Blame SOURCES/scap-security-guide-0.1.58-RHEL_08_020300-PR_7289.patch

76240a
From 2af7d6d8f86f80dbac088d115a50162cfc28c542 Mon Sep 17 00:00:00 2001
76240a
From: Matthew Burket <mburket@redhat.com>
76240a
Date: Tue, 27 Jul 2021 07:49:50 -0500
76240a
Subject: [PATCH] Add rule for RHEL-08-020300
76240a
76240a
---
76240a
 .../accounts_password_pam_dictcheck/rule.yml  | 45 +++++++++++++++++++
76240a
 .../tests/disabled.fail.sh                    |  3 ++
76240a
 .../tests/enable.pass.sh                      |  3 ++
76240a
 .../tests/not_defined.fail.sh                 |  3 ++
76240a
 .../var_password_pam_dictcheck.var            | 16 +++++++
76240a
 products/rhel8/profiles/stig.profile          |  2 +
76240a
 shared/references/cce-redhat-avail.txt        |  1 -
76240a
 .../data/profile_stability/rhel8/stig.profile |  2 +
76240a
 .../profile_stability/rhel8/stig_gui.profile  |  2 +
76240a
 9 files changed, 76 insertions(+), 1 deletion(-)
76240a
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
76240a
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/disabled.fail.sh
76240a
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/enable.pass.sh
76240a
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/not_defined.fail.sh
76240a
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var
76240a
76240a
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
76240a
new file mode 100644
76240a
index 0000000000..2990150c0a
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
76240a
@@ -0,0 +1,45 @@
76240a
+documentation_complete: true
76240a
+
76240a
+prodtype: fedora,rhel8
76240a
+
76240a
+title: 'Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words'
76240a
+
76240a
+description: |-
76240a
+    The pam_pwquality module's <tt>dictcheck</tt> check if passwords contains dictionary words. When
76240a
+    <tt>dictcheck</tt> is set to <tt>1</tt> passwords will be checked for dictionary words.
76240a
+
76240a
+rationale: |-
76240a
+    Use of a complex password helps to increase the time and resources required to compromise the password.
76240a
+    Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
76240a
+    guessing and brute-force attacks.
76240a
+    

76240a
+    Password complexity is one factor of several that determines how long it takes to crack a password. The more
76240a
+    complex the password, the greater the number of possible combinations that need to be tested before the
76240a
+    password is compromised.
76240a
+    

76240a
+    Passwords with dictionary words may be more vulnerable to password-guessing attacks.
76240a
+
76240a
+severity: medium
76240a
+
76240a
+identifiers:
76240a
+    cce@rhel8: CCE-86233-4
76240a
+
76240a
+references:
76240a
+    disa: CCI-000366
76240a
+    nist: IA-5(c),IA-5(1)(a),CM-6(a),IA-5(4)
76240a
+    stigid@rhel8: RHEL-08-020300
76240a
+
76240a
+ocil_clause: 'dictcheck is not found or not equal to the required value'
76240a
+
76240a
+ocil: |-
76240a
+    To check if dictionary words are disallowed run the following command:
76240a
+    
$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf
76240a
+    The <tt>dictcheck</tt> parameter should be equal to 1. The value should look like
76240a
+    
dictcheck=1
76240a
+
76240a
+
76240a
+template:
76240a
+    name: accounts_password
76240a
+    vars:
76240a
+        variable: dictcheck
76240a
+        operation: equals
76240a
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/disabled.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/disabled.fail.sh
76240a
new file mode 100644
76240a
index 0000000000..cb84c6d968
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/disabled.fail.sh
76240a
@@ -0,0 +1,3 @@
76240a
+#!/bin/bash
76240a
+
76240a
+echo "dictcheck=0" > /etc/security/pwquality.conf
76240a
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/enable.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/enable.pass.sh
76240a
new file mode 100644
76240a
index 0000000000..ceb9f7ec44
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/enable.pass.sh
76240a
@@ -0,0 +1,3 @@
76240a
+#!/bin/bash
76240a
+
76240a
+echo "dictcheck=1" > /etc/security/pwquality.conf
76240a
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/not_defined.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/not_defined.fail.sh
76240a
new file mode 100644
76240a
index 0000000000..57e54b6623
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/not_defined.fail.sh
76240a
@@ -0,0 +1,3 @@
76240a
+#!/bin/bash
76240a
+
76240a
+sed -i s/dictcheck.+//g /etc/security/pwquality.conf
76240a
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var
76240a
new file mode 100644
76240a
index 0000000000..26452c3a8e
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var
76240a
@@ -0,0 +1,16 @@
76240a
+documentation_complete: true
76240a
+
76240a
+title: dictcheck
76240a
+
76240a
+description: |-
76240a
+    Prevent the use of dictionary words for passwords.
76240a
+
76240a
+type: number
76240a
+
76240a
+operator: equals
76240a
+
76240a
+interactive: false
76240a
+
76240a
+options:
76240a
+    1: 1
76240a
+    default: 1
76240a
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
76240a
index bf410c2087..f17a7b88b1 100644
76240a
--- a/products/rhel8/profiles/stig.profile
76240a
+++ b/products/rhel8/profiles/stig.profile
76240a
@@ -45,6 +45,7 @@ selections:
76240a
     - var_password_pam_minlen=15
76240a
     - var_password_pam_ocredit=1
76240a
     - var_password_pam_dcredit=1
76240a
+    - var_password_pam_dictcheck=1
76240a
     - var_password_pam_ucredit=1
76240a
     - var_password_pam_lcredit=1
76240a
     - var_password_pam_retry=3
76240a
@@ -567,6 +568,7 @@ selections:
76240a
     - sssd_offline_cred_expiration
76240a
 
