----- Original Message -----
> From: "Shawn Wells" <[email protected]>
> To: [email protected]
> Sent: Thursday, July 3, 2014 6:29:55 PM
> Subject: Re: [PATCH] [RHEL/6] accounts_password_pam_cracklib_minclass XCCDF rule: * rename the remediation script to proper name * start using value of particular variable instead of hardcoded value of '3'
>
> On 7/3/14, 11:15 AM, Jan Lieskovsky wrote:
> > Rename original remediation script (password_require_minimum_class.sh) from:
> > https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=a38ece26a85f210b7edc6db2d91c438ef78f5add
> > to its proper name (so remediation would actually perform the fix).
> >
> > Besides that replace the hardcoded value of '3' with evaluated value of
> > $var_password_pam_cracklib_minclass variable (which can be actually set
> > up to something different according to custom preferences). Also make
> > the remediation fix implementation comply / align more with actual
> > requirements for the remediation fixes (include templates/support.sh etc.)
> >
> > Testing report:
> > ---------------
> > Change has been tested on RHEL-6 for both cases:
> > * minclass already present in /etc/pam.d/system-auth, but having different
> >   value than expected / required,
> > * minclass not present in /etc/pam.d/system-auth file
> >
> > and works properly.
> >
> > Please review.
> >
> > Thank you && Regards, Jan.
> > --
> > Jan iankko Lieskovsky / Red Hat Security Technologies Team
> >
> > 0001-RHEL-6-accounts_password_pam_cracklib_minclass-XCCDF.patch
> >
> > From 2728223b695f7901c8b58b5696100273ccfa5993 Mon Sep 17 00:00:00 2001
> > From: Jan Lieskovsky <[email protected]>
> > Date: Thu, 3 Jul 2014 16:51:42 +0200
> > Subject: [PATCH] [RHEL/6] accounts_password_pam_cracklib_minclass XCCDF rule:
> >  * rename remediation fix to proper name, * update its implementation not to
> >  use the hardcoded value of '3', but rather actual evaluated value of
> >  var_password_pam_cracklib_minclass variable.
> > Signed-off-by: Jan Lieskovsky <[email protected]> --- > .../input/fixes/bash/accounts_password_pam_cracklib_minclass.sh | 9 > +++++++++ > RHEL/6/input/fixes/bash/password_require_minimum_class.sh | 6 ------ > 2 files changed, 9 insertions(+), 6 deletions(-) > create mode 100644 > RHEL/6/input/fixes/bash/accounts_password_pam_cracklib_minclass.sh > delete mode 100644 RHEL/6/input/fixes/bash/password_require_minimum_class.sh > > diff --git > a/RHEL/6/input/fixes/bash/accounts_password_pam_cracklib_minclass.sh > b/RHEL/6/input/fixes/bash/accounts_password_pam_cracklib_minclass.sh > new file mode 100644 > index 0000000..c710009 > --- /dev/null > +++ b/RHEL/6/input/fixes/bash/accounts_password_pam_cracklib_minclass.sh > @@ -0,0 +1,9 @@ > +source ./templates/support.sh > +populate var_password_pam_cracklib_minclass > + > +grep -q minclass /etc/pam.d/system-auth > +if [ $? = "0" ]; then > + sed -i " / > pam_cracklib.so/s/minclass=[0-$var_password_pam_cracklib_minclass]/minclass=$var_password_pam_cracklib_minclass > / " /etc/pam.d/system-auth > +else > + sed -i "/pam_cracklib.so/s/pam_cracklib.so /pam_cracklib.so > minclass=$var_password_pam_cracklib_minclass /" /etc/pam.d/system-auth > +fi > diff --git a/RHEL/6/input/fixes/bash/password_require_minimum_class.sh > b/RHEL/6/input/fixes/bash/password_require_minimum_class.sh > deleted file mode 100644 > index 127c004..0000000 > >
>
> needs a slight change: since /etc/pam.d/system-auth is (generally) a symlink to system-auth-ac, `sed --follow-symlinks` should be used
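Review bot: the presence check `grep -q minclass /etc/pam.d/system-auth` in the new script matches "minclass" anywhere in the file, not only on the pam_cracklib.so line, so a minclass in a comment or on another module's line sends the script down the substitute branch and the pam_cracklib.so line is never changed; key the check to that line, e.g. `grep -q 'pam_cracklib.so.*minclass=' /etc/pam.d/system-auth`, and while there `if grep -q ...; then` replaces the `$?` test. Two smaller points on the same hunk: `minclass=[0-$var_password_pam_cracklib_minclass]` only rewrites values from 0 up to the target, so an existing stricter value is left as is (acceptable, but worth a comment), and `s/pam_cracklib.so /pam_cracklib.so minclass=... /` requires a space after the module name, so a line that ends in `pam_cracklib.so` with no options is not updated; `s/pam_cracklib.so/& minclass=.../` covers both forms.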
Thanks, Shawn. Right, good catch (was wondering why the --follow-symlinks bit was necessary in the previous version.. It's clear now).

> once change is made, ack

Applied the patch, added --follow-symlinks option, squashed into previous commit, retested & pushed:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=41973eabf428467f12a6389244e11bda36f4acac

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> > > > > > --- a/RHEL/6/input/fixes/bash/password_require_minimum_class.sh > +++ /dev/null > @@ -1,6 +0,0 @@ > -grep -q minclass /etc/pam.d/system-auth > -if [ $? = "0" ]; then > - sed --follow-symlinks -i "/pam_cracklib.so/s/minclass=[0-4]/minclass=3/" > /etc/pam.d/system-auth > -else > - sed --follow-symlinks -i "/pam_cracklib.so/s/pam_cracklib.so > /pam_cracklib.so minclass=3 /" /etc/pam.d/system-auth > -fi > -- > 1.8.3.1 > >
> --
> SCAP Security Guide mailing list [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/
>
> --
> Shawn Wells
> Director, Innovation Programs [email protected] | 443.534.0130
> @shawndwells
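Review bot: the removed script ran `sed --follow-symlinks -i` and the replacement file in the first hunk drops the flag; GNU `sed -i` on a symlink writes a new regular file in place of the link, so on a RHEL 6 box where /etc/pam.d/system-auth is authconfig's symlink to system-auth-ac the edit lands in a detached copy and the link is gone. Carry `--follow-symlinks` over to accounts_password_pam_cracklib_minclass.sh before the old file is deleted, as Shawn's comment in the thread asks.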
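As an added example (not the SSG project's remediation from the patch above), the same minclass fix written as a function that takes the pam file and target value as parameters, uses sed --follow-symlinks as agreed in the thread, keys the presence check to the pam_cracklib.so line, and handles a module line with no trailing options; the function names and the system-auth-ac sample it edits are constructed for this example, with system-auth symlinked to it the way authconfig lays it out.

```shell
#!/bin/sh
# Added example, not the SSG project's fix: pam_cracklib minclass remediation
# with the pam file and target value as parameters. It differs from the patched
# script in three ways: --follow-symlinks (system-auth is normally a symlink to
# system-auth-ac), the presence check looks only at the pam_cracklib.so line,
# and a module line with no trailing options is handled. Requires GNU sed.

# set_minclass FILE VALUE: ensure the pam_cracklib.so line in FILE has minclass=VALUE.
set_minclass() {
  pamfile="$1"; want="$2"
  if grep -q '^password.*pam_cracklib\.so.*minclass=' "$pamfile"; then
    # Already present: rewrite whatever value is there, higher or lower.
    sed --follow-symlinks -i \
      "/^password.*pam_cracklib\.so/s/minclass=[0-9]*/minclass=$want/" "$pamfile"
  else
    # Absent: insert right after the module name, so it also works when
    # pam_cracklib.so is the last token on the line.
    sed --follow-symlinks -i \
      "/^password.*pam_cracklib\.so/s/pam_cracklib\.so/& minclass=$want/" "$pamfile"
  fi
}

# get_minclass FILE: print the minclass on the pam_cracklib.so line (empty if unset).
get_minclass() {
  sed -n '/^password.*pam_cracklib\.so/s/.*minclass=\([0-9]*\).*/\1/p' "$1"
}

# Constructed sample (not a real system file): a RHEL 6-style system-auth-ac
# plus a system-auth symlink pointing at it.
demo() {
  dir=$(mktemp -d)
  printf '%s\n' \
    'password    requisite     pam_cracklib.so try_first_pass retry=3 type=' \
    'password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok' \
    > "$dir/system-auth-ac"
  ln -s "$dir/system-auth-ac" "$dir/system-auth"
  set_minclass "$dir/system-auth" 3   # absent: option added
  set_minclass "$dir/system-auth" 4   # present: value rewritten
  echo "system-auth still a symlink: $([ -L "$dir/system-auth" ] && echo yes || echo no)"
  echo "minclass now: $(get_minclass "$dir/system-auth")"
  grep pam_cracklib "$dir/system-auth-ac"
  rm -rf "$dir"
}

demo
```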
