From d2666b534c38bfc3bbd7308c4db4ef887cae6e0b Mon Sep 17 00:00:00 2001
From: Gabe <redhatrises@gmail.com>
Date: Wed, 11 Nov 2020 15:14:51 -0700
Subject: [PATCH] Add new pwquality.conf and faillock.conf rules
- Add rule for enforcing password complexity for root
- Add rules for enforcing pwquality and faillock for local users only
- Enable SSH client for STIG
- Part of #4978
- Fixes #2706
- Fixes #2174
---
.../ansible/shared.yml | 12 ++++++
.../bash/shared.sh | 9 ++++
.../oval/shared.xml | 21 ++++++++++
.../rule.yml | 42 +++++++++++++++++++
.../ansible/shared.yml | 12 ++++++
.../bash/shared.sh | 9 ++++
.../oval/shared.xml | 21 ++++++++++
.../rule.yml | 42 +++++++++++++++++++
.../ansible/shared.yml | 12 ++++++
.../bash/shared.sh | 9 ++++
.../oval/shared.xml | 21 ++++++++++
.../rule.yml | 39 +++++++++++++++++
rhel8/profiles/stig.profile | 4 +-
.../oval/accounts_password_pam_faillock.xml | 26 ++++++++++++
.../data/profile_stability/rhel8/stig.profile | 4 ++
16 files changed, 282 insertions(+), 4 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
create mode 100644 shared/checks/oval/accounts_password_pam_faillock.xml
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
new file mode 100644
index 0000000000..6ead01fab5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure failed password attempts lockout only for local users
+ lineinfile:
+ create: yes
+ dest: "/etc/security/faillock.conf"
+ regexp: '^#?\s*local_users_only'
+ line: "local_users_only"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
new file mode 100644
index 0000000000..8c43a8bb82
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+if ! grep -q "^local_users_only" /etc/security/faillock.conf; then
+ sed "s/# local_users_only/local_users_only/g" -i /etc/security/faillock.conf
+fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml
new file mode 100644
index 0000000000..8e8ce134b0
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml
@@ -0,0 +1,21 @@
+<def-group>
+ <definition class="compliance" id="accounts_passwords_pam_faillock_enforce_local" version="1">
+ {{{ oval_metadata("Failed password attempts are enforced for local users only.") }}}
+ <criteria operator="AND" comment="conditions for accounts_passwords_pam_faillock_enforce_local are satisfied">
+ <extend_definition comment="faillock.so exists in system-auth" definition_ref="accounts_password_pam_faillock" />
+ <criterion comment="faillock.conf" test_ref="test_accounts_passwords_pam_faillock_enforce_local" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all"
+ comment="check the configuration of /etc/security/faillock.conf"
+ id="test_accounts_passwords_pam_faillock_enforce_local" version="1">
+ <ind:object object_ref="obj_accounts_passwords_pam_faillock_enforce_local" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_accounts_passwords_pam_faillock_enforce_local" version="1">
+ <ind:filepath>/etc/security/faillock.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*local_users_only[\s]*$</ind:pattern>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml
new file mode 100644
index 0000000000..a189ac68ec
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml
@@ -0,0 +1,42 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Enforce pam_faillock for Local Accounts Only'
+
+description: |-
+ The pam_faillock module's <tt>local_users_only</tt> parameter controls requirements for
+ enforcing failed lockout attempts only for local user accounts and ignoring
+ centralized user account management failed attempt configurations. Enable the <tt>local_users_only</tt>
+ setting in <tt>/etc/security/faillock.conf</tt> to require failed password attempts
+ for only local user accounts.
+
+rationale: |-
+ The operating system must provide automated mechanisms for supporting account management
+ functions. Enterprise environments make application account management challenging and
+ complex. A manual process for account management functions adds the risk of a potential
+ oversight or other error.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-83401-0
+
+references:
+ disa: CCI-000015
+ nist: AC-2(1)
+ srg: SRG-OS-000001-GPOS-00001
+
+ocil_clause: 'local_users_only is not uncommented or configured correctly'
+
+ocil: |-
+ To check if root user is required to use complex passwords, run the following command:
+ <pre>$ grep local_users_only /etc/security/faillock.conf</pre>
+ The output should return <tt>local_users_only</tt> uncommented.
