>From cbb4eabf8a9125406050bf521bc676313369a81e Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Mon, 23 Dec 2013 07:56:21 -0500 Subject: [PATCH 19/25] accounts_password_minlen_login_defs --> shared/ && bugfix to RHEL6 CCP profile
- RHEL6 CCP profile using incorect XCCDF variable for password length, updating to var_accounts_password_minlen_login_defs - Moved accounts_password_minlen_login_defs to shared/ - Added symlinks Signed-off-by: Shawn Wells <[email protected]> --- :100644 120000 2932c62... 1620037... T RHEL/6/input/checks/accounts_password_minlen_login_defs.xml :100644 100644 ae0108a... bee24dd... M RHEL/6/input/profiles/rht-ccp.xml :000000 120000 0000000... 1620037... A RHEL/7/input/checks/accounts_password_minlen_login_defs.xml :100644 100644 26ed7b9... 904bc5d... M scap-security-guide.spec :000000 100644 0000000... 2fc1556... A shared/oval/accounts_password_minlen_login_defs.xml .../checks/accounts_password_minlen_login_defs.xml | 35 +--------------------- RHEL/6/input/profiles/rht-ccp.xml | 3 +- .../checks/accounts_password_minlen_login_defs.xml | 1 + scap-security-guide.spec | 1 + .../oval/accounts_password_minlen_login_defs.xml | 35 ++++++++++++++++++++++ 5 files changed, 39 insertions(+), 36 deletions(-) diff --git a/RHEL/6/input/checks/accounts_password_minlen_login_defs.xml b/RHEL/6/input/checks/accounts_password_minlen_login_defs.xml deleted file mode 100644 index 2932c62..0000000 --- a/RHEL/6/input/checks/accounts_password_minlen_login_defs.xml +++ /dev/null @@ -1,34 +0,0 @@ -<def-group> - - <definition class="compliance" id="accounts_password_minlen_login_defs" version="1"> - <metadata> - <title>Set Password Expiration Parameters</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>The password minimum length should be set appropriately.</description> - <reference source="swells" ref_id="20130914" ref_url="test_attestation" /> - </metadata> - <criteria operator="AND"> - <criterion test_ref="test_etc_login_defs" /> - </criteria> - </definition> - - <ind:textfilecontent54_test check="all" comment="check PASS_MIN_LEN in /etc/login.defs" id="test_etc_login_defs" version="1"> - <ind:object object_ref="object_etc_login_defs" /> - <ind:state state_ref="state_accounts_password_minlen_login_defs" /> - </ind:textfilecontent54_test> - - <ind:textfilecontent54_object id="object_etc_login_defs" version="1"> - <ind:filepath>/etc/login.defs</ind:filepath> - <ind:pattern operation="pattern match">^PASS_MIN_LEN\s+(\d+)\s*$</ind:pattern> - <ind:instance datatype="int">1</ind:instance> - </ind:textfilecontent54_object> - - <ind:textfilecontent54_state id="state_accounts_password_minlen_login_defs" version="1"> - <ind:subexpression operation="greater than or equal" var_ref="var_accounts_password_minlen_login_defs" datatype="int" /> - </ind:textfilecontent54_state> - - <external_variable comment="password minimum length" datatype="int" id="var_accounts_password_minlen_login_defs" version="1" /> - -</def-group> diff --git a/RHEL/6/input/checks/accounts_password_minlen_login_defs.xml b/RHEL/6/input/checks/accounts_password_minlen_login_defs.xml new file mode 120000 index 0000000..1620037 --- /dev/null +++ b/RHEL/6/input/checks/accounts_password_minlen_login_defs.xml @@ -0,0 +1 @@ +../../../../shared/oval/accounts_password_minlen_login_defs.xml \ No newline at end of file diff --git a/RHEL/6/input/profiles/rht-ccp.xml b/RHEL/6/input/profiles/rht-ccp.xml index ae0108a..bee24dd 100644 --- a/RHEL/6/input/profiles/rht-ccp.xml +++ b/RHEL/6/input/profiles/rht-ccp.xml @@ -7,12 +7,11 @@ <refine-value idref="file_owner_logfiles_value" selector="root"/> <refine-value idref="file_groupowner_logfiles_value" selector="root"/> <refine-value idref="sshd_idle_timeout_value" selector="5_minutes"/> -<refine-value idref="var_password_min_len" selector="6"/> +<refine-value idref="var_accounts_password_minlen_login_defs" selector="6"/> <refine-value idref="var_password_max_age" selector="90"/> <refine-value idref="var_password_min_age" selector="7"/> <refine-value idref="var_password_warn_age" selector="7"/> <refine-value idref="var_password_pam_cracklib_retry" selector="3"/> -<refine-value idref="var_password_pam_cracklib_minlen" selector="14"/> <refine-value idref="var_password_pam_cracklib_dcredit" selector="1"/> <refine-value idref="var_password_pam_cracklib_ucredit" selector="2"/> <refine-value idref="var_password_pam_cracklib_ocredit" selector="2"/> diff --git a/RHEL/7/input/checks/accounts_password_minlen_login_defs.xml b/RHEL/7/input/checks/accounts_password_minlen_login_defs.xml new file mode 120000 index 0000000..1620037 --- /dev/null +++ b/RHEL/7/input/checks/accounts_password_minlen_login_defs.xml @@ -0,0 +1 @@ +../../../../shared/oval/accounts_password_minlen_login_defs.xml \ No newline at end of file diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 26ed7b9..904bc5d 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -71,6 +71,7 @@ cp -a RHEL/6/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man - OVAL for no_empty_passwords - OVAL for no_hashes_outside_shadow - OVAL for accounts_no_uid_except_zero +- OVAL for accounts_password_minlen_login_defs * Fri Nov 01 2013 Jan iankko Lieskovsky <[email protected]> 0.1-15 - Version bump diff --git a/shared/oval/accounts_password_minlen_login_defs.xml b/shared/oval/accounts_password_minlen_login_defs.xml new file mode 100644 index 0000000..2fc1556 --- /dev/null +++ b/shared/oval/accounts_password_minlen_login_defs.xml @@ -0,0 +1,35 @@ +<def-group> + + <definition class="compliance" id="accounts_password_minlen_login_defs" version="1"> + <metadata> + <title>Set Password Expiration Parameters</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + <platform>Red Hat Enterprise Linux 7</platform> + </affected> + <description>The password minimum length should be set appropriately.</description> + <reference source="swells" ref_id="20130914" ref_url="test_attestation" /> + </metadata> + <criteria operator="AND"> + <criterion test_ref="test_etc_login_defs" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" comment="check PASS_MIN_LEN in /etc/login.defs" id="test_etc_login_defs" version="1"> + <ind:object object_ref="object_etc_login_defs" /> + <ind:state state_ref="state_accounts_password_minlen_login_defs" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_etc_login_defs" version="1"> + <ind:filepath>/etc/login.defs</ind:filepath> + <ind:pattern operation="pattern match">^PASS_MIN_LEN\s+(\d+)\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_state id="state_accounts_password_minlen_login_defs" version="1"> + <ind:subexpression operation="greater than or equal" var_ref="var_accounts_password_minlen_login_defs" datatype="int" /> + </ind:textfilecontent54_state> + + <external_variable comment="password minimum length" datatype="int" id="var_accounts_password_minlen_login_defs" version="1" /> + +</def-group> -- 1.8.3.1
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
