"
+      test_ref="test_password_pam_cracklib_lcredit" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all"
+  comment="check the configuration of /etc/pam.d/system-auth"
+  id="test_password_pam_cracklib_lcredit" version="1">
+    <ind:object object_ref="obj_password_pam_cracklib_lcredit" />
+    <ind:state state_ref="state_password_pam_cracklib_lcredit" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_state id="state_password_pam_cracklib_lcredit"
+  version="1">
+    <ind:instance datatype="int">1</ind:instance>
+    <ind:subexpression datatype="int"
+    operation="less than or equal"
+    var_ref="var_password_pam_cracklib_lcredit" />
+  </ind:textfilecontent54_state>
+
+  <external_variable comment="External variable for pam_cracklib lcredit"
+  datatype="int" id="var_password_pam_cracklib_lcredit"
+  version="1" />
+
+  <ind:textfilecontent54_object id="obj_password_pam_cracklib_lcredit"
+  version="1">
+    <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]lcredit=(-?\d+)(?:[\s]|$)</ind:pattern>
+    <ind:instance datatype="int" operation="less than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
-- 
1.8.3.1