Hello Maura,

----- Original Message -----
> From: "Maura Dailey" <[email protected]>
> Subject: [PATCH] Shared check was missing RHEL 7 platform line
>
> Other pam_cracklib shared checks had the required platform field, but the
> check for difok appears to have been inadvertently skipped.

I would say that instead of storing RHEL-7 as a platform in the shared pam_cracklib OVAL checks, we should create RHEL-7 specific, pam_pwquality oriented ones. In RHEL-7 pam_cracklib has been replaced with pam_pwquality (man pw_quality), and while the checks still work, their names:

  accounts_password_pam_cracklib_difok.xml
  accounts_password_pam_cracklib_lcredit.xml
  etc.

might be misleading. In my opinion we have two options for how to proceed:

* either rename the rules (remove the pam_cracklib string from them) and make them universal (IOW able to handle both the pam_cracklib and pam_pwquality cases). Particular rule names in shared/ would become:

    accounts_password_pam_difok.xml
    accounts_password_pam_lcredit.xml
    etc.

  and in the /etc/pam.d/system-auth pattern match section there would be just the (pam_cracklib | pam_pwquality) options listed as allowed after the required / requisite password section,

* or we can keep the RHEL-6 pam_cracklib rules intact (as they are now), and create new pam_pwquality RHEL-7 specific ones.

Leaving it to the wider mailing list's opinions / thoughts to decide which way (or yet another one besides the two proposed above?) we want to pursue.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> > - Maura Dailey > > Signed-off-by: Maura Dailey <[email protected]> > --- > .../oval/accounts_password_pam_cracklib_difok.xml | 1 + > 1 files changed, 1 insertions(+), 0 deletions(-) > > diff --git a/shared/oval/accounts_password_pam_cracklib_difok.xml > b/shared/oval/accounts_password_pam_cracklib_difok.xml > index 80fd21e..62a535a 100644 > --- a/shared/oval/accounts_password_pam_cracklib_difok.xml > +++ b/shared/oval/accounts_password_pam_cracklib_difok.xml 
> @@ -4,6 +4,7 @@ > <title>Set Password difok Requirements</title> > <affected family="unix"> > <platform>Red Hat Enterprise Linux 6</platform> > + <platform>Red Hat Enterprise Linux 7</platform> > </affected> > <description>The password difok should meet minimum > requirements using pam_cracklib</description> > -- > 1.7.1 > > _______________________________________________ > scap-security-guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide >
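
Review bot: the `<description>` in the context lines right after the added `<platform>` entry still reads "using pam_cracklib", and the file name carries the same module name, so once Red Hat Enterprise Linux 7 is listed under `<affected>` the check's metadata names a module that, per the reply above, RHEL 7 has replaced with pam_pwquality. Either reword the description (and rename the check) so it covers both modules, or leave this file RHEL 6 only and add a separate pam_pwquality check. The hunk also changes only the `<affected>` metadata; the test pattern in this file is not visible here, so confirm it matches a pam_pwquality line before advertising RHEL 7 support.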
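
The universal match proposed in the first option above, sketched as an added example (not code from the original message or from the scap-security-guide project). The function names, the sample system-auth contents and the minimum values are constructed for illustration.

```python
import re

# Hypothetical helper, not project code. Matches a line of the form:
#   password  required|requisite  pam_cracklib.so|pam_pwquality.so  [args...]
PAM_LINE = re.compile(
    r"^\s*password\s+(?:required|requisite)\s+"
    r"(?P<module>pam_cracklib|pam_pwquality)\.so(?P<args>(?:\s+\S+)*)\s*$"
)

def find_difok(pam_text):
    """Return (module, difok) for the first password-quality line, else None.

    difok is None when the module line exists but carries no difok=N option.
    """
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0]          # ignore trailing comments
        m = PAM_LINE.match(line)
        if not m:
            continue
        difok = None
        for arg in m.group("args").split():
            key, _, value = arg.partition("=")
            if key == "difok" and value.isdigit():
                difok = int(value)
        return m.group("module"), difok
    return None

def difok_compliant(pam_text, minimum):
    """True only if a matching line sets difok to at least `minimum`."""
    found = find_difok(pam_text)
    return found is not None and found[1] is not None and found[1] >= minimum

# Constructed sample contents of /etc/pam.d/system-auth
RHEL6_SAMPLE = (
    "auth        required      pam_env.so\n"
    "password    requisite     pam_cracklib.so try_first_pass retry=3 difok=4\n"
    "password    sufficient    pam_unix.so sha512 shadow\n"
)
RHEL7_SAMPLE = (
    "password    requisite     pam_pwquality.so try_first_pass retry=3 difok=4\n"
)
NO_DIFOK_SAMPLE = "password    requisite     pam_pwquality.so try_first_pass retry=3\n"

if __name__ == "__main__":
    for name, text in [("rhel6", RHEL6_SAMPLE), ("rhel7", RHEL7_SAMPLE),
                       ("no difok", NO_DIFOK_SAMPLE)]:
        print(name, find_difok(text), difok_compliant(text, 4))
```

A line without a difok option is reported as non-compliant here; pam_pwquality can also take difok from /etc/security/pwquality.conf, which this sketch does not read.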
