----- Original Message -----
> From: "Shawn Wells" <[email protected]>
> To: [email protected]
> Sent: Thursday, June 26, 2014 8:24:45 PM
> Subject: Re: [PATCH] [RHEL/6] Fix implementation of accounts_password_pam_cracklib_minclass OVAL check. Provide corresponding XCCDF definition & start using the rule.
>
> On 6/26/14, 12:14 PM, Jan Lieskovsky wrote:
> > The following patch:
> > [1] https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=a38ece26a85f210b7edc6db2d91c438ef78f5add
> > added support for the accounts_password_pam_cracklib_minclass OVAL check & corresponding remediation script.
> >
> > But it never got used due to a missing XCCDF definition. Therefore:
> > 1) fix the actual accounts_password_pam_cracklib_minclass OVAL check implementation so it would be more aligned with the existing accounts_password_* OVAL checks,
> > 2) provide the corresponding XCCDF definition for it & start using it.
> >
> > Testing status:
> > ---------------
> > The change has been tested on RHEL-6 & works as expected (=> added the test_attestation timestamp into the OVAL definition).
> >
> > Please review.
> >
> > Thank you && Regards, Jan.
> > --
> > Jan iankko Lieskovsky / Red Hat Security Technologies Team
> >
> > P.S.: Will have a look at the corresponding remediation script yet to see if any updates are needed.
>
> Thanks for doing this! The STIG profile explicitly calls out character classes so this rule has been neglected for some time. Very small changes outlined below:
>
> 0001-RHEL-6-Fix-implementation-of-accounts_password_pam_c.patch
>
> From 06d6c866797d9021c375e56ad83ea8cbb0db0956 Mon Sep 17 00:00:00 2001
> From: Jan Lieskovsky <[email protected]>
> Date: Thu, 26 Jun 2014 18:03:55 +0200
> Subject: [PATCH] [RHEL/6] Fix implementation of accounts_password_pam_cracklib_minclass OVAL check. Provide corresponding XCCDF definition & start using the rule.
> > Signed-off-by: Jan Lieskovsky <[email protected]> --- > .../accounts_password_pam_cracklib_minclass.xml | 45 > ++++++++++----------- > RHEL/6/input/system/accounts/pam.xml | 46 > ++++++++++++++++++++++ > 2 files changed, 69 insertions(+), 22 deletions(-) > > diff --git a/RHEL/6/input/checks/accounts_password_pam_cracklib_minclass.xml > b/RHEL/6/input/checks/accounts_password_pam_cracklib_minclass.xml > index 539164b..100a2ae 100644 > --- a/RHEL/6/input/checks/accounts_password_pam_cracklib_minclass.xml > +++ b/RHEL/6/input/checks/accounts_password_pam_cracklib_minclass.xml 
> @@ -1,43 +1,44 @@ > <def-group> > - <definition class="compliance" > id="accounts_password_pam_cracklib_minclass" version="1"> > + <definition class="compliance" > id="accounts_password_pam_cracklib_minclass" > + version="2"> > <metadata> > <title>Set Password minclass Requirements</title> > <affected family="unix"> > <platform>Red Hat Enterprise Linux 6</platform> > </affected> > - <description>The password minclass should meet minimum > - requirements using pam_cracklib</description> > + <description>The password minclass should meet the minimum > requirements > + using pam_cracklib</description> > + <reference source="JL" ref_id="20140626" ref_url="test_attestation" /> > </metadata> > <criteria> > <criterion comment="Conditions for minclass are satisfied" > - test_ref="test_password_pam_cracklib_minclass" /> > + test_ref="test_password_pam_cracklib_minclass" /> > </criteria> > </definition> > > <ind:textfilecontent54_test check="all" > - comment="check the configuration of > /etc/pam.d/system-auth" > - id="test_password_pam_cracklib_minclass" > version="1"> > - <ind:object object_ref="obj_password_pam_cracklib_minclass" /> > + comment="check the configuration of /etc/pam.d/system-auth" > + id="test_password_pam_cracklib_minclass" version="1"> > + <ind:object object_ref="object_password_pam_cracklib_minclass" /> > <ind:state state_ref="state_password_pam_cracklib_minclass" /> > </ind:textfilecontent54_test> > > + <external_variable comment="External variable for pam_cracklib minclass" > + datatype="int" id="var_password_pam_cracklib_minclass" version="1" /> > + > + <ind:textfilecontent54_object id="object_password_pam_cracklib_minclass" > + version="1"> > + <ind:filepath>/etc/pam.d/system-auth</ind:filepath> > + <ind:pattern operation="pattern > match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]minclass=(\d+)(?:[\s]|$)</ind:pattern> > + <ind:instance datatype="int" > + operation="greater than or equal">1</ind:instance> > + 
</ind:textfilecontent54_object> > + > <ind:textfilecontent54_state id="state_password_pam_cracklib_minclass" > - version="1"> > + version="1"> > <ind:instance datatype="int">1</ind:instance> > - <ind:subexpression datatype="int" > - operation="less than or equal" > - var_ref="var_password_pam_cracklib_minclass" /> > + <ind:subexpression datatype="int" operation="greater than or equal" > + var_ref="var_password_pam_cracklib_minclass" /> > </ind:textfilecontent54_state> > > - <external_variable comment="External variable for pam_cracklib minclass" > - datatype="int" id="var_password_pam_cracklib_minclass" > - version="1" /> > - > - <ind:textfilecontent54_object id="obj_password_pam_cracklib_minclass" > - version="1"> > - <ind:path>/etc/pam.d</ind:path> > - <ind:filename>system-auth</ind:filename> > - <ind:pattern operation="pattern > match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]minclass=(-?\d+)(?:[\s]|$)</ind:pattern> > - <ind:instance datatype="int" operation="less than or > equal">1</ind:instance> > - </ind:textfilecontent54_object> > </def-group> > diff --git a/RHEL/6/input/system/accounts/pam.xml > b/RHEL/6/input/system/accounts/pam.xml > index feddbb6..e13a19c 100644 > --- a/RHEL/6/input/system/accounts/pam.xml > +++ b/RHEL/6/input/system/accounts/pam.xml > @@ -188,6 +188,17 @@ passwords</warning> > <value selector="4">4</value> > <value selector="5">5</value> > </Value> > + > +<Value id="var_password_pam_cracklib_minclass" type="number" > operator="equals" interactive="0"> > +<title>minclass</title> > +<description>Minimum number of categories of characters that must exist in a > password</description> > +<value selector="">3</value> > +<value selector="1">1</value> > +<value selector="2">2</value> > +<value selector="3">3</value> > +<value selector="4">4</value> > +</Value> > + > <Value id="var_accounts_passwords_pam_faillock_deny" type="number" > operator="equals" interactive="0"> > <title>fail_deny</title> 
> @@ -392,6 +403,41 @@ Note that passwords which are changed on compromised > systems will still be compr > <ref nist="IA-5(b),IA-5(c),IA-5(1)(b)" disa="195"/> > <tested by="DS" on="20121024"/> > </Rule> > + > +<Rule id="accounts_password_pam_cracklib_minclass"> > +<title>Set Password Strength Minimum Different Categories</title> > +<description>The pam_cracklib module's <tt>minclass</tt> parameter controls > requirements for > +usage of different character classes, or types, of character that must exist > in a password > +before it is considered valid. For example, setting this value to three (3) > requires that > +any password must have characters from at least three different categories > in order to be > +approved. The default value is zero (0), meaning there are no required > classes. There are > +four categories available: > +<pre> > +* Upper-case characters > +* Lower-case characters > +* Digits > +* Special characters (for example, punctuation) > +</pre> > +Add <tt>minclass=<i>NUM</i></tt> after pam_cracklib.so to require differing > categories of > +characters when changing passwords, substituting <i>NUM</i> appropriately > (for example to > +require at least three character classes to be used in password, use > <tt>minclass=3</tt>). > +</description> > > The description should be updated to reflect the value should be placed in > /etc/pam.d/system-auth
Thank you. Updated & pushed via: https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=929cbf31f6f82f27a66d1a2d26c306f3c99475dc > > > > > +<ocil clause="minclass is not found or not set to the required value"> > +To check how many categories of characters must be used in password during a > password change, > +run the following command: > +<pre>$ grep pam_cracklib /etc/pam.d/system-auth</pre> > +The <tt>minclass</tt> parameter will indicate how many character classes > must be used. If > +the requirement was password to contain characters from three different > categories, then this > +would appear as <tt>minclass=3</tt>. > > Nitpick: > "requirement was password to..." --> "requirement was for the password to..." Fixed via: https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=929cbf31f6f82f27a66d1a2d26c306f3c99475dc > > > > > +</ocil> > +<rationale> > +Requiring a minimum number of character categories makes password guessing > attacks > +more difficult by ensuring a larger search space. > +</rationale> > +<ident cce="" /> > > It makes sense to assign a CCE for this (take one out of > shared/references/cce-rhel6-avail.txt and place here). Took CCE-27115-5 via: https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=731d99b3f19d435193100846078633d51ad6ba76 and updated particular entry via: https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=929cbf31f6f82f27a66d1a2d26c306f3c99475dc > > > > > > +<oval id="accounts_password_pam_cracklib_minclass" > value="var_password_pam_cracklib_minclass"/> > +<tested by="JL" on="20140626"/> > +</Rule> > </Group> > </Group> > Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team -- SCAP Security Guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
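Review bot: in the `@@ -1,43 +1,44 @@` hunk of RHEL/6/input/checks/accounts_password_pam_cracklib_minclass.xml, only the definition is bumped to version="2" while the test, object and state whose content changes all keep version="1": the state's operation flips from "less than or equal" to "greater than or equal", and the object is renamed to object_password_pam_cracklib_minclass and switched from <ind:path>/<ind:filename> to <ind:filepath>; bump those versions too so consumers of the OVAL content can distinguish the revised entities from the old ones. Two behaviours of the new combination are worth confirming as intended: the object now collects every matching line (instance "greater than or equal" 1) while the state still requires instance 1, so with check="all" a second matching line in /etc/pam.d/system-auth makes the test fail regardless of its minclass value; and the pattern `^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]minclass=(\d+)(?:[\s]|$)` never checks the module name, so a minclass= argument on any password required/requisite line satisfies the check, not only one on the pam_cracklib.so line. If alignment with the other accounts_password_* checks is the goal that is acceptable, otherwise consider anchoring the pattern on pam_cracklib\.so.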
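Review bot: in the `@@ -392,6 +403,41 @@` hunk of RHEL/6/input/system/accounts/pam.xml, the new <Rule id="accounts_password_pam_cracklib_minclass"> carries <ident>, <oval> and <tested> but no <ref> element, whereas the rule immediately above it in the context ends with `<ref nist="IA-5(b),IA-5(c),IA-5(1)(b)" disa="195"/>`; since the cover discussion says the STIG profile explicitly calls out character classes, add the matching nist/disa references so profile mapping and generated reference tables pick the rule up. Smaller point in the same hunk: the four character categories are wrapped in <pre> with "*" bullets, which renders as preformatted text, while <pre> elsewhere in this hunk wraps a command (`$ grep pam_cracklib /etc/pam.d/system-auth`); a <ul>/<li> list or a plain sentence would read better in the description.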
