[Open-scap] issue with PASS_MIN_DAYS validation

wm-lists wm-lists at nixpeeps.com
Thu Oct 24 17:48:55 UTC 2013


Thanks Jan
That seems to have solved that one issue.  I'll keep trying on the others
and see if I can figure out what's linked to what!


Will


On Thu, Oct 24, 2013 at 12:47 PM, Jan Lieskovsky <jlieskov at redhat.com> wrote:

> Hello Will,
>
>   thank you for checking with us.
>
> ----- Original Message -----
> > From: "wm-lists" <wm-lists at nixpeeps.com>
> > To: open-scap-list at redhat.com
> > Sent: Thursday, October 24, 2013 2:52:41 PM
> > Subject: [Open-scap] issue with PASS_MIN_DAYS validation
> >
> > I'm using scap-security-guide-0.1-12.el6.noarch as my source from
> > http://people.redhat.com/swells/scap-security-guide/rpmbuild/src/redhat/RPMS/noarch/
> >
> > Running oscap xccdf eval --profile server
> > /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
>
> The 'server' profile extends the 'common' profile. Having a look at the
> 'common' profile definition:
>   [1] http://people.redhat.com/swells/scap-security-guide/RHEL6/input/profiles/common.xml
>
> it can be seen that =>
>
> > Generates a failure for
> > Title Set Password Minimum Age
> > Rule password_min_age
> > Ident CCE-27013-2
> > Result fail
> >
>
> <refine-value idref="var_accounts_minimum_age_login_defs" selector="7"/>
> <!-- minimum password age -->
>
> the profile requires / specifies the minimum password login age to be
> set to a value of 7 for the rule to succeed.
>
> Generally, profiles can define their own requirements (via a particular
> variable definition) for how a particular rule should be evaluated for
> success (IOW the values specified in the profile might differ from the
> values specified in the HTML form of the guide):
>   [2] http://people.redhat.com/swells/scap-security-guide/RHEL6/output/rhel6-guide.html
>
> > Title Set Password Maximum Age
> > Rule password_max_age
> > Ident CCE-26985-2
> > Result fail
>
> Similar for max password age:
>
> <refine-value idref="var_accounts_maximum_age_login_defs" selector="90"/>
> <!-- maximum password age -->
>
> A value of at most 90 is required for the test to succeed.
>
> For the rest of the rules I didn't search for exact details,
> but I assume the explanation would be the same.
>
> Hope the above is helpful. Let us know if we can be of any further
> assistance.
>
> Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> >
> > Title Set Password Strength Minimum Uppercase Characters
> > Rule password_require_uppercases
> > Ident CCE-26601-5
> > Result fail
> >
> > Title Set Password Strength Minimum Special Characters
> > Rule password_require_specials
> > Ident CCE-26409-3
> > Result fail
> >
> > Title Set Password Strength Minimum Lowercase Characters
> > Rule password_require_lowercases
> > Ident CCE-26631-2
> > Result fail
> >
> > Among others.
> > I have cracklib configured in what I believe is the correct way (according to the CCE)
> > # grep cracklib /etc/pam.d/system-auth-ac
> > password requisite pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4 try_first_pass retry=3 minlen=14 type=
> > # grep PASS /etc/login.defs
> > # grep PASS /etc/login.defs
> >
> > PASS_MAX_DAYS 180
> > PASS_MIN_DAYS 1
> > PASS_MIN_LEN 14
> > PASS_WARN_AGE 7
> >
> > Any help on what I might be missing here?
> >
> > Thanks!
> > Will
> >
>
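
Added example, not part of the original thread and not code from OpenSCAP or scap-security-guide: a small Python check that reads a profile's `refine-value` selectors and compares them with the `login.defs` settings posted in the question. It assumes that the selector name is the numeric value itself (as the reply describes) and that the minimum-age rule accepts any value of at least the selected number; the function names and the `CHECKS` mapping are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed profile fragment wrapping the two refine-value lines quoted above.
PROFILE_XML = """<Profile id="common">
  <refine-value idref="var_accounts_minimum_age_login_defs" selector="7"/>
  <refine-value idref="var_accounts_maximum_age_login_defs" selector="90"/>
</Profile>"""

# The /etc/login.defs settings reported in the original question.
LOGIN_DEFS = "PASS_MAX_DAYS 180\nPASS_MIN_DAYS 1\nPASS_MIN_LEN 14\nPASS_WARN_AGE 7\n"

# Assumed mapping: XCCDF variable -> (login.defs key, comparison, wording).
CHECKS = {
    "var_accounts_minimum_age_login_defs": ("PASS_MIN_DAYS", lambda have, want: have >= want, "at least"),
    "var_accounts_maximum_age_login_defs": ("PASS_MAX_DAYS", lambda have, want: have <= want, "at most"),
}

def profile_requirements(xml_text):
    """Return {variable: required value}; namespaced XCCDF tags are matched too."""
    reqs = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "refine-value" and el.get("idref") in CHECKS:
            reqs[el.get("idref")] = int(el.get("selector"))  # assumes numeric selector
    return reqs

def parse_login_defs(text):
    """Parse 'KEY value' lines, ignoring comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)$", line.split("#", 1)[0].strip())
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def evaluate(xml_text, login_defs_text):
    """Return {login.defs key: (result, detail)} for each profile requirement."""
    settings = parse_login_defs(login_defs_text)
    results = {}
    for var, want in profile_requirements(xml_text).items():
        key, ok, word = CHECKS[var]
        have = settings.get(key)
        passed = have is not None and have.isdigit() and ok(int(have), want)
        results[key] = ("pass" if passed else "fail", f"{key}={have}, profile wants {word} {want}")
    return results

if __name__ == "__main__":
    for result, detail in evaluate(PROFILE_XML, LOGIN_DEFS).values():
        print(f"{result:4}  {detail}")
```

Run against the posted settings, both password-age keys come out as fail, which matches the scan results in the question.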