From d2666b534c38bfc3bbd7308c4db4ef887cae6e0b Mon Sep 17 00:00:00 2001
From: Gabe <redhatrises@gmail.com>
Date: Wed, 11 Nov 2020 15:14:51 -0700
Subject: [PATCH] Add new pwquality.conf and faillock.conf rules
|
- Add rule for enforcing password complexity for root
- Add rules for enforcing pwquality and faillock for local users only
- Enable SSH client for STIG
- Part of #4978
- Fixes #2706
- Fixes #2174
---
.../ansible/shared.yml | 12 ++++++
.../bash/shared.sh | 9 ++++
.../oval/shared.xml | 21 ++++++++++
.../rule.yml | 42 +++++++++++++++++++
.../ansible/shared.yml | 12 ++++++
.../bash/shared.sh | 9 ++++
.../oval/shared.xml | 21 ++++++++++
.../rule.yml | 42 +++++++++++++++++++
.../ansible/shared.yml | 12 ++++++
.../bash/shared.sh | 9 ++++
.../oval/shared.xml | 21 ++++++++++
.../rule.yml | 39 +++++++++++++++++
rhel8/profiles/stig.profile | 4 +-
.../oval/accounts_password_pam_faillock.xml | 26 ++++++++++++
.../data/profile_stability/rhel8/stig.profile | 4 ++
16 files changed, 282 insertions(+), 4 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
create mode 100644 shared/checks/oval/accounts_password_pam_faillock.xml
|
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
new file mode 100644
index 0000000000..6ead01fab5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure failed password attempts lockout only for local users
+ lineinfile:
+ create: yes
+ dest: "/etc/security/faillock.conf"
+ regexp: '^#?\s*local_users_only'
+ line: "local_users_only"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
new file mode 100644
index 0000000000..8c43a8bb82
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+if ! grep -q "^local_users_only" /etc/security/faillock.conf; then
+ sed "s/# local_users_only/local_users_only/g" -i /etc/security/faillock.conf
+fi
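Review bot: The sed on the line above only rewrites the literal text `# local_users_only`, so when faillock.conf carries the option as `#local_users_only`, with leading whitespace, or not at all (a trimmed or site-managed file), the remediation exits without enabling anything, whereas the Ansible variant in this commit appends the line through `lineinfile` with `create: yes`. Adding a fallback after the sed makes the two remediations equivalent: `grep -q "^local_users_only" /etc/security/faillock.conf || echo "local_users_only" >> /etc/security/faillock.conf`. The `g` flag is also not needed for a one-per-line option and would rewrite the text wherever it appears inside an explanatory comment; anchoring the substitution, `sed -i "s/^#\s*local_users_only\s*$/local_users_only/"`, avoids that. The same pattern is repeated in the bash remediations for the pwquality `local_users_only` and `enforce_for_root` rules in this patch.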
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml
new file mode 100644
index 0000000000..8e8ce134b0
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml
@@ -0,0 +1,21 @@
+<def-group>
+ <definition class="compliance" id="accounts_passwords_pam_faillock_enforce_local" version="1">
+ {{{ oval_metadata("Failed password attempts are enforced for local users only.") }}}
+ <criteria operator="AND" comment="conditions for accounts_passwords_pam_faillock_enforce_local are satisfied">
+ <extend_definition comment="faillock.so exists in system-auth" definition_ref="accounts_password_pam_faillock" />
+ <criterion comment="faillock.conf" test_ref="test_accounts_passwords_pam_faillock_enforce_local" />
+ </criteria>
+ </definition>
+
+
+ comment="check the configuration of /etc/security/faillock.conf"
+ id="test_accounts_passwords_pam_faillock_enforce_local" version="1">
+ <ind:object object_ref="obj_accounts_passwords_pam_faillock_enforce_local" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_accounts_passwords_pam_faillock_enforce_local" version="1">
+ <ind:filepath>/etc/security/faillock.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*local_users_only[\s]*$</ind:pattern>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml
new file mode 100644
index 0000000000..a189ac68ec
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml
@@ -0,0 +1,42 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Enforce pam_faillock for Local Accounts Only'
+
+description: |-
+ The pam_faillock module's <tt>local_users_only</tt> parameter controls requirements for
+ enforcing failed lockout attempts only for local user accounts and ignoring
+ centralized user account management failed attempt configurations. Enable the <tt>local_users_only</tt>
+ setting in <tt>/etc/security/faillock.conf</tt> to require failed password attempts
+ for only local user accounts.
+
+rationale: |-
+ The operating system must provide automated mechanisms for supporting account management
+ functions. Enterprise environments make application account management challenging and
+ complex. A manual process for account management functions adds the risk of a potential
+ oversight or other error.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-83401-0
+
+references:
+ disa: CCI-000015
+ nist: AC-2(1)
+ srg: SRG-OS-000001-GPOS-00001
+
+ocil_clause: 'local_users_only is not uncommented or configured correctly'
+
+ocil: |-
+ To check if root user is required to use complex passwords, run the following command:
+ $ grep local_users_only /etc/security/faillock.conf
+ The output should return <tt>local_users_only</tt> uncommented.
+
+platform: pam
+
+warnings:
+ - management: |-
+ Using this rule bypasses pam_faillock's functionality and should be used in cases
+ where centralized management such as LDAP or Active Directory is in use.
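Review bot: The `ocil` text `To check if root user is required to use complex passwords` describes the pwquality `enforce_for_root` rule, not this faillock rule; it looks copied from that rule and would confuse an assessor following the manual check. Suggest `To verify that failed login lockout is enforced only for local users, run the following command:` to match the title and the `grep local_users_only /etc/security/faillock.conf` step that follows. The rationale is also the generic account-management text rather than anything specific to why lockout should be scoped to local accounts; I would say that centrally managed accounts are expected to have lockout enforced by the directory service, which is what the `management` warning already implies.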
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml
new file mode 100644
index 0000000000..cebb406ad7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure password complexity only for local users
+ lineinfile:
+ create: yes
+ dest: "/etc/security/pwquality.conf"
+ regexp: '^#?\s*local_users_only'
+ line: "local_users_only"
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh
new file mode 100644
index 0000000000..4049539796
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+if ! grep -q "^local_users_only" /etc/security/pwquality.conf; then
+ sed "s/# local_users_only/local_users_only/g" -i /etc/security/pwquality.conf
+fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml
new file mode 100644
index 0000000000..794344e635
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml
@@ -0,0 +1,21 @@
+<def-group>
+ <definition class="compliance" id="accounts_password_pam_pwquality_enforce_local" version="1">
+ {{{ oval_metadata("The password complexity requirements are enforced for local users only.") }}}
+ <criteria operator="AND" comment="conditions for enforce_local are satisfied">
+ <extend_definition comment="pwquality.so exists in system-auth" definition_ref="accounts_password_pam_pwquality" />
+ <criterion comment="pwquality.conf" test_ref="test_accounts_password_pam_pwquality_enforce_local" />
+ </criteria>
+ </definition>
+
+
+ comment="check the configuration of /etc/security/pwquality.conf"
+ id="test_accounts_password_pam_pwquality_enforce_local" version="1">
+ <ind:object object_ref="obj_accounts_password_pam_pwquality_enforce_local" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_accounts_password_pam_pwquality_enforce_local" version="1">
+ <ind:filepath>/etc/security/pwquality.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*local_users_only[\s]*$</ind:pattern>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
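Review bot: The definition id `accounts_password_pam_pwquality_enforce_local` does not match the rule directory name `accounts_password_pam_enforce_local` used in this file's `+++` path, in the rule's `rule.yml` path, and in the `rhel8/profiles/stig.profile` selection, while the faillock OVAL in the same patch uses its directory name exactly (`accounts_passwords_pam_faillock_enforce_local`). As far as I can tell the build associates an OVAL definition with a rule by this id, so the rule would most likely be shipped without an automated check. Change the definition line to `<definition class="compliance" id="accounts_password_pam_enforce_local" version="1">`; the test and object ids can stay as they are. The enforce_root OVAL has the same mismatch (`accounts_password_pam_pwquality_enforce_root` versus the directory `accounts_password_pam_enforce_root`).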
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
new file mode 100644
index 0000000000..37f89b75b5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
@@ -0,0 +1,42 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only'
+
+description: |-
+ The pam_pwquality module's <tt>local_users_only</tt> parameter controls requirements for
+ enforcing password complexity by pam_pwquality only for local user accounts and ignoring
+ centralized user account management password complexity configurations. Enable the <tt>local_users_only</tt>
+ setting in <tt>/etc/security/pwquality.conf</tt> to require password complexity enforcement
+ for only local user accounts.
+
+rationale: |-
+ The operating system must provide automated mechanisms for supporting account management
+ functions. Enterprise environments make application account management challenging and
+ complex. A manual process for account management functions adds the risk of a potential
+ oversight or other error.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-83364-0
+
+references:
+ disa: CCI-000015
+ nist: AC-2(1)
+ srg: SRG-OS-000001-GPOS-00001
+
+ocil_clause: 'local_users_only is not uncommented or configured correctly'
+
+ocil: |-
+ To verify if password complexities are only enforce on local users, run the following command:
+ $ grep local_users_only /etc/security/pwquality.conf
+ The output should return <tt>local_users_only</tt> uncommented.
+
+platform: pam
+
+warnings:
+ - management: |-
+ Using this rule bypasses pam_faillock's functionality and should be used in cases
+ where centralized management such as LDAP or Active Directory is in use.
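Review bot: The `management` warning says this rule bypasses `pam_faillock`, but the rule configures the `pam_pwquality` option `local_users_only` in `/etc/security/pwquality.conf`; the text appears copied from the faillock rule. Suggest `Using this rule bypasses pam_pwquality's functionality and should be used in cases`. In the `ocil` block, `To verify if password complexities are only enforce on local users` should read `To verify that password complexity is only enforced for local users`.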
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml
new file mode 100644
index 0000000000..516c5c1ae6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure password complexity for root user
+ lineinfile:
+ create: yes
+ dest: "/etc/security/pwquality.conf"
+ regexp: '^#?\s*enforce_for_root'
+ line: "enforce_for_root"
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh
new file mode 100644
index 0000000000..97f45c6259
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+if ! grep -q "^enforce_for_root" /etc/security/pwquality.conf; then
+ sed "s/# enforce_for_root/enforce_for_root/g" -i /etc/security/pwquality.conf
+fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml
new file mode 100644
index 0000000000..fccf5fd00e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml
@@ -0,0 +1,21 @@
+<def-group>
+ <definition class="compliance" id="accounts_password_pam_pwquality_enforce_root" version="1">
+ {{{ oval_metadata("The password complexity requirements are enforced for root.") }}}
+ <criteria operator="AND" comment="conditions for enforce_root are satisfied">
+ <extend_definition comment="pwquality.so exists in system-auth" definition_ref="accounts_password_pam_pwquality" />
+ <criterion comment="pwquality.conf" test_ref="test_accounts_password_pam_pwquality_enforce_root" />
+ </criteria>
+ </definition>
+
+
+ comment="check the configuration of /etc/security/pwquality.conf"
+ id="test_accounts_password_pam_pwquality_enforce_root" version="1">
+ <ind:object object_ref="obj_accounts_password_pam_pwquality_enforce_root" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_accounts_password_pam_pwquality_enforce_root" version="1">
+ <ind:filepath>/etc/security/pwquality.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*enforce_for_root[\s]*$</ind:pattern>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
new file mode 100644
index 0000000000..6aa1876e03
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Ensure PAM Enforces Password Requirements - Enforce for root User'
+
+description: |-
+ The pam_pwquality module's <tt>enforce_for_root</tt> parameter controls requirements for
+ enforcing password complexity for the root user. Enable the <tt>enforce_for_root</tt>
+ setting in <tt>/etc/security/pwquality.conf</tt> to require the <tt>root</tt> user
+ to use complex passwords.
+
+rationale: |-
+ Use of a complex password helps to increase the time and resources required to compromise
+ the password. Password complexity, or strength, is a measure of the effectiveness of a
+ password in resisting attempts at guessing and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it takes to crack a
+ password. The more complex the password, the greater the number of possible combinations
+ that need to be tested before the password is compromised.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-83377-2
+
+references:
+ disa: CCI-000194,CCI-000193,CCI-001619,CCI-000205,CCI-000195,CCI-000192,CCI-000366
+ nist: IA-5(c),IA-5(1)(a),CM-6(a),IA-5(4)
+ srg: SRG-OS-000072-GPOS-00040,SRG-OS-000071-GPOS-00039,SRG-OS-000070-GPOS-00038,SRG-OS-000266-GPOS-00101,SRG-OS-000078-GPOS-00046,SRG-OS-000480-GPOS-00225,SRG-OS-000069-GPOS-00037
+
+ocil_clause: 'enforce_for_root is not uncommented or configured correctly'
+
+ocil: |-
+ To verify if root user is required to use complex passwords, run the following command:
+ $ grep enforce_for_root /etc/security/pwquality.conf
+ The output should return <tt>enforce_for_root</tt> uncommented.
+
+platform: pam
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 15fe5c5bf9..b23cc05029 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -45,13 +45,15 @@ selections:
- package_audispd-plugins_installed
- package_libcap-ng-utils_installed
- auditd_audispd_syslog_plugin_activated
+ - accounts_passwords_pam_faillock_enforce_local
+ - accounts_password_pam_enforce_local
+ - accounts_password_pam_enforce_root
|
# Configure TLS for remote logging
- package_rsyslog_installed
- package_rsyslog-gnutls_installed
- rsyslog_remote_tls
- rsyslog_remote_tls_cacert
- - "!ssh_client_rekey_limit"
|
# Unselect zIPL rules from OSPP
- "!zipl_bls_entries_only"
diff --git a/shared/checks/oval/accounts_password_pam_faillock.xml b/shared/checks/oval/accounts_password_pam_faillock.xml
new file mode 100644
index 0000000000..c55c143ba5
--- /dev/null
+++ b/shared/checks/oval/accounts_password_pam_faillock.xml
@@ -0,0 +1,26 @@
+<def-group>
+ <definition class="compliance" id="accounts_password_pam_faillock" version="1">
+ <metadata>
+ <title>Check pam_faillock Existence in system-auth</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Check that pam_faillock.so exists in system-auth</description>
+ </metadata>
+ <criteria>
+
+ test_ref="test_accounts_password_pam_faillock" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="test_accounts_password_pam_faillock" version="1">
+ <ind:object object_ref="obj_accounts_password_pam_faillock" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_accounts_password_pam_faillock" version="1">
+ <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+ <ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_faillock\.so.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
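Review bot: The pattern `^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_faillock\.so.*$` looks for pam_faillock.so in the `password` management group, but pam_faillock is invoked from the `auth` (preauth/authfail) and `account` phases, so on a correctly configured system this test would not match and `accounts_passwords_pam_faillock_enforce_local`, which extends this definition, would fail regardless of faillock.conf. The regex appears to have been copied from a pwquality check, where `password` is the right group. I would use `^\s*auth\s+(?:required|requisite|\[[^\]]*\])\s+pam_faillock\.so.*$`, but please confirm against the control-flag form the project's existing pam_faillock remediations write to system-auth before settling on it. The title and description of the definition are fine as they stand.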
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 569eed6636..5add9d462f 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -272,4 +272,8 @@ selections:
- grub2_vsyscall_argument.severity=info
- sysctl_user_max_user_namespaces.role=unscored
- sysctl_user_max_user_namespaces.severity=info
+- ssh_client_rekey_limit
+- accounts_passwords_pam_faillock_enforce_local
+- accounts_password_pam_enforce_local
+- accounts_password_pam_enforce_root
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'