From d2666b534c38bfc3bbd7308c4db4ef887cae6e0b Mon Sep 17 00:00:00 2001
From: Gabe <redhatrises@gmail.com>
Date: Wed, 11 Nov 2020 15:14:51 -0700
Subject: [PATCH] Add new pwquality.conf and faillock.conf rules

- Add rule for enforcing password complexity for root
- Add rules for enforcing pwquality and faillock for local users only
- Re-enable the ssh_client_rekey_limit rule in the RHEL 8 STIG profile (drop the "!ssh_client_rekey_limit" unselect)
- Part of #4978
- Fixes #2706
- Fixes #2174
---
 .../ansible/shared.yml                        | 12 ++++++
 .../bash/shared.sh                            |  9 ++++
 .../oval/shared.xml                           | 21 ++++++++++
 .../rule.yml                                  | 42 +++++++++++++++++++
 .../ansible/shared.yml                        | 12 ++++++
 .../bash/shared.sh                            |  9 ++++
 .../oval/shared.xml                           | 21 ++++++++++
 .../rule.yml                                  | 42 +++++++++++++++++++
 .../ansible/shared.yml                        | 12 ++++++
 .../bash/shared.sh                            |  9 ++++
 .../oval/shared.xml                           | 21 ++++++++++
 .../rule.yml                                  | 39 +++++++++++++++++
 rhel8/profiles/stig.profile                   |  4 +-
 .../oval/accounts_password_pam_faillock.xml   | 26 ++++++++++++
 .../data/profile_stability/rhel8/stig.profile |  4 ++
 16 files changed, 282 insertions(+), 4 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
 create mode 100644 shared/checks/oval/accounts_password_pam_faillock.xml

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
new file mode 100644
index 0000000000..6ead01fab5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure failed password attempts lockout only for local users
+  lineinfile:
+    create: yes
+    dest: "/etc/security/faillock.conf"
+    regexp: '^#?\s*local_users_only'
+    line: "local_users_only"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
new file mode 100644
index 0000000000..8c43a8bb82
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+if ! grep -q "^local_users_only" /etc/security/faillock.conf; then
+	sed "s/# local_users_only/local_users_only/g" -i /etc/security/faillock.conf
+fi
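Review bot: The remediation is a silent no-op whenever /etc/security/faillock.conf has no line reading exactly `# local_users_only` (file missing, `#local_users_only` without the space, or the comment already gone): the `sed` on the second line matches nothing and the `if` body still exits 0, so the rule stays non-compliant with no error. The Ansible remediation in the same commit creates the file and matches `^#?\s*local_users_only`, so the two remediations diverge. I would anchor the substitution and append when it did not take effect: `sed -i 's/^#\s*local_users_only\b.*$/local_users_only/' /etc/security/faillock.conf` followed by `grep -q '^\s*local_users_only' /etc/security/faillock.conf || echo "local_users_only" >> /etc/security/faillock.conf`. As written, the unanchored `s/# local_users_only/.../g` would also rewrite that token inside any other comment line that happens to contain it.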
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml
new file mode 100644
index 0000000000..8e8ce134b0
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml
@@ -0,0 +1,21 @@
+<def-group>
+  <definition class="compliance" id="accounts_passwords_pam_faillock_enforce_local" version="1">
+    {{{ oval_metadata("Failed password attempts are enforced for local users only.") }}}
+    <criteria operator="AND" comment="conditions for accounts_passwords_pam_faillock_enforce_local are satisfied">
+      <extend_definition comment="faillock.so exists in system-auth" definition_ref="accounts_password_pam_faillock" />
+      <criterion comment="faillock.conf" test_ref="test_accounts_passwords_pam_faillock_enforce_local" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all"
+  comment="check the configuration of /etc/security/faillock.conf"
+  id="test_accounts_passwords_pam_faillock_enforce_local" version="1">
+    <ind:object object_ref="obj_accounts_passwords_pam_faillock_enforce_local" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_accounts_passwords_pam_faillock_enforce_local" version="1">
+    <ind:filepath>/etc/security/faillock.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*local_users_only[\s]*$</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
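Review bot: This definition can only pass when the extended `accounts_password_pam_faillock` check passes, and that shared check (added further down in this patch) looks for pam_faillock.so on a `password` line of system-auth; as far as I can tell pam_faillock is stacked as `auth`/`account`, never `password`, so this rule would report fail on a stock RHEL 8 configuration even with `local_users_only` set. The fix belongs in the shared check, but this rule should be exercised on an authselect-generated system-auth before merging. Separately, the criterion accepts only the directive in faillock.conf; if `local_users_only` is also accepted as a module argument on the pam_faillock.so line, such a system is flagged non-compliant — confirm against pam_faillock(8) and either match that form too or state in the rule that only faillock.conf is recognised.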
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml
new file mode 100644
index 0000000000..a189ac68ec
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml
@@ -0,0 +1,42 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Enforce pam_faillock for Local Accounts Only'
+
+description: |-
+    The pam_faillock module's <tt>local_users_only</tt> parameter controls requirements for
+    enforcing failed lockout attempts only for local user accounts and ignoring
+    centralized user account management failed attempt configurations. Enable the <tt>local_users_only</tt>
+    setting in <tt>/etc/security/faillock.conf</tt> to require failed password attempts
+    for only local user accounts.
+
+rationale: |-
+    The operating system must provide automated mechanisms for supporting account management
+    functions. Enterprise environments make application account management challenging and
+    complex. A manual process for account management functions adds the risk of a potential
+    oversight or other error.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-83401-0
+
+references:
+    disa: CCI-000015
+    nist: AC-2(1)
+    srg: SRG-OS-000001-GPOS-00001
+
+ocil_clause: 'local_users_only is not uncommented or configured correctly'
+
+ocil: |-
+    To check if root user is required to use complex passwords, run the following command:
+    <pre>$ grep local_users_only /etc/security/faillock.conf</pre>
+    The output should return <tt>local_users_only</tt> uncommented.
+
+platform: pam
+
+warnings:
+    - management: |-
+        Using this rule bypasses pam_faillock's functionality and should be used in cases
+        where centralized management such as LDAP or Active Directory is in use.
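Review bot: The `ocil` text at the end of the hunk is copied from the enforce_for_root rule ("To check if root user is required to use complex passwords") and does not describe this check; it should read `To verify that failed-login lockout is enforced only for local users, run the following command:`. The management warning also misstates the effect: the option does not bypass pam_faillock, it stops tracking failures for accounts that are not in the local password database, so I'd reword it as `Enabling local_users_only disables pam_faillock tracking for centrally managed (LDAP, IdM, AD) accounts; use it only when the directory service enforces its own lockout policy, otherwise those accounts have no lockout at all.` The rationale is generic AC-2(1) account-management text and says nothing about why a local-only scope is wanted (presumably to avoid a double lockout against the directory); one sentence on that trade-off would let a reader judge whether to select the rule.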
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml
new file mode 100644
index 0000000000..cebb406ad7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure password complexity only for local users
+  lineinfile:
+    create: yes
+    dest: "/etc/security/pwquality.conf"
+    regexp: '^#?\s*local_users_only'
+    line: "local_users_only"
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh
new file mode 100644
index 0000000000..4049539796
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+if ! grep -q "^local_users_only" /etc/security/pwquality.conf; then
+	sed "s/# local_users_only/local_users_only/g" -i /etc/security/pwquality.conf
+fi
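Review bot: Same gap as the faillock remediation: if /etc/security/pwquality.conf lacks a line reading exactly `# local_users_only`, the `sed` on the second line changes nothing and the script still succeeds, leaving the rule unremediated while the Ansible version (which uses `create: yes` and `^#?\s*local_users_only`) would fix it. Suggested replacement for the `sed` line plus a fallback: `sed -i 's/^#\s*local_users_only\b.*$/local_users_only/' /etc/security/pwquality.conf` and `grep -q '^\s*local_users_only' /etc/security/pwquality.conf || echo "local_users_only" >> /etc/security/pwquality.conf`. The `grep -q "^local_users_only"` guard also rejects a leading-whitespace form that the OVAL pattern `^[\s]*local_users_only[\s]*$` accepts, so check and remediation disagree on what counts as configured.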
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml
new file mode 100644
index 0000000000..794344e635
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml
@@ -0,0 +1,21 @@
+<def-group>
+  <definition class="compliance" id="accounts_password_pam_pwquality_enforce_local" version="1">
+    {{{ oval_metadata("The password complexity requirements are enforced for local users only.") }}}
+    <criteria operator="AND" comment="conditions for enforce_local are satisfied">
+      <extend_definition comment="pwquality.so exists in system-auth" definition_ref="accounts_password_pam_pwquality" />
+      <criterion comment="pwquality.conf" test_ref="test_accounts_password_pam_pwquality_enforce_local" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all"
+  comment="check the configuration of /etc/security/pwquality.conf"
+  id="test_accounts_password_pam_pwquality_enforce_local" version="1">
+    <ind:object object_ref="obj_accounts_password_pam_pwquality_enforce_local" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_accounts_password_pam_pwquality_enforce_local" version="1">
+    <ind:filepath>/etc/security/pwquality.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*local_users_only[\s]*$</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
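Review bot: The definition id `accounts_password_pam_pwquality_enforce_local` does not match the rule directory `accounts_password_pam_enforce_local` that the STIG profile later in this patch selects; unless the build rewrites definition ids, the OVAL will not be attached to the rule and it ships without an automated check. Either rename the definition/test/object ids to `accounts_password_pam_enforce_local` or rename the rule directory to the longer form — the faillock counterpart in this patch keeps the two names identical. The pattern only recognises the bare directive in pwquality.conf; if libpwquality on this platform also reads drop-ins under /etc/security/pwquality.conf.d, a system configured there would be reported non-compliant — confirm and either add a second object or document the limitation.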
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
new file mode 100644
index 0000000000..37f89b75b5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
@@ -0,0 +1,42 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only'
+
+description: |-
+    The pam_pwquality module's <tt>local_users_only</tt> parameter controls requirements for
+    enforcing password complexity by pam_pwquality only for local user accounts and ignoring
+    centralized user account management password complexity configurations. Enable the <tt>local_users_only</tt>
+    setting in <tt>/etc/security/pwquality.conf</tt> to require password complexity enforcement
+    for only local user accounts.
+
+rationale: |-
+    The operating system must provide automated mechanisms for supporting account management
+    functions. Enterprise environments make application account management challenging and
+    complex. A manual process for account management functions adds the risk of a potential
+    oversight or other error.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-83364-0
+
+references:
+    disa: CCI-000015
+    nist: AC-2(1)
+    srg: SRG-OS-000001-GPOS-00001
+
+ocil_clause: 'local_users_only is not uncommented or configured correctly'
+
+ocil: |-
+    To verify if password complexities are only enforce on local users, run the following command:
+    <pre>$ grep local_users_only /etc/security/pwquality.conf</pre>
+    The output should return <tt>local_users_only</tt> uncommented.
+
+platform: pam
+
+warnings:
+    - management: |-
+        Using this rule bypasses pam_faillock's functionality and should be used in cases
+        where centralized management such as LDAP or Active Directory is in use.
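Review bot: The management warning at the end of the hunk names the wrong module — this rule configures pam_pwquality, not pam_faillock — and "bypasses" is misleading: with `local_users_only` pam_pwquality skips the quality checks for accounts that are not in the local password database. Suggested wording: `Enabling local_users_only makes pam_pwquality skip password quality checks for centrally managed (LDAP, IdM, AD) accounts; use it only when the directory service enforces an equivalent password policy.` The `ocil` sentence has a grammar slip ("are only enforce on") — `are only enforced for local users`. The rationale is generic account-management text and does not explain the security trade-off this rule makes, which matters because the severity is set to medium.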
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml
new file mode 100644
index 0000000000..516c5c1ae6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure password complexity for root user
+  lineinfile:
+    create: yes
+    dest: "/etc/security/pwquality.conf"
+    regexp: '^#?\s*enforce_for_root'
+    line: "enforce_for_root"
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh
new file mode 100644
index 0000000000..97f45c6259
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+if ! grep -q "^enforce_for_root" /etc/security/pwquality.conf; then
+	sed "s/# enforce_for_root/enforce_for_root/g" -i /etc/security/pwquality.conf
+fi
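Review bot: As with the two `local_users_only` scripts, this remediation only works when /etc/security/pwquality.conf contains the exact text `# enforce_for_root`; with any other commented form, or no line at all, the `sed` is a no-op and the script exits successfully without enforcing anything, whereas the Ansible task for the same rule would create the line. Replace the `sed` line with `sed -i 's/^#\s*enforce_for_root\b.*$/enforce_for_root/' /etc/security/pwquality.conf` and add `grep -q '^\s*enforce_for_root' /etc/security/pwquality.conf || echo "enforce_for_root" >> /etc/security/pwquality.conf` so the directive ends up present in every case. This is the rule that makes root subject to the complexity policy, so a silently failing fix is worth closing.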
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml
new file mode 100644
index 0000000000..fccf5fd00e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml
@@ -0,0 +1,21 @@
+<def-group>
+  <definition class="compliance" id="accounts_password_pam_pwquality_enforce_root" version="1">
+    {{{ oval_metadata("The password complexity requirements are enforced for root.") }}}
+    <criteria operator="AND" comment="conditions for enforce_root are satisfied">
+      <extend_definition comment="pwquality.so exists in system-auth" definition_ref="accounts_password_pam_pwquality" />
+      <criterion comment="pwquality.conf" test_ref="test_accounts_password_pam_pwquality_enforce_root" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all"
+  comment="check the configuration of /etc/security/pwquality.conf"
+  id="test_accounts_password_pam_pwquality_enforce_root" version="1">
+    <ind:object object_ref="obj_accounts_password_pam_pwquality_enforce_root" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_accounts_password_pam_pwquality_enforce_root" version="1">
+    <ind:filepath>/etc/security/pwquality.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*enforce_for_root[\s]*$</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
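Review bot: The definition id `accounts_password_pam_pwquality_enforce_root` differs from the rule id `accounts_password_pam_enforce_root` used by the rule directory and the STIG profile selection in this patch; if the build requires the OVAL id to equal the rule id (as the faillock rule in this patch assumes), this check will not be associated with the rule. Rename the three ids to `accounts_password_pam_enforce_root` (or the directory to the longer form). The object only accepts `enforce_for_root` as a line in pwquality.conf; a system that passes it as a module argument on the pam_pwquality.so line in system-auth/password-auth would be flagged non-compliant — confirm whether pam_pwquality(8) accepts it there and either add a criterion for that form or make the rule text say that only pwquality.conf counts.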
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
new file mode 100644
index 0000000000..6aa1876e03
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Ensure PAM Enforces Password Requirements - Enforce for root User'
+
+description: |-
+    The pam_pwquality module's <tt>enforce_for_root</tt> parameter controls requirements for
+    enforcing password complexity for the root user. Enable the <tt>enforce_for_root</tt>
+    setting in <tt>/etc/security/pwquality.conf</tt> to require the <tt>root</tt> user
+    to use complex passwords.
+
+rationale: |-
+    Use of a complex password helps to increase the time and resources required to compromise
+    the password. Password complexity, or strength, is a measure of the effectiveness of a
+    password in resisting attempts at guessing and brute-force attacks.
+    
+    Password complexity is one factor of several that determines how long it takes to crack a
+    password. The more complex the password, the greater the number of possible combinations
+    that need to be tested before the password is compromised.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-83377-2
+
+references:
+    disa: CCI-000194,CCI-000193,CCI-001619,CCI-000205,CCI-000195,CCI-000192,CCI-000366
+    nist: IA-5(c),IA-5(1)(a),CM-6(a),IA-5(4)
+    srg: SRG-OS-000072-GPOS-00040,SRG-OS-000071-GPOS-00039,SRG-OS-000070-GPOS-00038,SRG-OS-000266-GPOS-00101,SRG-OS-000078-GPOS-00046,SRG-OS-000480-GPOS-00225,SRG-OS-000069-GPOS-00037
+
+ocil_clause: 'enforce_for_root is not uncommented or configured correctly'
+
+ocil: |-
+    To verify if root user is required to use complex passwords, run the following command:
+    <pre>$ grep enforce_for_root /etc/security/pwquality.conf</pre>
+    The output should return <tt>enforce_for_root</tt> uncommented.
+
+platform: pam
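Review bot: The description does not say what is at stake when `enforce_for_root` is off; per pam_pwquality(8), a failed check is then only reported and root can still set a password that violates the policy, which is the whole reason for this rule. I'd add after the first sentence: `Without this option pam_pwquality only warns when root chooses a password that fails the configured checks; with it the check is fatal for root as well.` The OCIL only inspects /etc/security/pwquality.conf; if the option is set as a module argument on the pam_pwquality.so line instead, a manual checker following this OCIL records a failure, so the OCIL should either accept that form or state that only pwquality.conf is recognised.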
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 15fe5c5bf9..b23cc05029 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -45,13 +45,15 @@ selections:
     - package_audispd-plugins_installed
     - package_libcap-ng-utils_installed
     - auditd_audispd_syslog_plugin_activated
+    - accounts_passwords_pam_faillock_enforce_local
+    - accounts_password_pam_enforce_local
+    - accounts_password_pam_enforce_root
 
     # Configure TLS for remote logging
     - package_rsyslog_installed
     - package_rsyslog-gnutls_installed
     - rsyslog_remote_tls
     - rsyslog_remote_tls_cacert
-    - "!ssh_client_rekey_limit"
 
     # Unselect zIPL rules from OSPP
     - "!zipl_bls_entries_only"
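Review bot: Both `*_enforce_local` rules carry a warning in their own rule.yml that they should be used only where LDAP/AD is in use, yet they are selected unconditionally here, so a STIG-hardened host with directory-backed accounts but no directory lockout or password policy loses both protections for those accounts. If the STIG item requires `local_users_only`, cite the STIG ID in a comment next to the selections; otherwise consider leaving the two enforce_local rules out of the baseline. The three lines are also appended to the audit-related group above them with no heading of their own — a `# Configure pam_pwquality and pam_faillock scope` comment before them would keep the profile readable. Dropping `"!ssh_client_rekey_limit"` re-enables that rule, which matches the commit message but is easy to miss; a short comment marking it intentional would help the next reader.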
diff --git a/shared/checks/oval/accounts_password_pam_faillock.xml b/shared/checks/oval/accounts_password_pam_faillock.xml
new file mode 100644
index 0000000000..c55c143ba5
--- /dev/null
+++ b/shared/checks/oval/accounts_password_pam_faillock.xml
@@ -0,0 +1,26 @@
+<def-group>
+  <definition class="compliance" id="accounts_password_pam_faillock" version="1">
+    <metadata>
+      <title>Check pam_faillock Existence in system-auth</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <description>Check that pam_faillock.so exists in system-auth</description>
+    </metadata>
+    <criteria>
+      <criterion comment="Conditions for pam_faillock are satisfied"
+      test_ref="test_accounts_password_pam_faillock" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="test_accounts_password_pam_faillock" version="1">
+    <ind:object object_ref="obj_accounts_password_pam_faillock" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_accounts_password_pam_faillock" version="1">
+    <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_faillock\.so.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
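Review bot: The pattern at the bottom of the hunk requires pam_faillock.so on a `password` line (`^\s*password\s+(?:required|requisite)\s+pam_faillock\.so`), but as far as I can tell pam_faillock implements the auth and account stack functions, not password, so this will not match a stock RHEL 8 system-auth where the module appears as `auth required pam_faillock.so preauth ...` and `auth required pam_faillock.so authfail`; every definition extending this one would then fail regardless of faillock.conf. Suggested pattern: `^\s*auth\s+(?:required|requisite|\[default=die\])\s+pam_faillock\.so.*$`. The object also inspects only /etc/pam.d/system-auth; remote logins on RHEL 8 go through /etc/pam.d/password-auth, so a second object for that file (or rule text naming which file is in scope) would close that gap. The metadata title/description should be updated to match whichever stack type is finally checked.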
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 569eed6636..5add9d462f 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -272,4 +272,8 @@ selections:
 - grub2_vsyscall_argument.severity=info
 - sysctl_user_max_user_namespaces.role=unscored
 - sysctl_user_max_user_namespaces.severity=info
+- ssh_client_rekey_limit
+- accounts_passwords_pam_faillock_enforce_local
+- accounts_password_pam_enforce_local
+- accounts_password_pam_enforce_root
 title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'