diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh
new file mode 100644
index 00000000000..1c151a1ec1a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh
@@ -0,0 +1,5 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhv
+
+if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" "/etc/pam.d/password-auth"; then
+ sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" "/etc/pam.d/password-auth"
+fi
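Review bot: The remediation only edits a `password ... sufficient ... pam_unix.so` line, while the OVAL pattern added in oval/shared.xml in this same commit accepts either `required` or `sufficient`, so a host whose pam_unix.so password line uses `required` keeps failing the check after remediation has run. Aligning the two is a two-line change: `if ! grep -Eq "^password[[:space:]]+(required|sufficient)[[:space:]]+pam_unix\.so.*sha512" "/etc/pam.d/password-auth"; then` and `sed -i --follow-symlinks -E "/^password[[:space:]]+(required|sufficient)[[:space:]]+pam_unix\.so/ s/$/ sha512/" "/etc/pam.d/password-auth"`. The same `sufficient`-only pattern is copied into tests/correct.pass.sh and tests/missing.fail.sh in this commit, so the test scenarios never exercise the `required` form the OVAL allows. A short header comment stating the intent would also help, e.g. `# Append sha512 to the pam_unix.so password line if no sha512 argument is present yet`.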
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml
new file mode 100644
index 00000000000..24fdbe4c1d4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml
@@ -0,0 +1,19 @@
+<def-group>
+ <definition class="compliance" id="set_password_hashing_algorithm_passwordauth" version="1">
+ {{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/password-auth.") }}}
+ <criteria operator="AND">
+ <criterion test_ref="test_pam_unix_passwordauth_sha512" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check /etc/pam.d/password-auth for correct settings" id="test_pam_unix_passwordauth_sha512" version="1">
+ <ind:object object_ref="object_pam_unix_passwordauth_sha512" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object comment="check /etc/pam.d/password-auth for correct settings" id="object_pam_unix_passwordauth_sha512" version="1">
+ <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
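Review bot: The `<ind:pattern>` line treats only `sha512` as a compliant pam_unix.so argument, yet the rule.yml in this commit lists rhel9 and fedora in prodtype, where pam_unix.so is, as far as I recall, configured with `yescrypt` rather than `sha512` by default; if that holds, a default install fails this check and the bash remediation then appends `sha512` next to `yescrypt`. Please confirm against a rhel9 or fedora image before merging; depending on the intended policy the alternation could become `(?:sha512|yescrypt)` or the prodtype could be narrowed. The object comment is also generic; something like `comment="pam_unix.so password line in /etc/pam.d/password-auth carrying the sha512 argument"` would tell a reader what is actually being matched.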
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
new file mode 100644
index 00000000000..9375269161d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
@@ -0,0 +1,72 @@
+documentation_complete: true
+
+prodtype: fedora,rhel7,rhel8,rhel9,rhv4
+
+title: "Set PAM's Password Hashing Algorithm - password-auth"
+
+description: |-
+ The PAM system service can be configured to only store encrypted
+ representations of passwords. In
+ <tt>/etc/pam.d/password-auth</tt>,
+ the
+ <tt>password</tt> section of the file controls which PAM modules execute
+ during a password change. Set the <tt>pam_unix.so</tt> module in the
+ <tt>password</tt> section to include the argument <tt>sha512</tt>, as shown
+ below:
+
+ password sufficient pam_unix.so sha512 other arguments...
+
+ This will help ensure when local users change their passwords, hashes for
+ the new passwords will be generated using the SHA-512 algorithm. This is
+ the default.
+
+rationale: |-
+ Passwords need to be protected at all times, and encryption is the standard
+ method for protecting passwords. If passwords are not encrypted, they can
+ be plainly read (i.e., clear text) and easily compromised. Passwords that
+ are encrypted with a weak algorithm are no more protected than if they are
+ kepy in plain text.
+
+ This setting ensures user and group account administration utilities are
+ configured to store only encrypted representations of passwords.
+ Additionally, the <tt>crypt_style</tt> configuration option ensures the use
+ of a strong hashing algorithm that makes password cracking attacks more
+ difficult.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-85943-9
+ cce@rhel8: CCE-85945-4
+ cce@rhel9: CCE-85946-2
+
+references:
+ anssi: BP28(R32)
+ cis-csc: 1,12,15,16,5
+ cis@rhel7: 5.4.3
+ cis@rhel8: 5.4.4
+ cjis: 5.6.2.2
+ cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
+ cui: 3.13.11
+ disa: CCI-000196
+ isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
+ isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
+ ism: 0418,1055,1402
+ iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
+ nist: IA-5(c),IA-5(1)(c),CM-6(a)
+ nist-csf: PR.AC-1,PR.AC-6,PR.AC-7
+ pcidss: Req-8.2.1
+ srg: SRG-OS-000073-GPOS-00041
+ stigid@rhel7: RHEL-07-010200
+ stigid@rhel8: RHEL-08-010160
+ vmmsrg: SRG-OS-000480-VMM-002000
+
+ocil_clause: 'it does not'
+
+ocil: |-
+ Inspect the <tt>password</tt> section of <tt>/etc/pam.d/password-auth</tt>
+ and ensure that the <tt>pam_unix.so</tt> module includes the argument
+ <tt>sha512</tt>:
+ $ grep sha512 /etc/pam.d/password-auth
+
+platform: pam
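Review bot: `stigid@rhel8: RHEL-08-010160` in this new rule's references disagrees with the rest of the commit: products/rhel8/profiles/stig.profile places set_password_hashing_algorithm_passwordauth under `# RHEL-08-010159` and keeps systemauth under `# RHEL-08-010160`, while the systemauth rule.yml hunk flips its own `stigid@rhel8` to `RHEL-08-010159`. One of the two rule.yml values is therefore swapped; the profile comments suggest this rule should carry `stigid@rhel8: RHEL-08-010159` and systemauth should keep `RHEL-08-010160`, but please verify against the STIG before changing either. In the rationale, `kepy in plain text` should read `kept in plain text`, and the sentence about the `crypt_style` configuration option describes libuser.conf rather than pam_unix.so, so it looks copied from the libuserconf rule. The ocil command `grep sha512 /etc/pam.d/password-auth` matches any line containing the string; `grep -E '^password.*pam_unix\.so.*sha512' /etc/pam.d/password-auth` would inspect the line the rule actually checks.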
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh
new file mode 100644
index 00000000000..a924fe5bd97
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" "/etc/pam.d/password-auth"; then
+ sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" "/etc/pam.d/password-auth"
+fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh
new file mode 100644
index 00000000000..68e925a645f
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/sha512//g" "/etc/pam.d/password-auth"
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
index 542ea521a6c..e7503feeecb 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
@@ -1,7 +1,9 @@
-# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
AUTH_FILES[0]="/etc/pam.d/system-auth"
+{{%- if product == "rhel7" %}}
AUTH_FILES[1]="/etc/pam.d/password-auth"
+{{%- endif %}}
for pamFile in "${AUTH_FILES[@]}"
do
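Review bot: The new `# platform =` line drops `multi_platform_sle`, so SLE products lose the bash remediation for this rule, although the systemauth rule.yml hunk in this commit still carries `stigid@sle12` and `stigid@sle15` references. If that is intentional it deserves a sentence in the commit message; if not, the line should keep `multi_platform_sle`. The `{{%- if product == "rhel7" %}}` guard around `AUTH_FILES[1]` looks right as far as the hunk shows: the leading `-` trims the preceding newline and non-rhel7 products are left with system-auth only, which matches the new standalone password-auth rule. The `for pamFile` loop it feeds continues outside the hunk.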
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
index d76b6f80c0c..a754a84df6c 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
@@ -3,6 +3,9 @@
{{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.") }}}
<criteria operator="AND">
<criterion test_ref="test_pam_unix_sha512" />
+ {{%- if product == "rhel7" %}}
+ <extend_definition comment="check /etc/pam.d/password-auth for correct settings" definition_ref="set_password_hashing_algorithm_passwordauth" />
+ {{%- endif %}}
</criteria>
</definition>
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
index 13da9dd4086..59fb48e93b5 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
@@ -70,7 +70,7 @@ references:
stigid@ol7: OL07-00-010200
stigid@ol8: OL08-00-010160
stigid@rhel7: RHEL-07-010200
- stigid@rhel8: RHEL-08-010160
+ stigid@rhel8: RHEL-08-010159
stigid@sle12: SLES-12-010230
stigid@sle15: SLES-15-020170
vmmsrg: SRG-OS-000480-VMM-002000
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
index 7e481760670..fb9feec4d27 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
@@ -1,7 +1,9 @@
#!/bin/bash
AUTH_FILES[0]="/etc/pam.d/system-auth"
+{{%- if product == "rhel7" %}}
AUTH_FILES[1]="/etc/pam.d/password-auth"
+{{%- endif %}}
for pamFile in "${AUTH_FILES[@]}"
do
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
index 09bb82dd1d7..2f35381d475 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
@@ -1,7 +1,9 @@
#!/bin/bash
AUTH_FILES[0]="/etc/pam.d/system-auth"
+{{%- if product == "rhel7" %}}
AUTH_FILES[1]="/etc/pam.d/password-auth"
+{{%- endif %}}
for pamFile in "${AUTH_FILES[@]}"
do
diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile
index 3ada8e6fe49..4df21f4ae6e 100644
--- a/products/rhel8/profiles/pci-dss.profile
+++ b/products/rhel8/profiles/pci-dss.profile
@@ -126,6 +126,7 @@ selections:
- service_pcscd_enabled
- sssd_enable_smartcards
- set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_passwordauth
- set_password_hashing_algorithm_logindefs
- set_password_hashing_algorithm_libuserconf
- file_owner_etc_shadow
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
index 15abd98a6a5..7188062df72 100644
--- a/products/rhel8/profiles/rht-ccp.profile
+++ b/products/rhel8/profiles/rht-ccp.profile
@@ -54,6 +54,7 @@ selections:
- accounts_password_pam_difok
- accounts_passwords_pam_faillock_deny
- set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_passwordauth
- set_password_hashing_algorithm_logindefs
- set_password_hashing_algorithm_libuserconf
- require_singleuser_auth
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 04f158116ee..8d69bb48d38 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -149,6 +149,9 @@ selections:
# RHEL-08-010152
- require_emergency_target_auth
+ # RHEL-08-010159
+ - set_password_hashing_algorithm_passwordauth
+
# RHEL-08-010160
- set_password_hashing_algorithm_systemauth
diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
index beb1acda31d..1e4044f4e7e 100644
--- a/products/rhel9/profiles/pci-dss.profile
+++ b/products/rhel9/profiles/pci-dss.profile
@@ -123,6 +123,7 @@ selections:
- service_pcscd_enabled
- sssd_enable_smartcards
- set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_passwordauth
- set_password_hashing_algorithm_logindefs
- set_password_hashing_algorithm_libuserconf
- file_owner_etc_shadow
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
index 8f79b22e3e4..b9f557de030 100644
--- a/products/rhel9/profiles/stig.profile
+++ b/products/rhel9/profiles/stig.profile
@@ -150,6 +150,9 @@ selections:
# RHEL-08-010152
- require_emergency_target_auth
+ # RHEL-08-010159
+ - set_password_hashing_algorithm_passwordauth
+
# RHEL-08-010160
- set_password_hashing_algorithm_systemauth
diff --git a/products/rhv4/profiles/pci-dss.profile b/products/rhv4/profiles/pci-dss.profile
index c4ed0ec2d48..d00f44996d8 100644
--- a/products/rhv4/profiles/pci-dss.profile
+++ b/products/rhv4/profiles/pci-dss.profile
@@ -121,6 +121,7 @@ selections:
- service_pcscd_enabled
- sssd_enable_smartcards
- set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_passwordauth
- set_password_hashing_algorithm_logindefs
- set_password_hashing_algorithm_libuserconf
- file_owner_etc_shadow
diff --git a/products/rhv4/profiles/rhvh-stig.profile b/products/rhv4/profiles/rhvh-stig.profile
index 01c2fd8cc2d..9cf416665ab 100644
--- a/products/rhv4/profiles/rhvh-stig.profile
+++ b/products/rhv4/profiles/rhvh-stig.profile
@@ -356,6 +356,7 @@ selections:
- set_password_hashing_algorithm_libuserconf
- set_password_hashing_algorithm_logindefs
- set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_passwordauth
- package_opensc_installed
- var_smartcard_drivers=cac
- configure_opensc_card_drivers
diff --git a/products/rhv4/profiles/rhvh-vpp.profile b/products/rhv4/profiles/rhvh-vpp.profile
index c2b6c106937..e66fe435508 100644
--- a/products/rhv4/profiles/rhvh-vpp.profile
+++ b/products/rhv4/profiles/rhvh-vpp.profile
@@ -201,6 +201,7 @@ selections:
- accounts_password_pam_unix_remember
- set_password_hashing_algorithm_logindefs
- set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_passwordauth
- set_password_hashing_algorithm_libuserconf
- no_empty_passwords
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 3f6ec5e17c4..4aa925037b1 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -53,9 +53,6 @@ CCE-85939-7
CCE-85940-5
CCE-85941-3
CCE-85942-1
-CCE-85943-9
-CCE-85945-4
-CCE-85946-2
CCE-85947-0
CCE-85948-8
CCE-85949-6
diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
index f58bcf91cf2..e235d492438 100644
--- a/tests/data/profile_stability/rhel8/pci-dss.profile
+++ b/tests/data/profile_stability/rhel8/pci-dss.profile
@@ -1,5 +1,9 @@
+title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
description: Ensures PCI-DSS v3.2.1 security configuration settings are applied.
-documentation_complete: true
+extends: null
+metadata:
+ SMEs:
+ - yuumasato
reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
selections:
- account_disable_post_pw_expiration
@@ -120,6 +124,7 @@ selections:
- service_pcscd_enabled
- set_password_hashing_algorithm_libuserconf
- set_password_hashing_algorithm_logindefs
+- set_password_hashing_algorithm_passwordauth
- set_password_hashing_algorithm_systemauth
- sshd_set_idle_timeout
- sshd_set_keepalive_0
@@ -136,4 +141,8 @@ selections:
- var_multiple_time_servers=rhel
- var_sshd_set_keepalive=0
- var_smartcard_drivers=cac
-title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
+platforms: !!set {}
+cpe_names: !!set {}
+platform: null
+filter_rules: ''
+documentation_complete: true
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index ed739e724f4..c5fcbf47de2 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -336,6 +337,7 @@ selections:
- service_systemd-coredump_disabled
- service_usbguard_enabled
- set_password_hashing_algorithm_logindefs
+- set_password_hashing_algorithm_passwordauth
- set_password_hashing_algorithm_systemauth
- sshd_disable_compression
- sshd_disable_empty_passwords
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 56c3fcb9f59..49ec4ae41ac 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -347,6 +348,7 @@ selections:
- service_systemd-coredump_disabled
- service_usbguard_enabled
- set_password_hashing_algorithm_logindefs
+- set_password_hashing_algorithm_passwordauth
- set_password_hashing_algorithm_systemauth
- sshd_disable_compression
- sshd_disable_empty_passwords