From 2af7d6d8f86f80dbac088d115a50162cfc28c542 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Tue, 27 Jul 2021 07:49:50 -0500
Subject: [PATCH] Add rule for RHEL-08-020300
---
 .../accounts_password_pam_dictcheck/rule.yml | 45 +++++++++++++++++++
 .../tests/disabled.fail.sh | 3 ++
 .../tests/enable.pass.sh | 3 ++
 .../tests/not_defined.fail.sh | 3 ++
 .../var_password_pam_dictcheck.var | 16 +++++++
 products/rhel8/profiles/stig.profile | 2 +
 shared/references/cce-redhat-avail.txt | 1 -
 .../data/profile_stability/rhel8/stig.profile | 2 +
 .../profile_stability/rhel8/stig_gui.profile | 2 +
 9 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/disabled.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/enable.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/not_defined.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
new file mode 100644
index 0000000000..2990150c0a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
@@ -0,0 +1,45 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words'
+
+description: |-
+ The pam_pwquality module's dictcheck check if passwords contains dictionary words. When
+ dictcheck is set to 1 passwords will be checked for dictionary words.
+
+rationale: |-
+ Use of a complex password helps to increase the time and resources required to compromise the password.
+ Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
+ guessing and brute-force attacks.
+

+ Password complexity is one factor of several that determines how long it takes to crack a password. The more
+ complex the password, the greater the number of possible combinations that need to be tested before the
+ password is compromised.
+

+ Passwords with dictionary words may be more vulnerable to password-guessing attacks.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-86233-4
+
+references:
+ disa: CCI-000366
+ nist: IA-5(c),IA-5(1)(a),CM-6(a),IA-5(4)
+ stigid@rhel8: RHEL-08-020300
+
+ocil_clause: 'dictcheck is not found or not equal to the required value'
+
+ocil: |-
+ To check if dictionary words are disallowed run the following command:
+
$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf
+ The dictcheck parameter should be equal to 1. The value should look like +
dictcheck=1
+
+
+template:
+ name: accounts_password
+ vars:
+ variable: dictcheck
+ operation: equals
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/disabled.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/disabled.fail.sh
new file mode 100644
index 0000000000..cb84c6d968
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/disabled.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "dictcheck=0" > /etc/security/pwquality.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/enable.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/enable.pass.sh
new file mode 100644
index 0000000000..ceb9f7ec34
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/enable.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "dictcheck=1" > /etc/security/pwquality.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/not_defined.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/not_defined.fail.sh
new file mode 100644
index 0000000000..57e54b6623
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/not_defined.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i s/dictcheck.+//g /etc/security/pwquality.conf
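Review bot: The OCIL command `$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf` is unanchored, so it also reports a commented-out `# dictcheck = 1` (the form in which libpwquality's shipped pwquality.conf lists its defaults) and a `dictcheck=0` line, both of which the rule treats as failures; an anchored form, `grep -E '^\s*dictcheck\s*=' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf`, shows only effective settings. The drop-in path also looks wrong: pwquality.conf(5) documents the directory as `/etc/security/pwquality.conf.d/`, beside the main file, so `/etc/pwquality.conf.d/*.conf` would quietly match nothing — confirm against the libpwquality version shipped in RHEL 8. The description has a grammar slip; suggest `The pam_pwquality module's dictcheck option controls whether candidate passwords are checked against a dictionary. When dictcheck is set to 1, passwords containing dictionary words are rejected.` The not_defined.fail.sh scenario shows the rule requires an explicit setting, which the description should state, since an absent dictcheck does not by itself mean the check is off.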
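Review bot: `echo "dictcheck=0" > /etc/security/pwquality.conf` truncates the whole file, which is acceptable on a throwaway test VM, but it leaves the drop-in directory that the rule's OCIL text refers to untouched; if the `accounts_password` template's check also reads `/etc/pwquality.conf.d/*.conf` (not visible in this diff), a pre-existing drop-in setting `dictcheck = 1` could turn this fail scenario into a pass. Adding `rm -f /etc/pwquality.conf.d/*.conf` (or whichever directory the check actually scans) before the echo makes the scenario independent of the base image. The same applies to enable.pass.sh, where a leftover drop-in with `dictcheck = 0` could flip the result the other way.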
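Review bot: `sed -i s/dictcheck.+//g /etc/security/pwquality.conf` does not do what the scenario name promises: sed runs in POSIX basic-regex mode by default, where `+` is a literal character, so the pattern only matches the text `dictcheck` followed by one arbitrary character and a literal `+`, and a `dictcheck = 1` line is left in place. Even with an extended-regex flag it would only blank the text and keep an empty line rather than remove the setting. Replace it with `sed -i '/^\s*dictcheck\s*=/d' /etc/security/pwquality.conf`, which deletes the setting line regardless of spacing. The scenario also passes vacuously if the base image has no uncommented dictcheck line to begin with, so it is worth seeding one first (for example the enable.pass.sh line) and then deleting it.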
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var
new file mode 100644
index 0000000000..26452c3a8e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: dictcheck
+
+description: |-
+ Prevent the use of dictionary words for passwords.
+
+type: number
+
+operator: equals
+
+interactive: false
+
+options:
+ 1: 1
+ default: 1
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index bf410c2087..f17a7b88b1 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -45,6 +45,7 @@ selections:
 - var_password_pam_minlen=15
 - var_password_pam_ocredit=1
 - var_password_pam_dcredit=1
+ - var_password_pam_dictcheck=1
 - var_password_pam_ucredit=1
 - var_password_pam_lcredit=1
 - var_password_pam_retry=3
@@ -567,6 +568,7 @@ selections:
 - sssd_offline_cred_expiration
 # RHEL-08-020300
+ - accounts_password_pam_dictcheck
 # RHEL-08-020310
 - accounts_logon_fail_delay
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 0b794d5c2a..dae4495b2d 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -362,7 +362,6 @@ CCE-86229-2
 CCE-86230-0
 CCE-86231-8
 CCE-86232-6
-CCE-86233-4
 CCE-86234-2
 CCE-86235-9
 CCE-86236-7
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index ddfa13e731..236e595604 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -35,6 +35,7 @@ selections:
 - accounts_password_all_shadowed_sha512
 - accounts_password_minlen_login_defs
 - accounts_password_pam_dcredit
+- accounts_password_pam_dictcheck
 - accounts_password_pam_difok
 - accounts_password_pam_lcredit
 - accounts_password_pam_maxclassrepeat
@@ -332,6 +333,7 @@ selections:
 - var_password_pam_minlen=15
 - var_password_pam_ocredit=1
 - var_password_pam_dcredit=1
+- var_password_pam_dictcheck=1
 - var_password_pam_ucredit=1
 - var_password_pam_lcredit=1
 - var_password_pam_retry=3
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 017ab8c0e3..9973b5adef 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -46,6 +46,7 @@ selections:
 - accounts_password_all_shadowed_sha512
 - accounts_password_minlen_login_defs
 - accounts_password_pam_dcredit
+- accounts_password_pam_dictcheck
 - accounts_password_pam_difok
 - accounts_password_pam_lcredit
 - accounts_password_pam_maxclassrepeat
@@ -342,6 +343,7 @@ selections:
 - var_password_pam_minlen=15
 - var_password_pam_ocredit=1
 - var_password_pam_dcredit=1
+- var_password_pam_dictcheck=1
 - var_password_pam_ucredit=1
 - var_password_pam_lcredit=1
 - var_password_pam_retry=3