Hello Trey,
thank you for checking with us.
----- Original Message -----
From: "Trey Henefield"
<trey.henefield(a)ultra-ats.com>
To: "Steve Grubb" <sgrubb(a)redhat.com>,
scap-security-guide(a)lists.fedorahosted.org
Sent: Thursday, March 20, 2014 2:09:35 PM
Subject: RE: Minimum Password Length ...
Thanks for the response Steve. That is what I had figured.
But because both the RHEL6 SSG and RHEL6 STIG require this functionality to
be configured only in /etc/login.defs as opposed to /etc/pam.d/system-auth,
it was questionable.
While system certifications simply require checking that a system is
configured in accordance with a published STIG, DSS will actually check to
see that the intended requirements are actually enforced (i.e. actually
attempt a non-compliant password as opposed to checking for applied
settings).
So if we are all in agreement, could the SSG check and fix for this please be
changed to include the setting that gets enforced (minlen=14 in
/etc/pam.d/system-auth)?
You are truly right that on Red Hat Enterprise Linux 5 the rule checks both
conditions:
http://ovaldb.altx-soft.ru/Definition.aspx?id=oval:gov.nist.usgcb.rhel:de...
while the SSG content for Red Hat Enterprise Linux 6 checks just the /etc/login.defs condition:
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/shared/ova...
But (slight) uncertainty comes from the following:
* in RHEL-5 the rule is titled "CCE-4541-1: Set password minimum length" (thus somehow implying this should be a system-wide check). While
* on RHEL-6 it is titled "2.4.1.3.a. Set Password Minimum Length in login.defs (CCE-27002-5)" (thus somehow implying it should be checking just the login.defs file due to login.defs being emphasized in the title).
This makes me believe the original intention when creating RHEL-6 content was to have just a login.defs specific rule, and then add a pam_cracklib specific rule into / under the "Set Password Quality Requirements" subsection of the "Protect Accounts by Configuring PAM" section (maybe to have login.defs and PAM rules separated into sections?). But it looks like the second part (adding a "minlen" check for the PAM case) wasn't realized later.
The summary being -- you are correct, the PAM minlen check should be added to the current form of RHEL-6 SSG content. The question is where we want to have this check added -- into the minimum password length login.defs rule (like it's done on RHEL-5) or under the PAM section (where it might seem more logical to belong).
I can come up with a patch proposal, just first need someone on the list to clarify the expected rule location. Shawn, can you possibly hint on this?
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
Thanks!
Best regards,
Trey Henefield, CISSP
Senior IAVA Engineer
Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA
Trey.Henefield(a)ultra-ats.com
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450
www.ultra-ats.com
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Thursday, March 20, 2014 7:59 AM
To: scap-security-guide(a)lists.fedorahosted.org
Cc: Trey Henefield
Subject: Re: Minimum Password Length ...
On Thursday, March 20, 2014 07:28:34 AM Trey Henefield wrote:
> Nobody has seemed to respond to this. But this is an issue.
>
> In /etc/login.defs, I have PASS_MIN_LEN set to 14, yet as a user, I
> can set the following password 56tyghbn%^TY which only has 12
> characters via the passwd command.
In our common criteria setup, we have annotated the login.defs file with the
following:
# The evaluated configuration constraints are:
# PASS_MAX_DAYS MAY be changed, must be <= 60
# PASS_MAX_DAYS MAY be changed, 0 < PASS_MIN_DAYS < PASS_MAX_DAYS
# PASS_MIN_LEN has no effect in the evaluated configuration
# PASS_WARN_AGE MAY be changed
Note...has no effect...
The intended way can be seen in system-auth:
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
Of these, cracklib is responsible for enforcing password policy. Checking its
man page, it has something called minlen. Looking at the RHEL5 USGCB
settings, this is in fact how it's set:
sed -i "/pam_cracklib.so/s/retry=3/retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3/" /etc/pam.d/system-auth
So, to have 14, alter the above settings to correct it.
-Steve
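As an added example (not code from this thread or from the SSG project), a small Python checker that evaluates both conditions the way the RHEL-5 OVAL cited above does: it parses PASS_MIN_LEN from login.defs and minlen from the pam_cracklib line in /etc/pam.d/system-auth, and reports separately which value passwd actually enforces. The file contents below are constructed samples, and the fallback of 9 when minlen= is absent is the documented pam_cracklib default.

```python
# Constructed sample files, not copied from any real host: login.defs says 14
# but the PAM password stack, which is what passwd actually enforces, says 12.
SAMPLE_LOGIN_DEFS = """\
PASS_MAX_DAYS   60
PASS_MIN_LEN    14
"""

SAMPLE_SYSTEM_AUTH = """\
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
"""

CRACKLIB_DEFAULT_MINLEN = 9  # pam_cracklib(8) default when no minlen= is given

def _tokens(text):
    """Yield the whitespace-split tokens of each non-blank, non-comment line."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts

def login_defs_min_len(text):
    """PASS_MIN_LEN from login.defs text, or None if it is not set."""
    for parts in _tokens(text):
        if parts[0] == "PASS_MIN_LEN" and len(parts) > 1 and parts[1].isdigit():
            return int(parts[1])
    return None

def pam_min_len(text):
    """Effective minlen on the first pam_cracklib line of the 'password'
    stack, or None if pam_cracklib is not in the stack at all."""
    for parts in _tokens(text):
        if (len(parts) < 3 or parts[0] != "password"
                or not parts[2].endswith("pam_cracklib.so")):
            continue
        for arg in parts[3:]:
            if arg.startswith("minlen=") and arg[7:].isdigit():
                return int(arg[7:])
        return CRACKLIB_DEFAULT_MINLEN
    return None

def check_min_password_length(login_defs, system_auth, required=14):
    """Both conditions, as the RHEL-5 OVAL cited in the thread checks them;
    only 'enforced_ok' reflects what passwd will actually accept."""
    defs_val = login_defs_min_len(login_defs)
    pam_val = pam_min_len(system_auth)
    return {"login_defs": defs_val, "pam_minlen": pam_val,
            "login_defs_ok": defs_val is not None and defs_val >= required,
            "enforced_ok": pam_val is not None and pam_val >= required}
```

Run against the samples it reports login_defs_ok as true and enforced_ok as false, which is exactly the gap a DSS-style test (trying a 12-character password) would expose.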