|
|
76240a |
From 2af7d6d8f86f80dbac088d115a50162cfc28c542 Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Matthew Burket <mburket@redhat.com>
|
|
|
76240a |
Date: Tue, 27 Jul 2021 07:49:50 -0500
|
|
|
76240a |
Subject: [PATCH] Add rule for RHEL-08-020300
|
|
|
76240a |
|
|
|
76240a |
---
|
|
|
76240a |
.../accounts_password_pam_dictcheck/rule.yml | 45 +++++++++++++++++++
|
|
|
76240a |
.../tests/disabled.fail.sh | 3 ++
|
|
|
76240a |
.../tests/enable.pass.sh | 3 ++
|
|
|
76240a |
.../tests/not_defined.fail.sh | 3 ++
|
|
|
76240a |
.../var_password_pam_dictcheck.var | 16 +++++++
|
|
|
76240a |
products/rhel8/profiles/stig.profile | 2 +
|
|
|
76240a |
shared/references/cce-redhat-avail.txt | 1 -
|
|
|
76240a |
.../data/profile_stability/rhel8/stig.profile | 2 +
|
|
|
76240a |
.../profile_stability/rhel8/stig_gui.profile | 2 +
|
|
|
76240a |
9 files changed, 76 insertions(+), 1 deletion(-)
|
|
|
76240a |
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
|
|
|
76240a |
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/disabled.fail.sh
|
|
|
76240a |
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/enable.pass.sh
|
|
|
76240a |
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/not_defined.fail.sh
|
|
|
76240a |
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var
|
|
|
76240a |
|
|
|
76240a |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 0000000000..2990150c0a
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
|
|
|
76240a |
@@ -0,0 +1,45 @@
|
|
|
76240a |
+documentation_complete: true
|
|
|
76240a |
+
|
|
|
76240a |
+prodtype: fedora,rhel8
|
|
|
76240a |
+
|
|
|
76240a |
+title: 'Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words'
|
|
|
76240a |
+
|
|
|
76240a |
+description: |-
|
|
|
76240a |
+ The pam_pwquality module's <tt>dictcheck</tt> check if passwords contains dictionary words. When
|
|
|
76240a |
+ <tt>dictcheck</tt> is set to <tt>1</tt> passwords will be checked for dictionary words.
|
|
|
76240a |
+
|
|
|
76240a |
+rationale: |-
|
|
|
76240a |
+ Use of a complex password helps to increase the time and resources required to compromise the password.
|
|
|
76240a |
+ Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
|
|
|
76240a |
+ guessing and brute-force attacks.
|
|
|
76240a |
+
|
|
|
76240a |
+ Password complexity is one factor of several that determines how long it takes to crack a password. The more
|
|
|
76240a |
+ complex the password, the greater the number of possible combinations that need to be tested before the
|
|
|
76240a |
+ password is compromised.
|
|
|
76240a |
+
|
|
|
76240a |
+ Passwords with dictionary words may be more vulnerable to password-guessing attacks.
|
|
|
76240a |
+
|
|
|
76240a |
+severity: medium
|
|
|
76240a |
+
|
|
|
76240a |
+identifiers:
|
|
|
76240a |
+ cce@rhel8: CCE-86233-4
|
|
|
76240a |
+
|
|
|
76240a |
+references:
|
|
|
76240a |
+ disa: CCI-000366
|
|
|
76240a |
+ nist: IA-5(c),IA-5(1)(a),CM-6(a),IA-5(4)
|
|
|
76240a |
+ stigid@rhel8: RHEL-08-020300
|
|
|
76240a |
+
|
|
|
76240a |
+ocil_clause: 'dictcheck is not found or not equal to the required value'
|
|
|
76240a |
+
|
|
|
76240a |
+ocil: |-
|
|
|
76240a |
+ To check if dictionary words are disallowed run the following command:
|
|
|
76240a |
+ $ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf
|
|
|
76240a |
+ The <tt>dictcheck</tt> parameter should be equal to 1. The value should look like
|
|
|
76240a |
+ dictcheck=1
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+template:
|
|
|
76240a |
+ name: accounts_password
|
|
|
76240a |
+ vars:
|
|
|
76240a |
+ variable: dictcheck
|
|
|
76240a |
+ operation: equals
|
|
|
76240a |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/disabled.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/disabled.fail.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 0000000000..cb84c6d968
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/disabled.fail.sh
|
|
|
76240a |
@@ -0,0 +1,3 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+
|
|
|
76240a |
+echo "dictcheck=0" > /etc/security/pwquality.conf
|
|
|
76240a |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/enable.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/enable.pass.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 0000000000..ceb9f7ec44
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/enable.pass.sh
|
|
|
76240a |
@@ -0,0 +1,3 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+
|
|
|
76240a |
+echo "dictcheck=1" > /etc/security/pwquality.conf
|
|
|
76240a |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/not_defined.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/not_defined.fail.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 0000000000..57e54b6623
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/not_defined.fail.sh
|
|
|
76240a |
@@ -0,0 +1,3 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+
|
|
|
76240a |
+sed -i s/dictcheck.+//g /etc/security/pwquality.conf
|
|
|
76240a |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 0000000000..26452c3a8e
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var
|
|
|
76240a |
@@ -0,0 +1,16 @@
|
|
|
76240a |
+documentation_complete: true
|
|
|
76240a |
+
|
|
|
76240a |
+title: dictcheck
|
|
|
76240a |
+
|
|
|
76240a |
+description: |-
|
|
|
76240a |
+ Prevent the use of dictionary words for passwords.
|
|
|
76240a |
+
|
|
|
76240a |
+type: number
|
|
|
76240a |
+
|
|
|
76240a |
+operator: equals
|
|
|
76240a |
+
|
|
|
76240a |
+interactive: false
|
|
|
76240a |
+
|
|
|
76240a |
+options:
|
|
|
76240a |
+ 1: 1
|
|
|
76240a |
+ default: 1
|
|
|
76240a |
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
|
|
76240a |
index bf410c2087..f17a7b88b1 100644
|
|
|
76240a |
--- a/products/rhel8/profiles/stig.profile
|
|
|
76240a |
+++ b/products/rhel8/profiles/stig.profile
|
|
|
76240a |
@@ -45,6 +45,7 @@ selections:
|
|
|
76240a |
- var_password_pam_minlen=15
|
|
|
76240a |
- var_password_pam_ocredit=1
|
|
|
76240a |
- var_password_pam_dcredit=1
|
|
|
76240a |
+ - var_password_pam_dictcheck=1
|
|
|
76240a |
- var_password_pam_ucredit=1
|
|
|
76240a |
- var_password_pam_lcredit=1
|
|
|
76240a |
- var_password_pam_retry=3
|
|
|
76240a |
@@ -567,6 +568,7 @@ selections:
|
|
|
76240a |
- sssd_offline_cred_expiration
|
|
|
76240a |
|
|
|
76240a |
# RHEL-08-020300
|
|
|
76240a |
+ - accounts_password_pam_dictcheck
|
|
|
76240a |
|
|
|
76240a |
# RHEL-08-020310
|
|
|
76240a |
- accounts_logon_fail_delay
|
|
|
76240a |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
76240a |
index 0b794d5c2a..dae4495b2d 100644
|
|
|
76240a |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
76240a |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
76240a |
@@ -362,7 +362,6 @@ CCE-86229-2
|
|
|
76240a |
CCE-86230-0
|
|
|
76240a |
CCE-86231-8
|
|
|
76240a |
CCE-86232-6
|
|
|
76240a |
-CCE-86233-4
|
|
|
76240a |
CCE-86234-2
|
|
|
76240a |
CCE-86235-9
|
|
|
76240a |
CCE-86236-7
|
|
|
76240a |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
76240a |
index ddfa13e731..236e595604 100644
|
|
|
76240a |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
76240a |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
76240a |
@@ -35,6 +35,7 @@ selections:
|
|
|
76240a |
- accounts_password_all_shadowed_sha512
|
|
|
76240a |
- accounts_password_minlen_login_defs
|
|
|
76240a |
- accounts_password_pam_dcredit
|
|
|
76240a |
+- accounts_password_pam_dictcheck
|
|
|
76240a |
- accounts_password_pam_difok
|
|
|
76240a |
- accounts_password_pam_lcredit
|
|
|
76240a |
- accounts_password_pam_maxclassrepeat
|
|
|
76240a |
@@ -332,6 +333,7 @@ selections:
|
|
|
76240a |
- var_password_pam_minlen=15
|
|
|
76240a |
- var_password_pam_ocredit=1
|
|
|
76240a |
- var_password_pam_dcredit=1
|
|
|
76240a |
+- var_password_pam_dictcheck=1
|
|
|
76240a |
- var_password_pam_ucredit=1
|
|
|
76240a |
- var_password_pam_lcredit=1
|
|
|
76240a |
- var_password_pam_retry=3
|
|
|
76240a |
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
76240a |
index 017ab8c0e3..9973b5adef 100644
|
|
|
76240a |
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
76240a |
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
76240a |
@@ -46,6 +46,7 @@ selections:
|
|
|
76240a |
- accounts_password_all_shadowed_sha512
|
|
|
76240a |
- accounts_password_minlen_login_defs
|
|
|
76240a |
- accounts_password_pam_dcredit
|
|
|
76240a |
+- accounts_password_pam_dictcheck
|
|
|
76240a |
- accounts_password_pam_difok
|
|
|
76240a |
- accounts_password_pam_lcredit
|
|
|
76240a |
- accounts_password_pam_maxclassrepeat
|
|
|
76240a |
@@ -342,6 +343,7 @@ selections:
|
|
|
76240a |
- var_password_pam_minlen=15
|
|
|
76240a |
- var_password_pam_ocredit=1
|
|
|
76240a |
- var_password_pam_dcredit=1
|
|
|
76240a |
+- var_password_pam_dictcheck=1
|
|
|
76240a |
- var_password_pam_ucredit=1
|
|
|
76240a |
- var_password_pam_lcredit=1
|
|
|
76240a |
- var_password_pam_retry=3
|