From d2666b534c38bfc3bbd7308c4db4ef887cae6e0b Mon Sep 17 00:00:00 2001 
From: Gabe Date: Wed, 11 Nov 2020 15:14:51 -0700 Subject: [PATCH] Add new pwquality.conf and faillock.conf rules - Add rule for enforcing password complexity for root - Add rules for enforcing pwquality and faillock for local users only - Enable SSH client for STIG - Part of #4978 - Fixes #2706 - Fixes #2174 --- .../ansible/shared.yml | 12 ++++++ .../bash/shared.sh | 9 ++++ .../oval/shared.xml | 21 ++++++++++ .../rule.yml | 42 +++++++++++++++++++ .../ansible/shared.yml | 12 ++++++ .../bash/shared.sh | 9 ++++ .../oval/shared.xml | 21 ++++++++++ .../rule.yml | 42 +++++++++++++++++++ .../ansible/shared.yml | 12 ++++++ .../bash/shared.sh | 9 ++++ .../oval/shared.xml | 21 ++++++++++ .../rule.yml | 39 +++++++++++++++++ rhel8/profiles/stig.profile | 4 +- .../oval/accounts_password_pam_faillock.xml | 26 ++++++++++++ .../data/profile_stability/rhel8/stig.profile | 4 ++ 16 files changed, 282 insertions(+), 4 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh create mode 100644 
linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
create mode 100644 shared/checks/oval/accounts_password_pam_faillock.xml
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
new file mode 100644
index 0000000000..6ead01fab5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure failed password attempts lockout only for local users
+ lineinfile:
+ create: yes
+ dest: "/etc/security/faillock.conf"
+ regexp: '^#?\s*local_users_only'
+ line: "local_users_only"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
new file mode 100644
index 0000000000..8c43a8bb82
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+if ! grep -q "^local_users_only" /etc/security/faillock.conf; then
+ sed "s/# local_users_only/local_users_only/g" -i /etc/security/faillock.conf
+fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml
new file mode 100644
index 0000000000..8e8ce134b0
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml
@@ -0,0 +1,21 @@
+ + + {{{ oval_metadata("Failed password attempts are enforced for local users only.") }}} + + + + + + + + + + + + /etc/security/faillock.conf + ^[\s]*local_users_only[\s]*$ + 1 + +
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml
new file mode 100644
index 0000000000..a189ac68ec
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml
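Review bot: The sed on the second line of the script body only flips a line that reads exactly `# local_users_only`; when the shipped template comment is absent or spaced differently (for example `#local_users_only`), the grep guard still fails, sed matches nothing, and the remediation exits 0 without setting the option, so the OVAL check keeps failing. The Ansible sibling uses `create: yes` and adds the line when it is missing, so the bash variant should do the same: after the sed, add `grep -q "^local_users_only" /etc/security/faillock.conf || echo "local_users_only" >> /etc/security/faillock.conf`. Anchoring the substitution, `sed "s/^#\s*local_users_only\s*$/local_users_only/" -i /etc/security/faillock.conf`, also keeps it from rewriting unrelated text, and the `g` flag does nothing useful on a one-token line. The same pattern is repeated in the bash remediations for accounts_password_pam_enforce_local and accounts_password_pam_enforce_root later in this patch.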
@@ -0,0 +1,42 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Enforce pam_faillock for Local Accounts Only'
+
+description: |-
+ The pam_faillock module's local_users_only parameter controls requirements for
+ enforcing failed lockout attempts only for local user accounts and ignoring
+ centralized user account management failed attempt configurations. Enable the local_users_only
+ setting in /etc/security/faillock.conf to require failed password attempts
+ for only local user accounts.
+
+rationale: |-
+ The operating system must provide automated mechanisms for supporting account management
+ functions. Enterprise environments make application account management challenging and
+ complex. A manual process for account management functions adds the risk of a potential
+ oversight or other error.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-83401-0
+
+references:
+ disa: CCI-000015
+ nist: AC-2(1)
+ srg: SRG-OS-000001-GPOS-00001
+
+ocil_clause: 'local_users_only is not uncommented or configured correctly'
+
+ocil: |-
+ To check if root user is required to use complex passwords, run the following command:
+
$ grep local_users_only /etc/security/faillock.conf
+ The output should return local_users_only uncommented.
+
+platform: pam
+
+warnings:
+ - management: |-
+ Using this rule bypasses pam_faillock's functionality and should be used in cases
+ where centralized management such as LDAP or Active Directory is in use.
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml
new file mode 100644
index 0000000000..cebb406ad7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure password complexity only for local users
+ lineinfile:
+ create: yes
+ dest: "/etc/security/pwquality.conf"
+ regexp: '^#?\s*local_users_only'
+ line: "local_users_only"
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh
new file mode 100644
index 0000000000..4049539796
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+if ! grep -q "^local_users_only" /etc/security/pwquality.conf; then
+ sed "s/# local_users_only/local_users_only/g" -i /etc/security/pwquality.conf
+fi
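Review bot: The text under `ocil: |-` says "To check if root user is required to use complex passwords", which is copied from the enforce_for_root rule and does not describe this check; it should read `To verify that pam_faillock only counts failed attempts for local accounts, run the following command:`. The description says the setting "ignores" centralized failed-attempt configurations while the warning says the rule "bypasses pam_faillock's functionality"; one plain sentence in the warning stating that, once local_users_only is set, failed logins by non-local (LDAP/AD) accounts are not tallied or locked by pam_faillock on this host would make the operational impact of selecting this rule explicit. The rationale is the generic account-management boilerplate and does not explain why limiting lockout to local accounts is desirable, so a reader cannot tell when the rule applies to them.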
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml
new file mode 100644
index 0000000000..794344e635
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml
@@ -0,0 +1,21 @@
+ + + {{{ oval_metadata("The password complexity requirements are enforced for local users only.") }}} + + + + + + + + + + + + /etc/security/pwquality.conf + ^[\s]*local_users_only[\s]*$ + 1 + +
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
new file mode 100644
index 0000000000..37f89b75b5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
@@ -0,0 +1,42 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only'
+
+description: |-
+ The pam_pwquality module's local_users_only parameter controls requirements for
+ enforcing password complexity by pam_pwquality only for local user accounts and ignoring
+ centralized user account management password complexity configurations. Enable the local_users_only
+ setting in /etc/security/pwquality.conf to require password complexity enforcement
+ for only local user accounts.
+
+rationale: |-
+ The operating system must provide automated mechanisms for supporting account management
+ functions. Enterprise environments make application account management challenging and
+ complex. A manual process for account management functions adds the risk of a potential
+ oversight or other error.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-83364-0
+
+references:
+ disa: CCI-000015
+ nist: AC-2(1)
+ srg: SRG-OS-000001-GPOS-00001
+
+ocil_clause: 'local_users_only is not uncommented or configured correctly'
+
+ocil: |-
+ To verify if password complexities are only enforce on local users, run the following command:
+
$ grep local_users_only /etc/security/pwquality.conf
+ The output should return local_users_only uncommented.
+
+platform: pam
+
+warnings:
+ - management: |-
+ Using this rule bypasses pam_faillock's functionality and should be used in cases
+ where centralized management such as LDAP or Active Directory is in use.
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml
new file mode 100644
index 0000000000..516c5c1ae6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure password complexity for root user
+ lineinfile:
+ create: yes
+ dest: "/etc/security/pwquality.conf"
+ regexp: '^#?\s*enforce_for_root'
+ line: "enforce_for_root"
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh
new file mode 100644
index 0000000000..97f45c6259
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+if ! grep -q "^enforce_for_root" /etc/security/pwquality.conf; then
+ sed "s/# enforce_for_root/enforce_for_root/g" -i /etc/security/pwquality.conf
+fi
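Review bot: The `warnings` block at the end of this file says the rule "bypasses pam_faillock's functionality", but this rule configures pam_pwquality, so the sentence looks copied from the faillock rule; it should read `Using this rule limits pam_pwquality's complexity checks to local accounts and should be used in cases`. In the ocil text, "are only enforce on local users" should be "are only enforced for local users". The rationale is the same account-management boilerplate as the faillock rule and never mentions password quality; a rationale modelled on the enforce_for_root rule, explaining that with local_users_only set the host no longer applies its own complexity policy to non-local accounts and presumably relies on the directory service for that, would tell an assessor what they are accepting.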
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml
new file mode 100644
index 0000000000..fccf5fd00e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml
@@ -0,0 +1,21 @@
+ + + {{{ oval_metadata("The password complexity requirements are enforced for root.") }}} + + + + + + + + + + + + /etc/security/pwquality.conf + ^[\s]*enforce_for_root[\s]*$ + 1 + +
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
new file mode 100644
index 0000000000..6aa1876e03
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Ensure PAM Enforces Password Requirements - Enforce for root User'
+
+description: |-
+ The pam_pwquality module's enforce_for_root parameter controls requirements for
+ enforcing password complexity for the root user. Enable the enforce_for_root
+ setting in /etc/security/pwquality.conf to require the root user
+ to use complex passwords.
+
+rationale: |-
+ Use of a complex password helps to increase the time and resources required to compromise
+ the password. Password complexity, or strength, is a measure of the effectiveness of a
+ password in resisting attempts at guessing and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it takes to crack a
+ password. The more complex the password, the greater the number of possible combinations
+ that need to be tested before the password is compromised.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-83377-2
+
+references:
+ disa: CCI-000194,CCI-000193,CCI-001619,CCI-000205,CCI-000195,CCI-000192,CCI-000366
+ nist: IA-5(c),IA-5(1)(a),CM-6(a),IA-5(4)
+ srg: SRG-OS-000072-GPOS-00040,SRG-OS-000071-GPOS-00039,SRG-OS-000070-GPOS-00038,SRG-OS-000266-GPOS-00101,SRG-OS-000078-GPOS-00046,SRG-OS-000480-GPOS-00225,SRG-OS-000069-GPOS-00037
+
+ocil_clause: 'enforce_for_root is not uncommented or configured correctly'
+
+ocil: |-
+ To verify if root user is required to use complex passwords, run the following command:
+
$ grep enforce_for_root /etc/security/pwquality.conf
+ The output should return enforce_for_root uncommented.
+
+platform: pam
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 15fe5c5bf9..b23cc05029 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -45,13 +45,15 @@ selections:
 - package_audispd-plugins_installed
 - package_libcap-ng-utils_installed
 - auditd_audispd_syslog_plugin_activated
+ - accounts_passwords_pam_faillock_enforce_local
+ - accounts_password_pam_enforce_local
+ - accounts_password_pam_enforce_root
 # Configure TLS for remote logging
 - package_rsyslog_installed
 - package_rsyslog-gnutls_installed
 - rsyslog_remote_tls
 - rsyslog_remote_tls_cacert
- - "!ssh_client_rekey_limit"
 # Unselect zIPL rules from OSPP
 - "!zipl_bls_entries_only"
diff --git a/shared/checks/oval/accounts_password_pam_faillock.xml b/shared/checks/oval/accounts_password_pam_faillock.xml
new file mode 100644
index 0000000000..c55c143ba5
--- /dev/null
+++ b/shared/checks/oval/accounts_password_pam_faillock.xml
@@ -0,0 +1,26 @@
+ + + + Check pam_faillock Existence in system-auth + + multi_platform_all + + Check that pam_faillock.so exists in system-auth + + + + + + + + + + + + /etc/pam.d/system-auth + ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_faillock\.so.*$ + 1 + + +
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 569eed6636..5add9d462f 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -272,4 +272,8 @@ selections:
 - grub2_vsyscall_argument.severity=info
 - sysctl_user_max_user_namespaces.role=unscored
 - sysctl_user_max_user_namespaces.severity=info
+- ssh_client_rekey_limit
+- accounts_passwords_pam_faillock_enforce_local
+- accounts_password_pam_enforce_local
+- accounts_password_pam_enforce_root
 title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
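Review bot: Selecting `accounts_passwords_pam_faillock_enforce_local` and `accounts_password_pam_enforce_local` unconditionally in the STIG profile sits uneasily with the rules' own warnings, which say they should be used where LDAP or Active Directory is in use; per the rule descriptions, the profile now makes every RHEL 8 STIG host stop applying faillock and pwquality to non-local accounts whether or not such accounts exist or are governed elsewhere. If the STIG mandates these settings, a one-line comment above the three selections naming the requirement would document that; if not, they probably belong in a tailoring rather than the base profile. Stylistically, the three lines are inserted between the auditd selections and the `# Configure TLS for remote logging` comment instead of beside the other PAM/password selections, which makes them easy to miss. Dropping `- "!ssh_client_rekey_limit"` re-enables that rule, which matches the `+- ssh_client_rekey_limit` line added to the profile stability data in this patch, but the commit message's "Enable SSH client for STIG" does not say which rule it means.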
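Review bot: The pattern `^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_faillock\.so.*$` looks for pam_faillock.so in the `password` stack, but pam_faillock is an auth/account module configured as `auth required pam_faillock.so preauth ...` and `account required pam_faillock.so`, so this test would not match a correctly configured system-auth and the definition can never pass. The control type should be `auth`, e.g. `^\s*auth\s+(?:required|requisite)\s+pam_faillock\.so.*$`, with a second object for the `account` line if the definition is meant to prove lockout is fully wired up. The object also reads only `/etc/pam.d/system-auth`; on RHEL 8, sshd's PAM service includes `/etc/pam.d/password-auth`, so a host could pass this check while remote logins are never locked out, and checking password-auth as well would close that gap. I do not see a rule in this patch that references the new definition, so its intended consumer is unclear; a comment in the definition, or the rule that uses it, would help.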