This addresses multiple issues with OVAL checks and XCCDF content not supporting Values to adjust their requirements for settings in /etc/login.defs.
Some remaining issues exist, such as the prose not being quite good yet, and I believe we will also break apart the OVAL check for minimum length to separately cover the settings in login.defs and pam_cracklib. But not today.
Jeffrey Blank (3):
  updated OVAL checks which inspect login.defs to support Values (variables)
  updated refine-value names for password items, removed defunct/commented profile items
  updated guidance to permit adjustment of password warning period, min/max age, length
    * also added to test profile, for your testing pleasure
 .../checks/accounts_maximum_age_login_defs.xml     | 26 ++++++---
 .../checks/accounts_minimum_age_login_defs.xml     | 31 +++++++----
 .../checks/accounts_password_minlen_login_defs.xml | 17 +++----
 .../accounts_password_warn_age_login_defs.xml      | 32 +++++++-----
 rhel6/src/input/profiles/common.xml                | 29 ++---------
 rhel6/src/input/profiles/test.xml                  | 17 ++++++
 .../accounts/restrictions/password_expiration.xml  | 56 +++++++++++++-------
 7 files changed, 121 insertions(+), 87 deletions(-)
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil
---
 .../checks/accounts_maximum_age_login_defs.xml     | 26 ++++++++++-----
 .../checks/accounts_minimum_age_login_defs.xml     | 31 ++++++++++++-------
 .../checks/accounts_password_minlen_login_defs.xml | 17 ++++------
 .../accounts_password_warn_age_login_defs.xml      | 32 ++++++++++++--------
 4 files changed, 63 insertions(+), 43 deletions(-)
diff --git a/rhel6/src/input/checks/accounts_maximum_age_login_defs.xml b/rhel6/src/input/checks/accounts_maximum_age_login_defs.xml index c6333d1..10bc279 100644 --- a/rhel6/src/input/checks/accounts_maximum_age_login_defs.xml +++ b/rhel6/src/input/checks/accounts_maximum_age_login_defs.xml 
@@ -6,21 +6,29 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <reference ref_id="CCE-4092-3" source="CCE" /> - <description>The "maximum password age" policy should meet - minimum requirements. This particular check looks for a - maximum password age of 60 days.</description> + <description>The maximum password age policy should meet + minimum requirements.</description> </metadata> - <criteria comment="the value PASS_MAX_DAYS should be set to 60 in /etc/login.defs"> - <criterion test_ref="test_pass_max_days_sixty" /> + <criteria comment="the value PASS_MAX_DAYS should be set appropriately in /etc/login.defs"> + <criterion test_ref="test_pass_max_days" /> </criteria> </definition> - <ind:textfilecontent54_test check="all" comment="the value PASS_MAX_DAYS should be set to 60 in /etc/login.defs" id="test_pass_max_days_sixty" version="1"> + + <ind:textfilecontent54_test check="all" comment="the value PASS_MAX_DAYS should be set appropriately in /etc/login.defs" id="test_pass_max_days" version="1"> <ind:object object_ref="object_etc_login_defs_pass_max" /> + <ind:state state_ref="state_password_max_age" /> </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_etc_login_defs_pass_max" version="1"> - ind:path/etc</ind:path> - ind:filenamelogin.defs</ind:filename> - <ind:pattern operation="pattern match">^[\s]*PASS_MAX_DAYS[\s]+60$</ind:pattern> + ind:filepath/etc/login.defs</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*PASS_MAX_DAYS[\s]+(\d+)\s*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> + + <ind:textfilecontent54_state id="state_password_max_age" version="1"> + <ind:subexpression operation="less than or equal" var_ref="var_password_max_age" /> + </ind:textfilecontent54_state> + + <external_variable comment="maximum password age" datatype="int" id="var_password_max_age" version="1" /> + </def-group> 
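Review bot: the new state id `state_password_max_age` breaks the naming used by the other two states this series adds (`state_etc_login_defs_pass_min_age`, `state_etc_login_defs_pass_warn_age`); renaming it to `state_etc_login_defs_pass_max_age` keeps the three checks parallel. The comparison itself is the right one for a ceiling (subexpression `less than or equal` against `var_password_max_age`), and because the pattern only matches an uncommented `PASS_MAX_DAYS` line, a file that lacks the setting produces no item and the test is false rather than true, which is the safe direction for this rule; the test's `comment`, which now only says "set appropriately", would be more useful if it stated that the value must not exceed `var_password_max_age`.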
diff --git a/rhel6/src/input/checks/accounts_minimum_age_login_defs.xml b/rhel6/src/input/checks/accounts_minimum_age_login_defs.xml index f5a89ce..0afa38b 100644 --- a/rhel6/src/input/checks/accounts_minimum_age_login_defs.xml +++ b/rhel6/src/input/checks/accounts_minimum_age_login_defs.xml 
@@ -6,21 +6,30 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <reference ref_id="CCE-4180-6" source="CCE" /> - <description>The "minimum password age" policy should meet - minimum requirements. This particular check looks for a - minimum password age of 7 days.</description> + <description>The minimum password age policy should be set appropriately.</description> </metadata> - <criteria comment="the value PASS_MIN_DAYS should be set to 7 in /etc/login.defs"> - <criterion test_ref="test_pass_min_days_seven" /> + <criteria comment="the value PASS_MIN_DAYS should be set appropriately in /etc/login.defs"> + <criterion test_ref="test_pass_min_days" /> </criteria> </definition> - <ind:textfilecontent54_test check="all" comment="the value PASS_MIN_DAYS should be set to 7 in /etc/login.defs" id="test_pass_min_days_seven" version="1"> - <ind:object object_ref="object_etc_login_defs_pass_min" /> + + <ind:textfilecontent54_test check="all" + comment="Tests the value of PASS_MIN_DAYS in /etc/login.defs" + id="test_pass_min_days" version="1"> + <ind:object object_ref="object_etc_login_defs_pass_min_age" /> + <ind:state state_ref="state_etc_login_defs_pass_min_age" /> </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="object_etc_login_defs_pass_min" version="1"> - ind:path/etc</ind:path> - ind:filenamelogin.defs</ind:filename> - <ind:pattern operation="pattern match">^[\s]*PASS_MIN_DAYS[\s]+7$</ind:pattern> + + <ind:textfilecontent54_object id="object_etc_login_defs_pass_min_age" version="1"> + ind:filepath/etc/login.defs</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*PASS_MIN_DAYS[\s]+(\d+)\s*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> + + <ind:textfilecontent54_state id="state_etc_login_defs_pass_min_age" version="1"> + <ind:subexpression operation="greater than or equal" var_ref="var_password_min_age" /> + </ind:textfilecontent54_state> + + <external_variable comment="minimum 
password age in days" datatype="int" id="var_password_min_age" version="1" /> + </def-group> diff --git a/rhel6/src/input/checks/accounts_password_minlen_login_defs.xml b/rhel6/src/input/checks/accounts_password_minlen_login_defs.xml index 4f8ccdc..e8cd30b 100644 --- a/rhel6/src/input/checks/accounts_password_minlen_login_defs.xml +++ b/rhel6/src/input/checks/accounts_password_minlen_login_defs.xml @@ -7,8 +7,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <reference ref_id="CCE-4154-1" source="CCE" /> - <description>The password minimum length should be set - appropriately</description> + <description>The password minimum length should be set appropriately.</description> </metadata> <criteria operator="AND"> <criterion test_ref="test_pam_minlen_set" /> @@ -27,23 +26,21 @@ </ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_pam_minlen_set" version="1"> - ind:path/etc/pam.d</ind:path> - ind:filenamesystem-auth</ind:filename> - <ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_cracklib.so.*minlen=([0-9]*).*$</ind:pattern> + ind:filepath/etc/pam.d/system-auth</ind:filepath> + <ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_cracklib.so.*minlen=(\d+).*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
<ind:textfilecontent54_object id="object_etc_login_defs" version="1"> - ind:path/etc</ind:path> - ind:filenamelogin.defs</ind:filename> - <ind:pattern operation="pattern match">^PASS_MIN_LEN\s+([0-9]*)$</ind:pattern> + ind:filepath/etc/login.defs</ind:filepath> + <ind:pattern operation="pattern match">^PASS_MIN_LEN\s+(\d+)\s*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
<ind:textfilecontent54_state id="state_password_min_len" version="1"> - <ind:subexpression operation="equals" var_check="all" var_ref="var_password_min_len" /> + <ind:subexpression operation="greater than or equal" var_ref="var_password_min_len" /> </ind:textfilecontent54_state>
- <external_variable comment="password minimum length" datatype="string" id="var_password_min_len" version="1" /> + <external_variable comment="password minimum length" datatype="int" id="var_password_min_len" version="1" />
</def-group> diff --git a/rhel6/src/input/checks/accounts_password_warn_age_login_defs.xml b/rhel6/src/input/checks/accounts_password_warn_age_login_defs.xml index bea68d2..1c6a24d 100644 --- a/rhel6/src/input/checks/accounts_password_warn_age_login_defs.xml +++ b/rhel6/src/input/checks/accounts_password_warn_age_login_defs.xml 
@@ -1,30 +1,36 @@ <def-group> - <definition class="compliance" - id="accounts_password_warn_age_login_defs" version="1"> + <definition class="compliance" id="accounts_password_warn_age_login_defs" version="1"> <metadata> <title>Set Password Expiration Parameters</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> <reference ref_id="CCE-4097-2" source="CCE" /> - <description>The password warn age should be set - appropriately</description> + <description>The password expiration warning age should be set appropriately.</description> </metadata> <criteria> - <criterion test_ref="test_20074" /> + <criterion test_ref="test_pass_warn_age" /> </criteria> </definition> + <ind:textfilecontent54_test check="all" - check_existence="all_exist" - comment="Tests the value of the PASS_WARN_AGE[\s]*=[\s]*(.*) expression in the /etc/login.defs file" - id="test_20074" version="1"> - <ind:object object_ref="obj_20074" /> + comment="Tests the value of PASS_WARN_AGE in /etc/login.defs" + id="test_pass_warn_age" version="1"> + <ind:object object_ref="object_etc_login_defs_pass_warn_age" /> + <ind:state state_ref="state_etc_login_defs_pass_warn_age" /> </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="obj_20074" + + <ind:textfilecontent54_object id="object_etc_login_defs_pass_warn_age" version="1"> - ind:path/etc</ind:path> - ind:filenamelogin.defs</ind:filename> - <ind:pattern operation="pattern match">^[\s]*PASS_WARN_AGE[\s]*14$</ind:pattern> + ind:filepath/etc/login.defs</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*PASS_WARN_AGE[\s]*(\d+)\s*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> + + <ind:textfilecontent54_state id="state_etc_login_defs_pass_warn_age" version="1"> + <ind:subexpression operation="greater than or equal" var_ref="var_password_warn_age" /> + </ind:textfilecontent54_state> + + <external_variable comment="password expiration warning age in days" 
datatype="int" id="var_password_warn_age" version="1" /> + </def-group>
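Review bot: in the accounts_password_minlen_login_defs.xml hunk, the login.defs pattern `^PASS_MIN_LEN\s+(\d+)\s*$` is the only one in this series without a leading `^[\s]*`, so an indented `PASS_MIN_LEN` line is accepted by the sibling checks' style of matching but not by this one; suggest `^[\s]*PASS_MIN_LEN\s+(\d+)\s*$` for consistency. The object id `object_etc_login_defs` is also generic where the sibling checks now use `object_etc_login_defs_pass_min_age` and `object_etc_login_defs_pass_warn_age`; `object_etc_login_defs_pass_min_len` would fit. Moving the state from `equals` with `var_check="all"` to `greater than or equal`, and the variable from `string` to `int`, is the right fix, since the relational operations are defined for numeric datatypes.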
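Review bot: in the accounts_password_warn_age_login_defs.xml hunk, the pattern `^[\s]*PASS_WARN_AGE[\s]*(\d+)\s*$` allows zero whitespace between keyword and value, where the max-age and min-age patterns use `[\s]+`; `^[\s]*PASS_WARN_AGE[\s]+(\d+)\s*$` matches how the file is actually written and keeps the three checks identical apart from the keyword. Dropping `check_existence="all_exist"` is fine: with `instance` 1 there is at most one item, so the default `at_least_one_exists` evaluates the same way.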
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil
---
 rhel6/src/input/profiles/common.xml | 29 ++++------------------------
 1 files changed, 4 insertions(+), 25 deletions(-)
diff --git a/rhel6/src/input/profiles/common.xml b/rhel6/src/input/profiles/common.xml index 80c6d68..aba7c92 100644 --- a/rhel6/src/input/profiles/common.xml +++ b/rhel6/src/input/profiles/common.xml @@ -79,7 +79,6 @@ <select idref="groupowner_rsyslog_files" selected="true"/> <select idref="rsyslog_file_permissions" selected="true"/> <select idref="rsyslog_send_messages_to_logserver" selected="true"/> -<!-- <select idref="rsyslog_accept_remote_messages" selected="true"/> --> <select idref="ensure_logrotate_activated" selected="true"/> <select idref="enable_auditd_service" selected="true"/> <select idref="enable_auditd_bootloader" selected="true"/> @@ -90,18 +89,10 @@ <select idref="configure_auditd_admin_space_left_action" selected="true"/> <select idref="configure_auditd_max_log_file_action" selected="true"/>
-<!--Too much variation to be in profile -<select idref="configure_logwatch_hostlimit" selected="true"/> -<select idref="configure_logwatch_splithosts" selected="true"/> - -<select idref="disable_logwatch_for_logserver" selected="true"/>--> - <select idref="audit_time_rules" selected="true"/> <select idref="audit_account_changes" selected="true"/> <select idref="audit_network_modifications" selected="true"/> <select idref="audit_mac_changes" selected="true"/> -<select idref="audit_manual_logon_edits" selected="true" /> -<select idref="audit_manual_session_edits" selected="true" /> <select idref="audit_dac_actions" selected="true"/> <select idref="audit_file_access" selected="true"/> <select idref="audit_privileged_commands" selected="true"/> 
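Review bot: this hunk removes two live selects, `audit_manual_logon_edits` and `audit_manual_session_edits`, not only commented-out ones, which silently drops those two rules from the common profile; the commit message only speaks of "defunct/commented profile items", so either confirm the rules no longer exist in the content and say so in the message, or keep them selected.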
@@ -123,19 +114,6 @@ <select idref="uninstall_tftp-server" selected="true"/> <select idref="disable_tftp" selected="true"/> <select idref="enable_cron" selected="true"/> -<!-- FILE PERMISSIONS <select idref="file_user_owner_etc_crontab" selected="true"/> --> -<!-- FILE PERMISSIONS <select idref="file_group_owner_etc_crontab" selected="true"/> --> -<!-- FILE PERMISSIONS <select idref="file_mode_etc_crontab" selected="true"/> --> -<!-- DBG-DOES-NOT-EXIST <select idref="groupowner_cron.hourly" selected="true"/> --> -<!-- DBG-DOES-NOT-EXIST <select idref="groupowner_cron.daily" selected="true"/> --> -<!-- DBG-DOES-NOT-EXIST <select idref="groupowner_cron.weekly" selected="true"/> --> -<!-- DBG-DOES-NOT-EXIST <select idref="groupowner_cron.monthly" selected="true"/> --> -<!-- DBG-DOES-NOT-EXIST <select idref="groupowner_cron.d" selected="true"/> --> -<!-- DBG-DOES-NOT-EXIST <select idref="userowner_cron.hourly" selected="true"/> --> -<!-- DBG-DOES-NOT-EXIST <select idref="userowner_cron.daily" selected="true"/> --> -<!-- DBG-DOES-NOT-EXIST <select idref="userowner_cron.weekly" selected="true"/> --> -<!-- DBG-DOES-NOT-EXIST <select idref="userowner_cron.monthly" selected="true"/> --> -<!-- DBG-DOES-NOT-EXIST <select idref="userowner_cron.d" selected="true"/> --> <select idref="disable_at" selected="true"/> <select idref="sshd_allow_only_protocol2" selected="true"/> <select idref="sshd_set_idle_timeout" selected="true"/> @@ -153,7 +131,6 @@ <select idref="uninstall_dhcp_server" selected="true"/> <select idref="enable_ntpd" selected="true"/> <select idref="ntpd_specify_remote_server" selected="true"/> -<!-- <select idref="postfix_package_installation" selected="true"/> --> <select idref="postfix_network_listening" selected="true"/> <select idref="ldap_client_tls_checkpeer" selected="true"/> <select idref="package_openldap-servers_removed" selected="true"/> 
@@ -187,9 +164,11 @@ <!-- daemon umask --> <refine-value idref="var_password_min_len" selector="14"/> <!-- password minimum length --> -<refine-value idref="password_max_age_login_defs_value" selector="90"/> +<refine-value idref="var_password_max_age" selector="90"/> <!-- maximum password age --> -<refine-value idref="password_warn_age_login_defs_value" selector="7"/> +<refine-value idref="var_password_min_age" selector="7"/> +<!-- minimum password age --> +<refine-value idref="var_password_warn_age" selector="7"/> <!-- password warn age --> <refine-value idref="var_password_pam_cracklib_retry" selector="3"/> <!-- Number of retry attempts before erroring out -->
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil
---
 rhel6/src/input/profiles/test.xml                  | 17 ++++++
 .../accounts/restrictions/password_expiration.xml  | 56 +++++++++++++-------
 2 files changed, 54 insertions(+), 19 deletions(-)
diff --git a/rhel6/src/input/profiles/test.xml b/rhel6/src/input/profiles/test.xml index f341a33..87ad1c3 100644 --- a/rhel6/src/input/profiles/test.xml +++ b/rhel6/src/input/profiles/test.xml @@ -1,6 +1,11 @@ <Profile id="test" xmlns="http://checklists.nist.gov/xccdf/1.1" > <title>test</title> <description>This profile is for testing.</description> + +<select idref="password_min_len" selected="true"/> +<select idref="password_min_age" selected="true"/> +<select idref="password_max_age" selected="true"/> +<select idref="password_warn_age" selected="true"/> <select idref="package_rsyslog_installed" selected="true"/> <select idref="service_rsyslog_enabled" selected="true"/> <select idref="disable_vsftpd" selected="true"/> @@ -21,4 +26,16 @@ <refine-value idref="var_selinux_state_name" selector="enforcing"/> <refine-value idref="var_password_pam_cracklib_dcredit" selector="1"/> <refine-value idref="inactivity_timeout_value" selector="10_minutes"/> + + +<refine-value idref="var_password_min_len" selector="12"/> +<!-- password minimum length --> +<refine-value idref="var_password_max_age" selector="90"/> +<!-- maximum password age --> +<refine-value idref="var_password_min_age" selector="7"/> +<!-- minimum password age --> +<refine-value idref="var_password_warn_age" selector="7"/> +<!-- password warn age --> + + </Profile> diff --git a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml index 81c0d54..43179a4 100644 --- a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml +++ b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml 
@@ -23,12 +23,13 @@ for an emergency password change in case a new password becomes compromised. The <tt>PASS_WARN_AGE</tt> (<tt>-W</tt>) setting gives users 7 days of warnings at login time that their passwords are about to expire. <br /><br /> -For each existing human user USER , modify the current -expiration settings to match these: +For example, for each existing human user <i>USER</i>, expiration parameters +could be adjusted to a 180 day maximum password age, 7 day minimum password +age, and 7 day warning period with the following command: <pre># chage -M 180 -m 7 -W 7 USER</pre> </description>
-<Value id="var_password_min_len" type="string" operator="equals" interactive="0"> +<Value id="var_password_min_len" type="number" > <title>minimum password length</title> <description>Minimum number of characters in password</description> <warning category="general">This will only check new passwords</warning> @@ -37,11 +38,11 @@ expiration settings to match these: <!-- NIST 800-53 requires 1 in a million using brute force which translates to six numbers --> <value selector="8">8</value> <value selector="10">10</value> +<value selector="12">12</value> <value selector="14">14</value> </Value>
-<Value id="password_max_age_login_defs_value" type="string" -operator="equals" interactive="0"> +<Value id="var_password_max_age" type="number" > <title>maximum password age</title> <description>Maximum age of password in days</description> <warning category="general">This will only apply to newly created accounts</warning> @@ -51,13 +52,25 @@ operator="equals" interactive="0"> <value selector="180">180</value> </Value>
+<Value id="var_password_min_age" type="number" > +<title>minimum password age</title> +<description>Minimum age of password in days</description> +<warning category="general">This will only apply to newly created accounts</warning> +<value selector="">7</value> +<value selector="7">7</value> +<value selector="5">5</value> +<value selector="1">1</value> +<value selector="2">2</value> +<value selector="0">0</value> +</Value>
-<Value id="password_warn_age_login_defs_value" type="string" -operator="equals" interactive="0"> + +<Value id="var_password_warn_age" type="number" > <title>warning days before password expires</title> <description>The number of days' warning given before a password expires.</description> <warning category="general">This will only apply to newly created accounts</warning> <value selector="">7</value> +<value selector="0">0</value> <value selector="7">7</value> <value selector="14">14</value> </Value> @@ -93,8 +106,10 @@ behavior that may result. <title>Set Password Minimum Age</title> <description>To specify password minimum age for new accounts, edit the file <tt>/etc/login.defs</tt> -and add or correct the following line: -<pre>PASS_MIN_DAYS=7</pre> +and add or correct the following line, replacing <i>DAYS</i> appropriately: +<pre>PASS_MIN_DAYS=<i>DAYS</i></pre> +A value of 7 days is considered for sufficient for many +environments. </description> <rationale> Setting the minimum password age protects against @@ -102,25 +117,26 @@ users cycling back to a favorite password after satisfying the password reuse requirement. </rationale> <ident cce="4180-6" /> -<oval id="accounts_minimum_age_login_defs" /> +<oval id="accounts_minimum_age_login_defs" value="var_password_min_age"/> <ref nist="CM-6, IA-5" disa="198"/> </Rule>
- <Rule id="password_max_age"> <title>Set Password Maximum Age</title> <description>To specify password maximum age for new accounts, edit the file <tt>/etc/login.defs</tt> -and add or correct the following line: -<pre>PASS_MAX_DAYS=180<!-- <sub idref="password_max_age_login_defs_value" /> --></pre> +and add or correct the following line, replacing <i>DAYS</i> appropriately: +<pre>PASS_MAX_DAYS=<i>DAYS</i><!-- <sub idref="password_max_age_login_defs_value" /> --></pre> +A value of 180 days is considered for sufficient for many +environments. </description> <rationale> -Setting the password warning age enables users to -make the change at a practical time prior to expiration. -</rationale> +Setting the password maximum age ensures that users are required to +periodically change their passwords. This could possibly decrease +the utility of a stolen password.</rationale> <ident cce="4092-3" /> -<oval id="accounts_maximum_age_login_defs" /> +<oval id="accounts_maximum_age_login_defs" value="var_password_max_age"/> <ref nist="CM-6, CM-7, IA-5, AC-3" disa="199"/> </Rule>
@@ -131,7 +147,9 @@ make the change at a practical time prior to expiration. expiration that a warning will be issued to users, edit the file <tt>/etc/login.defs</tt> and add or correct the following line: -<pre>PASS_WARN_AGE=7</pre> +<pre>PASS_WARN_AGE=<i>DAYS</i></pre> +A value of 7 days is considered for appropriate for many +environments. <!-- <sub idref="password_warn_age_login_defs_value" /> --> </description> <rationale> @@ -139,7 +157,7 @@ Setting the password warning age enables users to make the change at a practical time. </rationale> <ident cce="4097-2" /> -<oval id="accounts_password_warn_age_login_defs" /> +<oval id="accounts_password_warn_age_login_defs" value="var_password_warn_age" /> <ref nist="CM-6, CM-7, IA-5, AC-3" /> </Rule> </Group>
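Review bot: in the `@@ -51,13 +52,25 @@` hunk, `var_password_warn_age` gains `<value selector="0">0</value>`; since the OVAL state for this Value compares with `greater than or equal`, selecting 0 makes the warn-age check pass for any `PASS_WARN_AGE`, so either drop that selector or document that it effectively disables the check. The new `var_password_min_age` list is also unordered (7, 5, 1, 2, 0); sorting it like the other Values makes review easier.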
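Review bot: the `@@ -93,8 +106,10 @@` hunk tells the reader to write `PASS_MIN_DAYS=<i>DAYS</i>` (and the max-age and warn-age hunks do the same with `PASS_MAX_DAYS=` and `PASS_WARN_AGE=`), but the OVAL patterns in this series require whitespace between keyword and value (`PASS_MIN_DAYS[\s]+(\d+)`), and login.defs is a whitespace-separated `NAME VALUE` file, so a line written with `=` is ignored by the shadow tools and fails the check. Suggest `<pre>PASS_MIN_DAYS <i>DAYS</i></pre>` in all three rules. Also "considered for sufficient" (here and in the max-age rule) and "considered for appropriate" (warn-age rule) should read "considered sufficient" and "considered appropriate".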
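Review bot: the `@@ -102,25 +117,26 @@` hunk keeps a commented `<sub idref="password_max_age_login_defs_value" />` inside the `<pre>`, and the warn-age hunk keeps `<sub idref="password_warn_age_login_defs_value" />`, but this series renames those Values to `var_password_max_age` and `var_password_warn_age`; update the idrefs in the comments now so the `<sub>` references are correct once the transforms support them.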
Some remaining issues exist, such as the prose not being quite good yet, and I believe we will also break apart the OVAL check for minimum length to separately cover the settings in login.defs and pam_cracklib. But not today.
I'm assuming this is one example of prose that needs resolution:
<pre>PASS_MIN_LEN=12 <!-- <sub idref="var_password_min_len"> --></pre>
TODO: More research needed to understand exact interaction: when precisely is this file consulted?
From reading the login.defs and crypt() man-pages, it appears that PASS_MIN_LEN is used by crypt() in a pretty convoluted fashion.
I'm not sure if ENCRYPT_METHOD affects the functionality, but for the default (DES), it seems that PASS_MIN_LEN needs to be at least 8 characters for the encryption to be effective (crypt takes the lowest 7 bits of the first 8 characters of the password).
For the more applicable MD5 and SHA configurations, the entire key is used, so maybe PASS_MIN_LEN needs to be different for different ENCRYPT_METHOD values? The crypt() man-page says that MD5 encryption uses all 22 bytes of the key, SHA-256 uses 43, and SHA-512 uses 86.
--Mike
On 05/30/2012 04:13 PM, Michael Palmiotto wrote:
Some remaining issues exist, such as the prose not being quite good yet, and I believe we will also break apart the OVAL check for minimum length to separately cover the settings in login.defs and pam_cracklib. But not today.
I'm assuming this is one example of prose that needs resolution:
<pre>PASS_MIN_LEN=12 <!-- <sub idref="var_password_min_len"> --></pre>
TODO: More research needed to understand exact interaction: when precisely is this file consulted?
Yes. And the usage of "<sub idref=" should be supported by the transforms (but currently isn't).
I was calling this out because although I think that my commit is a very significant improvement, it's not completely done yet. I am waiting for an ACK.
For the more applicable MD5 and SHA configurations, the entire key is used, so maybe PASS_MIN_LEN needs to be different for different ENCRYPT_METHOD values?
PASS_MIN_LEN controls what the system will require for minimum password length (at least for the usual programs in the "shadow password suite"). I am unaware of any USG password policy that adjusts its length requirement based on relevant information such as the strength of the underlying algorithm.
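To make concrete what the four patched OVAL checks compute, and why it matters whether the guidance writes the settings with `=` or with whitespace, here is an added Python example (not scap-security-guide code, and not from anyone in this thread). It applies each check's `textfilecontent54` pattern and state operation to a constructed login.defs sample using the refine-values from common.xml, and beside it parses the same text the way the shadow tools read login.defs (whitespace-separated `NAME VALUE`, `#` comments); that parser is an assumed simplification of shadow's `getdef.c`, and both sample files are constructed.

```python
"""Added example (not scap-security-guide code): evaluate the patched
login.defs OVAL checks against an in-memory sample and compare with how
the shadow tools parse the same file."""
import operator
import re

# One entry per check in the patch: the textfilecontent54_object pattern,
# the state's subexpression operation, and the external_variable it references.
CHECKS = {
    "PASS_MAX_DAYS": (r"^[\s]*PASS_MAX_DAYS[\s]+(\d+)\s*$", operator.le, "var_password_max_age"),
    "PASS_MIN_DAYS": (r"^[\s]*PASS_MIN_DAYS[\s]+(\d+)\s*$", operator.ge, "var_password_min_age"),
    "PASS_WARN_AGE": (r"^[\s]*PASS_WARN_AGE[\s]*(\d+)\s*$", operator.ge, "var_password_warn_age"),
    "PASS_MIN_LEN": (r"^PASS_MIN_LEN\s+(\d+)\s*$", operator.ge, "var_password_min_len"),
}

# Values as bound by the refine-values in rhel6/src/input/profiles/common.xml.
COMMON_PROFILE = {
    "var_password_max_age": 90,
    "var_password_min_age": 7,
    "var_password_warn_age": 7,
    "var_password_min_len": 14,
}

# Constructed sample: stock 99999 maximum age, PASS_MIN_DAYS written with '='
# the way the patched guidance text shows it, and a short minimum length.
SAMPLE_LOGIN_DEFS = """\
# constructed sample, not a real host's /etc/login.defs
PASS_MAX_DAYS   99999
PASS_MIN_DAYS=7
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""

# Constructed sample that satisfies every check with the common.xml values.
COMPLIANT_LOGIN_DEFS = """\
PASS_MAX_DAYS   90
PASS_MIN_DAYS   7
PASS_MIN_LEN    14
PASS_WARN_AGE   7
"""


def oval_evaluate(login_defs_text, variables):
    """Mirror each textfilecontent54_test: take subexpression instance 1 of the
    pattern and compare it with the variable using the state's operation.
    With no matching line the object collects nothing, and under OVAL's
    default check_existence (at_least_one_exists) the test is false."""
    results = {}
    for setting, (pattern, op, var) in CHECKS.items():
        matches = re.findall(pattern, login_defs_text, re.MULTILINE)
        if not matches:
            results[setting] = False
        else:
            results[setting] = op(int(matches[0]), variables[var])
    return results


def getdef_parse(login_defs_text):
    """Parse login.defs as the shadow tools do (assumed simplification of
    shadow's getdef.c): blank lines and '#' lines are skipped, the first
    whitespace-separated field is the name, the next is the value, and a
    line with only one field (such as NAME=VALUE) is ignored entirely."""
    values = {}
    for line in login_defs_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 2:
            continue
        values[fields[0]] = fields[1].strip('"')
    return values


def failing_checks(login_defs_text, variables):
    """Names of the settings that do not satisfy the profile, for a report."""
    return sorted(k for k, ok in oval_evaluate(login_defs_text, variables).items() if not ok)


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_LOGIN_DEFS), ("compliant", COMPLIANT_LOGIN_DEFS)):
        print(name, oval_evaluate(text, COMMON_PROFILE))
        print(name, "as read by shadow:", getdef_parse(text))
```

On the constructed sample the max-age, min-age and min-length checks fail and only the warn-age check passes; the min-age failure is not because 7 is wrong but because `PASS_MIN_DAYS=7` matches neither the OVAL pattern nor the shadow parser, which is the same reason a host configured from the `=` form of the guidance would still be running with the default.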
On 5/29/12 5:26 PM, Jeffrey Blank wrote:
This addresses multiple issues with OVAL checks and XCCDF content not supporting Values to adjust their requirements for settings in /etc/login.defs.
Some remaining issues exist, such as the prose not being quite good yet, and I believe we will also break apart the OVAL check for minimum length to separately cover the settings in login.defs and pam_cracklib. But not today.
Jeffrey Blank (3):
  updated OVAL checks which inspect login.defs to support Values (variables)
  updated refine-value names for password items, removed defunct/commented profile items
  updated guidance to permit adjustment of password warning period, min/max age, length
    * also added to test profile, for your testing pleasure
 .../checks/accounts_maximum_age_login_defs.xml     | 26 ++++++---
 .../checks/accounts_minimum_age_login_defs.xml     | 31 +++++++----
 .../checks/accounts_password_minlen_login_defs.xml | 17 +++----
 .../accounts_password_warn_age_login_defs.xml      | 32 +++++++-----
 rhel6/src/input/profiles/common.xml                | 29 ++---------
 rhel6/src/input/profiles/test.xml                  | 17 ++++++
 .../accounts/restrictions/password_expiration.xml  | 56 +++++++++++++-------
 7 files changed, 121 insertions(+), 87 deletions(-)
Ack to the set
scap-security-guide@lists.fedorahosted.org