76240a
     # RHEL-08-020300
76240a
+    - accounts_password_pam_dictcheck
76240a
 
76240a
     # RHEL-08-020310
76240a
     - accounts_logon_fail_delay
76240a
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
76240a
index 0b794d5c2a..dae4495b2d 100644
76240a
--- a/shared/references/cce-redhat-avail.txt
76240a
+++ b/shared/references/cce-redhat-avail.txt
76240a
@@ -362,7 +362,6 @@ CCE-86229-2
76240a
 CCE-86230-0
76240a
 CCE-86231-8
76240a
 CCE-86232-6
76240a
-CCE-86233-4
76240a
 CCE-86234-2
76240a
 CCE-86235-9
76240a
 CCE-86236-7
76240a
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
76240a
index ddfa13e731..236e595604 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig.profile
76240a
@@ -35,6 +35,7 @@ selections:
76240a
 - accounts_password_all_shadowed_sha512
76240a
 - accounts_password_minlen_login_defs
76240a
 - accounts_password_pam_dcredit
76240a
+- accounts_password_pam_dictcheck
76240a
 - accounts_password_pam_difok
76240a
 - accounts_password_pam_lcredit
76240a
 - accounts_password_pam_maxclassrepeat
76240a
@@ -332,6 +333,7 @@ selections:
76240a
 - var_password_pam_minlen=15
76240a
 - var_password_pam_ocredit=1
76240a
 - var_password_pam_dcredit=1
76240a
+- var_password_pam_dictcheck=1
76240a
 - var_password_pam_ucredit=1
76240a
 - var_password_pam_lcredit=1
76240a
 - var_password_pam_retry=3
76240a
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
index 017ab8c0e3..9973b5adef 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
@@ -46,6 +46,7 @@ selections:
76240a
 - accounts_password_all_shadowed_sha512
76240a
 - accounts_password_minlen_login_defs
76240a
 - accounts_password_pam_dcredit
76240a
+- accounts_password_pam_dictcheck
76240a
 - accounts_password_pam_difok
76240a
 - accounts_password_pam_lcredit
76240a
 - accounts_password_pam_maxclassrepeat
76240a
@@ -342,6 +343,7 @@ selections:
76240a
 - var_password_pam_minlen=15
76240a
 - var_password_pam_ocredit=1
76240a
 - var_password_pam_dcredit=1
76240a
+- var_password_pam_dictcheck=1
76240a
 - var_password_pam_ucredit=1
76240a
 - var_password_pam_lcredit=1
76240a
 - var_password_pam_retry=3