+
+platform: pam
+
+warnings:
+ - management: |-
+ Using this rule bypasses pam_faillock's functionality and should be used in cases
+ where centralized management such as LDAP or Active Directory is in use.
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml
new file mode 100644
index 0000000000..cebb406ad7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure password complexity only for local users
+ lineinfile:
+ create: yes
+ dest: "/etc/security/pwquality.conf"
+ regexp: '^#?\s*local_users_only'
+ line: "local_users_only"
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh
new file mode 100644
index 0000000000..4049539796
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+if ! grep -q "^local_users_only" /etc/security/pwquality.conf; then
+ sed "s/# local_users_only/local_users_only/g" -i /etc/security/pwquality.conf
+fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml
new file mode 100644
index 0000000000..794344e635
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml
@@ -0,0 +1,21 @@
+<def-group>
+ <definition class="compliance" id="accounts_password_pam_pwquality_enforce_local" version="1">
+ {{{ oval_metadata("The password complexity requirements are enforced for local users only.") }}}
+ <criteria operator="AND" comment="conditions for enforce_local are satisfied">
+ <extend_definition comment="pwquality.so exists in system-auth" definition_ref="accounts_password_pam_pwquality" />
+ <criterion comment="pwquality.conf" test_ref="test_accounts_password_pam_pwquality_enforce_local" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all"
+ comment="check the configuration of /etc/security/pwquality.conf"
+ id="test_accounts_password_pam_pwquality_enforce_local" version="1">
+ <ind:object object_ref="obj_accounts_password_pam_pwquality_enforce_local" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_accounts_password_pam_pwquality_enforce_local" version="1">
+ <ind:filepath>/etc/security/pwquality.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*local_users_only[\s]*$</ind:pattern>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
new file mode 100644
index 0000000000..37f89b75b5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
@@ -0,0 +1,42 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only'
+
+description: |-
+ The pam_pwquality module's <tt>local_users_only</tt> parameter controls requirements for
+ enforcing password complexity by pam_pwquality only for local user accounts and ignoring
+ centralized user account management password complexity configurations. Enable the <tt>local_users_only</tt>
+ setting in <tt>/etc/security/pwquality.conf</tt> to require password complexity enforcement
+ for only local user accounts.
+
+rationale: |-
+ The operating system must provide automated mechanisms for supporting account management
+ functions. Enterprise environments make application account management challenging and
+ complex. A manual process for account management functions adds the risk of a potential
+ oversight or other error.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-83364-0
+
+references:
+ disa: CCI-000015
+ nist: AC-2(1)
+ srg: SRG-OS-000001-GPOS-00001
+
+ocil_clause: 'local_users_only is not uncommented or configured correctly'
+
+ocil: |-
+ To verify if password complexities are only enforce on local users, run the following command:
+ <pre>$ grep local_users_only /etc/security/pwquality.conf</pre>
+ The output should return <tt>local_users_only</tt> uncommented.
+
+platform: pam
+
+warnings:
+ - management: |-
+ Using this rule bypasses pam_faillock's functionality and should be used in cases
+ where centralized management such as LDAP or Active Directory is in use.
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml
new file mode 100644
index 0000000000..516c5c1ae6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure password complexity for root user
+ lineinfile:
+ create: yes
+ dest: "/etc/security/pwquality.conf"
+ regexp: '^#?\s*enforce_for_root'
+ line: "enforce_for_root"
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh
new file mode 100644
index 0000000000..97f45c6259
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+if ! grep -q "^enforce_for_root" /etc/security/pwquality.conf; then
+ sed "s/# enforce_for_root/enforce_for_root/g" -i /etc/security/pwquality.conf
+fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml
new file mode 100644
index 0000000000..fccf5fd00e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml
@@ -0,0 +1,21 @@
+<def-group>
+ <definition class="compliance" id="accounts_password_pam_pwquality_enforce_root" version="1">
+ {{{ oval_metadata("The password complexity requirements are enforced for root.") }}}
+ <criteria operator="AND" comment="conditions for enforce_root are satisfied">
+ <extend_definition comment="pwquality.so exists in system-auth" definition_ref="accounts_password_pam_pwquality" />
+ <criterion comment="pwquality.conf" test_ref="test_accounts_password_pam_pwquality_enforce_root" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all"
+ comment="check the configuration of /etc/security/pwquality.conf"
+ id="test_accounts_password_pam_pwquality_enforce_root" version="1">
+ <ind:object object_ref="obj_accounts_password_pam_pwquality_enforce_root" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_accounts_password_pam_pwquality_enforce_root" version="1">
+ <ind:filepath>/etc/security/pwquality.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*enforce_for_root[\s]*$</ind:pattern>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
new file mode 100644
index 0000000000..6aa1876e03
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Ensure PAM Enforces Password Requirements - Enforce for root User'
+
+description: |-
+ The pam_pwquality module's <tt>enforce_for_root</tt> parameter controls requirements for
+ enforcing password complexity for the root user. Enable the <tt>enforce_for_root</tt>
+ setting in <tt>/etc/security/pwquality.conf</tt> to require the <tt>root</tt> user
+ to use complex passwords.
+
+rationale: |-
+ Use of a complex password helps to increase the time and resources required to compromise
+ the password. Password complexity, or strength, is a measure of the effectiveness of a
+ password in resisting attempts at guessing and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it takes to crack a
+ password. The more complex the password, the greater the number of possible combinations
+ that need to be tested before the password is compromised.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-83377-2
+
+references:
+ disa: CCI-000194,CCI-000193,CCI-001619,CCI-000205,CCI-000195,CCI-000192,CCI-000366
+ nist: IA-5(c),IA-5(1)(a),CM-6(a),IA-5(4)
+ srg: SRG-OS-000072-GPOS-00040,SRG-OS-000071-GPOS-00039,SRG-OS-000070-GPOS-00038,SRG-OS-000266-GPOS-00101,SRG-OS-000078-GPOS-00046,SRG-OS-000480-GPOS-00225,SRG-OS-000069-GPOS-00037
+
+ocil_clause: 'enforce_for_root is not uncommented or configured correctly'
+
+ocil: |-
+ To verify if root user is required to use complex passwords, run the following command:
+ <pre>$ grep enforce_for_root /etc/security/pwquality.conf</pre>
+ The output should return <tt>enforce_for_root</tt> uncommented.
+
+platform: pam
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 15fe5c5bf9..b23cc05029 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -45,13 +45,15 @@ selections:
- package_audispd-plugins_installed
- package_libcap-ng-utils_installed
- auditd_audispd_syslog_plugin_activated
+ - accounts_passwords_pam_faillock_enforce_local
+ - accounts_password_pam_enforce_local
+ - accounts_password_pam_enforce_root
# Configure TLS for remote logging
- package_rsyslog_installed
- package_rsyslog-gnutls_installed
- rsyslog_remote_tls
- rsyslog_remote_tls_cacert
- - "!ssh_client_rekey_limit"
# Unselect zIPL rules from OSPP
- "!zipl_bls_entries_only"
diff --git a/shared/checks/oval/accounts_password_pam_faillock.xml b/shared/checks/oval/accounts_password_pam_faillock.xml
new file mode 100644
index 0000000000..c55c143ba5
--- /dev/null
+++ b/shared/checks/oval/accounts_password_pam_faillock.xml
@@ -0,0 +1,26 @@
+<def-group>
+ <definition class="compliance" id="accounts_password_pam_faillock" version="1">
+ <metadata>
+ <title>Check pam_faillock Existence in system-auth</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Check that pam_faillock.so exists in system-auth</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Conditions for pam_faillock are satisfied"
+ test_ref="test_accounts_password_pam_faillock" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="test_accounts_password_pam_faillock" version="1">
+ <ind:object object_ref="obj_accounts_password_pam_faillock" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_accounts_password_pam_faillock" version="1">
+ <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+ <ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_faillock\.so.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 569eed6636..5add9d462f 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -272,4 +272,8 @@ selections:
- grub2_vsyscall_argument.severity=info
- sysctl_user_max_user_namespaces.role=unscored
- sysctl_user_max_user_namespaces.severity=info
+- ssh_client_rekey_limit
+- accounts_passwords_pam_faillock_enforce_local
+- accounts_password_pam_enforce_local
+- accounts_password_pam_enforce_root
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'