SSG 0.1-14-14 - deny_password_attempts
by ssg fthfth
For SSGID Set Deny For Failed Password Attempts - (CCE-26844-1), with either the stig-rhel6-server or usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.
The SSG content checks maximum failed login attempts allowed in /etc/pam.d/system-auth and /etc/pam.d/password-auth.
The STIG checks /etc/pam.d/system-auth-ac
/etc/pam.d/system-auth-ac file is symlinked to /etc/pam.d/system-auth
Any changes made to /etc/pam.d/system-auth are overwritten when authconfig is run.
10 years, 2 months
SSG 0.1-14-14 - no_hashes_outside_shadow
by ssg fthfth
For SSGID Verify All Account Password Hashes are Shadowed - (CCE-26476-2), with either the stig-rhel6-server or the usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.
See the following report output:
Verify All Account Password Hashes are Shadowed
ID: no_hashes_outside_shadow
Result: Fail
Identities: CCE-26476-2
Description: If any password hashes are stored in /etc/passwd (in the second field, instead of an x), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.
Fix Text:
Severity: medium
Weight:
Reference: IA-5(h)
201
Definitions:
ID: oval:ssg:def:717
Result: false
Title: All Password Hashes Shadowed
Description: All password hashes should be shadowed.
Class: compliance
Tests:
false (All item-state comparisons must be true.)
false (password hashes are shadowed)
Tests:
Test ID: oval:ssg:tst:718
Result: false
Title: password hashes are shadowed
Check Existence: One or more collected items must exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1760
Object Requirements:
username must match the pattern '.*'
State ID: oval:ssg:ste:1761
State Requirements:
password must be equal to 'x'
Collected Item Properties:
username equals 'root'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '0'
group_id equals '0'
gcos equals 'root'
home_dir equals '/root'
login_shell equals '/bin/bash'
last_login equals '1388687566'
Collected Item Properties:
username equals 'bin'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '1'
group_id equals '1'
gcos equals 'bin'
home_dir equals '/bin'
login_shell equals '/sbin/nologin'
last_login equals '0'
Collected Item Properties:
username equals 'daemon'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '2'
group_id equals '2'
gcos equals 'daemon'
home_dir equals '/sbin'
login_shell equals '/sbin/nologin'
last_login equals '0'
Collected Item Properties:
username equals 'adm'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '3'
group_id equals '4'
gcos equals 'adm'
home_dir equals '/var/adm'
login_shell equals '/sbin/nologin'
last_login equals '0'
Collected Item Properties:
username equals 'lp'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '4'
group_id equals '7'
gcos equals 'lp'
home_dir equals '/var/spool/lpd'
login_shell equals '/sbin/nologin'
last_login equals '0'
Collected Item Properties:
username equals 'sync'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '5'
group_id equals '0'
gcos equals 'sync'
home_dir equals '/sbin'
login_shell equals '/bin/sync'
last_login equals '0'
Collected Item Properties:
username equals 'shutdown'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '6'
group_id equals '0'
gcos equals 'shutdown'
home_dir equals '/sbin'
login_shell equals '/sbin/shutdown'
last_login equals '0'
Collected Item Properties:
username equals 'halt'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '7'
group_id equals '0'
gcos equals 'halt'
home_dir equals '/sbin'
login_shell equals '/sbin/halt'
last_login equals '0'
Collected Item Properties:
username equals 'mail'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '8'
group_id equals '12'
gcos equals 'mail'
home_dir equals '/var/spool/mail'
login_shell equals '/sbin/nologin'
last_login equals '0'
Collected Item Properties:
username equals 'uucp'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '10'
group_id equals '14'
gcos equals 'uucp'
home_dir equals '/var/spool/uucp'
login_shell equals '/sbin/nologin'
last_login equals '0'
Collected Item Properties:
username equals 'operator'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '11'
group_id equals '0'
gcos equals 'operator'
home_dir equals '/root'
login_shell equals '/sbin/nologin'
last_login equals '0'
Collected Item Properties:
username equals 'games'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '12'
group_id equals '100'
gcos equals 'games'
home_dir equals '/usr/games'
login_shell equals '/sbin/nologin'
last_login equals '0'
Collected Item Properties:
username equals 'gopher'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '13'
group_id equals '30'
gcos equals 'gopher'
home_dir equals '/var/gopher'
login_shell equals '/sbin/nologin'
last_login equals '0'
Collected Item Properties:
username equals 'ftp'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '14'
group_id equals '50'
gcos equals 'FTP User'
home_dir equals '/var/ftp'
login_shell equals '/sbin/nologin'
last_login equals '0'
Collected Item Properties:
username equals 'nobody'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '99'
group_id equals '99'
gcos equals 'Nobody'
home_dir equals '/'
login_shell equals '/sbin/nologin'
last_login equals '0'
Collected Item Properties:
username equals 'dbus'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '81'
group_id equals '81'
gcos equals 'System message bus'
home_dir equals '/'
login_shell equals '/sbin/nologin'
last_login equals '0'
Collected Item Properties:
username equals 'vcsa'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '69'
group_id equals '69'
gcos equals 'virtual console memory owner'
home_dir equals '/dev'
login_shell equals '/sbin/nologin'
last_login equals '0'
Collected Item Properties:
username equals 'rtkit'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '499'
group_id equals '497'
gcos equals 'RealtimeKit'
home_dir equals '/proc'
login_shell equals '/sbin/nologin'
last_login equals '0'
Collected Item Properties:
username equals 'avahi-autoipd'
password equals '[MASKED PASSWORD FIELD]'
user_id equals '170'
group_id equals '170'
gcos equals 'Avahi IPv4LL Stack'
home_dir equals '/var/lib/avahi-autoipd'
login_shell equals '/sbin/nologin'
last_login equals '0'
Collected Item Properties:
10 years, 2 months
SSG 0.1-14-14 - enable_randomize_va_space
by ssg fthfth
For SSGID Enable Randomized Layout of Virtual Address Space - (CCE-26999-3), with either the stig-rhel6-server or usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine. The Check Content for RHEL-06-000078 is to query the kernel parameter running state. If the system defaults to ‘2’ but configuration has not been set, with the SSG this check will fail on a RHEL6V1R2 compliant machine.
The command
/bin/echo -e "\n# ASLR\nkernel.randomize_va_space = 2" >> /etc/sysctl.conf
may not be necessary as verified by
sysctl kernel.randomize_va_space
Whether to verify the runtime state, configuration, or both is a common theme that we have seen in content/tool review of results.
10 years, 2 months
SSG 0.1-14-14 - enable_execshield
by ssg fthfth
For SSGID Enable ExecShield - (CCE-27007-4), with either the stig-rhel6-server or usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine. The SSG is checking the Kernel Runtime Parameter kernel.exec-shield by identifying the value pair kernel.exec-shield = 1 in '/etc/sysctl.conf'
Runtime state vice the configuration:
(1) query kernel parameter
(2) if not set, query /etc/sysctl.conf
The DISA STIG first queries the kernel parameter by sysctl kernel.exec-shield ( /proc/sys/kernel/exec-shield)
If not set, then update sysctl.conf
For example, exec-shield is enabled by default:
/bin/cat /proc/sys/kernel/exec-shield
1
In this case, /bin/echo -e "\n# Exec-Shield\nkernel.exec-shield = 1" >> /etc/sysctl.conf is not required for compliance. The check should verify running state, not optional configuration, possibly by way of:
sysctl kernel.exec-shield
or `cat` as listed above. Whether to verify the runtime state, configuration, or both is a common theme that we have seen in content/tool review.
10 years, 2 months
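The runtime-versus-configuration question raised in the enable_randomize_va_space and enable_execshield posts above, as an added example that is not part of the posts or of SSG or STIG content: a shell check that reads the running value and the /etc/sysctl.conf setting separately and says which of the two a pass rests on. The function names, the verdict strings and the PROC_ROOT and SYSCTL_CONF overrides are assumptions made for the example, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example, not SSG or STIG content. Names and verdict strings are
# hypothetical. PROC_ROOT and SYSCTL_CONF can be overridden so the check can
# run against a constructed tree instead of the live system.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# Running value: kernel.exec-shield -> $PROC_ROOT/kernel/exec-shield
runtime_value() (
    path="$PROC_ROOT/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] || exit 1
    tr -d '[:space:]' < "$path"
)

# Persistent value: last uncommented "key = value" line in sysctl.conf
# (later lines override earlier ones when the file is loaded).
configured_value() (
    [ -r "$SYSCTL_CONF" ] || exit 1
    key_re=$(printf '%s' "$1" | sed 's/[.]/[.]/g')
    val=$(sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" \
        "$SYSCTL_CONF" | tail -n 1)
    [ -n "$val" ] || exit 1
    printf '%s' "$val"
)

# check_param KEY EXPECTED -> one verdict word on stdout
check_param() (
    key=$1; want=$2
    run=$(runtime_value "$key") || run=
    conf=$(configured_value "$key") || conf=
    if [ "$run" != "$want" ]; then
        echo "fail-runtime"
    elif [ -z "$conf" ]; then
        echo "pass-runtime-only"            # the case both posts describe
    elif [ "$conf" = "$want" ]; then
        echo "pass-both"
    else
        echo "pass-runtime-config-differs"  # next load of sysctl.conf changes it
    fi
)

# Constructed tree: exec-shield is on at runtime with no sysctl.conf entry;
# randomize_va_space is set both at runtime and in the file.
demo() (
    tmp=$(mktemp -d) || exit 1
    mkdir -p "$tmp/proc/kernel"
    echo 1 > "$tmp/proc/kernel/exec-shield"
    echo 2 > "$tmp/proc/kernel/randomize_va_space"
    printf '# constructed\nkernel.randomize_va_space = 2\n' > "$tmp/sysctl.conf"
    PROC_ROOT="$tmp/proc"; SYSCTL_CONF="$tmp/sysctl.conf"
    for p in kernel.exec-shield:1 kernel.randomize_va_space:2; do
        echo "${p%%:*} $(check_param "${p%%:*}" "${p##*:}")"
    done
    rm -rf "$tmp"
)
demo
```

A content check that only greps /etc/sysctl.conf reports the "pass-runtime-only" host as a failure, which is the false positive described in both posts.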
SSG 0.1-14-14 - umask_for_daemons
by ssg fthfth
For SSGID Set Daemon Umask - (CCE-27031-4), with either the stig-rhel6-server or usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine. RHEL-06-000346 compliant values are 022 or 027. The SSG compliant value is 027.
10 years, 2 months
SSG 0.1-14-14 - disable_tftp
by ssg fthfth
For Disable tftp Service - (CCE-27055-3), with either the stig-rhel6-server or the usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-negative on a RHEL6V1R2 non-compliant machine.
The Check Content for RHEL-06-000223 reads, "Output should indicate the "tftp" service has either not been installed, or has been disabled at all run levels, as shown in the example below: # chkconfig "tftp" --list "tftp" 0:off 1:off 2:off 3:off 4:off 5:off 6:off" The expected output should be, "tftp off" as it is part of xinetd. chkconfig can manage xinetd scripts via the means of xinetd.d configuration files, but only the on, off, and --list commands are supported for xinetd.d services.
The non-compliant system has tftp running:
/usr/bin/sudo /sbin/chkconfig "tftp" --list
tftp on
See the following report output:
Disable tftp Service
ID: disable_tftp
Result: Pass
Identities: CCE-27055-3
Description: The tftp service should be disabled. The tftp service can be disabled with the following command: # chkconfig tftp off
Fix Text:
Severity: medium
Weight:
Reference: AC-17(8)
CM-7
1436
Definitions:
ID: oval:ssg:def:247
Result: true
Title: Service tftp Disabled
Description: The tftp service should be disabled if possible.
Class: compliance
Tests:
true (One or more item-state comparisons may be true.)
true (All item-state comparisons must be true.)
true (Runlevel test)
true (Runlevel test)
true (Runlevel test)
true (Runlevel test)
true (Runlevel test)
true (Runlevel test)
true (Runlevel test)
false (All item-state comparisons must be true.)
false (package tftp-server is removed)
Tests:
Test ID: oval:ssg:tst:249
Result: true
Title: Runlevel test
Check Existence: Zero or more collected items may exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1360
Object Requirements:
service_name must be equal to 'tftp'
runlevel must be equal to '0'
State ID: oval:ssg:ste:1361
State Requirements:
start must be equal to 'false'
kill must be equal to 'true'
Collected Item Properties:
service_name does not exist
runlevel does not exist
start does not exist
kill does not exist
Additional Information:
Test ID: oval:ssg:tst:250
Result: true
Title: Runlevel test
Check Existence: Zero or more collected items may exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1362
Object Requirements:
service_name must be equal to 'tftp'
runlevel must be equal to '1'
State ID: oval:ssg:ste:1361
State Requirements:
start must be equal to 'false'
kill must be equal to 'true'
Collected Item Properties:
service_name does not exist
runlevel does not exist
start does not exist
kill does not exist
Additional Information:
Test ID: oval:ssg:tst:251
Result: true
Title: Runlevel test
Check Existence: Zero or more collected items may exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1363
Object Requirements:
service_name must be equal to 'tftp'
runlevel must be equal to '2'
State ID: oval:ssg:ste:1361
State Requirements:
start must be equal to 'false'
kill must be equal to 'true'
Collected Item Properties:
service_name does not exist
runlevel does not exist
start does not exist
kill does not exist
Additional Information:
Test ID: oval:ssg:tst:252
Result: true
Title: Runlevel test
Check Existence: Zero or more collected items may exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1364
Object Requirements:
service_name must be equal to 'tftp'
runlevel must be equal to '3'
State ID: oval:ssg:ste:1361
State Requirements:
start must be equal to 'false'
kill must be equal to 'true'
Collected Item Properties:
service_name does not exist
runlevel does not exist
start does not exist
kill does not exist
Additional Information:
Test ID: oval:ssg:tst:253
Result: true
Title: Runlevel test
Check Existence: Zero or more collected items may exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1365
Object Requirements:
service_name must be equal to 'tftp'
runlevel must be equal to '4'
State ID: oval:ssg:ste:1361
State Requirements:
start must be equal to 'false'
kill must be equal to 'true'
Collected Item Properties:
service_name does not exist
runlevel does not exist
start does not exist
kill does not exist
Additional Information:
Test ID: oval:ssg:tst:254
Result: true
Title: Runlevel test
Check Existence: Zero or more collected items may exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1366
Object Requirements:
service_name must be equal to 'tftp'
runlevel must be equal to '5'
State ID: oval:ssg:ste:1361
State Requirements:
start must be equal to 'false'
kill must be equal to 'true'
Collected Item Properties:
service_name does not exist
runlevel does not exist
start does not exist
kill does not exist
Additional Information:
Test ID: oval:ssg:tst:255
Result: true
Title: Runlevel test
Check Existence: Zero or more collected items may exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1367
Object Requirements:
service_name must be equal to 'tftp'
runlevel must be equal to '6'
State ID: oval:ssg:ste:1361
State Requirements:
start must be equal to 'false'
kill must be equal to 'true'
Collected Item Properties:
service_name does not exist
runlevel does not exist
start does not exist
kill does not exist
Additional Information:
Test ID: oval:ssg:tst:583
Result: false
Title: package tftp-server is removed
Check Existence: No collected items may exist.
Check: Result is based on check existence only.
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1639
Object Requirements:
name must be equal to 'tftp-server'
Collected Item Properties:
name equals 'tftp-server'
arch equals 'i686'
epoch equals '0'
release equals '7.el6'
version equals '0.49'
evr equals '0:0.49-7.el6'
signature_keyid equals '0946fca2c105b9de'
Additional Information: Collected items did not meet the check existence requirement.
10 years, 2 months
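The two `chkconfig --list` output shapes discussed in the disable_tftp post above, as an added example that is not part of the post or of SSG or STIG content: a parser that recognises both the per-runlevel form and the single on/off form printed for xinetd.d services, so that a service with no runlevel entries is not treated as disabled by default. The function names and verdict strings are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not SSG or STIG content; function names and verdict strings
# are hypothetical. Input on stdin is the text printed by
# `chkconfig --list NAME` (or the full `chkconfig --list`).

# service_state NAME -> sysv-on | sysv-off | xinetd-on | xinetd-off | absent
service_state() (
    awk -v svc="$1" '
        { n = $1; sub(/:$/, "", n) }          # full listing prints "tftp:"
        n != svc { next }
        # xinetd.d services have no runlevels, only a single on/off column
        NF == 2 && ($2 == "on" || $2 == "off") {
            print "xinetd-" $2; found = 1; exit
        }
        # SysV services print one N:on / N:off column per runlevel
        NF >= 2 {
            state = "sysv-off"
            for (i = 2; i <= NF; i++) if ($i ~ /^[0-6]:on$/) state = "sysv-on"
            print state; found = 1; exit
        }
        END { if (!found) print "absent" }
    '
)

# is_disabled NAME -> exit 0 only when the service is off in whichever form
# it is registered, or is not registered at all.
is_disabled() (
    case "$(service_state "$1")" in
        absent|sysv-off|xinetd-off) exit 0 ;;
        *) exit 1 ;;
    esac
)

# Constructed samples: the xinetd form from the post, the per-runlevel form
# quoted from the Check Content, and a listing that omits the service.
demo() {
    printf 'tftp           \ton\n' | service_state tftp
    printf 'tftp\t0:off\t1:off\t2:off\t3:off\t4:off\t5:off\t6:off\n' | service_state tftp
    printf 'sshd\t0:off\t1:off\t2:on\t3:on\t4:on\t5:on\t6:off\n' | service_state tftp
}
demo
```

The report in the post shows the opposite behaviour: each runlevel test collected no items for tftp, was allowed to pass with zero items, and the rule passed while `chkconfig` reported `tftp on`.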
SSG 0.1-14-14 - enable_screensaver_password_lock
by ssg fthfth
For Enable Screen Lock Activation After Idle Period - (CCE-26235-2), with either the stig-rhel6-server or the usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-negative on a RHEL6V1R2 non-compliant machine.
The non-compliant system has the screensaver lock disabled:
/usr/bin/sudo /usr/bin/gconftool-2 -g /apps/gnome-screensaver/lock_enabled
False
See the following report output:
Enable Screen Lock Activation After Idle Period
ID: enable_screensaver_password_lock
Result: Pass
Identities: CCE-26235-2
Description: Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/lock_enabled true
Fix Text:
Severity: medium
Weight:
Reference: AC-11(a)
57
Definitions:
ID: oval:ssg:def:770
Result: true
Title: Implement idle activation of screen lock
Description: Idle activation of the screen lock should be enabled.
Class: compliance
Tests:
true (All item-state comparisons must be true.)
true (screensaver lock is enabled)
Tests:
Test ID: oval:ssg:tst:771
Result: true
Title: screensaver lock is enabled
Check Existence: One or more collected items must exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1804
Object Requirements:
filepath must be equal to '/etc/gconf/gconf.xml.defaults/%gconf-tree.xml'
xpath must be equal to '/gconf/dir[@name='schemas']/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='lock_enabled']/local_schema[1]/default[1]/@value'
State ID: oval:ssg:ste:1805
State Requirements:
value_of must be equal to 'true'
Collected Item Properties:
filepath equals '/etc/gconf/gconf.xml.defaults/%gconf-tree.xml'
path equals '/etc/gconf/gconf.xml.defaults'
filename equals '%gconf-tree.xml'
xpath equals '/gconf/dir[@name='schemas']/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='lock_enabled']/local_schema[1]/default[1]/@value'
value_of equals 'true'
Additional Information:
10 years, 2 months
SSG 0.1-14-14 - enable_screensaver_after_idle
by ssg fthfth
For GNOME Desktop Screensaver Mandatory Use - (CCE-26600-7), with either the stig-rhel6-server or the usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-negative on a RHEL6V1R2 non-compliant machine.
On the non-compliant system, idle activation for the screensaver is disabled:
/usr/bin/sudo /usr/bin/gconftool-2 -g /apps/gnome-screensaver/idle_activation_enabled
False
See the following report output:
GNOME Desktop Screensaver Mandatory Use
ID: enable_screensaver_after_idle
Result: Pass
Identities: CCE-26600-7
Description: Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/idle_activation_enabled true
Fix Text:
Severity: medium
Weight:
Reference: AC-11(a)
57
Definitions:
ID: oval:ssg:def:653
Result: true
Title: Implement idle activation of screen saver
Description: Idle activation of the screen saver should be enabled.
Class: compliance
Tests:
true (All item-state comparisons must be true.)
true (gnome screensaver is activated on idle)
Tests:
Test ID: oval:ssg:tst:654
Result: true
Title: gnome screensaver is activated on idle
Check Existence: One or more collected items must exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1699
Object Requirements:
filepath must be equal to '/etc/gconf/gconf.xml.defaults/%gconf-tree.xml'
xpath must be equal to '/gconf/dir[@name='schemas']/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='idle_activation_enabled']/local_schema[1]/default[1]/@value'
State ID: oval:ssg:ste:1700
State Requirements:
value_of must be equal to 'true'
Collected Item Properties:
filepath equals '/etc/gconf/gconf.xml.defaults/%gconf-tree.xml'
path equals '/etc/gconf/gconf.xml.defaults'
filename equals '%gconf-tree.xml'
xpath equals '/gconf/dir[@name='schemas']/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='idle_activation_enabled']/local_schema[1]/default[1]/@value'
value_of equals 'true'
Additional Information:
10 years, 2 months
SSG 0.1-14-14 - set_screensaver_inactivity_timeout
by ssg fthfth
For Set GNOME Login Inactivity Timeout - (CCE-26828-4), with either the stig-rhel6-server or the usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-negative when running SCC 3.1.1.1 on a RHEL6V1R2 non-compliant machine.
The non-compliant system login inactivity timeout is:
/usr/bin/sudo /usr/bin/gconftool-2 -g /apps/gnome-screensaver/idle_delay
999
See the following report output:
Set GNOME Login Inactivity Timeout
ID: set_screensaver_inactivity_timeout
Result: Pass
Identities: CCE-26828-4
Description: Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes: # gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type int \ --set /apps/gnome-screensaver/idle_delay 15
Fix Text:
Severity: medium
Weight:
Reference: AC-11(a)
57
Definitions:
ID: oval:ssg:def:497
Result: true
Title: Configure GUI Screen Locking
Description: The allowed period of inactivity before the screensaver is activated.
Class: compliance
Tests:
true (All item-state comparisons must be true.)
true (test screensaver timeout period)
Tests:
Test ID: oval:ssg:tst:498
Result: true
Title: test screensaver timeout period
Check Existence: One or more collected items must exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1565
Object Requirements:
filepath must be equal to '/etc/gconf/gconf.xml.defaults/%gconf-tree.xml'
xpath must be equal to '/gconf/dir[@name='schemas']/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='idle_delay']/local_schema[1]/default[1]/@value'
State ID: oval:ssg:ste:1566
State Requirements:
value_of must be less than or equal to '15'
Collected Item Properties:
filepath equals '/etc/gconf/gconf.xml.defaults/%gconf-tree.xml'
path equals '/etc/gconf/gconf.xml.defaults'
filename equals '%gconf-tree.xml'
xpath equals '/gconf/dir[@name='schemas']/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='idle_delay']/local_schema[1]/default[1]/@value'
value_of equals '10'
Additional Information:
10 years, 2 months
SSG 0.1-14-14 - accounts_password_warn_age_login_defs
by ssg fthfth
For Set Password Warning Age - (CCE-26988-6), with either the stig-rhel6-server or the usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-negative when running SCC 3.1.1.1 on a RHEL6V1R2 non-compliant machine.
# /bin/grep ^PASS_WARN_AGE /etc/login.defs | cut -f2
77
See the following report output:
Set Password Warning Age
ID: accounts_password_warn_age_login_defs
Result: Pass
Identities: CCE-26988-6
Description: To specify how many days prior to password expiration that a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line, replacing DAYS appropriately: PASS_WARN_AGE DAYS The DoD requirement is 7.
Fix Text:
Severity: low
Weight:
Reference: IA-5(f)
Definitions:
ID: oval:ssg:def:351
Result: true
Title: Set Password Expiration Parameters
Description: The password expiration warning age should be set appropriately.
Class: compliance
Tests:
true (All item-state comparisons must be true.)
true (Tests the value of PASS_WARN_AGE in /etc/login.defs)
Tests:
Test ID: oval:ssg:tst:352
Result: true
Title: Tests the value of PASS_WARN_AGE in /etc/login.defs
Check Existence: One or more collected items must exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1450
Object Requirements:
filepath must be equal to '/etc/login.defs'
pattern must match the pattern '^[\s]*PASS_WARN_AGE[\s]*(\d+)\s*$'
instance must be equal to '1'
State ID: oval:ssg:ste:1451
State Requirements:
subexpression must be greater than or equal to '7'
Collected Item Properties:
filepath equals '/etc/login.defs'
path equals '/etc'
filename equals 'login.defs'
pattern equals '^[\s]*PASS_WARN_AGE[\s]*(\d+)\s*$'
instance equals '1'
text equals 'PASS_WARN_AGE 77 '
subexpression equals '77'
Additional Information:
10 years, 2 months