On 7/3/14, 11:15 AM, Jan Lieskovsky wrote:
Rename original remediation script (password_require_minimum_class.sh)
from:
   
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=a38ece26a85f210b7edc6db2d91c438ef78f5add

to its proper name (so remediation would actually perform the fix).

Besides that replace the hardcoded value of '3' with evaluated value of
$var_password_pam_cracklib_minclass variable (which can be actually set
up to something different according to custom preferences). Also make
the remediation fix implementation comply / align more with actual
requirements for the remediation fixes (include templates/support.sh etc.)

Testing report:
---------------
Change has been tested on RHEL-6 for both cases:
* minclass already present in /etc/pam.d/system-auth, but having different
   value than expected / required,
* minclass not present in /etc/pam.d/system-auth file

and works properly.

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

0001-RHEL-6-accounts_password_pam_cracklib_minclass-XCCDF.patch


 From 2728223b695f7901c8b58b5696100273ccfa5993 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky<[email protected]>
Date: Thu, 3 Jul 2014 16:51:42 +0200
Subject: [PATCH] [RHEL/6] accounts_password_pam_cracklib_minclass XCCDF rule:
  * rename remediation fix to proper name,
  * update its implementation not to use the hardcoded value of '3',
    but rather actual evaluated value of var_password_pam_cracklib_minclass
    variable.

Signed-off-by: Jan Lieskovsky<[email protected]>
---
  .../input/fixes/bash/accounts_password_pam_cracklib_minclass.sh  | 9 +++++++++
  RHEL/6/input/fixes/bash/password_require_minimum_class.sh        | 6 ------
  2 files changed, 9 insertions(+), 6 deletions(-)
  create mode 100644 
RHEL/6/input/fixes/bash/accounts_password_pam_cracklib_minclass.sh
  delete mode 100644 RHEL/6/input/fixes/bash/password_require_minimum_class.sh

diff --git a/RHEL/6/input/fixes/bash/accounts_password_pam_cracklib_minclass.sh 
b/RHEL/6/input/fixes/bash/accounts_password_pam_cracklib_minclass.sh
new file mode 100644
index 0000000..c710009
--- /dev/null
+++ b/RHEL/6/input/fixes/bash/accounts_password_pam_cracklib_minclass.sh
@@ -0,0 +1,9 @@
+source ./templates/support.sh
+populate var_password_pam_cracklib_minclass
+
+grep -q minclass /etc/pam.d/system-auth
+if [ $? = "0" ]; then
+    sed -i 
"/pam_cracklib.so/s/minclass=[0-$var_password_pam_cracklib_minclass]/minclass=$var_password_pam_cracklib_minclass/"
 /etc/pam.d/system-auth
+else
+    sed -i "/pam_cracklib.so/s/pam_cracklib.so /pam_cracklib.so 
minclass=$var_password_pam_cracklib_minclass /" /etc/pam.d/system-auth
+fi
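Review bot: the range class `minclass=[0-$var_password_pam_cracklib_minclass]` in the first sed only matches an existing value at or below the target, so with the variable set to 3 a line already carrying minclass=4 is left untouched and the remediation silently does nothing; use `minclass=[0-9]*` (or `[0-9]\+`) so any existing value is rewritten. Both sed calls also dropped the `--follow-symlinks` that the deleted script used; without it `sed -i` on /etc/pam.d/system-auth replaces the symlink with a regular file instead of editing system-auth-ac. Two smaller points: `grep -q minclass /etc/pam.d/system-auth` matches the token anywhere in the file (a commented-out line included), so the condition should be restricted to the pam_cracklib.so line, e.g. `grep -q 'pam_cracklib.so.*minclass=' /etc/pam.d/system-auth`; and the else branch's pattern `pam_cracklib.so ` (with a trailing space) does not match a pam_cracklib.so that ends the line, so no option is appended in that case.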
diff --git a/RHEL/6/input/fixes/bash/password_require_minimum_class.sh 
b/RHEL/6/input/fixes/bash/password_require_minimum_class.sh
deleted file mode 100644
index 127c004..0000000

needs a slight change: since /etc/pam.d/system-auth is (generally) a symlink to system-auth-ac, `sed --follow-symlinks` should be used

once change is made, ack


--- a/RHEL/6/input/fixes/bash/password_require_minimum_class.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-grep -q minclass /etc/pam.d/system-auth
-if [ $? = "0" ]; then
-    sed --follow-symlinks -i "/pam_cracklib.so/s/minclass=[0-4]/minclass=3/" 
/etc/pam.d/system-auth
-else
-    sed --follow-symlinks -i "/pam_cracklib.so/s/pam_cracklib.so /pam_cracklib.so 
minclass=3 /" /etc/pam.d/system-auth
-fi
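Review bot: the deleted script carried `--follow-symlinks` on both sed calls and the replacement file in this patch does not, so the rename is also a regression: /etc/pam.d/system-auth is normally a symlink to system-auth-ac (as the reply above notes) and plain `sed -i` on it writes a new regular file in place of the link. Carry `--follow-symlinks` over into both sed invocations of the renamed script.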
-- 1.8.3.1


-- SCAP Security Guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/

--
Shawn Wells
Director, Innovation Programs
[email protected] | 443.534.0130
@shawndwells
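The fix the thread converges on, written out as an added example (this is not SSG's remediation script, and it does not use the guide's `populate` / templates/support.sh machinery: the file path and target value are plain arguments). It assumes GNU sed, as on RHEL, for `-i` and `--follow-symlinks`. It goes a little beyond the patch: an existing minclass is rewritten whatever its current value, a pam_cracklib.so with no trailing options still gets the option, commented-out lines are skipped, and the symlink to system-auth-ac survives the edit. The sample PAM file it operates on is constructed here for the demonstration.

```shell
#!/bin/bash
# Added example, not SCAP Security Guide code. Assumes GNU sed.

# set_minclass FILE N
# Every uncommented line that loads pam_cracklib.so ends up with exactly one
# minclass=N option:
#  - an existing minclass=<any value> is rewritten, whatever that value is
#    (a [0-N] range class would skip minclass=4 when N is 3);
#  - a line without minclass gets one inserted right after the module name,
#    so it works whether or not other options follow;
#  - --follow-symlinks edits the symlink target (system-auth-ac) in place
#    instead of replacing the symlink with a regular file;
#  - commented-out lines are left alone.
set_minclass() {
    local file="$1" n="$2"
    case "$n" in
        [0-9]) ;;   # pam_cracklib accepts 0..4; a single digit is enough here
        *) echo "set_minclass: minclass must be a single digit, got '$n'" >&2; return 1 ;;
    esac
    [ -f "$file" ] || { echo "set_minclass: $file not found" >&2; return 1; }
    # Each -e is one sed script line, so the bare 't' (branch to end of script
    # if the previous s/// succeeded on this line) is terminated correctly.
    sed --follow-symlinks -i -E \
        -e '/^[^#]*pam_cracklib\.so/{' \
        -e "s/([[:space:]])minclass=[0-9]+/\1minclass=$n/" \
        -e 't' \
        -e "s/pam_cracklib\.so/& minclass=$n/" \
        -e '}' "$file"
}

# minclass_of FILE: print the minclass value found on the active
# pam_cracklib.so line (empty if there is none); used to check results.
minclass_of() {
    grep -E '^[^#]*pam_cracklib\.so' "$1" \
        | sed -nE 's/.*[[:space:]]minclass=([0-9]+).*/\1/p'
}

# Constructed sample mirroring a RHEL 6 layout: the real file plus the usual
# system-auth -> system-auth-ac symlink. The active line carries minclass=4,
# which the patch's [0-3] range would have left alone.
demo() {
    local d
    d=$(mktemp -d)
    printf '%s\n' \
        '#password    requisite     pam_cracklib.so minclass=2' \
        'password    requisite     pam_cracklib.so try_first_pass retry=3 minclass=4' \
        > "$d/system-auth-ac"
    ln -s system-auth-ac "$d/system-auth"
    set_minclass "$d/system-auth" 3
    cat "$d/system-auth-ac"   # active line now reads minclass=3; the comment is untouched
    [ -L "$d/system-auth" ] && echo "symlink preserved" || echo "symlink replaced by a regular file"
    rm -rf "$d"
}
demo
```

Running it twice on the same file leaves a single minclass option, which is what an XCCDF remediation needs so that repeated scans do not keep rewriting the line.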
