On 6/2/14, 6:48 AM, Rui Pedro Bernardino wrote:
The proposed patch replaces the constants found in XCCDF descriptions
by the profile values.
Using this patch, generated guides and reports will reflect the
profile specific values, eg, PASS_MIN_LEN description in rule
accounts_password_minlen_login_defs will reflect profile’s
var_accounts_password_minlen_login_defs and not the default ‘14’.
Rui Bernardino (1):
Replaced profile dependent constants by references to profile values
RHEL/6/input/services/ssh.xml | 4 +-
RHEL/6/input/system/accounts/pam.xml | 36 ++++++++++----------
RHEL/6/input/system/accounts/physical.xml | 4 +-
.../accounts/restrictions/account_expiration.xml | 8 ++---
.../accounts/restrictions/password_expiration.xml | 15 ++++----
RHEL/6/input/system/accounts/session.xml | 20 +++++-----
RHEL/6/input/system/auditing.xml | 23 +++++-------
RHEL/6/input/system/permissions/execution.xml | 7 ++--
RHEL/6/input/system/selinux.xml | 12 +++---
9 files changed, 62 insertions(+), 67 deletions(-)
--
Patch generates some whitespace errors:
$ git apply /tmp/rui1.patch
/tmp/rui1.patch:156: trailing whitespace.
module. In the file <tt>/etc/pam.d/system-auth</tt>, append <tt>remember=<sub idref="var_password_history_retain_limit" /></tt> to the
/tmp/rui1.patch:382: trailing whitespace.
Set this to <tt><sub idref="var_auditd_space_left_action"/></tt> (instead of the default which is <tt>suspend</tt>)
warning: 2 lines add whitespace errors.
<snip>
diff --git a/RHEL/6/input/services/ssh.xml b/RHEL/6/input/services/ssh.xml
index 695418a..e603834 100644
--- a/RHEL/6/input/services/ssh.xml
+++ b/RHEL/6/input/services/ssh.xml
@@ -150,7 +150,7 @@ automatically logged out.
<br /><br />
To set an idle timeout interval, edit the following line in
<tt>/etc/ssh/sshd_config</tt> as
follows:
-<pre>ClientAliveInterval <b>interval</b></pre>
+<pre>ClientAliveInterval <b><sub
idref="sshd_idle_timeout_value"/></b></pre>
verified the variable is expressed here, but yet.....
The timeout <b>interval</b> is given in seconds. To have
a timeout
of 15 minutes, set <b>interval</b> to 900.
<br /><br />
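Review bot: the unchanged context right after the changed line still reads "The timeout <b>interval</b> is given in seconds. To have a timeout of 15 minutes, set <b>interval</b> to 900", so once `<sub idref="sshd_idle_timeout_value"/>` replaces `interval` in the config line, the prose goes on to tell the reader to set a number the profile may not select. Reword those two sentences in the same hunk, e.g. "The timeout interval is given in seconds; this profile uses <sub idref="sshd_idle_timeout_value"/>", and drop the hard-coded 900, or keep `<b>interval</b>` as the placeholder in the `<pre>` and state the profile value beside it.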
@@ -163,7 +163,7 @@ from correctly detecting that the user is idle.
Run the following command to see what the timeout interval is:
<pre># grep ClientAliveInterval /etc/ssh/sshd_config</pre>
If properly configured, the output should be:
-<pre>ClientAliveInterval 900</pre>
+<pre>ClientAliveInterval <sub
idref="sshd_idle_timeout_value"/></pre>
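Review bot: the expected output inside `<pre>` now depends entirely on the `<sub>` being resolved at render time; with the openscap 1.0.8 build named later in this thread the substitution is reported as not populated, which turns "the output should be: ClientAliveInterval " into wrong guidance rather than merely a stale number. Before this goes in, generate a guide for a profile that refines sshd_idle_timeout_value and confirm the value shows up in this `<pre>`, or keep the literal `ClientAliveInterval 900` next to the substitution until the toolchain is known to resolve `<sub>` inside descriptions.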
..... the XCCDF variable does not get populated here.
and, <snip>
diff --git a/RHEL/6/input/system/accounts/pam.xml
b/RHEL/6/input/system/accounts/pam.xml
index feddbb6..2c58d54 100644
--- a/RHEL/6/input/system/accounts/pam.xml
+++ b/RHEL/6/input/system/accounts/pam.xml
@@ -225,7 +225,7 @@ operator="equals" interactive="0">
<description>To configure the number of retry prompts that are
permitted per-session:
<br /><br />
Edit the <tt>pam_cracklib.so</tt> statement in
<tt>/etc/pam.d/system-auth</tt> to
-show <tt>retry=3</tt>, or a lower value if site policy is more
restrictive.
+show <tt>retry=<sub
idref="var_password_pam_cracklib_retry"/></tt>,
or a lower value if site policy is more restrictive.
The XCCDF variable does not get populated here either.
And... <snip>
<br /><br />
The DoD requirement is a maximum of 3 prompts per session.
</description>
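Review bot: "or a lower value if site policy is more restrictive" no longer reads right once the number itself comes from the profile, since the profile value is the site policy; the line should just say show <tt>retry=<sub idref="var_password_pam_cracklib_retry"/></tt>. The unchanged "The DoD requirement is a maximum of 3 prompts per session" sentence that follows is fine as a standing requirement, but check the rendered description against a profile that refines var_password_pam_cracklib_retry to something other than 3, because the text would then show two different numbers side by side.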
@@ -273,14 +273,14 @@ Passwords with excessive repeating characters
may be more vulnerable to password
usage of digits in a password. When set to a negative number, any
password will be required to
contain that many digits. When set to a positive number, pam_cracklib
will grant +1 additional
length credit for each digit.
-Add <tt>dcredit=-1</tt> after pam_cracklib.so to require use of a
digit in passwords.
+Add <tt>dcredit=<sub
idref="var_password_pam_cracklib_dcredit"/></tt>
after pam_cracklib.so to require use of a digit in passwords.
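Review bot: the context just above explains that a negative dcredit requires that many digits while a positive one only grants length credit, yet the new line still says "to require use of a digit in passwords" whatever var_password_pam_cracklib_dcredit resolves to. Drop the purpose clause or make it conditional, e.g. "Add <tt>dcredit=<sub idref="var_password_pam_cracklib_dcredit"/></tt> after pam_cracklib.so; a negative value requires that many digits in the password."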
The XCCDF variable does not get populated here either.
I'm using:
$ rpm -qa openscap openscap-utils
openscap-utils-1.0.8-1.el6_5.x86_64
openscap-1.0.8-1.el6_5.x86_64
Did these substitutions work for you?
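For anyone following this thread who wants to see what a guide generator has to do with a `<sub idref="..."/>` before the description is readable, here is an added example. It is not code from scap-security-guide or OpenSCAP and not part of the patch: it resolves every `<sub>` in each Rule description against one Profile's `refine-value` selectors, falls back to the unselected default `<value>` when the profile refines nothing, and reports any `<sub>` whose idref matches no Value (the "does not get populated" case) instead of silently emitting empty text. The benchmark embedded in it is constructed for the script; the Value and Rule ids echo the ones in the patch but the bodies are made up.

```python
"""Resolve XCCDF <sub idref="..."/> placeholders in Rule descriptions
against one Profile, the way a guide generator must before rendering.

Added example for this thread; not scap-security-guide or OpenSCAP code.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
XHTML_NS = "http://www.w3.org/1999/xhtml"
NS = {"x": XCCDF_NS, "h": XHTML_NS}
SUB_TAG = "{%s}sub" % XCCDF_NS

# Constructed sample benchmark: one profile refines the retry Value, another
# refines the ssh timeout, and one <sub> points at a Value that does not exist.
SAMPLE_XCCDF = """<Benchmark xmlns="%s" xmlns:h="%s" id="sample">
  <Profile id="site">
    <refine-value idref="var_password_pam_cracklib_retry" selector="1"/>
  </Profile>
  <Profile id="short_timeout">
    <refine-value idref="sshd_idle_timeout_value" selector="5_minutes"/>
  </Profile>
  <Value id="var_password_pam_cracklib_retry" type="number">
    <value>3</value>
    <value selector="1">1</value>
  </Value>
  <Value id="sshd_idle_timeout_value" type="number">
    <value>900</value>
    <value selector="5_minutes">300</value>
  </Value>
  <Rule id="accounts_password_pam_retry" selected="false">
    <description>Edit <h:tt>/etc/pam.d/system-auth</h:tt> to show <h:tt>retry=<sub idref="var_password_pam_cracklib_retry"/></h:tt>.</description>
  </Rule>
  <Rule id="sshd_set_idle_timeout" selected="false">
    <description>Expected output: <h:pre>ClientAliveInterval <sub idref="sshd_idle_timeout_value"/></h:pre> Unknown: <sub idref="var_does_not_exist"/>.</description>
  </Rule>
</Benchmark>
""" % (XCCDF_NS, XHTML_NS)


def load_values(root):
    """Map Value id -> {selector: text}; the <value> with no selector is keyed ''."""
    values = {}
    for val in root.findall("x:Value", NS):
        values[val.get("id")] = {
            child.get("selector", ""): (child.text or "").strip()
            for child in val.findall("x:value", NS)
        }
    return values


def profile_selectors(root, profile_id):
    """Map Value id -> selector chosen by the profile's refine-value elements."""
    profile = root.find("x:Profile[@id='%s']" % profile_id, NS)
    if profile is None:
        raise KeyError("no Profile with id %r" % profile_id)
    return {rv.get("idref"): rv.get("selector", "")
            for rv in profile.findall("x:refine-value", NS)}


def resolve_sub(idref, values, selectors):
    """Text for one <sub>, or None when the idref names no Value at all."""
    choices = values.get(idref)
    if choices is None:
        return None
    selector = selectors.get(idref, "")
    if selector in choices:
        return choices[selector]
    # Selector refined by the profile but absent from the Value: this script
    # falls back to the unselected default rather than emitting nothing.
    return choices.get("")


def _splice_text(parent, index, text):
    """Replace parent[index] with plain text, keeping that element's tail."""
    child = parent[index]
    text = text + (child.tail or "")
    if index == 0:
        parent.text = (parent.text or "") + text
    else:
        prev = parent[index - 1]
        prev.tail = (prev.tail or "") + text
    parent.remove(child)


def resolve_descriptions(xml_text, profile_id):
    """Return (rule_id -> resolved description text, rule_id -> [unresolved idrefs])."""
    root = ET.fromstring(xml_text)
    values = load_values(root)
    selectors = profile_selectors(root, profile_id)
    resolved, unresolved = {}, {}
    for rule in root.findall("x:Rule", NS):
        rule_id = rule.get("id")
        desc = rule.find("x:description", NS)
        if desc is None:
            continue
        # Snapshot the element list: the tree is edited while it is walked.
        for parent in list(desc.iter()):
            # Right-to-left so a removal never shifts an unvisited index.
            for index in range(len(parent) - 1, -1, -1):
                child = parent[index]
                if child.tag != SUB_TAG:
                    continue
                text = resolve_sub(child.get("idref"), values, selectors)
                if text is None:
                    unresolved.setdefault(rule_id, []).append(child.get("idref"))
                    continue  # leave the <sub> in place so the gap is visible
                _splice_text(parent, index, text)
        resolved[rule_id] = "".join(desc.itertext())
    return resolved, unresolved


if __name__ == "__main__":
    for profile in ("site", "short_timeout"):
        texts, missing = resolve_descriptions(SAMPLE_XCCDF, profile)
        print("profile", profile)
        for rule_id, text in texts.items():
            print("  %s: %s" % (rule_id, text))
        for rule_id, idrefs in missing.items():
            print("  UNRESOLVED in %s: %s" % (rule_id, ", ".join(idrefs)))
```

Run it and the retry description comes back as `retry=1` under the `site` profile while the ssh rule shows `ClientAliveInterval 900` there and `ClientAliveInterval 300` under `short_timeout`; `var_does_not_exist` is listed as unresolved under both, which is the check worth adding to a build rather than letting an unresolved `<sub>` render as empty text.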