From 25216f8eb9caa6e783322158967b689e8bd784e7 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 13 Feb 2023 17:49:14 +0100
Subject: [PATCH 4/5] Accept required and requisite control flag for
pam_pwhistory
Patch-name: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
Patch-status: Accept required and requisite control flag for pam_pwhistory
---
controls/cis_rhel8.yml | 2 +-
controls/cis_rhel9.yml | 2 +-
controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml | 2 +-
.../rule.yml | 4 ++++
.../var_password_pam_remember_control_flag.var | 1 +
products/rhel8/profiles/stig.profile | 2 +-
tests/data/profile_stability/rhel8/stig.profile | 2 +-
tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
8 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index c0406f97b8..efc53d03fd 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2267,7 +2267,7 @@ controls:
rules:
- accounts_password_pam_pwhistory_remember_password_auth
- accounts_password_pam_pwhistory_remember_system_auth
- - var_password_pam_remember_control_flag=requisite
+ - var_password_pam_remember_control_flag=requisite_or_required
- var_password_pam_remember=5
- id: 5.5.4
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
index 7299a39528..30f7e8d182 100644
--- a/controls/cis_rhel9.yml
+++ b/controls/cis_rhel9.yml
@@ -2112,7 +2112,7 @@ controls:
rules:
- accounts_password_pam_pwhistory_remember_password_auth
- accounts_password_pam_pwhistory_remember_system_auth
- - var_password_pam_remember_control_flag=requisite
+ - var_password_pam_remember_control_flag=requisite_or_required
- var_password_pam_remember=5
- id: 5.5.4
diff --git a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
index 1e8286a4a4..b02b7da419 100644
--- a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
+++ b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
@@ -5,7 +5,7 @@ controls:
title: {{{ full_name }}} must prohibit password reuse for a minimum of five generations.
rules:
- var_password_pam_remember=5
- - var_password_pam_remember_control_flag=requisite
+ - var_password_pam_remember_control_flag=requisite_or_required
- accounts_password_pam_pwhistory_remember_password_auth
- accounts_password_pam_pwhistory_remember_system_auth
status: automated
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
index c549de2e96..d2b220ef9f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
@@ -129,3 +129,7 @@ warnings:
Newer versions of <tt>authselect</tt> contain an authselect feature to easily and properly
enable <tt>pam_pwhistory.so</tt> module. If this feature is not yet available in your
system, an authselect custom profile must be used to avoid integrity issues in PAM files.
+ If a custom profile was created and used in the system before this authselect feature was
+ available, the new feature can't be used with this custom profile and the
+ remediation will fail. In this case, the custom profile should be recreated or manually
+ updated.
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
index 8f01007550..1959936c04 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
@@ -20,4 +20,5 @@ options:
"sufficient": "sufficient"
"binding": "binding"
"ol8": "required,requisite"
+ "requisite_or_required": "requisite,required"
default: "requisite"
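Review bot: The new `"requisite_or_required": "requisite,required"` option carries the same two flags as the existing `"ol8": "required,requisite"` line above it, so the two options now differ only in ordering, and nothing in the file says why ordering matters; if the first element of the comma-separated list is the value the remediation writes while the check accepts either (that is my inference from the reversed order, not visible here), the option deserves a comment such as `# first value is written by remediation; the check accepts any listed value`. Selecting this option is more permissive than the previous `requisite` selection in the profiles changed by this patch: with `required`, a failing pam_pwhistory no longer ends the password stack immediately, although the stack's final result is still failure, so reviewers of those profiles should expect the check to pass on either layout. `default` stays `"requisite"`, so only profiles that select the new option change behaviour. The enclosing `options:` mapping starts before the hunk.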
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 8c64868619..a3f7dc9720 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -37,7 +37,7 @@ selections:
- var_accounts_minimum_age_login_defs=1
- var_accounts_max_concurrent_login_sessions=10
- var_password_pam_remember=5
- - var_password_pam_remember_control_flag=requisite
+ - var_password_pam_remember_control_flag=requisite_or_required
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- var_password_pam_unix_rounds=5000
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 6970a32b4f..5d694c6ae1 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -433,7 +433,7 @@ selections:
- var_accounts_minimum_age_login_defs=1
- var_accounts_max_concurrent_login_sessions=10
- var_password_pam_remember=5
-- var_password_pam_remember_control_flag=requisite
+- var_password_pam_remember_control_flag=requisite_or_required
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- var_password_pam_unix_rounds=5000
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 314f14e4f6..e165525b90 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -441,7 +441,7 @@ selections:
- var_accounts_minimum_age_login_defs=1
- var_accounts_max_concurrent_login_sessions=10
- var_password_pam_remember=5
-- var_password_pam_remember_control_flag=requisite
+- var_password_pam_remember_control_flag=requisite_or_required
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- var_password_pam_unix_rounds=5000
--