----- Original Message -----
> From: "Maura Dailey" <[email protected]>
> To: "Jan Lieskovsky" <[email protected]>
> Sent: Tuesday, April 1, 2014 7:35:07 PM
>
> I don't like leaving bugs in place while these decisions are being made.
I can understand this approach (that fixing obvious bugs immediately is
better than waiting for an overall concept change, which takes longer / needs
a more massive patch).
> I'd still like to add the missing platform line in, unless you're
> telling me that the final release of RHEL 7 won't have pam_cracklib.so
> at all or unless you're saying that pam_cracklib.so won't be a supported
> option for users that use the announced upgrade-in-place option. You or
> Shawn would know better than I, seeing as how both modules were
> apparently written by Red Hat.
The problem with the current state (as far as I understood it from testing)
is the following:
* system administrators are not expected to edit /etc/pam.d/system-auth directly
  (from the /etc/pam.d/system-auth file:
  #%PAM-1.0
  # This file is auto-generated.
  # User changes will be destroyed the next time authconfig is run.)
  but rather to use one of the authconfig, authconfig-tui or authconfig-gtk utilities.
* a new file, /etc/security/pwquality.conf, has been added to RHEL-7, which should
  control / enforce the expectations on password attributes like difok, minlen,
  dcredit, ucredit etc.
* the procedure to fine-tune the "additional" password requirements on RHEL-7
  seems to be the following:
  1) the user runs authconfig / authconfig-tui / authconfig-gtk as root,
  2) clicks on the Password Options tab,
  3) specifies Length / Character Classes (or some other option on offer),
  4) clicks the "Apply" button,
  5) the change / requirements are written into the /etc/security/pwquality.conf
     file instead of being written into /etc/pam.d/system-auth directly,
  6) when a user's password change request is issued, pam's pam_pwquality.so
     module checks the settings from /etc/security/pwquality.conf and displays
     a "Bad Password" message when the provided password did not meet the
     expected criteria (for example, requesting minlen=12 and providing a
     shorter password shows a message like:
     BAD PASSWORD: The password is shorter than 12 characters)
pam_cracklib.so will be in RHEL-7. But direct editing of /etc/pam.d/system-auth
will be an unsupported configuration (since users aren't expected to edit
/etc/pam.d/system-auth directly).
>
> Alternately, I could submit a patch to move all the pam_cracklib.so
> options back to RHEL 6's check directory until this is sorted out, or,
> if a version of Fedora uses pam_cracklib, I could change all the
> platform lines to read Fedora instead of RHEL 7.
In light of the further information above, the most reasonable approach
(to me) seems to be the following:
* move the pam_cracklib.so checks back to the RHEL/6 directory,
* create new ones for the RHEL/7 use case - these will need to be created in any
  case, since they shouldn't be checking for the presence of options in the
  /etc/pam.d/system-auth file, but rather / instead for the presence of the
  required values (minlen, difok etc.) in the /etc/security/pwquality.conf file,
* the fact that the current rules also work on RHEL-7 is just a coincidence
  (the pam_pwquality.so options being similar to the pam_cracklib.so ones). But
  it brings more confusion than it actually clarifies.
>
> pam_pwquality.so is obviously geared to be an easy change for sysadmins,
> seeing as how the option names are currently the same. However, if they
> diverge going forward, a universal check might have unexpected behavior.
Yeah, I agree that having a universal check wouldn't be good (in light of the
new facts stated above).
> So I'm leaning a little more towards creating pam_pwquality specific checks.
Agree. Please make a patch moving the original pam_cracklib.so ones back to the
RHEL/6 directory. Then we can create RHEL-7 specific ones honouring / checking
the settings in /etc/security/pwquality.conf.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
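As an added example (not code from this thread, nor from scap-security-guide, whose checks are OVAL XML), here is the shape of the RHEL-7 style check as a POSIX shell script: it reads the effective values out of /etc/security/pwquality.conf, where authconfig writes them, instead of looking for pam_cracklib.so options in /etc/pam.d/system-auth. The function names (pwq_get, pwq_check, pwq_audit, pwq_sample) and the thresholds are my own; the script assumes the "key = value" line format shown above, that "#" starts a comment, and that when a key is assigned more than once the last assignment is the one pam_pwquality uses. The configuration it runs against by default is constructed for the example, not taken from any system.

```sh
#!/bin/sh
# Added example, not scap-security-guide code: check the effective
# pam_pwquality settings in /etc/security/pwquality.conf (where authconfig
# writes them on RHEL-7) instead of grepping pam_cracklib.so options out of
# /etc/pam.d/system-auth.
#
# Assumptions (not verified against the libpwquality source here): lines are
# "key = value", "#" starts a comment, and the last assignment of a key wins.

# pwq_get FILE KEY: print the effective integer value of KEY, or print
# nothing and return 1 if KEY is never set (pam_pwquality then falls back to
# its built-in default, which a check should not silently accept).
pwq_get() {
    pwq_file="$1"; pwq_key="$2"
    pwq_val=$(sed -n \
        -e 's/[[:space:]]*#.*$//' \
        -e "s/^[[:space:]]*${pwq_key}[[:space:]]*=[[:space:]]*\(-*[0-9][0-9]*\)[[:space:]]*$/\1/p" \
        "$pwq_file" | tail -n 1)
    [ -n "$pwq_val" ] || return 1
    printf '%s\n' "$pwq_val"
}

# pwq_check FILE KEY OP WANT: compare the effective value with WANT using a
# test(1) integer operator (-ge, -le, ...). Prints one PASS/FAIL line and
# returns 0/1 so a caller or scanner can collect the result.
pwq_check() {
    pwq_have=$(pwq_get "$1" "$2") || {
        echo "FAIL: $2 is not set in $1"
        return 1
    }
    if [ "$pwq_have" "$3" "$4" ]; then
        echo "PASS: $2 = $pwq_have (wanted $3 $4)"
        return 0
    fi
    echo "FAIL: $2 = $pwq_have (wanted $3 $4)"
    return 1
}

# pwq_sample: write a constructed pwquality.conf (not a real system's file)
# to a temp file and print its path. It mixes commented-out defaults, a
# trailing comment, a superseded assignment and one key left unset so that
# each parsing case and both check outcomes are exercised.
pwq_sample() {
    pwq_tmp=$(mktemp)
    cat >"$pwq_tmp" <<'EOF'
# Constructed sample of /etc/security/pwquality.conf for the example
# Commented-out values are ignored, exactly like the shipped defaults:
# difok = 5
# minlen = 9
minlen = 8
minlen = 12    # raised later; the last assignment is the effective one
difok = 4
dcredit = -1
ucredit = -1
# lcredit deliberately left unset
EOF
    printf '%s\n' "$pwq_tmp"
}

# pwq_audit FILE: the RHEL-7 flavoured counterpart of the pam_cracklib
# minlen / difok / *credit checks discussed in the thread; returns 0 only if
# every expectation is met. Thresholds are illustrative, not a policy.
pwq_audit() {
    pwq_rc=0
    pwq_check "$1" minlen  -ge 12 || pwq_rc=1
    pwq_check "$1" difok   -ge 5  || pwq_rc=1
    pwq_check "$1" dcredit -le -1 || pwq_rc=1
    pwq_check "$1" ucredit -le -1 || pwq_rc=1
    pwq_check "$1" lcredit -le -1 || pwq_rc=1
    return $pwq_rc
}

# Run against the file given as $1, or demonstrate against the constructed
# sample (which is meant to fail on difok and lcredit) when no path is given.
pwq_audit "${1:-$(pwq_sample)}" && echo "all checks passed" || echo "some checks failed"
```

Run it as `sh pwq_check.sh /etc/security/pwquality.conf` on a RHEL-7 box to audit the live file; without an argument it audits the constructed sample, where minlen, dcredit and ucredit pass, difok fails on value and lcredit fails because it is never set. The "unset counts as FAIL" rule is the important design choice: a check that only greps for a line with the right value would also be satisfied by an absent line if it were written as "no line with a wrong value", so the check asks for a positive, effective assignment.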
>
> - Maura Dailey
>
> On 04/01/2014 12:40 PM, Jan Lieskovsky wrote:
> > Hello Maura,
> >
> > ----- Original Message -----
> >> From: "Maura Dailey" <[email protected]>
> >> Subject: [PATCH] Shared check was missing RHEL 7 platform line
> >>
> >> Other pam_cracklib shared checks had the required platform field, but the
> >> check for difok appears to have been inadvertently skipped.
> > I would say that instead of storing RHEL-7 as a platform in the shared
> > pam_cracklib OVAL checks, we should create RHEL-7 specific / own
> > pam_pwquality oriented ones.
> >
> > In RHEL-7 pam_cracklib has been replaced with pam_pwquality (man
> > pw_quality) and while the checks still work, their names:
> >
> > accounts_password_pam_cracklib_difok.xml
> > accounts_password_pam_cracklib_lcredit.xml
> > etc.
> >
> > might be misleading. In my opinion we have two options for how to proceed:
> > * either rename the rules (remove the pam_cracklib string from them) and
> > make them universal (IOW able to handle both the pam_cracklib and
> > pam_pwquality cases).
> > Particular rule names in shared/ would become:
> >
> > accounts_password_pam_difok.xml
> > accounts_password_pam_lcredit.xml
> > etc.
> >
> > and in the /etc/pam.d/system-auth pattern match section there would be
> > just (pam_cracklib | pam_pwquality) listed as the options allowed after
> > the required / requisite password section,
> >
> > * or we can keep the RHEL-6 pam_cracklib rules intact (as they are now), and
> > create new pam_pwquality RHEL-7 specific ones.
> >
> > Leaving it to the wider mailing list's opinion / thoughts to decide
> > which way (or yet some other than the two proposed above?) we want to
> > pursue.
> >
> > Thank you && Regards, Jan.
> > --
> > Jan iankko Lieskovsky / Red Hat Security Technologies Team
> >
> >> - Maura Dailey
> >>
> >> Signed-off-by: Maura Dailey <[email protected]>
> >> ---
> >> .../oval/accounts_password_pam_cracklib_difok.xml | 1 +
> >> 1 files changed, 1 insertions(+), 0 deletions(-)
> >>
> >> diff --git a/shared/oval/accounts_password_pam_cracklib_difok.xml
> >> b/shared/oval/accounts_password_pam_cracklib_difok.xml
> >> index 80fd21e..62a535a 100644
> >> --- a/shared/oval/accounts_password_pam_cracklib_difok.xml
> >> +++ b/shared/oval/accounts_password_pam_cracklib_difok.xml
> >> @@ -4,6 +4,7 @@
> >> <title>Set Password difok Requirements</title>
> >> <affected family="unix">
> >> <platform>Red Hat Enterprise Linux 6</platform>
> >> + <platform>Red Hat Enterprise Linux 7</platform>
> >> </affected>
> >> <description>The password difok should meet minimum
> >> requirements using pam_cracklib</description>
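Review bot: the hunk marks Red Hat Enterprise Linux 7 as an affected platform while the check's own description, two lines below the added platform line, still reads "should meet minimum requirements using pam_cracklib", and nothing in the patch touches what the check actually tests. Per this thread, RHEL-7 uses pam_pwquality with its settings in /etc/security/pwquality.conf, so on that platform the check would carry a misleading description and would be examining the wrong place. Either revise the description and the underlying test together with the platform line, or keep this file RHEL 6 only and add a separate pam_pwquality check for RHEL 7, as the replies propose.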
> >> --
> >> 1.7.1
> >>
> >> _______________________________________________
> >> scap-security-guide mailing list
> >> [email protected]
> >> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> >>
>
>
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide