From da0a661b8a5754feecab58a577783faa918172bd Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>

Date: Fri, 4 Sep 2020 12:04:27 +0200

Subject: [PATCH 1/3] Replace XCCDF value substitution code by a macro.

The macro hides the actual implementation of the substitution,

it "just works", and it opens ways how to support variables

even outside of the SCAP content, where there is no scanner

to do the acutal substitution.

Renamed the macro to xccdf_value, kept the old one for backward compatibility.

---

 .../rule.yml                                     |  8 ++++----

 .../rule.yml                                     |  2 +-

 .../keystone/keystone_lockout_duration/rule.yml  |  2 +-

 .../keystone_lockout_failure_attempts/rule.yml   |  2 +-

 .../rule.yml                                     |  2 +-

 .../container_keystone_lockout_duration/rule.yml |  2 +-

 .../rule.yml                                     |  2 +-

 .../rule.yml                                     |  4 ++--

 .../httpd_enable_loglevel/rule.yml               |  4 ++--

 .../postfix_client_configure_mail_alias/rule.yml |  2 +-

 .../postfix_client_configure_relayhost/rule.yml  |  4 ++--

 .../postfix_network_listening_disabled/rule.yml  |  4 ++--

 .../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml     |  6 +++---

 .../ssh_server/sshd_disable_compression/rule.yml |  2 +-

 .../ssh/ssh_server/sshd_rekey_limit/rule.yml     |  4 ++--

 .../ssh_server/sshd_set_idle_timeout/rule.yml    |  4 ++--

 .../ssh/ssh_server/sshd_set_keepalive/rule.yml   |  4 ++--

 .../ssh_server/sshd_set_max_auth_tries/rule.yml  |  4 ++--

 .../ssh_server/sshd_set_max_sessions/rule.yml    |  4 ++--

 .../sshd_use_approved_ciphers/rule.yml           |  2 +-

 .../ssh_server/sshd_use_approved_macs/rule.yml   |  2 +-

 .../ssh_server/sshd_use_priv_separation/rule.yml |  4 ++--

 .../services/sssd/sssd_memcache_timeout/rule.yml |  8 ++++----

 .../sssd/sssd_ssh_known_hosts_timeout/rule.yml   |  8 ++++----

 .../accounts_password_pam_unix_remember/rule.yml |  8 ++++----

 .../rule.yml                                     |  6 +++---

 .../rule.yml                                     |  4 ++--

 .../rule.yml                                     |  6 +++---

 .../rule.yml                                     |  4 ++--

 .../rule.yml                                     |  2 +-

 .../rule.yml                                     |  6 +++---

 .../rule.yml                                     |  4 ++--

 .../rule.yml                                     |  4 ++--

 .../rule.yml                                     |  2 +-

 .../rule.yml                                     |  2 +-

 .../accounts_password_pam_difok/rule.yml         |  2 +-

 .../rule.yml                                     |  4 ++--

 .../accounts_password_pam_maxrepeat/rule.yml     |  4 ++--

 .../accounts_password_pam_minclass/rule.yml      |  2 +-

 .../accounts_password_pam_minlen/rule.yml        |  4 ++--

 .../accounts_password_pam_ocredit/rule.yml       |  2 +-

 .../accounts_password_pam_retry/rule.yml         |  2 +-

 .../configure_opensc_card_drivers/rule.yml       |  8 ++++----

 .../force_opensc_card_drivers/rule.yml           |  8 ++++----

 .../account_disable_post_pw_expiration/rule.yml  |  6 +++---

 .../accounts_maximum_age_login_defs/rule.yml     |  4 ++--

 .../accounts_minimum_age_login_defs/rule.yml     |  4 ++--

 .../accounts_password_minlen_login_defs/rule.yml |  4 ++--

 .../rule.yml                                     |  4 ++--

 .../accounts_logon_fail_delay/rule.yml           |  4 ++--

 .../rule.yml                                     |  4 ++--

 .../accounts-session/accounts_tmout/rule.yml     |  4 ++--

 .../accounts_umask_etc_bashrc/rule.yml           |  6 +++---

 .../accounts_umask_etc_csh_cshrc/rule.yml        |  4 ++--

 .../accounts_umask_etc_login_defs/rule.yml       |  4 ++--

 .../accounts_umask_etc_profile/rule.yml          |  4 ++--

 .../rule.yml                                     |  4 ++--

 .../rule.yml                                     |  4 ++--

 .../auditd_data_retention_flush/rule.yml         |  2 +-

 .../auditd_data_retention_max_log_file/rule.yml  |  2 +-

 .../auditd_data_retention_num_logs/rule.yml      |  2 +-

 .../rsyslog_files_groupownership/rule.yml        |  8 ++++----

 .../rsyslog_files_ownership/rule.yml             |  8 ++++----

 .../rsyslog_remote_loghost/rule.yml              | 16 ++++++++--------

 .../rule.yml                                     |  4 ++--

 .../daemon_umask/umask_for_daemons/rule.yml      |  4 ++--

 .../system/selinux/selinux_policytype/rule.yml   |  6 +++---

 .../guide/system/selinux/selinux_state/rule.yml  |  6 +++---

 .../dconf_gnome_screensaver_idle_delay/rule.yml  |  2 +-

 .../dconf_gnome_screensaver_lock_delay/rule.yml  |  6 +++---

 .../gconf_gnome_screensaver_idle_delay/rule.yml  |  6 +++---

 .../rule.yml                                     |  6 +++---

 .../crypto/configure_crypto_policy/rule.yml      |  6 +++---

 .../crypto/ssh_client_rekey_limit/rule.yml       |  6 +++---

 shared/macros.jinja                              |  7 ++++++-

 75 files changed, 168 insertions(+), 163 deletions(-)

diff --git a/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml b/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml

index 74da1f4c8b..91bd3ab560 100644

--- a/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml

+++ b/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml

@@ -11,13 +11,13 @@ description: |-

 {{%- if product == "ocp4" %}}

     file <tt>/etc/kubernetes/kubernetes.conf</tt>

     on the kubelet node(s) and set the below parameter:

-    
streamingConnectionIdleTimeout: <sub idref="var_streaming_connection_timeouts"/>

+    
streamingConnectionIdleTimeout: {{{ xccdf_value("var_streaming_connection_timeouts") }}}

 {{% else %}}

     file <tt>/etc/origin/node/node-config.yaml</tt>

     on the kubelet node(s) and set the below parameter:

     
kubeletArguments:

       streaming-connection-idle-timeout:

-      - '<sub idref="var_streaming_connection_timeouts"/>'

+      - '{{{ xccdf_value("var_streaming_connection_timeouts") }}}'

 {{%- endif %}}

 rationale: |-

@@ -33,10 +33,10 @@ ocil: |-

     Run the following command on the kubelet node(s):

 {{%- if product == "ocp4" %}}

     
$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubernetes.conf

-    The output should return <tt><sub idref="var_streaming_connection_timeouts"/></tt>.

+    The output should return <tt>{{{ xccdf_value("var_streaming_connection_timeouts") }}}</tt>.

 {{% else %}}

     
$ sudo grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml

-    The output should return <tt><sub idref="var_streaming_connection_timeouts"/></tt>.

+    The output should return <tt>{{{ xccdf_value("var_streaming_connection_timeouts") }}}</tt>.

 {{%- endif %}}

 identifiers:

diff --git a/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml b/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml

index 6f8a7c9474..5a06f2984f 100644

--- a/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml

+++ b/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml

@@ -32,4 +32,4 @@ ocil: |-

     
$ grep disable_user_account_days_inactive /etc/keystone/keystone.conf

     If properly configured, the output should be:

-    
disable_user_account_days_inactive = <sub idref="var_keystone_disable_user_account_days_inactive" />

+    
disable_user_account_days_inactive = {{{ xccdf_value("var_keystone_disable_user_account_days_inactive") }}}

diff --git a/applications/openstack/keystone/keystone_lockout_duration/rule.yml b/applications/openstack/keystone/keystone_lockout_duration/rule.yml

index 30a823e0fe..50057c14d1 100644

--- a/applications/openstack/keystone/keystone_lockout_duration/rule.yml

+++ b/applications/openstack/keystone/keystone_lockout_duration/rule.yml

@@ -38,4 +38,4 @@ ocil: |-

     
$ grep lockout_duration /etc/keystone/keystone.conf

     If properly configured, the output should be:

-    
lockout_duration=<sub idref="var_keystone_lockout_failure_duration" />

+    
lockout_duration={{{ xccdf_value("var_keystone_lockout_failure_duration") }}}

diff --git a/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml b/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml

index e77fb2d0c1..4927fb0abe 100644

--- a/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml

+++ b/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml

@@ -33,4 +33,4 @@ ocil: |-

     
$ grep lockout_failure_attempts /etc/keystone/keystone.conf

     If properly configured, the output should be:

-    
lockout_failure_attempts=<sub idref="var_keystone_lockout_failure_attempts" />

+    
lockout_failure_attempts={{{ xccdf_value("var_keystone_lockout_failure_attempts") }}}

diff --git a/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml b/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml

index 9f98073edc..8bd564e66a 100644

--- a/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml

+++ b/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml

@@ -31,4 +31,4 @@ ocil: |-

     
$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf

     If properly configured, the output should be:

-    
disable_user_account_days_inactive = <sub idref="var_keystone_disable_user_account_days_inactive" />

+    
disable_user_account_days_inactive = {{{ xccdf_value("var_keystone_disable_user_account_days_inactive") }}}

diff --git a/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml b/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml

index 98f33106c0..1c469e3e4f 100644

--- a/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml

+++ b/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml

@@ -37,4 +37,4 @@ ocil: |-

     
$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf

     If properly configured, the output should be:

-    
lockout_duration=<sub idref="var_keystone_lockout_failure_duration" />

+    
lockout_duration={{{ xccdf_value("var_keystone_lockout_failure_duration") }}}

diff --git a/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml b/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml

index d9de1aebf6..8d48304685 100644

--- a/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml

+++ b/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml

@@ -32,4 +32,4 @@ ocil: |-

     
$ grep lockout_failure_attempts /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf

     If properly configured, the output should be:

-    
lockout_failure_attempts=<sub idref="var_keystone_lockout_failure_attempts" />

+    
lockout_failure_attempts={{{ xccdf_value("var_keystone_lockout_failure_attempts") }}}

diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml

index aaf7e21583..3a9b317b75 100644

--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml

+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml

@@ -6,9 +6,9 @@ title: 'Configure The Number of Allowed Simultaneous Requests'

 description: |-

     The <tt>MaxKeepAliveRequests</tt> directive should be set and configured to

-    <sub idref="var_max_keepalive_requests" /> or greater by setting the following

+    {{{ xccdf_value("var_max_keepalive_requests") }}} or greater by setting the following

     in <tt>/etc/httpd/conf/httpd.conf</tt>:

-    
MaxKeepAliveRequests <sub idref="var_max_keepalive_requests" />

+    
MaxKeepAliveRequests {{{ xccdf_value("var_max_keepalive_requests") }}}

 rationale: |-

     Resource exhaustion can occur when an unlimited number of concurrent requests

diff --git a/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml

index 112039a2d8..e8bb96b214 100644

--- a/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml

+++ b/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml

@@ -5,9 +5,9 @@ prodtype: rhel7,rhel8

 title: 'Enable HTTPD LogLevel'

 description: |-

-    <tt>LogLevel</tt> should be enabled and set to <sub idref="var_httpd_loglevel" />.

+    <tt>LogLevel</tt> should be enabled and set to {{{ xccdf_value("var_httpd_loglevel") }}}.

     Add or edit the following in <tt>/etc/httpd/conf/httpd.conf</tt>:

-    
LogLevel <sub idref="var_httpd_loglevel" />

+    
LogLevel {{{ xccdf_value("var_httpd_loglevel") }}}

 rationale: |-

     The server error logs are invaluable because they can also be used to identify

diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml

index 0650606bad..b86f6e7c98 100644

--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml

+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml

@@ -4,7 +4,7 @@ title: 'Configure System to Forward All Mail For The Root Account'

 description: |-

     Set up an alias for root that forwards to a monitored email address:

-    
$ sudo echo "root: <sub idref="var_postfix_root_mail_alias" />" >> /etc/aliases

+    
$ sudo echo "root: {{{ xccdf_value("var_postfix_root_mail_alias") }}}" >> /etc/aliases

     $ sudo newaliases

 rationale: |-

diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml

index 0b4e2d2322..0faafeb0c2 100644

--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml

+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml

@@ -6,7 +6,7 @@ description: |-

     Set up a relay host that will act as a gateway for all outbound email.

     Edit the file <tt>/etc/postfix/main.cf</tt> to ensure that only the following

     <tt>relayhost</tt> line appears:

-    
relayhost = <sub idref="var_postfix_relayhost" />

+    
relayhost = {{{ xccdf_value("var_postfix_relayhost") }}}

 rationale: |-

     A central outbound email location ensures messages sent from any network host

@@ -20,4 +20,4 @@ ocil_clause: 'it is not'

 ocil: |-

     Run the following command to ensure postfix routes mail to this system:

     
$ grep relayhost /etc/postfix/main.cf

-    If properly configured, the output should show only <tt><sub idref="var_postfix_relayhost" /></tt>.

+    If properly configured, the output should show only <tt>{{{ xccdf_value("var_postfix_relayhost") }}}</tt>.

diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml

index 8deb83a2da..cba179b8d7 100644

--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml

+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml

@@ -7,7 +7,7 @@ title: 'Disable Postfix Network Listening'

 description: |-

     Edit the file <tt>/etc/postfix/main.cf</tt> to ensure that only the following

     <tt>inet_interfaces</tt> line appears:

-    
inet_interfaces = <sub idref="var_postfix_inet_interfaces" />

+    
inet_interfaces = {{{ xccdf_value("var_postfix_inet_interfaces") }}}

 rationale: |-

@@ -41,4 +41,4 @@ ocil_clause: 'it does not'

 ocil: |-

     Run the following command to ensure postfix accepts mail messages from only the local system:

     
$ grep inet_interfaces /etc/postfix/main.cf

-    If properly configured, the output should show only <tt><sub idref="var_postfix_inet_interfaces" /></tt>.

+    If properly configured, the output should show only <tt>{{{ xccdf_value("var_postfix_inet_interfaces") }}}</tt>.

diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml

index ba3772a5af..d5f8b9125e 100644

--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml

+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml

@@ -6,11 +6,11 @@ title: 'Configure Time Service Maxpoll Interval'

 description: |-

     The <tt>maxpoll</tt> should be configured to

-    <sub idref="var_time_service_set_maxpoll" /> in <tt>/etc/ntp.conf</tt> or

+    {{{ xccdf_value("var_time_service_set_maxpoll") }}} in <tt>/etc/ntp.conf</tt> or

     <tt>/etc/chrony.conf</tt> to continuously poll time servers. To configure

     <tt>maxpoll</tt> in <tt>/etc/ntp.conf</tt> or <tt>/etc/chrony.conf</tt>

     add the following:

-    
maxpoll <sub idref="var_time_service_set_maxpoll" />

+    
maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}

 rationale: |-

     Inaccurate time stamps make it more difficult to correlate

@@ -46,4 +46,4 @@ ocil: |-

     To verify that <tt>maxpoll</tt> has been set properly, perform the following:

     
$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf

     The output should return

-    
maxpoll <sub idref="var_time_service_set_maxpoll" />
.

+    
maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}
.

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml

index e63866bb8b..fe7e67c1c2 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml

@@ -9,7 +9,7 @@ description: |-

     it should be disabled. To disable compression or delay compression until after

     a user has successfully authenticated, add or correct the following line in the

     <tt>/etc/ssh/sshd_config</tt> file:

-    
Compression <sub idref="var_sshd_disable_compression"/>

+    
Compression {{{ xccdf_value("var_sshd_disable_compression") }}}

 rationale: |-

     If compression is allowed in an SSH connection prior to authentication,

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml

index ce191e48e7..d7941f9c0e 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml

@@ -7,7 +7,7 @@ description: |-

     the session key of the is renegotiated, both in terms of

     amount of data that may be transmitted and the time

     elapsed. To decrease the default limits, put line

-    <tt>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.

+    <tt>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.

 rationale: |-

     By decreasing the limit based on the amount of data and enabling

@@ -30,4 +30,4 @@ ocil: |-

     following command:

     
$ sudo grep RekeyLimit /etc/ssh/sshd_config

     If configured properly, output should be

-    
RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}

+    
RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml

index 250addfe2f..5149de069d 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml

@@ -8,7 +8,7 @@ description: |-

     To set an idle timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as

     follows:

-    
ClientAliveInterval <sub idref="sshd_idle_timeout_value" />

+    
ClientAliveInterval {{{ xccdf_value("sshd_idle_timeout_value") }}}

     The timeout interval is given in seconds. For example, have a timeout

     of 10 minutes, set interval to 600.

@@ -61,4 +61,4 @@ ocil: |-

     Run the following command to see what the timeout interval is:

     
$ sudo grep ClientAliveInterval /etc/ssh/sshd_config

     If properly configured, the output should be:

-    
ClientAliveInterval <sub idref="sshd_idle_timeout_value" />

+    
ClientAliveInterval {{{ xccdf_value("sshd_idle_timeout_value") }}}

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml

index 95628aac85..5354ff5b0c 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml

@@ -5,7 +5,7 @@ title: 'Set SSH Client Alive Max Count'

 description: |-

     To ensure the SSH idle timeout occurs precisely when the <tt>ClientAliveInterval</tt> is set,

     edit <tt>/etc/ssh/sshd_config</tt> as follows:

-    
ClientAliveCountMax <sub idref="var_sshd_set_keepalive"/>

+    
ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}

 rationale: |-

     This ensures a user login will be terminated as soon as the <tt>ClientAliveInterval</tt>

@@ -48,4 +48,4 @@ ocil: |-

     To ensure the SSH idle timeout will occur when the <tt>ClientAliveInterval</tt> is set, run the following command:

     
$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config

     If properly configured, output should be:

-    
ClientAliveCountMax <sub idref="var_sshd_set_keepalive"/>

+    
ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml

index 037bb1603d..d6e1f30b19 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml

@@ -6,7 +6,7 @@ description: |-

     The <tt>MaxAuthTries</tt> parameter specifies the maximum number of authentication attempts

     permitted per connection. Once the number of failures reaches half this value, additional failures are logged.

     to set MaxAUthTries edit <tt>/etc/ssh/sshd_config</tt> as follows:

-    
MaxAuthTries <sub idref="sshd_max_auth_tries_value"/>

+    
MaxAuthTries {{{ xccdf_value("sshd_max_auth_tries_value") }}}

 rationale: |-

     Setting the MaxAuthTries parameter to a low number will minimize the risk of successful

@@ -31,4 +31,4 @@ ocil: |-

     To ensure the <tt>MaxAuthTries</tt> parameter is set, run the following command:

     
$ sudo grep MaxAuthTries /etc/ssh/sshd_config

     If properly configured, output should be:

-    
MaxAuthTries <sub idref="sshd_max_auth_tries_value"/>

+    
MaxAuthTries {{{ xccdf_value("sshd_max_auth_tries_value") }}}

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml

index 3f74e662de..2782b71905 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml

@@ -5,7 +5,7 @@ title: 'Set SSH MaxSessions limit'

 description: |-

     The <tt>MaxSessions</tt> parameter specifies the maximum number of open sessions permitted

     from a given connection. To set MaxSessions edit

-    <tt>/etc/ssh/sshd_config</tt> as follows: 
MaxSessions <sub idref="var_sshd_max_sessions" />

+    <tt>/etc/ssh/sshd_config</tt> as follows: 
MaxSessions {{{ xccdf_value("var_sshd_max_sessions") }}}

 rationale: |-

     To protect a system from denial of service due to a large number of concurrent

@@ -27,4 +27,4 @@ ocil: |-

     Run the following command to see what the max sessions number is:

     
$ sudo grep MaxSessions /etc/ssh/sshd_config

     If properly configured, the output should be:

-    
MaxSessions <sub idref="var_sshd_max_sessions" />

+    
MaxSessions {{{ xccdf_value("var_sshd_max_sessions") }}}

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml

index 985bbd0b8b..c2204193dc 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml

@@ -31,7 +31,7 @@ description: |-

     {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}}

     {{% endif %}}

 {{% endif %}}

-    The rule is parametrized to use the following ciphers: {{{ sub_var_value("sshd_approved_ciphers") }}}.

+    The rule is parametrized to use the following ciphers: {{{ xccdf_value("sshd_approved_ciphers") }}}.

 rationale: |-

     Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml

index 4b563de550..b7adaca34b 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml

@@ -32,7 +32,7 @@ description: |-

     {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}}

     {{% endif %}}

 {{% endif %}}

-    The rule is parametrized to use the following MACs: {{{ sub_var_value("sshd_approved_macs") }}}.

+    The rule is parametrized to use the following MACs: {{{ xccdf_value("sshd_approved_macs") }}}.

 rationale: |-

     DoD Information Systems are required to use FIPS-approved cryptographic hash

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml

index 60813a75a2..14d1acfd22 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml

@@ -6,7 +6,7 @@ description: |-

     When enabled, SSH will create an unprivileged child process that

     has the privilege of the authenticated user. To enable privilege separation in

     SSH, add or correct the following line in the <tt>/etc/ssh/sshd_config</tt> file:

-    
UsePrivilegeSeparation <sub idref="var_sshd_priv_separation" />

+    
UsePrivilegeSeparation {{{ xccdf_value("var_sshd_priv_separation") }}}

 rationale: |-

     SSH daemon privilege separation causes the SSH process to drop root privileges

@@ -41,4 +41,4 @@ ocil: |-

     To check if UsePrivilegeSeparation is enabled or set correctly, run the

     following command:

     
$ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config

-    If configured properly, output should be <tt><sub idref="var_sshd_priv_separation" /></tt>.

+    If configured properly, output should be <tt>{{{ xccdf_value("var_sshd_priv_separation") }}}</tt>.

diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml

index 00cda4f144..35ec8c497c 100644

--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml

+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml

@@ -6,14 +6,14 @@ title: 'Configure SSSD''s Memory Cache to Expire'

 description: |-

     SSSD's memory cache should be configured to set to expire records after

-    <tt><sub idref="var_sssd_memcache_timeout" /></tt> seconds.

+    <tt>{{{ xccdf_value("var_sssd_memcache_timeout") }}}</tt> seconds.

     To configure SSSD to expire memory cache, set <tt>memcache_timeout</tt> to

-    <tt><sub idref="var_sssd_memcache_timeout" /></tt> under the

+    <tt>{{{ xccdf_value("var_sssd_memcache_timeout") }}}</tt> under the

     <tt>[nss]</tt> section in <tt>/etc/sssd/sssd.conf</tt>.

     For example:

     
[nss]

-    memcache_timeout = <sub idref="var_sssd_memcache_timeout" />

+    memcache_timeout = {{{ xccdf_value("var_sssd_memcache_timeout") }}}

 rationale: |-

@@ -46,4 +46,4 @@ ocil_clause: 'it does not exist or is not configured properly'

 ocil: |-

     To verify that SSSD's in-memory cache expires after a day, run the following command:

     
$ sudo grep memcache_timeout /etc/sssd/sssd.conf

-    If configured properly, output should be 
memcache_timeout = <sub idref="var_sssd_memcache_timeout" />
.

+    If configured properly, output should be 
memcache_timeout = {{{ xccdf_value("var_sssd_memcache_timeout") }}}
.

diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml

index ce83991f57..00f1f3b485 100644

--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml

+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml

@@ -6,12 +6,12 @@ title: 'Configure SSSD to Expire SSH Known Hosts'

 description: |-

     SSSD should be configured to expire keys from known SSH hosts after

-    <tt><sub idref="var_sssd_ssh_known_hosts_timeout" /></tt> seconds.

+    <tt>{{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}</tt> seconds.

     To configure SSSD to known SSH hosts, set <tt>ssh_known_hosts_timeout</tt>

-    to <tt><sub idref="var_sssd_ssh_known_hosts_timeout" /></tt> under the

+    to <tt>{{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}</tt> under the

     <tt>[ssh]</tt> section in <tt>/etc/sssd/sssd.conf</tt>. For example:

     
[ssh]

-    ssh_known_hosts_timeout = <sub idref="var_sssd_ssh_known_hosts_timeout" />

+    ssh_known_hosts_timeout = {{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}

 rationale: |-

@@ -44,4 +44,4 @@ ocil: |-

     To verify that SSSD expires known SSH host keys, run the following command:

     
$ sudo grep ssh_known_hosts_timeout /etc/sssd/sssd.conf

     If configured properly, output should be

-    
ssh_known_hosts_timeout = <sub idref="var_sssd_ssh_known_hosts_timeout" />

+    
ssh_known_hosts_timeout = {{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml

index 7c7b14860c..f6857da463 100644

--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml

@@ -9,14 +9,14 @@ description: |-

     accomplished by using the <tt>remember</tt> option for the <tt>pam_unix</tt>

     or <tt>pam_pwhistory</tt> PAM modules.

-    In the file <tt>/etc/pam.d/system-auth</tt>, append <tt>remember=<sub idref="var_password_pam_unix_remember" /></tt>

+    In the file <tt>/etc/pam.d/system-auth</tt>, append <tt>remember={{{ xccdf_value("var_password_pam_unix_remember") }}}</tt>

     to the line which refers to the <tt>pam_unix.so</tt> or <tt>pam_pwhistory.so</tt>module, as shown below:

     
for the <tt>pam_unix.so</tt> case:

-    
password sufficient pam_unix.so ...existing_options... remember=<sub idref="var_password_pam_unix_remember" />

+    
password sufficient pam_unix.so ...existing_options... remember={{{ xccdf_value("var_password_pam_unix_remember") }}}

     
for the <tt>pam_pwhistory.so</tt> case:

-    
password requisite pam_pwhistory.so ...existing_options... remember=<sub idref="var_password_pam_unix_remember" />

+    
password requisite pam_pwhistory.so ...existing_options... remember={{{ xccdf_value("var_password_pam_unix_remember") }}}

     The DoD STIG requirement is 5 passwords.

@@ -56,6 +56,6 @@ ocil: |-

     To verify the password reuse setting is compliant, run the following command:

     
$ grep remember /etc/pam.d/system-auth

     The output should show the following at the end of the line:

-    
remember=<sub idref="var_password_pam_unix_remember" />

+    
remember={{{ xccdf_value("var_password_pam_unix_remember") }}}

 platform: pam

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml

index 8eeb24a9c5..15eba70d6a 100644

--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml

@@ -11,9 +11,9 @@ description: |-

     
 add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:

-    
auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />

+    
auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}

     
 add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:

-    
auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />

+    
auth [default=die] pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}

     
 add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:

     
account required pam_faillock.so

@@ -56,6 +56,6 @@ ocil_clause: 'that is not the case'

 ocil: |-

     To ensure the failed password attempt policy is configured correctly, run the following command:

     
$ grep pam_faillock /etc/pam.d/system-auth

-    The output should show <tt>deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /></tt>.

+    The output should show <tt>deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}}</tt>.

 platform: pam

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml

index 6f49ea9850..1780a66251 100644

--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml

@@ -13,10 +13,10 @@ description: |-

     
Modify the following line in the <tt>AUTH</tt> section to add

     <tt>even_deny_root</tt>:

-    
auth required pam_faillock.so preauth silent even_deny_root deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />

+    
auth required pam_faillock.so preauth silent even_deny_root deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}

     
Modify the following line in the <tt>AUTH</tt> section to add

     <tt>even_deny_root</tt>:

-    
auth [default=die] pam_faillock.so authfail even_deny_root deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />

+    
auth [default=die] pam_faillock.so authfail even_deny_root deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml

index f891d8e600..708e98e7f3 100644

--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml

@@ -14,11 +14,11 @@ description: |-

     
Add the following line immediately <tt>before</tt> the

         <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:

-    
auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />

+    
auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}

     
Add the following line immediately <tt>after</tt> the

         <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:

-    
auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />

+    
auth [default=die] pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}

     
Add the following line immediately <tt>before</tt> the

@@ -63,7 +63,7 @@ ocil: |-

     To ensure the failed password attempt policy is configured correctly,

     run the following command:

     
$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth

-    For each file, the output should show <tt>fail_interval=<interval-in-seconds></tt> where <tt>interval-in-seconds</tt> is <tt><sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></tt> or greater.

+    For each file, the output should show <tt>fail_interval=<interval-in-seconds></tt> where <tt>interval-in-seconds</tt> is <tt>{{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}</tt> or greater.

     If the <tt>fail_interval</tt> parameter is not set, the default setting

     of 900 seconds is acceptable.

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml

index c3c7fa1ccc..b992cf93bd 100644

--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml

@@ -11,9 +11,9 @@ description: |-

     
 add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:

-    
auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />

+    
auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}

     
 add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:

-    
auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />

+    
auth [default=die] pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}

     
 add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:

     
account required pam_faillock.so

diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml

index fde8c8a188..168960bd4e 100644

--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml

@@ -7,7 +7,7 @@ title: 'Set Password Strength Minimum Different Characters'

 description: |-

     The pam_cracklib module's <tt>difok</tt> parameter controls requirements for

     usage of different characters during a password change.

