On 4/26/12 8:06 PM, Willy Santos wrote:

CCI-000196 requires enforcing password encryption for storage. no_hashes_outside_shadow meets this requirement.

Signed-off-by: Willy Santos <wsantos@redhat.com>
---
 .../accounts/restrictions/password_storage.xml     |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/rhel6/src/input/system/accounts/restrictions/password_storage.xml b/rhel6/src/input/system/accounts/restrictions/password_storage.xml
index 30a6f52..e989bd5 100644
--- a/rhel6/src/input/system/accounts/restrictions/password_storage.xml
+++ b/rhel6/src/input/system/accounts/restrictions/password_storage.xml
@@ -49,6 +49,7 @@ which is readable by all users.
 <ident cce="14300-8" />
 <oval id="accounts_password_all_shadowed" />
 <ref nist="IA-5" />
+<ident cci="CCI-000196" />
 </Rule>
 </Group>

Ack

Note that DISA's description of CCI-000196 only says passwords must be encrypted in storage (aka /etc/shadow), however the NIST IA-5 (1)(c) control this maps back to also specifically adds passwords must be encrypted in transmission as well. I'd like to map this back to the requirement to disable telnet too. I created ticket #45 to remind us to do that.

-- 
Shawn Wells
Technical Director,
U.S. Intelligence Programs
(e) shawn@redhat.com
(c) 443.534.0130