The following patch: [1] https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=a38ece26a85f210b7edc6db2d91c438ef78f5add
added support for the accounts_password_pam_cracklib_minclass OVAL check & the corresponding remediation script. But it never got used due to a missing XCCDF definition. Therefore:
1) fix the actual accounts_password_pam_cracklib_minclass OVAL check implementation so it is more aligned with the existing accounts_password_* OVAL checks,
2) provide the corresponding XCCDF definition for it & start using it.

Testing status:
---------------
The change has been tested on RHEL-6 & works as expected (=> added the test_attestation timestamp into the OVAL definition).

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

P.S.: Will have a look at the corresponding remediation script yet to see if any updates are needed.
From 06d6c866797d9021c375e56ad83ea8cbb0db0956 Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <[email protected]> Date: Thu, 26 Jun 2014 18:03:55 +0200 Subject: [PATCH] [RHEL/6] Fix implementation of accounts_password_pam_cracklib_minclass OVAL check. Provide corresponding XCCDF definition & start using the rule. Signed-off-by: Jan Lieskovsky <[email protected]> --- .../accounts_password_pam_cracklib_minclass.xml | 45 ++++++++++----------- RHEL/6/input/system/accounts/pam.xml | 46 ++++++++++++++++++++++ 2 files changed, 69 insertions(+), 22 deletions(-) diff --git a/RHEL/6/input/checks/accounts_password_pam_cracklib_minclass.xml b/RHEL/6/input/checks/accounts_password_pam_cracklib_minclass.xml index 539164b..100a2ae 100644 --- a/RHEL/6/input/checks/accounts_password_pam_cracklib_minclass.xml +++ b/RHEL/6/input/checks/accounts_password_pam_cracklib_minclass.xml 
@@ -1,43 +1,44 @@ <def-group> - <definition class="compliance" id="accounts_password_pam_cracklib_minclass" version="1"> + <definition class="compliance" id="accounts_password_pam_cracklib_minclass" + version="2"> <metadata> <title>Set Password minclass Requirements</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> - <description>The password minclass should meet minimum - requirements using pam_cracklib</description> + <description>The password minclass should meet the minimum requirements + using pam_cracklib</description> + <reference source="JL" ref_id="20140626" ref_url="test_attestation" /> </metadata> <criteria> <criterion comment="Conditions for minclass are satisfied" - test_ref="test_password_pam_cracklib_minclass" /> + test_ref="test_password_pam_cracklib_minclass" /> </criteria> </definition> <ind:textfilecontent54_test check="all" - comment="check the configuration of /etc/pam.d/system-auth" - id="test_password_pam_cracklib_minclass" version="1"> - <ind:object object_ref="obj_password_pam_cracklib_minclass" /> + comment="check the configuration of /etc/pam.d/system-auth" + id="test_password_pam_cracklib_minclass" version="1"> + <ind:object object_ref="object_password_pam_cracklib_minclass" /> <ind:state state_ref="state_password_pam_cracklib_minclass" /> </ind:textfilecontent54_test> + <external_variable comment="External variable for pam_cracklib minclass" + datatype="int" id="var_password_pam_cracklib_minclass" version="1" /> + + <ind:textfilecontent54_object id="object_password_pam_cracklib_minclass" + version="1"> + <ind:filepath>/etc/pam.d/system-auth</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]minclass=(\d+)(?:[\s]|$)</ind:pattern> + <ind:instance datatype="int" + operation="greater than or equal">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_state id="state_password_pam_cracklib_minclass" - 
version="1"> + version="1"> <ind:instance datatype="int">1</ind:instance> - <ind:subexpression datatype="int" - operation="less than or equal" - var_ref="var_password_pam_cracklib_minclass" /> + <ind:subexpression datatype="int" operation="greater than or equal" + var_ref="var_password_pam_cracklib_minclass" /> </ind:textfilecontent54_state> - <external_variable comment="External variable for pam_cracklib minclass" - datatype="int" id="var_password_pam_cracklib_minclass" - version="1" /> - - <ind:textfilecontent54_object id="obj_password_pam_cracklib_minclass" - version="1"> - <ind:path>/etc/pam.d</ind:path> - <ind:filename>system-auth</ind:filename> - <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]minclass=(-?\d+)(?:[\s]|$)</ind:pattern> - <ind:instance datatype="int" operation="less than or equal">1</ind:instance> - </ind:textfilecontent54_object> </def-group> diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml index feddbb6..e13a19c 100644 --- a/RHEL/6/input/system/accounts/pam.xml +++ b/RHEL/6/input/system/accounts/pam.xml @@ -188,6 +188,17 @@ passwords</warning> <value selector="4">4</value> <value selector="5">5</value> </Value> + +<Value id="var_password_pam_cracklib_minclass" type="number" operator="equals" interactive="0"> +<title>minclass</title> +<description>Minimum number of categories of characters that must exist in a password</description> +<value selector="">3</value> +<value selector="1">1</value> +<value selector="2">2</value> +<value selector="3">3</value> +<value selector="4">4</value> +</Value> + <Value id="var_accounts_passwords_pam_faillock_deny" type="number" operator="equals" interactive="0"> <title>fail_deny</title> 
@@ -392,6 +403,41 @@ Note that passwords which are changed on compromised systems will still be compr <ref nist="IA-5(b),IA-5(c),IA-5(1)(b)" disa="195"/> <tested by="DS" on="20121024"/> </Rule> + +<Rule id="accounts_password_pam_cracklib_minclass"> +<title>Set Password Strength Minimum Different Categories</title> +<description>The pam_cracklib module's <tt>minclass</tt> parameter controls requirements for +usage of different character classes, or types, of character that must exist in a password +before it is considered valid. For example, setting this value to three (3) requires that +any password must have characters from at least three different categories in order to be +approved. The default value is zero (0), meaning there are no required classes. There are +four categories available: +<pre> +* Upper-case characters +* Lower-case characters +* Digits +* Special characters (for example, punctuation) +</pre> +Add <tt>minclass=<i>NUM</i></tt> after pam_cracklib.so to require differing categories of +characters when changing passwords, substituting <i>NUM</i> appropriately (for example to +require at least three character classes to be used in password, use <tt>minclass=3</tt>). +</description> +<ocil clause="minclass is not found or not set to the required value"> +To check how many categories of characters must be used in password during a password change, +run the following command: +<pre>$ grep pam_cracklib /etc/pam.d/system-auth</pre> +The <tt>minclass</tt> parameter will indicate how many character classes must be used. If +the requirement was password to contain characters from three different categories, then this +would appear as <tt>minclass=3</tt>. +</ocil> +<rationale> +Requiring a minimum number of character categories makes password guessing attacks +more difficult by ensuring a larger search space. 
+</rationale> +<ident cce="" /> +<oval id="accounts_password_pam_cracklib_minclass" value="var_password_pam_cracklib_minclass"/> +<tested by="JL" on="20140626"/> +</Rule> </Group> </Group> -- 1.8.3.1
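Review bot: the new object pattern in accounts_password_pam_cracklib_minclass.xml, `^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]minclass=(\d+)(?:[\s]|$)`, never names pam_cracklib.so, so any `password required` or `password requisite` line carrying `minclass=N` satisfies the OVAL check whichever module it belongs to; anchoring the pattern on `pam_cracklib\.so` (as the OCIL text does by grepping for pam_cracklib) would tie the automated result to the module the rule actually describes. Two smaller points in the same hunk: the test keeps `version="1"` although its `object_ref` was renamed from obj_ to object_, so bump the test version together with the definition version; and since the object now collects instances greater than or equal to 1 while the state still pins `instance` to 1 under `check="all"`, a system-auth with two matching password lines produces a second item that fails the state and therefore the whole test. If only one such line is meant to be allowed, say so in the test comment; otherwise drop the instance element from the state so that every matching line is compared against var_password_pam_cracklib_minclass.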
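Review bot: the new Value var_password_pam_cracklib_minclass in pam.xml offers selectors 1 through 4 with an unselected default of 3, which matches the four categories the Rule description enumerates, but its description does not say what a value of 0 means; since the Rule text states that the pam_cracklib default is zero (no required classes), a one-line mention of that in the Value description would keep profile authors from selecting a value that is a no-op.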
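Review bot: `<ident cce="" />` in the new accounts_password_pam_cracklib_minclass Rule leaves the CCE identifier empty, so either assign one or follow the placeholder convention the neighbouring Rules in pam.xml use, otherwise the rule ships without a CCE in the generated benchmark. In the OCIL text, "If the requirement was password to contain characters from three different categories" reads better as "If the requirement was for the password to contain characters from three different categories". The description also documents only system-auth, which is consistent with the OVAL object's `<ind:filepath>/etc/pam.d/system-auth</ind:filepath>`, but it would help to state explicitly that this is the only file the check inspects, so administrators know where the remediation must land.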
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