-    Add <tt>difok=<sub idref="var_password_pam_difok" /></tt> after pam_cracklib.so to require differing

+    Add <tt>difok={{{ xccdf_value("var_password_pam_difok") }}}</tt> after pam_cracklib.so to require differing

     characters when changing passwords. The DoD requirement is <tt>4</tt>.

 rationale: |-

diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml

index 8171db26bd..8865b29f36 100644

--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml

@@ -7,9 +7,9 @@ title: 'Set Password to Maximum of Three Consecutive Repeating Characters'

 description: |-

     The pam_cracklib module's <tt>maxrepeat</tt> parameter controls requirements for

     consecutive repeating characters. When set to a positive number, it will reject passwords

-    which contain more than that number of consecutive characters. Add <tt>maxrepeat=<sub idref="var_password_pam_maxrepeat" /></tt>

-    after pam_cracklib.so to prevent a run of (<sub idref="var_password_pam_maxrepeat" /> + 1) or more identical characters:

-    
password required pam_cracklib.so maxrepeat=<sub idref="var_password_pam_maxrepeat" />

+    which contain more than that number of consecutive characters. Add <tt>maxrepeat={{{ xccdf_value("var_password_pam_maxrepeat") }}}</tt>

+    after pam_cracklib.so to prevent a run of ({{{ xccdf_value("var_password_pam_maxrepeat") }}} + 1) or more identical characters:

+    
password required pam_cracklib.so maxrepeat={{{ xccdf_value("var_password_pam_maxrepeat") }}}

 rationale: 'Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.'

diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml

index 9723f28793..3c87a58cc6 100644

--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml

@@ -17,8 +17,8 @@ description: |-

     * Digits

     * Special characters (for example, punctuation)

-    Add <tt>minclass=<sub idref="var_password_pam_minclass" /></tt> after pam_cracklib.so entry into the

-    <tt>/etc/pam.d/system-auth</tt> file in order to require <sub idref="var_password_pam_minclass" />  differing categories of

+    Add <tt>minclass={{{ xccdf_value("var_password_pam_minclass") }}}</tt> after pam_cracklib.so entry into the

+    <tt>/etc/pam.d/system-auth</tt> file in order to require {{{ xccdf_value("var_password_pam_minclass") }}}  differing categories of

     characters when changing passwords.

     For example to require at least three character classes to be used in password, use <tt>minclass=3</tt>.

diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml

index cb902bccd7..1088af68ee 100644

--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml

@@ -6,7 +6,7 @@ title: 'Set Password Minimum Length'

 description: |-

     The pam_cracklib module's <tt>minlen</tt> parameter controls requirements for

-    minimum characters required in a password. Add <tt>minlen=<sub idref="var_password_pam_minlen" /></tt>

+    minimum characters required in a password. Add <tt>minlen={{{ xccdf_value("var_password_pam_minlen") }}}</tt>

     after pam_pwquality to set minimum password length requirements.

 rationale: |-

@@ -38,4 +38,4 @@ ocil_clause: 'minlen is not found or not set to the required value (or higher)'

 ocil: |-

     To check how many characters are required in a password, run the following command:

     
$ grep cracklib /etc/pam.d/system-auth

-    Your output should contain <tt>minlen=<sub idref="var_password_pam_minlen" /></tt>

+    Your output should contain <tt>minlen={{{ xccdf_value("var_password_pam_minlen") }}}</tt>

diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml

index 9c6d8a5b31..f8cb083106 100644

--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml

@@ -9,7 +9,7 @@ description: |-

     usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to

     contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional

     length credit for each special character.

-    Add <tt>ocredit=<sub idref="var_password_pam_ocredit" /></tt> after pam_cracklib.so to require use of a special character in passwords.

+    Add <tt>ocredit={{{ xccdf_value("var_password_pam_ocredit") }}}</tt> after pam_cracklib.so to require use of a special character in passwords.

 rationale: |-

     Requiring a minimum number of special characters makes password guessing attacks

diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml

index e0555d7224..cc1a9f72c7 100644

--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml

@@ -9,7 +9,7 @@ description: |-

     Edit the <tt>pam_cracklib.so</tt> statement in

     <tt>/etc/pam.d/system-auth</tt> to show

-    <tt>retry=<sub idref="var_password_pam_retry" /></tt>, or a lower value

+    <tt>retry={{{ xccdf_value("var_password_pam_retry") }}}</tt>, or a lower value

     if site policy is more restrictive.

     The DoD requirement is a maximum of 3 prompts per session.

diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml

index 965b10a57a..fb64b61520 100644

--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml