Blame SOURCES/scap-security-guide-0.1.54-pwquality_update-PR_6370.patch

f8899d
From d2666b534c38bfc3bbd7308c4db4ef887cae6e0b Mon Sep 17 00:00:00 2001
f8899d
From: Gabe <redhatrises@gmail.com>
f8899d
Date: Wed, 11 Nov 2020 15:14:51 -0700
f8899d
Subject: [PATCH] Add new pwquality.conf and faillock.conf rules
f8899d
f8899d
- Add rule for enforcing password complexity for root
f8899d
- Add rules for enforcing pwquality and faillock for local users only
f8899d
- Re-enable the ssh_client_rekey_limit rule in the RHEL 8 STIG profile
f8899d
- Part of #4978
f8899d
- Fixes #2706
f8899d
- Fixes #2174
f8899d
---
f8899d
 .../ansible/shared.yml                        | 12 ++++++
f8899d
 .../bash/shared.sh                            |  9 ++++
f8899d
 .../oval/shared.xml                           | 21 ++++++++++
f8899d
 .../rule.yml                                  | 42 +++++++++++++++++++
f8899d
 .../ansible/shared.yml                        | 12 ++++++
f8899d
 .../bash/shared.sh                            |  9 ++++
f8899d
 .../oval/shared.xml                           | 21 ++++++++++
f8899d
 .../rule.yml                                  | 42 +++++++++++++++++++
f8899d
 .../ansible/shared.yml                        | 12 ++++++
f8899d
 .../bash/shared.sh                            |  9 ++++
f8899d
 .../oval/shared.xml                           | 21 ++++++++++
f8899d
 .../rule.yml                                  | 39 +++++++++++++++++
f8899d
 rhel8/profiles/stig.profile                   |  4 +-
f8899d
 .../oval/accounts_password_pam_faillock.xml   | 26 ++++++++++++
f8899d
 .../data/profile_stability/rhel8/stig.profile |  4 ++
f8899d
 16 files changed, 282 insertions(+), 4 deletions(-)
f8899d
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
f8899d
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
f8899d
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml
f8899d
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml
f8899d
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml
f8899d
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh
f8899d
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml
f8899d
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
f8899d
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml
f8899d
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh
f8899d
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml
f8899d
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
f8899d
 create mode 100644 shared/checks/oval/accounts_password_pam_faillock.xml
f8899d
f8899d
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
f8899d
new file mode 100644
f8899d
index 0000000000..6ead01fab5
f8899d
--- /dev/null
f8899d
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
f8899d
@@ -0,0 +1,12 @@
f8899d
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
f8899d
+# reboot = false
f8899d
+# strategy = restrict
f8899d
+# complexity = low
f8899d
+# disruption = low
f8899d
+
f8899d
+- name: Ensure failed password attempts lockout only for local users
f8899d
+  lineinfile:
f8899d
+    create: yes
f8899d
+    dest: "/etc/security/faillock.conf"
f8899d
+    regexp: '^#?\s*local_users_only'
f8899d
+    line: "local_users_only"
f8899d
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
f8899d
new file mode 100644
f8899d
index 0000000000..8c43a8bb82
f8899d
--- /dev/null
f8899d
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
f8899d
@@ -0,0 +1,9 @@
f8899d
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
f8899d
+# reboot = false
f8899d
+# strategy = restrict
f8899d
+# complexity = low
f8899d
+# disruption = low
f8899d
+
f8899d
+if ! grep -q "^local_users_only" /etc/security/faillock.conf; then
f8899d
+	sed "s/# local_users_only/local_users_only/g" -i /etc/security/faillock.conf
f8899d
+fi
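Review bot: The remediation only uncomments a pre-existing `# local_users_only` template line, so on a faillock.conf that lacks that line (or carries it indented) the sed is a no-op and the rule stays failing, whereas the Ansible remediation for this same rule appends the line through lineinfile. The guard `grep -q "^local_users_only"` also rejects leading whitespace that the rule's OVAL pattern `^[\s]*local_users_only[\s]*$` accepts, so check and fix can disagree on the same file. Suggest anchoring the substitution and appending when nothing matched: `sed -i 's/^\s*#\s*local_users_only\s*$/local_users_only/' /etc/security/faillock.conf` followed by `grep -q '^\s*local_users_only\s*$' /etc/security/faillock.conf || echo 'local_users_only' >> /etc/security/faillock.conf`.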
f8899d
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml
f8899d
new file mode 100644
f8899d
index 0000000000..8e8ce134b0
f8899d
--- /dev/null
f8899d
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml
f8899d
@@ -0,0 +1,21 @@
f8899d
+<def-group>
f8899d
+  <definition class="compliance" id="accounts_passwords_pam_faillock_enforce_local" version="1">
f8899d
+    {{{ oval_metadata("Failed password attempts are enforced for local users only.") }}}
f8899d
+    <criteria operator="AND" comment="conditions for accounts_passwords_pam_faillock_enforce_local are satisfied">
f8899d
+      <extend_definition comment="faillock.so exists in system-auth" definition_ref="accounts_password_pam_faillock" />
f8899d
+      <criterion comment="faillock.conf" test_ref="test_accounts_passwords_pam_faillock_enforce_local" />
f8899d
+    </criteria>
f8899d
+  </definition>
f8899d
+
f8899d
+  
f8899d
+  comment="check the configuration of /etc/security/faillock.conf"
f8899d
+  id="test_accounts_passwords_pam_faillock_enforce_local" version="1">
f8899d
+    <ind:object object_ref="obj_accounts_passwords_pam_faillock_enforce_local" />
f8899d
+  </ind:textfilecontent54_test>
f8899d
+
f8899d
+  <ind:textfilecontent54_object id="obj_accounts_passwords_pam_faillock_enforce_local" version="1">
f8899d
+    <ind:filepath>/etc/security/faillock.conf</ind:filepath>
f8899d
+    <ind:pattern operation="pattern match">^[\s]*local_users_only[\s]*$</ind:pattern>
f8899d
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
f8899d
+  </ind:textfilecontent54_object>
f8899d
+</def-group>
f8899d
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml
f8899d
new file mode 100644
f8899d
index 0000000000..a189ac68ec
f8899d
--- /dev/null
f8899d
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml
f8899d
@@ -0,0 +1,42 @@
f8899d
+documentation_complete: true
f8899d
+
f8899d
+prodtype: fedora,rhel8
f8899d
+
f8899d
+title: 'Enforce pam_faillock for Local Accounts Only'
f8899d
+
f8899d
+description: |-
f8899d
+    The pam_faillock module's <tt>local_users_only</tt> parameter controls requirements for
f8899d
+    enforcing failed lockout attempts only for local user accounts and ignoring
f8899d
+    centralized user account management failed attempt configurations. Enable the <tt>local_users_only</tt>
f8899d
+    setting in <tt>/etc/security/faillock.conf</tt> to require failed password attempts
f8899d
+    for only local user accounts.
f8899d
+
f8899d
+rationale: |-
f8899d
+    The operating system must provide automated mechanisms for supporting account management
f8899d
+    functions. Enterprise environments make application account management challenging and
f8899d
+    complex. A manual process for account management functions adds the risk of a potential
f8899d
+    oversight or other error.
f8899d
+
f8899d
+severity: medium
f8899d
+
f8899d
+identifiers:
f8899d
+    cce@rhel8: CCE-83401-0
f8899d
+
f8899d
+references:
f8899d
+    disa: CCI-000015
f8899d
+    nist: AC-2(1)
f8899d
+    srg: SRG-OS-000001-GPOS-00001
f8899d
+
f8899d
+ocil_clause: 'local_users_only is not uncommented or configured correctly'
f8899d
+
f8899d
+ocil: |-
f8899d
+    To check if root user is required to use complex passwords, run the following command:
f8899d
+    
$ grep local_users_only /etc/security/faillock.conf
f8899d
+    The output should return <tt>local_users_only</tt> uncommented.
f8899d
+
f8899d
+platform: pam
f8899d
+
f8899d
+warnings:
f8899d
+    - management: |-
f8899d
+        Using this rule bypasses pam_faillock's functionality and should be used in cases
f8899d
+        where centralized management such as LDAP or Active Directory is in use.
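Review bot: The description and the `management` warning misstate what `local_users_only` does: pam_faillock neither "bypasses" its functionality nor "ignores centralized ... configurations"; per pam_faillock(8) it stops counting and locking users that are not present in /etc/passwd, so failed logins against AD/LDAP/IdM accounts through this host are no longer locked by pam_faillock at all. The warning should say that plainly, e.g. `Enabling local_users_only disables pam_faillock lockout for non-local users; select this rule only where the centralized identity provider enforces its own lockout policy, otherwise directory accounts lose lockout protection on this host.` The OCIL sentence `To check if root user is required to use complex passwords` is copied from the enforce_root rule and should read `To check that failed-login lockout is enforced only for local users, run the following command:`. The rationale paragraph about automated account management does not explain this setting either, though it may be required verbatim by the referenced SRG.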
f8899d
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml
f8899d
new file mode 100644
f8899d
index 0000000000..cebb406ad7
f8899d
--- /dev/null
f8899d
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml
f8899d
@@ -0,0 +1,12 @@
f8899d
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
f8899d
+# reboot = false
f8899d
+# strategy = restrict
f8899d
+# complexity = low
f8899d
+# disruption = low
f8899d
+
f8899d
+- name: Ensure password complexity only for local users
f8899d
+  lineinfile:
f8899d
+    create: yes
f8899d
+    dest: "/etc/security/pwquality.conf"
f8899d
+    regexp: '^#?\s*local_users_only'
f8899d
+    line: "local_users_only"
f8899d
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh
f8899d
new file mode 100644
f8899d
index 0000000000..4049539796
f8899d
--- /dev/null
f8899d
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh
f8899d
@@ -0,0 +1,9 @@
f8899d
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
f8899d
+# reboot = false
f8899d
+# strategy = restrict
f8899d
+# complexity = low
f8899d
+# disruption = low
f8899d
+
f8899d
+if ! grep -q "^local_users_only" /etc/security/pwquality.conf; then
f8899d
+	sed "s/# local_users_only/local_users_only/g" -i /etc/security/pwquality.conf
f8899d
+fi
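Review bot: As written this remediation can only uncomment a pre-existing `# local_users_only` line, so it silently does nothing when pwquality.conf has no such template line, while the Ansible remediation of the same rule appends it. The unanchored `s/# local_users_only/local_users_only/g` also rewrites that text wherever it occurs inside an explanatory comment, not only on the option line. Suggest `sed -i 's/^\s*#\s*local_users_only\s*$/local_users_only/' /etc/security/pwquality.conf` followed by `grep -q '^\s*local_users_only\s*$' /etc/security/pwquality.conf || echo 'local_users_only' >> /etc/security/pwquality.conf`.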
f8899d
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml
f8899d
new file mode 100644
f8899d
index 0000000000..794344e635
f8899d
--- /dev/null
f8899d
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml
f8899d
@@ -0,0 +1,21 @@
f8899d
+<def-group>
f8899d
+  <definition class="compliance" id="accounts_password_pam_pwquality_enforce_local" version="1">
f8899d
+    {{{ oval_metadata("The password complexity requirements are enforced for local users only.") }}}
f8899d
+    <criteria operator="AND" comment="conditions for enforce_local are satisfied">
f8899d
+      <extend_definition comment="pwquality.so exists in system-auth" definition_ref="accounts_password_pam_pwquality" />
f8899d
+      <criterion comment="pwquality.conf" test_ref="test_accounts_password_pam_pwquality_enforce_local" />
f8899d
+    </criteria>
f8899d
+  </definition>
f8899d
+
f8899d
+  
f8899d
+  comment="check the configuration of /etc/security/pwquality.conf"
f8899d
+  id="test_accounts_password_pam_pwquality_enforce_local" version="1">
f8899d
+    <ind:object object_ref="obj_accounts_password_pam_pwquality_enforce_local" />
f8899d
+  </ind:textfilecontent54_test>
f8899d
+
f8899d
+  <ind:textfilecontent54_object id="obj_accounts_password_pam_pwquality_enforce_local" version="1">
f8899d
+    <ind:filepath>/etc/security/pwquality.conf</ind:filepath>
f8899d
+    <ind:pattern operation="pattern match">^[\s]*local_users_only[\s]*$</ind:pattern>
f8899d
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
f8899d
+  </ind:textfilecontent54_object>
f8899d
+</def-group>
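Review bot: The definition id `accounts_password_pam_pwquality_enforce_local` does not match the rule directory name `accounts_password_pam_enforce_local`, which is also the id selected in rhel8/profiles/stig.profile in this patch; the faillock rule in the same patch uses one id in both places (`accounts_passwords_pam_faillock_enforce_local`), so if the build attaches OVAL to rules by id this rule ends up with no automated check. Rename to `id="accounts_password_pam_enforce_local"` and adjust the test/object ids to match, or rename the rule directory to the pwquality-prefixed name consistently.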
f8899d
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
f8899d
new file mode 100644
f8899d
index 0000000000..37f89b75b5
f8899d
--- /dev/null
f8899d
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
f8899d
@@ -0,0 +1,42 @@
f8899d
+documentation_complete: true
f8899d
+
f8899d
+prodtype: fedora,rhel8
f8899d
+
f8899d
+title: 'Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only'
f8899d
+
f8899d
+description: |-
f8899d
+    The pam_pwquality module's <tt>local_users_only</tt> parameter controls requirements for
f8899d
+    enforcing password complexity by pam_pwquality only for local user accounts and ignoring
f8899d
+    centralized user account management password complexity configurations. Enable the <tt>local_users_only</tt>
f8899d
+    setting in <tt>/etc/security/pwquality.conf</tt> to require password complexity enforcement
f8899d
+    for only local user accounts.
f8899d
+
f8899d
+rationale: |-
f8899d
+    The operating system must provide automated mechanisms for supporting account management
f8899d
+    functions. Enterprise environments make application account management challenging and
f8899d
+    complex. A manual process for account management functions adds the risk of a potential
f8899d
+    oversight or other error.
f8899d
+
f8899d
+severity: medium
f8899d
+
f8899d
+identifiers:
f8899d
+    cce@rhel8: CCE-83364-0
f8899d
+
f8899d
+references:
f8899d
+    disa: CCI-000015
f8899d
+    nist: AC-2(1)
f8899d
+    srg: SRG-OS-000001-GPOS-00001
f8899d
+
f8899d
+ocil_clause: 'local_users_only is not uncommented or configured correctly'
f8899d
+
f8899d
+ocil: |-
f8899d
+    To verify if password complexities are only enforce on local users, run the following command:
f8899d
+    
$ grep local_users_only /etc/security/pwquality.conf
f8899d
+    The output should return <tt>local_users_only</tt> uncommented.
f8899d
+
f8899d
+platform: pam
f8899d
+
f8899d
+warnings:
f8899d
+    - management: |-
f8899d
+        Using this rule bypasses pam_faillock's functionality and should be used in cases
f8899d
+        where centralized management such as LDAP or Active Directory is in use.
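Review bot: The `management` warning is copied from the faillock rule and speaks of "pam_faillock's functionality", but this rule configures pam_pwquality; with `local_users_only` set, pwquality skips its checks for users not in /etc/passwd, so password strength for AD/LDAP/IdM accounts changed through this host is enforced only by the directory's own policy. Suggested wording: `Enabling local_users_only makes pam_pwquality skip quality checks for users not present in /etc/passwd; select this rule only where the centralized identity provider enforces its own password policy.` The OCIL sentence `To verify if password complexities are only enforce on local users` should read `To verify that password complexity is enforced only for local users, run the following command:`.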
f8899d
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml
f8899d
new file mode 100644
f8899d
index 0000000000..516c5c1ae6
f8899d
--- /dev/null
f8899d
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml
f8899d
@@ -0,0 +1,12 @@
f8899d
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
f8899d
+# reboot = false
f8899d
+# strategy = restrict
f8899d
+# complexity = low
f8899d
+# disruption = low
f8899d
+
f8899d
+- name: Ensure password complexity for root user
f8899d
+  lineinfile:
f8899d
+    create: yes
f8899d
+    dest: "/etc/security/pwquality.conf"
f8899d
+    regexp: '^#?\s*enforce_for_root'
f8899d
+    line: "enforce_for_root"
f8899d
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh
f8899d
new file mode 100644
f8899d
index 0000000000..97f45c6259
f8899d
--- /dev/null
f8899d
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh
f8899d
@@ -0,0 +1,9 @@
f8899d
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
f8899d
+# reboot = false
f8899d
+# strategy = restrict
f8899d
+# complexity = low
f8899d
+# disruption = low
f8899d
+
f8899d
+if ! grep -q "^enforce_for_root" /etc/security/pwquality.conf; then
f8899d
+	sed "s/# enforce_for_root/enforce_for_root/g" -i /etc/security/pwquality.conf
f8899d
+fi
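Review bot: This remediation only uncomments an existing `# enforce_for_root` template line and otherwise leaves the file untouched, so it diverges from the Ansible remediation of the same rule, which appends the line when absent; for a control on root's password strength the fix should not depend on the vendor template line still being present. Suggest `sed -i 's/^\s*#\s*enforce_for_root\s*$/enforce_for_root/' /etc/security/pwquality.conf` followed by `grep -q '^\s*enforce_for_root\s*$' /etc/security/pwquality.conf || echo 'enforce_for_root' >> /etc/security/pwquality.conf`.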
f8899d
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml
f8899d
new file mode 100644
f8899d
index 0000000000..fccf5fd00e
f8899d
--- /dev/null
f8899d
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml
f8899d
@@ -0,0 +1,21 @@
f8899d
+<def-group>
f8899d
+  <definition class="compliance" id="accounts_password_pam_pwquality_enforce_root" version="1">
f8899d
+    {{{ oval_metadata("The password complexity requirements are enforced for root.") }}}
f8899d
+    <criteria operator="AND" comment="conditions for enforce_root are satisfied">
f8899d
+      <extend_definition comment="pwquality.so exists in system-auth" definition_ref="accounts_password_pam_pwquality" />
f8899d
+      <criterion comment="pwquality.conf" test_ref="test_accounts_password_pam_pwquality_enforce_root" />
f8899d
+    </criteria>
f8899d
+  </definition>
f8899d
+
f8899d
+  
f8899d
+  comment="check the configuration of /etc/security/pwquality.conf"
f8899d
+  id="test_accounts_password_pam_pwquality_enforce_root" version="1">
f8899d
+    <ind:object object_ref="obj_accounts_password_pam_pwquality_enforce_root" />
f8899d
+  </ind:textfilecontent54_test>
f8899d
+
f8899d
+  <ind:textfilecontent54_object id="obj_accounts_password_pam_pwquality_enforce_root" version="1">
f8899d
+    <ind:filepath>/etc/security/pwquality.conf</ind:filepath>
f8899d
+    <ind:pattern operation="pattern match">^[\s]*enforce_for_root[\s]*$</ind:pattern>
f8899d
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
f8899d
+  </ind:textfilecontent54_object>
f8899d
+</def-group>
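Review bot: The definition id `accounts_password_pam_pwquality_enforce_root` differs from the rule directory name and the profile selection `accounts_password_pam_enforce_root` added elsewhere in this patch, so if OVAL is bound to rules by matching ids this rule has no check attached. Either change this definition (and its test/object ids) to `accounts_password_pam_enforce_root` or rename the rule directory to match.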
f8899d
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
f8899d
new file mode 100644
f8899d
index 0000000000..6aa1876e03
f8899d
--- /dev/null
f8899d
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
f8899d
@@ -0,0 +1,39 @@
f8899d
+documentation_complete: true
f8899d
+
f8899d
+prodtype: fedora,rhel8
f8899d
+
f8899d
+title: 'Ensure PAM Enforces Password Requirements - Enforce for root User'
f8899d
+
f8899d
+description: |-
f8899d
+    The pam_pwquality module's <tt>enforce_for_root</tt> parameter controls requirements for
f8899d
+    enforcing password complexity for the root user. Enable the <tt>enforce_for_root</tt>
f8899d
+    setting in <tt>/etc/security/pwquality.conf</tt> to require the <tt>root</tt> user
f8899d
+    to use complex passwords.
f8899d
+
f8899d
+rationale: |-
f8899d
+    Use of a complex password helps to increase the time and resources required to compromise
f8899d
+    the password. Password complexity, or strength, is a measure of the effectiveness of a
f8899d
+    password in resisting attempts at guessing and brute-force attacks.
f8899d
+    
f8899d
+    Password complexity is one factor of several that determines how long it takes to crack a
f8899d
+    password. The more complex the password, the greater the number of possible combinations
f8899d
+    that need to be tested before the password is compromised.
f8899d
+
f8899d
+severity: medium
f8899d
+
f8899d
+identifiers:
f8899d
+    cce@rhel8: CCE-83377-2
f8899d
+
f8899d
+references:
f8899d
+    disa: CCI-000194,CCI-000193,CCI-001619,CCI-000205,CCI-000195,CCI-000192,CCI-000366
f8899d
+    nist: IA-5(c),IA-5(1)(a),CM-6(a),IA-5(4)
f8899d
+    srg: SRG-OS-000072-GPOS-00040,SRG-OS-000071-GPOS-00039,SRG-OS-000070-GPOS-00038,SRG-OS-000266-GPOS-00101,SRG-OS-000078-GPOS-00046,SRG-OS-000480-GPOS-00225,SRG-OS-000069-GPOS-00037
f8899d
+
f8899d
+ocil_clause: 'enforce_for_root is not uncommented or configured correctly'
f8899d
+
f8899d
+ocil: |-
f8899d
+    To verify if root user is required to use complex passwords, run the following command:
f8899d
+    
$ grep enforce_for_root /etc/security/pwquality.conf
f8899d
+    The output should return <tt>enforce_for_root</tt> uncommented.
f8899d
+
f8899d
+platform: pam
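Review bot: The description should set expectations for what `enforce_for_root` covers: per pwquality.conf(5), without it pam_pwquality only prints the failed check and still lets root set the password, and even with it root is not prompted for the old password, so the checks comparing old and new passwords (difok and the like) are still not applied to root. A sentence such as `Note that root is still not asked for the old password, so checks that compare the old and new password are not performed for root.` at the end of the description would avoid readers assuming full parity with non-root users. This is a documentation-only suggestion; the check and both remediations target the same setting.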
f8899d
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
f8899d
index 15fe5c5bf9..b23cc05029 100644
f8899d
--- a/rhel8/profiles/stig.profile
f8899d
+++ b/rhel8/profiles/stig.profile
f8899d
@@ -45,13 +45,15 @@ selections:
f8899d
     - package_audispd-plugins_installed
f8899d
     - package_libcap-ng-utils_installed
f8899d
     - auditd_audispd_syslog_plugin_activated
f8899d
+    - accounts_passwords_pam_faillock_enforce_local
f8899d
+    - accounts_password_pam_enforce_local
f8899d
+    - accounts_password_pam_enforce_root
f8899d
 
f8899d
     # Configure TLS for remote logging
f8899d
     - package_rsyslog_installed
f8899d
     - package_rsyslog-gnutls_installed
f8899d
     - rsyslog_remote_tls
f8899d
     - rsyslog_remote_tls_cacert
f8899d
-    - "!ssh_client_rekey_limit"
f8899d
 
f8899d
     # Unselect zIPL rules from OSPP
f8899d
     - "!zipl_bls_entries_only"
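Review bot: The selections `accounts_password_pam_enforce_local` and `accounts_password_pam_enforce_root` do not match the OVAL definition ids this patch introduces for those rules (`accounts_password_pam_pwquality_enforce_local` / `_enforce_root`), so unless the build maps them some other way these two STIG selections will carry no check. Separately, `accounts_passwords_pam_faillock_enforce_local` is selected unconditionally even though its own warning says it should only be used where centralized management is in place; on hosts whose directory users have no lockout policy at the IdP this weakens lockout, so confirm the STIG text actually mandates `local_users_only` before keeping it here. The three new lines also sit between the audispd rule and the `# Configure TLS for remote logging` comment; a `# Scope pwquality/faillock to local users and root` comment above them would match the file's grouping style.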
f8899d
diff --git a/shared/checks/oval/accounts_password_pam_faillock.xml b/shared/checks/oval/accounts_password_pam_faillock.xml
f8899d
new file mode 100644
f8899d
index 0000000000..c55c143ba5
f8899d
--- /dev/null
f8899d
+++ b/shared/checks/oval/accounts_password_pam_faillock.xml
f8899d
@@ -0,0 +1,26 @@
f8899d
+<def-group>
f8899d
+  <definition class="compliance" id="accounts_password_pam_faillock" version="1">
f8899d
+    <metadata>
f8899d
+      <title>Check pam_faillock Existence in system-auth</title>
f8899d
+      <affected family="unix">
f8899d
+        <platform>multi_platform_all</platform>
f8899d
+      </affected>
f8899d
+      <description>Check that pam_faillock.so exists in system-auth</description>
f8899d
+    </metadata>
f8899d
+    <criteria>
f8899d
+      
f8899d
+      test_ref="test_accounts_password_pam_faillock" />
f8899d
+    </criteria>
f8899d
+  </definition>
f8899d
+
f8899d
+  <ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="test_accounts_password_pam_faillock" version="1">
f8899d
+    <ind:object object_ref="obj_accounts_password_pam_faillock" />
f8899d
+  </ind:textfilecontent54_test>
f8899d
+
f8899d
+  <ind:textfilecontent54_object id="obj_accounts_password_pam_faillock" version="1">
f8899d
+    <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
f8899d
+    <ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_faillock\.so.*$</ind:pattern>
f8899d
+    <ind:instance datatype="int">1</ind:instance>
f8899d
+  </ind:textfilecontent54_object>
f8899d
+
f8899d
+</def-group>
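Review bot: The object pattern looks for `password\s+(required|requisite)\s+pam_faillock\.so`, but pam_faillock is an auth/account module configured in system-auth as `auth required pam_faillock.so preauth` / `authfail` and `account required pam_faillock.so`, never in the password stack; as written this definition is always false, and because the new `accounts_passwords_pam_faillock_enforce_local` definition ANDs it in, that rule can never pass. The line type appears to have been copied from the pam_pwquality check. Suggest `^\s*auth\s+(?:required|requisite)\s+pam_faillock\.so\s+.*preauth.*$`. Only /etc/pam.d/system-auth is inspected; sshd and other network services on RHEL 8 go through /etc/pam.d/password-auth, so consider checking both files as I believe the existing faillock rules in this project do (not verifiable from this patch).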
f8899d
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
f8899d
index 569eed6636..5add9d462f 100644
f8899d
--- a/tests/data/profile_stability/rhel8/stig.profile
f8899d
+++ b/tests/data/profile_stability/rhel8/stig.profile
f8899d
@@ -272,4 +272,8 @@ selections:
f8899d
 - grub2_vsyscall_argument.severity=info
f8899d
 - sysctl_user_max_user_namespaces.role=unscored
f8899d
 - sysctl_user_max_user_namespaces.severity=info
f8899d
+- ssh_client_rekey_limit
f8899d
+- accounts_passwords_pam_faillock_enforce_local
f8899d
+- accounts_password_pam_enforce_local
f8899d
+- accounts_password_pam_enforce_root
f8899d
 title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'