Rename original remediation script (password_require_minimum_class.sh) from:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=a38ece26a85f210b7edc6db2d91c438ef78f5add
to its proper name (so remediation would actually perform the fix). Besides that, replace the hardcoded value of '3' with the evaluated value of the $var_password_pam_cracklib_minclass variable (which can actually be set to something different according to custom preferences). Also make the remediation fix implementation comply / align more with the actual requirements for remediation fixes (include templates/support.sh etc.).

Testing report:
---------------

Change has been tested on RHEL-6 for both cases:
* minclass already present in /etc/pam.d/system-auth, but having a different value than expected / required,
* minclass not present in /etc/pam.d/system-auth file
and works properly.

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From 2728223b695f7901c8b58b5696100273ccfa5993 Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <[email protected]> Date: Thu, 3 Jul 2014 16:51:42 +0200 Subject: [PATCH] [RHEL/6] accounts_password_pam_cracklib_minclass XCCDF rule: * rename remediation fix to proper name, * update its implementation not to use the hardcoded value of '3', but rather actual evaluated value of var_password_pam_cracklib_minclass variable. Signed-off-by: Jan Lieskovsky <[email protected]> --- .../input/fixes/bash/accounts_password_pam_cracklib_minclass.sh | 9 +++++++++ RHEL/6/input/fixes/bash/password_require_minimum_class.sh | 6 ------ 2 files changed, 9 insertions(+), 6 deletions(-) create mode 100644 RHEL/6/input/fixes/bash/accounts_password_pam_cracklib_minclass.sh delete mode 100644 RHEL/6/input/fixes/bash/password_require_minimum_class.sh diff --git a/RHEL/6/input/fixes/bash/accounts_password_pam_cracklib_minclass.sh b/RHEL/6/input/fixes/bash/accounts_password_pam_cracklib_minclass.sh new file mode 100644 index 0000000..c710009 --- /dev/null +++ b/RHEL/6/input/fixes/bash/accounts_password_pam_cracklib_minclass.sh @@ -0,0 +1,9 @@ +source ./templates/support.sh +populate var_password_pam_cracklib_minclass + +grep -q minclass /etc/pam.d/system-auth +if [ $? = "0" ]; then + sed -i "/pam_cracklib.so/s/minclass=[0-$var_password_pam_cracklib_minclass]/minclass=$var_password_pam_cracklib_minclass/" /etc/pam.d/system-auth +else + sed -i "/pam_cracklib.so/s/pam_cracklib.so /pam_cracklib.so minclass=$var_password_pam_cracklib_minclass /" /etc/pam.d/system-auth +fi diff --git a/RHEL/6/input/fixes/bash/password_require_minimum_class.sh b/RHEL/6/input/fixes/bash/password_require_minimum_class.sh deleted file mode 100644 index 127c004..0000000 --- a/RHEL/6/input/fixes/bash/password_require_minimum_class.sh +++ /dev/null 
@@ -1,6 +0,0 @@ -grep -q minclass /etc/pam.d/system-auth -if [ $? = "0" ]; then - sed --follow-symlinks -i "/pam_cracklib.so/s/minclass=[0-4]/minclass=3/" /etc/pam.d/system-auth -else - sed --follow-symlinks -i "/pam_cracklib.so/s/pam_cracklib.so /pam_cracklib.so minclass=3 /" /etc/pam.d/system-auth -fi -- 1.8.3.1
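Review bot: both `sed -i` calls in the new accounts_password_pam_cracklib_minclass.sh drop the `--follow-symlinks` flag that the deleted script carried; on RHEL 6 /etc/pam.d/system-auth is normally a symlink to system-auth-ac maintained by authconfig, so in-place editing without the flag replaces the symlink with a regular file and the change is lost the next time authconfig regenerates system-auth-ac. Keep `sed --follow-symlinks -i` in both branches. Second, `grep -q minclass /etc/pam.d/system-auth` matches the string anywhere in the file (a comment, or a line for a different module), so the script can take the rewrite branch while the active pam_cracklib.so line has no minclass option at all, and nothing is added; restrict the test to the line being edited, e.g. `grep -q '^password.*pam_cracklib.so.*minclass=' /etc/pam.d/system-auth`. Finally, `minclass=[0-$var_password_pam_cracklib_minclass]` is a single-character bracket range, so an existing value above the configured one (or a variable value that is not a single digit) is not matched; `s/minclass=[0-9]*/minclass=$var_password_pam_cracklib_minclass/` covers every case. Minor style point: `if grep -q ... ; then` reads better than comparing `$?` against the string "0".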
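Review bot: this hunk deletes the old script outright while the previous hunk creates the new one, so git records a create plus a delete rather than a rename; generating the patch with rename detection (`git format-patch -M`) would present it as a rename of password_require_minimum_class.sh with a small content diff, which makes the actual behavioural changes (the variable substitution and the dropped `--follow-symlinks`) much easier to spot in review.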
-- SCAP Security Guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
