[Open-scap] issue with PASS_MIN_DAYS validation

Jan Lieskovsky jlieskov at redhat.com
Thu Oct 24 16:47:10 UTC 2013


Hello Will,

  thank you for checking with us.

----- Original Message -----
> From: "wm-lists" <wm-lists at nixpeeps.com>
> To: open-scap-list at redhat.com
> Sent: Thursday, October 24, 2013 2:52:41 PM
> Subject: [Open-scap] issue with PASS_MIN_DAYS validation
> 
> I'm using scap-security-guide-0.1-12.el6.noarch as my source from
> 
> http://people.redhat.com/swells/scap-security-guide/rpmbuild/src/redhat/RPMS/noarch/
> 
> Running oscap xccdf eval --profile server
> /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

The 'server' profile extends 'common' profile. Having a look at 'common' profile
definition:
  [1] http://people.redhat.com/swells/scap-security-guide/RHEL6/input/profiles/common.xml

it can be seen that =>

> Generates a failure for
> Title Set Password Minimum Age
> Rule password_min_age
> Ident CCE-27013-2
> Result fail
> 

<refine-value idref="var_accounts_minimum_age_login_defs" selector="7"/>
<!-- minimum password age -->

the profile requires/specifies the minimum password login age to be
set to a value of 7 for the rule to succeed.

Generally profiles can define their own requirements (via a particular variable
definition) for how a particular rule should be evaluated for success (IOW the
values specified in the profile might differ from the values specified in the HTML
form of the guide):
  [2] http://people.redhat.com/swells/scap-security-guide/RHEL6/output/rhel6-guide.html

> Title Set Password Maximum Age
> Rule password_max_age
> Ident CCE-26985-2
> Result fail

Similarly for max password age:

<refine-value idref="var_accounts_maximum_age_login_defs" selector="90"/>
<!-- maximum password age -->

A value of at most 90 is required for the test to succeed.

For the rest of the rules I didn't search for exact details,
but I assume the explanation would be the same.

Hope the above is helpful. Let us know if we can be of any further
assistance.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> 
> Title Set Password Strength Minimum Uppercase Characters
> Rule password_require_uppercases
> Ident CCE-26601-5
> Result fail
> 
> Title Set Password Strength Minimum Special Characters
> Rule password_require_specials
> Ident CCE-26409-3
> Result fail
> 
> Title Set Password Strength Minimum Lowercase Characters
> Rule password_require_lowercases
> Ident CCE-26631-2
> Result fail
> 
> Among others.
> I have cracklib configured what I believe is correct (according to the CCE)
> # grep cracklib /etc/pam.d/system-auth-ac
> password requisite pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1
> lcredit=-1 difok=4 try_first_pass retry=3 minlen=14 type=
> # grep PASS /etc/login.defs
> 
> PASS_MAX_DAYS 180
> PASS_MIN_DAYS 1
> PASS_MIN_LEN 14
> PASS_WARN_AGE 7
> 
> Any help on what I might be missing here?
> 
> Thanks!
> Will
> 
> 
> 
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list at redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
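To make the mechanism Jan describes concrete, here is an added example (not code from OpenSCAP, SSG or either poster) that resolves XCCDF refine-value selectors for a profile and then evaluates the two login.defs rules against a login.defs excerpt. The XCCDF fragment is constructed and heavily simplified (real SSG Values carry more selectors, and the real checks are OVAL definitions run by oscap, not this script); the login.defs excerpts are constructed, one with the values from the original post and one that satisfies the 'common' refinements. The comparison directions (PASS_MIN_DAYS at least the variable, PASS_MAX_DAYS at most the variable) follow the explanation above; everything else, including the profile id "defaults-only", is an assumption made for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified XCCDF 1.1 fragment (assumption, not SSG's real content):
# the 'common' profile refines two Values the way the thread describes, and a
# second profile leaves the Values at their selector-less defaults.
BENCHMARK_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="demo">
  <Profile id="common">
    <refine-value idref="var_accounts_minimum_age_login_defs" selector="7"/>
    <refine-value idref="var_accounts_maximum_age_login_defs" selector="90"/>
  </Profile>
  <Profile id="defaults-only"/>
  <Value id="var_accounts_minimum_age_login_defs" type="number">
    <value>1</value>
    <value selector="7">7</value>
  </Value>
  <Value id="var_accounts_maximum_age_login_defs" type="number">
    <value>180</value>
    <value selector="60">60</value>
    <value selector="90">90</value>
  </Value>
</Benchmark>"""

# Constructed /etc/login.defs excerpt using the values from the original post.
LOGIN_DEFS_POSTED = """\
# Password aging controls (constructed sample)
PASS_MAX_DAYS 180
PASS_MIN_DAYS 1
PASS_MIN_LEN 14
PASS_WARN_AGE 7
"""

# Constructed excerpt that satisfies the 'common' refinements (tabs are fine too).
LOGIN_DEFS_COMPLIANT = """\
PASS_MAX_DAYS\t90
PASS_MIN_DAYS\t7
PASS_MIN_LEN\t14
PASS_WARN_AGE\t7
"""

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}


def resolve_values(benchmark_xml, profile_id):
    """Return {value_id: effective value string} as seen by the given profile.

    A <refine-value> in the profile picks the <value> child whose selector
    matches; without one, the selector-less <value> (the default) applies.
    """
    root = ET.fromstring(benchmark_xml)
    profile = root.find(f"x:Profile[@id='{profile_id}']", NS)
    if profile is None:
        raise ValueError(f"no such profile: {profile_id}")
    selectors = {rv.get("idref"): rv.get("selector")
                 for rv in profile.findall("x:refine-value", NS)}
    effective = {}
    for val in root.findall("x:Value", NS):
        vid = val.get("id")
        choices = {v.get("selector", ""): (v.text or "").strip()
                   for v in val.findall("x:value", NS)}
        sel = selectors.get(vid, "")
        if sel not in choices:
            raise ValueError(f"{vid}: selector {sel!r} has no matching <value>")
        effective[vid] = choices[sel]
    return effective


def parse_login_defs(text):
    """Parse 'KEY value' lines of login.defs, ignoring comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def _as_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None  # missing or non-numeric: treated as failing the check


def evaluate(login_defs_text, benchmark_xml, profile_id):
    """Evaluate password_min_age / password_max_age the way the thread explains:
    PASS_MIN_DAYS must be >= the refined minimum, PASS_MAX_DAYS <= the refined maximum."""
    values = resolve_values(benchmark_xml, profile_id)
    defs = parse_login_defs(login_defs_text)
    min_required = int(values["var_accounts_minimum_age_login_defs"])
    max_allowed = int(values["var_accounts_maximum_age_login_defs"])
    min_days = _as_int(defs.get("PASS_MIN_DAYS"))
    max_days = _as_int(defs.get("PASS_MAX_DAYS"))
    return {
        "password_min_age": "pass" if min_days is not None and min_days >= min_required else "fail",
        "password_max_age": "pass" if max_days is not None and max_days <= max_allowed else "fail",
    }


if __name__ == "__main__":
    for profile in ("common", "defaults-only"):
        print(profile, resolve_values(BENCHMARK_XML, profile))
        print("  posted   :", evaluate(LOGIN_DEFS_POSTED, BENCHMARK_XML, profile))
        print("  compliant:", evaluate(LOGIN_DEFS_COMPLIANT, BENCHMARK_XML, profile))
```

Run against the posted values, the 'common' profile fails both rules (1 < 7 and 180 > 90) while the selector-less defaults pass them, which is exactly the gap between what the HTML guide shows and what the profile actually enforces.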