Hello Steve, Shawn, folks,
----- Original Message -----
> From: "Steve Grubb" <[email protected]>
> To: "Jan Lieskovsky" <[email protected]>
> Cc: "SCAP Security Guide" <[email protected]>,
> "Shawn Wells" <[email protected]>
> Sent: Tuesday, March 25, 2014 1:41:07 PM
> Subject: Re: Minimum Password Length ...
>
> On Friday, March 21, 2014 12:40:40 PM Jan Lieskovsky wrote:
> > > But because both the RHEL6 SSG and RHEL6 STIG require this functionality
> > > to be configured only in /etc/login.defs as opposed to
> > > /etc/pam.d/system-auth, it was questionable.
> > >
> > > While system certifications simply require checking that a system is
> > > configured in accordance with a published STIG, DSS will actually check to
> > > see that the intended requirements are actually enforced (i.e. actually
> > > attempt a non-compliant password as opposed to checking for applied
> > > settings).
> > >
> > > So if we are all in agreement, could the SSG check and fix for this please
> > > be changed to include the setting that gets enforced (minlen=14 in
> > > /etc/pam.d/system-auth)?
> >
> > You are truly right that on Red Hat Enterprise Linux 5 the rule checks both
> > conditions:
> >
> > http://ovaldb.altx-soft.ru/Definition.aspx?id=oval:gov.nist.usgcb.rhel:def:20071
> >
> > while in SSG content for Red Hat Enterprise Linux 6 just /etc/login.defs
> > condition:
> > https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/shared/oval/accounts_password_minlen_login_defs.xml
> >
> > But (slight) uncertainty comes from the following:
> > * in RHEL-5 the rule is titled "CCE-4541-1: Set password minimum length"
> > (thus somehow implying this should be system-wide check). While
> > * on RHEL-6 it is titled "2.4.1.3.a. Set Password Minimum Length in
> > login.defs (CCE-27002-5)" (thus somehow implying it should be checking just
> > login.defs file due the login.defs being emphasized in the title).
> >
> > This makes me believe the original intention when creating RHEL-6 content
> > was to have just login.defs specific rule,
>
> I strongly suspect that this is entirely a misunderstanding. Login.defs is
> intended for use with shadow-utils. It provides a number of utilities that we
> do not use at all. They are deleted in the build stage. Those same utilities
> are provided by other packages such as util-linux. The other utilities not
> being part of shadow-utils have no integration with that file except when the
> upstream decided to use it. It is for this reason we labelled the setting as
> "has no effect".
I have had a further look into this and, mainly based on:
[1] http://h20331.www2.hp.com/enterprise/downloads/RHEL5-CC-EAL4-HP-Configuration-Guide.pdf
(sections "3.14 Configuring default account properties" and
"3.13.1 /etc/pam.d/system-auth" of it)
I (now) understand what you meant when referring to the /etc/login.defs setting as
"having no effect".

Attached is the patch introducing the accounts_password_pam_cracklib_minlen OVAL
check for the existing accounts' password requirements check. The existing login.defs
check has been kept there (due to results from testing I will speak further about
below), but its title was changed to explicitly mention it changes only future
accounts' password requirements (and an explicit bold paragraph stating that was
added too). Please review.
I also performed wider (RHEL-6) testing and noticed the following:
* /etc/login.defs settings are honoured by tools like useradd or system-config-users
  (when creating new users) - so keeping the /etc/login.defs checks seems to make
  sense at least from the PoV of administrators accustomed to managing user accounts
  via these tools,
* the kuser tool from the kdeadmin package seems to load the warning_age / min_age /
  max_age values from the /etc/default/useradd file. So probably we should add yet
  another rule checking /etc/default/useradd settings to have the kuser use case
  covered too? Opinion on this appreciated.
* I didn't look at / test the behaviour / configuration of the libuser tools
  (luseradd, lpasswd etc.) yet. This still needs to be done.
>
>
> > and then add a pam_cracklib
> > specific rule into / under: "Set Password Quality Requirements" subsection
> > of "Protect Accounts by Configuring PAM" section (maybe to have login.defs
> > and PAM rules separated into sections?) But looks the second part (adding
> > "minlen" check for PAM case) wasn't realized later.
> >
> > The summary being -- you are correct, the PAM minlen check should be added
> > to the current form of RHEL-6 SSG content. The question is where we want to
> > have this check being added -- if into minimum password length login.defs
> > rule (like it's done on RHEL-5) or under the PAM section (where it might
> > seem to be more logical to belong to).
>
> There should be no check of login.defs for minlen. You also have to
> understand, there has been no engineering check of the validity of SSG
> settings from top to bottom to compare against what we _designed_ as the
> lockdown settings for common criteria. Common Criteria is the starting point
> for the locking down of the system because that is where we had to demonstrate
> everything to a third party lab assessing the security.
FWIW regarding that CC document -- maybe we could create a new common_criteria
profile for the RHEL-6 content and within that review the instructions from that
document section by section to ensure they are reflected in RHEL-6's SCAP content
(IOW adding the rules to the proposed common_criteria profile only at the moment
the relevant section from that document has been reviewed and the particular test
is implemented in the profile to comply with the behaviour described in the
document). SSG mailing list opinion on this point would be appreciated too (I can
do that, we just need to define the priority of it and include it in some of the
upcoming sprints for our team).
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
P.S.: A couple of margin notes to the patch itself yet:
* the check was intentionally placed under the RHEL/6/input/checks directory
  (rather than into the shared/oval one). The reason being the different modules
  (pam_cracklib in RHEL-6 vs pam_pwquality in Fedora and RHEL-7). While the
  pam_pwquality functionality / options look / work similar to those from
  pam_cracklib, it didn't look correct to me to merge the checks (and possibly
  introduce yet more confusion),
* the patch testing uncovered some invalid sysctl selectors (typos in the names)
  in the OpenStack / RHEVM3 profiles => the patch fixes these too,
* the RHEL/6/input/profiles/CS2.xml profile also has invalid selectors (typos
  s/acount/account/ and the three sysctl ones), but besides that it contains
  some whitespace noise yet, so I will create a dedicated / specific patch just
  for this case (not to mix unrelated things),
* it has been tested on RHEL-6 and seems to be working properly. But review /
  testing appreciated as always.
>
> -Steve
>
> > I can come with a patch proposal, just first need someone on the list to
> > clarify the expected rule location. Shawn, can you possibly hint on this?
> >
> > Thank you && Regards, Jan.
> > --
> > Jan iankko Lieskovsky / Red Hat Security Technologies Team
> >
> > > Thanks!
> > >
> > > Best regards,
> > >
> > >
> > > Trey Henefield, CISSP
> > > Senior IAVA Engineer
> > >
> > > Ultra Electronics
> > > Advanced Tactical Systems, Inc.
> > > 4101 Smith School Road
> > > Building IV, Suite 100
> > > Austin, TX 78744 USA
> > >
> > > [email protected]
> > > Tel: +1 512 327 6795 ext. 647
> > > Fax: +1 512 327 8043
> > > Mobile: +1 512 541 6450
> > >
> > > www.ultra-ats.com
> > >
> > > -----Original Message-----
> > > From: Steve Grubb [mailto:[email protected]]
> > > Sent: Thursday, March 20, 2014 7:59 AM
> > > To: [email protected]
> > > Cc: Trey Henefield
> > > Subject: Re: Minimum Password Length ...
> > >
> > > On Thursday, March 20, 2014 07:28:34 AM Trey Henefield wrote:
> > > > Nobody has seemed to respond to this. But this is an issue.
> > > >
> > > > In /etc/login.defs, I have PASS_MIN_LEN set to 14, yet as a user, I
> > > > can set the following password 56tyghbn%^TY which only has 12
> > > > characters via the passwd command.
> > >
> > > In our common criteria setup, we have annotated the login.defs file with
> > > the following:
> > >
> > > # The evaluated configuration constraints are:
> > > # PASS_MAX_DAYS MAY be changed, must be <= 60
> > > # PASS_MAX_DAYS MAY be changed, 0 < PASS_MIN_DAYS < PASS_MAX_DAYS
> > > # PASS_MIN_LEN has no effect in the evaluated configuration
> > > # PASS_WARN_AGE MAY be changed
> > >
> > >
> > > Note...has no effect...
> > >
> > > The intended way can be seen in system-auth:
> > >
> > > password requisite pam_cracklib.so try_first_pass retry=3 type=
> > > password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> > > password required pam_deny.so
> > >
> > > Of these, cracklib is responsible for enforcing password policy. Checking
> > > its man page, it has something called minlen. Looking at the RHEL5 USGCB
> > > settings, this is in fact how it's set:
> > >
> > > sed -i "/pam_cracklib.so/s/retry=3/retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3/" /etc/pam.d/system-auth
> > >
> > > So, to have 14, alter the above settings to correct it.
> > >
> > > -Steve
> > >
> > >
> > > _______________________________________________
> > > scap-security-guide mailing list
> > > [email protected]
> > > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

From 60def65686a7663806c3940f60c65cf32448a868 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Wed, 26 Mar 2014 17:07:40 +0100
Subject: [PATCH] [RHEL/6] Introduce accounts_password_pam_cracklib_minlen OVAL
check (enforcing user's password minimum length requirements for existing
user accounts according to CC). Also make a note in the
accounts_password_minlen_login_defs description to make it clear the
/etc/login.defs setting is honoured only for newly added user accounts (but
still used by tools like useradd or system-config-users).
Also fix a couple of typos (undefined selectors warning message) in
OpenStack's / RHEVM3's stig-rhevm3 profile that arose during patch testing.
Signed-off-by: Jan Lieskovsky <[email protected]>
---
OpenStack/input/profiles/stig-rhevm3.xml | 6 +--
.../accounts_password_pam_cracklib_minlen.xml | 35 ++++++++++++++++
RHEL/6/input/profiles/common.xml | 7 ++--
.../6/input/profiles/fisma-medium-rhel6-server.xml | 4 +-
RHEL/6/input/profiles/rht-ccp.xml | 2 +
RHEL/6/input/profiles/usgcb-rhel6-server.xml | 2 +
RHEL/6/input/system/accounts/pam.xml | 48 ++++++++++++++++++----
.../accounts/restrictions/password_expiration.xml | 27 ++++++------
RHEVM3/input/profiles/stig-rhevm3.xml | 6 +--
9 files changed, 105 insertions(+), 32 deletions(-)
create mode 100644 RHEL/6/input/checks/accounts_password_pam_cracklib_minlen.xml
diff --git a/OpenStack/input/profiles/stig-rhevm3.xml b/OpenStack/input/profiles/stig-rhevm3.xml
index d80e69a..3e0aa53 100644
--- a/OpenStack/input/profiles/stig-rhevm3.xml
+++ b/OpenStack/input/profiles/stig-rhevm3.xml
@@ -74,9 +74,9 @@
<select idref="enable_randomize_va_space" selected="true"/>
<select idref="enable_execshield" selected="true"/>
-<select idref="disable_sysctl_ipv4_default_send_redirects" selected="true"/>
-<select idref="disable_sysctl_ipv4_all_send_redirects" selected="true"/>
-<select idref="disable_sysctl_ipv4_ip_forward" selected="true"/>
+<select idref="sysctl_net_ipv4_conf_default_send_redirects" selected="true"/>
+<select idref="sysctl_ipv4_all_send_redirects" selected="true"/>
+<select idref="sysctl_ipv4_ip_forward" selected="true"/>
<select idref="set_sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/>
<select idref="set_sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/>
<select idref="set_sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/>
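Review bot: the three replacement idrefs are not named consistently: `sysctl_net_ipv4_conf_default_send_redirects` carries the full `net_ipv4_conf` path while `sysctl_ipv4_all_send_redirects` and `sysctl_ipv4_ip_forward` do not, and the unchanged neighbouring lines use yet another `set_sysctl_net_ipv4_conf_...` form. Since the commit message says these edits exist to silence undefined-selector warnings, please confirm that each new idref matches the exact Rule id in the RHEL/6 sysctl content; a renamed but still undefined id would simply reproduce the warning.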
diff --git a/RHEL/6/input/checks/accounts_password_pam_cracklib_minlen.xml b/RHEL/6/input/checks/accounts_password_pam_cracklib_minlen.xml
new file mode 100644
index 0000000..a27df4a
--- /dev/null
+++ b/RHEL/6/input/checks/accounts_password_pam_cracklib_minlen.xml
@@ -0,0 +1,35 @@
+<def-group>
+
+ <definition class="compliance" id="accounts_password_pam_cracklib_minlen" version="1">
+ <metadata>
+ <title>Set Password minlen Requirements</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The password minlen should meet minimum requirements using pam_cracklib</description>
+ <reference source="JL" ref_id="20140326" ref_url="test_attestation" />
+ </metadata>
+ <criteria>
+ <criterion comment="Conditions for pam_cracklib's minlen are satisfied" test_ref="test_password_pam_cracklib_minlen" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="test_password_pam_cracklib_minlen" version="1">
+ <ind:object object_ref="obj_password_pam_cracklib_minlen" />
+ <ind:state state_ref="state_password_pam_cracklib_minlen" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_password_pam_cracklib_minlen" version="1">
+ <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]minlen=(\d+)(?:[\s]|$)</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_password_pam_cracklib_minlen" version="1">
+ <ind:instance datatype="int">1</ind:instance>
+ <ind:subexpression datatype="int" operation="greater than or equal" var_ref="var_password_pam_cracklib_minlen" />
+ </ind:textfilecontent54_state>
+
+ <external_variable comment="External variable for pam_cracklib minlen" datatype="int" id="var_password_pam_cracklib_minlen" version="1" />
+
+</def-group>
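Review bot: the `ind:pattern` is not tied to `pam_cracklib.so`: it accepts `minlen=` on any `password required|requisite` line, so a `minlen` argument on some other module line would satisfy a check whose title and description promise pam_cracklib; suggest adding `pam_cracklib\.so` to the pattern between the control flag and the `minlen=` token. Also note how `check="all"` interacts with a state that requires `instance` equal to 1: if two matching lines exist, the second collected item (instance 2) fails the state and the whole test fails even when both values are large enough. If "exactly one minlen line" is the intended rule it deserves a comment; otherwise drop the `ind:instance` element from the state.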
diff --git a/RHEL/6/input/profiles/common.xml b/RHEL/6/input/profiles/common.xml
index e96823f..c023308 100644
--- a/RHEL/6/input/profiles/common.xml
+++ b/RHEL/6/input/profiles/common.xml
@@ -51,6 +51,7 @@
<select idref="accounts_minimum_age_login_defs" selected="true"/>
<select idref="accounts_maximum_age_login_defs" selected="true"/>
<select idref="accounts_password_warn_age_login_defs" selected="true"/>
+<select idref="accounts_password_pam_cracklib_minlen" selected="true"/>
<select idref="accounts_password_pam_cracklib_retry" selected="true"/>
<select idref="accounts_password_pam_cracklib_dcredit" selected="true"/>
<select idref="accounts_password_pam_cracklib_ucredit" selected="true"/>
@@ -229,17 +230,17 @@ these should likely be moved out of common.
<refine-value idref="var_umask_for_daemons" selector="027"/>
<!-- daemon umask -->
<refine-value idref="var_accounts_password_minlen_login_defs" selector="14"/>
-<!-- password minimum length -->
+<!-- Future passwords minimum length -->
<refine-value idref="var_accounts_maximum_age_login_defs" selector="90"/>
<!-- maximum password age -->
<refine-value idref="var_accounts_minimum_age_login_defs" selector="7"/>
<!-- minimum password age -->
<refine-value idref="var_accounts_password_warn_age_login_defs" selector="7"/>
<!-- password warn age -->
-<refine-value idref="var_password_pam_cracklib_retry" selector="3"/>
-<!-- Number of retry attempts before erroring out -->
<refine-value idref="var_password_pam_cracklib_minlen" selector="14"/>
<!-- Minimum number of characters in password -->
+<refine-value idref="var_password_pam_cracklib_retry" selector="3"/>
+<!-- Number of retry attempts before erroring out -->
<refine-value idref="var_password_pam_cracklib_dcredit" selector="1"/>
<!-- Minimum number of digits in password -->
<refine-value idref="var_password_pam_cracklib_ucredit" selector="2"/>
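Review bot: removing and re-adding the `var_password_pam_cracklib_retry` refine-value and its comment only moves it below the minlen entry; that is a cosmetic reorder that enlarges a patch described as introducing a new check and fixing selectors, so either drop it or mention it in the commit message. The comment change to `Future passwords minimum length` is fine, but it would read better aligned with the wording chosen for the rule title in password_expiration.xml (`For User Accounts Created in the Future`).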
diff --git a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
index 07e9ba9..502e497 100644
--- a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
+++ b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
@@ -1,5 +1,5 @@
<Profile id="fisma-medium-rhel6-server">
-<title>FISAMA Medium for Red Hat Enterprise Linux 6</title>
+<title>FISMA Medium for Red Hat Enterprise Linux 6</title>
<description>FISMA Medium for Red Hat Enterprise Linux 6</description>
<!-- ACCESS CONTROL (AC) -->
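Review bot: the `FISAMA` to `FISMA` title fix is not mentioned in the commit message, which only lists the selector typos in the OpenStack/RHEVM3 profiles; add it there, or split it out the way the P.S. proposes for the CS2.xml cleanup, so the change log stays accurate.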
@@ -276,6 +276,8 @@
<select idref="bootloader_password" selected="true" />
<!-- IA-5 -->
+<refine-value idref="var_password_pam_cracklib_minlen" selector="12" />
+<select idref="accounts_password_pam_cracklib_minlen" selected="true" />
<select idref="accounts_password_pam_cracklib_retry" selected="true" />
<select idref="password_require_consecrepeat" selected="true" />
<select idref="accounts_password_pam_cracklib_ucredit" selected="true" />
diff --git a/RHEL/6/input/profiles/rht-ccp.xml b/RHEL/6/input/profiles/rht-ccp.xml
index 505965a..5e84193 100644
--- a/RHEL/6/input/profiles/rht-ccp.xml
+++ b/RHEL/6/input/profiles/rht-ccp.xml
@@ -12,6 +12,7 @@
<refine-value idref="var_accounts_minimum_age_login_defs" selector="7"/>
<refine-value idref="var_accounts_passwords_pam_faillock_deny" selector="5" />
<refine-value idref="var_accounts_password_warn_age_login_defs" selector="7"/>
+<refine-value idref="var_password_pam_cracklib_minlen" selector="6"/>
<refine-value idref="var_password_pam_cracklib_retry" selector="3"/>
<refine-value idref="var_password_pam_cracklib_dcredit" selector="1"/>
<refine-value idref="var_password_pam_cracklib_ucredit" selector="2"/>
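Review bot: `selector="6"` requires a `<value selector="6">` entry in the `var_password_pam_cracklib_minlen` Value in pam.xml. The pam.xml hunk in this patch shows only the upper selectors (14, 15) of that Value, so please verify that 6 is defined; otherwise this profile will emit the same undefined-selector warning the patch fixes elsewhere.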
@@ -54,6 +55,7 @@
<select idref="accounts_minimum_age_login_defs" selected="true"/>
<select idref="accounts_maximum_age_login_defs" selected="true"/>
<select idref="accounts_password_warn_age_login_defs" selected="true"/>
+<select idref="accounts_password_pam_cracklib_minlen" selected="true"/>
<select idref="accounts_password_pam_cracklib_retry" selected="true"/>
<select idref="accounts_password_pam_cracklib_dcredit" selected="true"/>
<select idref="accounts_password_pam_cracklib_ucredit" selected="true"/>
diff --git a/RHEL/6/input/profiles/usgcb-rhel6-server.xml b/RHEL/6/input/profiles/usgcb-rhel6-server.xml
index 1716e73..96aea42 100644
--- a/RHEL/6/input/profiles/usgcb-rhel6-server.xml
+++ b/RHEL/6/input/profiles/usgcb-rhel6-server.xml
@@ -70,6 +70,8 @@
<select idref="accounts_maximum_age_login_defs" selected="true" />
<refine-value idref="var_accounts_password_minlen_login_defs" selector="12" />
<select idref="accounts_password_minlen_login_defs" selected="true" />
+<refine-value idref="var_password_pam_cracklib_minlen" selector="12" />
+<select idref="accounts_password_pam_cracklib_minlen" selected="true" />
<refine-value idref="var_password_pam_cracklib_retry" selector="3" />
<select idref="accounts_password_pam_cracklib_retry" selected="true" />
<refine-value idref="var_password_pam_cracklib_dcredit" selector="1" />
diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml
index aacab89..a61b578 100644
--- a/RHEL/6/input/system/accounts/pam.xml
+++ b/RHEL/6/input/system/accounts/pam.xml
@@ -116,15 +116,6 @@ your organization's security policy. Discussion of each parameter follows.
requirements are not enforced for the root account for some
reason.</warning>
-<Value id="var_password_pam_cracklib_retry" type="number" operator="equals" interactive="0">
-<title>retry</title>
-<description>Number of retry attempts before erroring out</description>
-<value selector="">3</value>
-<value selector="1">1</value>
-<value selector="2">2</value>
-<value selector="3">3</value>
-</Value>
-
<Value id="var_password_pam_cracklib_minlen" type="number"
operator="equals" interactive="0">
<title>minlen</title>
@@ -138,6 +129,16 @@ operator="equals" interactive="0">
<value selector="14">14</value>
<value selector="15">15</value>
</Value>
+
+<Value id="var_password_pam_cracklib_retry" type="number" operator="equals" interactive="0">
+<title>retry</title>
+<description>Number of retry attempts before erroring out</description>
+<value selector="">3</value>
+<value selector="1">1</value>
+<value selector="2">2</value>
+<value selector="3">3</value>
+</Value>
+
<Value id="var_password_pam_cracklib_dcredit" type="number"
operator="equals" interactive="0">
<title>dcredit</title>
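Review bot: this hunk together with the previous one only moves the `var_password_pam_cracklib_retry` Value block below the minlen Value; the removed and re-added content is byte-identical. As with the common.xml reorder, it is unrelated churn in a patch whose subject is a new OVAL check; consider leaving the ordering alone so the diff shows only the functional change.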
@@ -220,6 +221,35 @@ operator="equals" interactive="0">
<value selector="100000000">100000000</value> <!-- 3.16 years -->
</Value>
+<Rule id="accounts_password_pam_cracklib_minlen">
+<title>Set Password Minimum Length For Existing User Accounts</title>
+<description>To specify password length requirements for existing user accounts:
+<br /><br />
+Edit the <tt>pam_cracklib.so</tt> statement in <tt>/etc/pam.d/system-auth</tt> file
+to show <tt>minlen=14</tt>, or a greater value if site policy is more restrictive.
+<br /><br />
+The DoD requirement is the password needs to be at least <tt>14</tt> characters long.
+The FISMA requirement is the password needs to be at least <tt>12</tt> characters long.
+</description>
+<ocil clause="it is not the required value">
+To check the minimum password length requirement for existing user accounts, run
+the following command:
+<pre>$ grep pam_cracklib /etc/pam.d/system-auth</pre>
+The <tt>minlen</tt> parameter will indicate the required minimum password length
+(in characters). The DoD requirement is the passwords needs to be at least <tt>14</tt>
+characters long. The FISMA requirement is the password needs to be at least <tt>12</tt>
+characters long. This would appear as <tt>minlen=14</tt> (DoD), <tt>minlen=12</tt>
+(FISMA), or a greater value.
+</ocil>
+<rationale>
+Requiring a minimum password length makes password cracking attacks more
+difficult by ensuring a larger search space. However, any security benefit
+from an onerous requirement must be carefully weighed against usability
+problems, support costs, or counterproductive behavior that may result.
+</rationale>
+<oval id="accounts_password_pam_cracklib_minlen" value="var_password_pam_cracklib_minlen"/>
+</Rule>
+
<Rule id="accounts_password_pam_cracklib_retry">
<title>Set Password Retry Prompts Permitted Per-Session</title>
<description>To configure the number of retry prompts that are permitted per-session:
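Review bot: the new Rule has neither a `severity` attribute nor an `<ident cce="..."/>` element, unlike the sibling `accounts_password_minlen_login_defs` rule (severity="medium", CCE-27002-5) it is meant to complement; at minimum add the severity so profiles and reports treat the two consistently, and request a CCE rather than shipping without one. The title `For Existing User Accounts` is also narrower than what the setting does: pam_cracklib's minlen applies to every password change that goes through the PAM password stack, which is exactly why passwd(1) ignored PASS_MIN_LEN in the report that started this thread, so a title along the lines of "for password changes via PAM" would avoid implying that new accounts are covered elsewhere. Minor: `the passwords needs to be` in the OCIL text should read `the password needs to be`.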
diff --git a/RHEL/6/input/system/accounts/restrictions/password_expiration.xml b/RHEL/6/input/system/accounts/restrictions/password_expiration.xml
index ce8a082..5dda88e 100644
--- a/RHEL/6/input/system/accounts/restrictions/password_expiration.xml
+++ b/RHEL/6/input/system/accounts/restrictions/password_expiration.xml
@@ -77,30 +77,31 @@ age, and 7 day warning period with the following command:
</Value>
<Rule id="accounts_password_minlen_login_defs" severity="medium">
-<title>Set Password Minimum Length in login.defs</title>
+<title>Set Password Minimum Length For User Accounts Created in the Future</title>
<description>To specify password length requirements for new accounts,
edit the file <tt>/etc/login.defs</tt> and add or correct the following
lines:
<pre>PASS_MIN_LEN 14<!-- <sub idref="var_accounts_password_minlen_login_defs"> --></pre>
<br/><br/>
-The DoD requirement is <tt>14</tt>.
+The DoD requirement is <tt>14</tt>.
The FISMA requirement is <tt>12</tt>.
-If a program consults <tt>/etc/login.defs</tt> and also another PAM module
-(such as <tt>pam_cracklib</tt>) during a password change operation,
-then the most restrictive must be satisfied. See PAM section
-for more information about enforcing password quality requirements.
+<br/><br/>
+<b>Please note this setting will check minimum password length requirements
+for newly created user accounts only. To enforce minimum password length
+policy requirements also for already existing user accounts, refer to the
+<tt>Set Password Minimum Length For Existing User Accounts</tt> section
+of this guide.</b>
</description>
<ocil clause="it is not set to the required value">
-To check the minimum password length, run the command:
+To check the minimum password length for user accounts created in the future, run the command:
<pre>$ grep PASS_MIN_LEN /etc/login.defs</pre>
-The DoD requirement is <tt>14</tt>.
+The DoD requirement is <tt>14</tt>.
</ocil>
<rationale>
-Requiring a minimum password length makes password
-cracking attacks more difficult by ensuring a larger
-search space. However, any security benefit from an onerous requirement
-must be carefully weighed against usability problems, support costs, or counterproductive
-behavior that may result.
+Requiring a minimum password length makes password cracking attacks more
+difficult by ensuring a larger search space. However, any security benefit
+from an onerous requirement must be carefully weighed against usability
+problems, support costs, or counterproductive behavior that may result.
</rationale>
<ident cce="27002-5" />
<oval id="accounts_password_minlen_login_defs" value="var_accounts_password_minlen_login_defs"/>
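Review bot: the line `The DoD requirement is <tt>14</tt>.` is removed and re-added unchanged in two places, which points to whitespace-only differences; since the P.S. deliberately keeps whitespace cleanup out of this patch, those lines should not appear in the diff at all. The dropped sentence saying that the most restrictive of login.defs and pam_cracklib must be satisfied was useful context; the replacement bold note states only that the setting covers newly created accounts, and would be clearer if it said which tools (useradd, system-config-users, per the covering mail) actually consult PASS_MIN_LEN.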
diff --git a/RHEVM3/input/profiles/stig-rhevm3.xml b/RHEVM3/input/profiles/stig-rhevm3.xml
index d80e69a..3e0aa53 100644
--- a/RHEVM3/input/profiles/stig-rhevm3.xml
+++ b/RHEVM3/input/profiles/stig-rhevm3.xml
@@ -74,9 +74,9 @@
<select idref="enable_randomize_va_space" selected="true"/>
<select idref="enable_execshield" selected="true"/>
-<select idref="disable_sysctl_ipv4_default_send_redirects" selected="true"/>
-<select idref="disable_sysctl_ipv4_all_send_redirects" selected="true"/>
-<select idref="disable_sysctl_ipv4_ip_forward" selected="true"/>
+<select idref="sysctl_net_ipv4_conf_default_send_redirects" selected="true"/>
+<select idref="sysctl_ipv4_all_send_redirects" selected="true"/>
+<select idref="sysctl_ipv4_ip_forward" selected="true"/>
<select idref="set_sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/>
<select idref="set_sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/>
<select idref="set_sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/>
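Review bot: this hunk is identical to the OpenStack/input/profiles/stig-rhevm3.xml hunk, and the index line carries the same blob hashes (d80e69a..3e0aa53), so the two profiles are byte-for-byte copies and every fix has to be applied twice, as here. Consider keeping a single copy that the other product references, or at least documenting the duplication so the two files do not drift apart on the next edit.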
--
1.8.3.1
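As an added example that is not part of the thread or of the attached patch: a small Python script that applies the two minimum-length checks discussed above to constructed /etc/login.defs and /etc/pam.d/system-auth contents, using the exact pattern from the new OVAL object, and reproduces the situation Trey reported (PASS_MIN_LEN 14 in login.defs but no minlen on the pam_cracklib line, so passwd enforces nothing). The sample file contents, the helper names and the reading of the OVAL test semantics are my own assumptions.

```python
"""Apply the two minimum-length checks from the thread to sample config text.

OVAL_MINLEN_RE is the pattern from the accounts_password_pam_cracklib_minlen
OVAL object in the patch; everything else (sample files, helper names, the
reading of the OVAL test semantics) is an assumption made for this example.
"""
import re

OVAL_MINLEN_RE = re.compile(
    r'^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+'
    r'[\w_\.\-=\s]+[\s]minlen=(\d+)(?:[\s]|$)')
# The line accounts_password_minlen_login_defs looks at in /etc/login.defs.
LOGIN_DEFS_RE = re.compile(r'^\s*PASS_MIN_LEN\s+(\d+)\s*$')


def pam_minlen_instances(system_auth):
    """minlen values matched by the OVAL pattern, one per matching line, in file order."""
    return [int(m.group(1))
            for m in map(OVAL_MINLEN_RE.match, system_auth.splitlines()) if m]


def login_defs_minlen(login_defs):
    """PASS_MIN_LEN from login.defs text, or None when the line is absent."""
    for line in login_defs.splitlines():
        m = LOGIN_DEFS_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def oval_pam_minlen_result(system_auth, required):
    """My reading of the patch's test: the object collects every match
    (instance >= 1), the state demands instance == 1 and subexpression >= var,
    and check="all" requires every collected item to satisfy the state. Hence
    exactly one matching line is needed and its value must reach the variable;
    a second minlen line (instance 2) makes the test fail."""
    values = pam_minlen_instances(system_auth)
    return len(values) == 1 and values[0] >= required


def assess(system_auth, login_defs, required):
    """Summarise what each file says and what passwd(1) will actually enforce.
    passwd goes through the PAM password stack, so only the pam_cracklib value
    counts for it; PASS_MIN_LEN is consulted by tools such as useradd."""
    ld = login_defs_minlen(login_defs)
    pam_ok = oval_pam_minlen_result(system_auth, required)
    return {
        "login_defs_minlen": ld,
        "login_defs_ok": ld is not None and ld >= required,
        "pam_minlen": pam_minlen_instances(system_auth),
        "pam_ok": pam_ok,
        "enforced_for_passwd": pam_ok,
    }


# Constructed sample files reproducing the situation reported in the thread.
LOGIN_DEFS = "PASS_MAX_DAYS 60\nPASS_MIN_DAYS 1\nPASS_MIN_LEN 14\nPASS_WARN_AGE 7\n"
SYSTEM_AUTH_STOCK = (
    "password    requisite     pam_cracklib.so try_first_pass retry=3 type=\n"
    "password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok\n"
    "password    required      pam_deny.so\n")
# The remediation from the thread: put minlen=14 on the pam_cracklib.so line.
SYSTEM_AUTH_FIXED = SYSTEM_AUTH_STOCK.replace("retry=3 type=", "retry=3 minlen=14 type=")

if __name__ == "__main__":
    for name, text in (("stock", SYSTEM_AUTH_STOCK), ("fixed", SYSTEM_AUTH_FIXED)):
        print(name, assess(text, LOGIN_DEFS, 14))
```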