All,
Please forgive my ignorance, as I am just starting to
wrap my brain around the terminology in the Security
community and the SCAP testing tools. I guess a newbie
warning. I attempted to highlight sections of text below
to help in reading, but it may
get stripped out from some emailers. Jump to the bottom if
you want to see my questions and skip the investigation
parts.
After the Red Hat conference, I got interested in the
SCAP-Security-Guide and OpenScap project in terms of helping
to pass the RHEL 6 STIG from the DoD. Primarily I am in
R&D for a large Healthcare software company. We are
evaluating RHEL 6 now and
I wanted to incorporate as much of the DoD security
components that I could. The SCAP-Security-Guide and
OpenScap seemed like a perfect fit.
My configuration:
RHEL 6.4 +
openscap.x86_64 0.9.3-1.el6
openscap-utils.x86_64 0.9.3-1.el6
scap-security-guide.noarch 0.1-12.el6
I read through all of the pages in the SCAP Security
Guide web site, read the STIGs, and tested an eval of oscap
with the Profile set to stig-rhel6-server. I kept failing
the series of checks associated with the
/etc/pam.d/system-auth setting on pam_cracklib.so.
The rhel6-guide.html (section 2.4.2.2.1) indicated to
change /etc/pam.d/system-auth to read:
password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
Seemed simple enough. But, I was still failing the
evaluation check. The 'dcredit' would pass, but the
parameters beyond that would fail their respective checks.
Looking at the DoD STIG, version 1 release 2, it also
showed that a ucredit=-1 was the expected setting to pass
V-38569.
I first read through the open tickets to see if this was
a reported defect. Nothing in particular matched, although
there was some talk about changing these checks to work on
both the /etc/pam.d/system-auth and /etc/pam.d/password-auth
files.
I decided to dig into the source.
From the "accounts_password_pam_cracklib_ucredit.xml"
[1], I see that the checks appear to be a pattern match
operation, searching the file "system-auth" located in the
"/etc/pam.d" directory. I am not 100% sure what the
<ind:instance> is telling me,
but I assumed it was (a) the return value of the pattern
match had to be less than or equal to 1, or (b) that the
number of matches found in the system-auth file had to be
less than or equal to 1.
<ind:textfilecontent54_object id="obj_password_pam_cracklib_ucredit" version="1">
  <ind:path>/etc/pam.d</ind:path>
  <ind:filename>system-auth</ind:filename>
  <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]ucredit=(-?\d+)(?:[\s]|$)</ind:pattern>
  <ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
My regex skills are weak, so I went to a helpful web
site[2] to help interpret the regex. Given my line in
system-auth file and the regex listed in the check, the
regex appeared to be working as designed. A value of "-1"
was being returned in the second
element of the array.
That is good.
I thought maybe my downloaded scap-security-guide content
may have been out of date compared to the source I was
reviewing. The mailing list seems to show a very active
project with many patches flowing into the project.
Since the installed files are a compilation of hundreds
of source xml files, reviewing the installed xml was
interesting. I am sure there is a simpler way to connect a
check to the commands... but here is how I completed the task.
In "ssg-rhel6-oval.xml", I find a <definition
id="oval:ssg:def:249"> that contains criteria for the
ucredit test, test_ref="oval:ssg:tst:250".
<definition class="compliance" id="oval:ssg:def:249" version="1">
  <metadata>
    <title>Set Password ucredit Requirements</title>
    <affected family="unix">
      <platform>Red Hat Enterprise Linux 6</platform>
    </affected>
    <description>The password ucredit should meet minimum requirements using pam_cracklib</description>
    <reference source="ssg" ref_id="accounts_password_pam_cracklib_ucredit"/>
  </metadata>
  <criteria>
    <criterion comment="Conditions for ucredit are satisfied" test_ref="oval:ssg:tst:250"/>
  </criteria>
</definition>
Searching for "oval:ssg:tst:250", I find a stanza
pointing to the object_ref="oval:ssg:obj:1295" and
state_ref="oval:ssg:ste:1296".
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg:tst:250" version="1">
  <ind:object object_ref="oval:ssg:obj:1295"/>
  <ind:state state_ref="oval:ssg:ste:1296"/>
</ind:textfilecontent54_test>
Object 1295 is the check which matches the source code I
found:
<ind:textfilecontent54_object id="oval:ssg:obj:1295" version="1">
  <ind:path>/etc/pam.d</ind:path>
  <ind:filename>system-auth</ind:filename>
  <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]ucredit=(-?\d+)(?:[\s]|$)</ind:pattern>
  <ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
That is good. My installed XML matches the source code
tree I was reviewing. But, I am still stuck with a failed
check.
The state_ref="oval:ssg:ste:1296" points to a variable
reference, var_ref="oval:ssg:var:2120".
<ind:textfilecontent54_state id="oval:ssg:ste:1296" version="1">
  <ind:instance datatype="int">1</ind:instance>
  <ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:2120"/>
</ind:textfilecontent54_state>
The variable reference, var_ref="oval:ssg:var:2120",
points to
<external_variable comment="External variable for pam_cracklib ucredit" datatype="int" id="oval:ssg:var:2120" version="1"/>
I am not sure what an external variable is... but I did find
it referenced in the "ssg-rhel6-xccdf.xml" file as part of
the Rule id="password_require_uppercases".
  <check-export export-name="oval:ssg:var:2120" value-id="var_password_pam_cracklib_ucredit"/>
  <check-content-ref name="oval:ssg:def:249" href="ssg-rhel6-oval.xml"/>
</check>
So, now I have a
value-id="var_password_pam_cracklib_ucredit". I searched
some more...
Under the Profile <Profile id="stig-rhel6-server">,
I find the following:
<refine-value idref="var_password_pam_cracklib_ucredit" selector="2"/>
I notice that the "dcredit" variable, which is passing,
is assigned a selector="1", but the others that were failing
all had a selector="2".
<refine-value idref="var_password_pam_cracklib_retry" selector="3"/>
<refine-value idref="var_password_pam_cracklib_minlen" selector="14"/>
<refine-value idref="var_password_pam_cracklib_dcredit" selector="1"/>
<refine-value idref="var_password_pam_cracklib_ucredit" selector="2"/>
<refine-value idref="var_password_pam_cracklib_ocredit" selector="2"/>
<refine-value idref="var_password_pam_cracklib_lcredit" selector="2"/>
<refine-value idref="var_password_pam_cracklib_difok" selector="3"/>
On a whim, I changed my /etc/pam.d/system-auth line to
use a value of -2 as follows:
password requisite pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-2 ocredit=-2 lcredit=-2 difok=3
Now, I am passing the checks.
QUESTIONS:
- Is the reasoning above correct in that a Profile can use
variables to set specific values to check against?
- Did I uncover an incorrect variable value of
selector="2" in the stig-rhel6-server profile for the
ucredit (and others) associated with the pam_cracklib.so
settings?
Thanks in advance for your time.
Robert
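The OVAL evaluation chain that Robert walked through (object regex, instance filter, state comparing the captured subexpression "less than or equal" to the external variable) can be reproduced in a few lines; this is an added example, not code from the post, OpenSCAP or scap-security-guide. It reuses the ucredit regex quoted above, assumes the dcredit/ocredit/lcredit checks share that template, matches per line as a simplification of the real probe, and takes -2 as the resolved variable value because that is the only integer consistent with ucredit=-1 failing and ucredit=-2 passing; the system-auth lines are constructed.

```python
import re

# Regex copied verbatim from the OVAL object quoted in the post
# (obj_password_pam_cracklib_ucredit); Python's re accepts it unchanged.
UCREDIT_PATTERN = (r"^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+"
                   r"[\w_\.\-=\s]+[\s]ucredit=(-?\d+)(?:[\s]|$)")


def credit_pattern(param: str) -> re.Pattern:
    """Same regex for a sibling parameter (dcredit, ocredit, lcredit); assumes
    the sibling checks share the ucredit template shown in the post."""
    return re.compile(UCREDIT_PATTERN.replace("ucredit", param))


def collect_items(system_auth: str, pattern: re.Pattern) -> list:
    """Mimic the textfilecontent54_object: one (instance, subexpression) item
    per matching line. Matching per line is a simplification of the probe."""
    items = []
    for line in system_auth.splitlines():
        m = pattern.search(line)
        if m:
            items.append((len(items) + 1, int(m.group(1))))
    return items


def evaluate_test(system_auth: str, var_value: int, param: str = "ucredit") -> bool:
    """Mimic the textfilecontent54_test: keep items with instance <= 1 (the
    object filter); pass only if at least one item exists and every item meets
    the state: instance == 1 and subexpression "less than or equal" var_value."""
    items = [i for i in collect_items(system_auth, credit_pattern(param)) if i[0] <= 1]
    if not items:
        return False  # nothing collected: the test cannot be true
    return all(inst == 1 and value <= var_value for inst, value in items)


# Constructed /etc/pam.d/system-auth fragments: the rhel6-guide line and the
# author's -2 variant, each followed by typical pam_unix/pam_deny lines.
GUIDE_LINE = ("password    required      pam_cracklib.so try_first_pass retry=3 "
              "maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4")
WHIM_LINE = ("password    requisite     pam_cracklib.so try_first_pass retry=3 "
             "maxrepeat=3 minlen=14 dcredit=-1 ucredit=-2 ocredit=-2 lcredit=-2 difok=3")
TAIL = ("\npassword    sufficient    pam_unix.so sha512 shadow nullok try_first_pass "
        "use_authtok\npassword    required      pam_deny.so\n")
SAMPLE_GUIDE, SAMPLE_WHIM = GUIDE_LINE + TAIL, WHIM_LINE + TAIL

# Assumed resolved value of the external variable: -2 is the only integer for
# which ucredit=-1 fails and ucredit=-2 passes under "less than or equal".
STIG_UCREDIT = -2
```

With the variable resolved to -1 instead, the guide line passes, which is the difference between the dcredit check (selector="1") and the ucredit/ocredit/lcredit checks (selector="2") in the profile.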