And actually attach the patch too (I hit the Send button too quickly. Sorry for the doubled post :().
Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

----- Original Message -----
> From: "Jan Lieskovsky" <[email protected]>
> To: [email protected]
> Sent: Tuesday, November 19, 2013 5:51:39 PM
> Subject: [PATCH] [Fedora] Include remediations for login.defs' based
> password minimum, maximum and warning age rules
>
>
> This patch adds remediation rules for /etc/login.defs based
> XCCDF rules for password minimum, maximum, and warning age.
>
> Passed basic regression testing.
>
> Please review.
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>

From 5b18bfa5a318b663e02a529846cc356f7ee8da8a Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <[email protected]> Date: Tue, 19 Nov 2013 17:46:40 +0100 Subject: [PATCH] [Fedora] Include remediations for login.defs' based password minimum, maximum and warning age rules Signed-off-by: Jan Lieskovsky <[email protected]> --- Fedora/input/fixes/bash/accounts_maximum_age_login_defs.sh | 9 +++++++++ Fedora/input/fixes/bash/accounts_minimum_age_login_defs.sh | 9 +++++++++ Fedora/input/fixes/bash/accounts_password_warn_age_login_defs.sh | 9 +++++++++ Fedora/input/profiles/common.xml | 5 ++++- Fedora/scap-security-guide.spec | 6 +++++- 5 files changed, 36 insertions(+), 2 deletions(-) create mode 100644 Fedora/input/fixes/bash/accounts_maximum_age_login_defs.sh create mode 100644 Fedora/input/fixes/bash/accounts_minimum_age_login_defs.sh create mode 100644 Fedora/input/fixes/bash/accounts_password_warn_age_login_defs.sh diff --git a/Fedora/input/fixes/bash/accounts_maximum_age_login_defs.sh b/Fedora/input/fixes/bash/accounts_maximum_age_login_defs.sh new file mode 100644 index 0000000..9232e32 --- /dev/null +++ b/Fedora/input/fixes/bash/accounts_maximum_age_login_defs.sh @@ -0,0 +1,9 @@ +source ./templates/support.sh +populate var_accounts_maximum_age_login_defs + +grep -q ^PASS_MAX_DAYS /etc/login.defs && \ +sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs/g" /etc/login.defs +if ! [ $? -eq 0 ] +then + echo -e "PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs" >> /etc/login.defs +fi diff --git a/Fedora/input/fixes/bash/accounts_minimum_age_login_defs.sh b/Fedora/input/fixes/bash/accounts_minimum_age_login_defs.sh new file mode 100644 index 0000000..adc6545 --- /dev/null +++ b/Fedora/input/fixes/bash/accounts_minimum_age_login_defs.sh 
@@ -0,0 +1,9 @@ +source ./templates/support.sh +populate var_accounts_minimum_age_login_defs + +grep -q ^PASS_MIN_DAYS /etc/login.defs && \ +sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs/g" /etc/login.defs +if ! [ $? -eq 0 ] +then + echo -e "PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs" >> /etc/login.defs +fi diff --git a/Fedora/input/fixes/bash/accounts_password_warn_age_login_defs.sh b/Fedora/input/fixes/bash/accounts_password_warn_age_login_defs.sh new file mode 100644 index 0000000..fac21ec --- /dev/null +++ b/Fedora/input/fixes/bash/accounts_password_warn_age_login_defs.sh @@ -0,0 +1,9 @@ +source ./templates/support.sh +populate var_accounts_password_warn_age_login_defs + +grep -q ^PASS_WARN_AGE /etc/login.defs && \ +sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs +if ! [ $? -eq 0 ] +then + echo -e "PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs" >> /etc/login.defs +fi diff --git a/Fedora/input/profiles/common.xml b/Fedora/input/profiles/common.xml index e7d7d25..a1d7f53 100644 --- a/Fedora/input/profiles/common.xml +++ b/Fedora/input/profiles/common.xml 
@@ -23,10 +23,13 @@ <select idref="gid_passwd_group_same" selected="true"/> <select idref="no_netrc_files" selected="true"/> <!-- Set Password Expiration Parameters section rules --> - <select idref="accounts_password_minlen_login_defs" selected="true"/> <refine-value idref="var_accounts_password_minlen_login_defs" selector="12" /> + <select idref="accounts_password_minlen_login_defs" selected="true"/> + <refine-value idref="var_accounts_minimum_age_login_defs" selector="7"/> <select idref="accounts_minimum_age_login_defs" selected="true"/> + <refine-value idref="var_accounts_maximum_age_login_defs" selector="90"/> <select idref="accounts_maximum_age_login_defs" selected="true"/> + <refine-value idref="var_accounts_password_warn_age_login_defs" selector="7"/> <select idref="accounts_password_warn_age_login_defs" selected="true"/> </Profile> diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec index c418b93..3c88ddd 100644 --- a/Fedora/scap-security-guide.spec +++ b/Fedora/scap-security-guide.spec @@ -5,7 +5,7 @@ # file one level up - in the main scap-security-guide directory (instead of # this one). -%global fedorassgversion 4.rc1 +%global fedorassgversion 4.rc2 Name: scap-security-guide Version: 0.1.%{fedorassgversion} @@ -53,6 +53,10 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man %doc Fedora/LICENSE Fedora/output/ssg-fedora-guide.html %changelog +* Tue Nov 19 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc2-1 +- Include remediations for login.defs' based password minimum, maximum and + warning age rules + * Mon Nov 18 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc1-1 - Include directory structure to support remediations - Add SCAP "replace or append pattern value in text file based on variable" -- 1.8.3.1
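
Review bot: In accounts_maximum_age_login_defs.sh the sed substitution is not anchored the way the grep guard is: grep tests for `^PASS_MAX_DAYS`, but `s/PASS_MAX_DAYS.*/.../g` rewrites every line that contains the string, including commented-out or descriptive lines that mention PASS_MAX_DAYS. Anchoring it as `s/^PASS_MAX_DAYS.*/PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs/` limits the change to the active setting, and the `g` flag can then be dropped. The PASS_MIN_DAYS and PASS_WARN_AGE scripts have the same pattern.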
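
Review bot: In accounts_minimum_age_login_defs.sh the `if ! [ $? -eq 0 ]` test sees the status of the whole `grep -q ... && sed -i ...` list, so the append branch runs both when the key is absent and when grep matched but sed failed. In the second case, if the append succeeds, the file ends up with the old PASS_MIN_DAYS line plus a new one. Branching on grep alone (`if grep -q '^PASS_MIN_DAYS' /etc/login.defs; then sed ...; else echo ... >> /etc/login.defs; fi`) keeps the two cases apart and lets a sed failure surface as the script's exit status.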
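
Review bot: accounts_password_warn_age_login_defs.sh puts $var_accounts_password_warn_age_login_defs into the sed replacement and the echo without checking it: if the variable ends up empty the script writes a bare PASS_WARN_AGE line, and a value containing `/` or `&` changes the meaning of the sed expression. A check that the value is a non-negative integer before /etc/login.defs is touched would cover both. Since the three new scripts differ only in the key and the variable name, that check and the replace-or-append logic could live in one function in the support.sh they already source.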
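
Review bot: Neither the commit message nor the new %changelog entry mentions the values that the common.xml hunk selects for the common profile (refine-value selector 7 for minimum age, 90 for maximum age, 7 for warning age); both describe only the remediation scripts. Please name these values in the commit message so the policy change is visible in the history. As a style point, the added lines use `selector="7"/>` while the existing minlen line uses `selector="12" />`; one spacing throughout would be cleaner.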
