All,
 
Please forgive my ignorance, as I am just starting to wrap my brain around the terminology in the Security community and the SCAP testing tools.  I guess a newbie warning.   I attempted to highlight sections of text below to help in reading, but it may get stripped out from some emailers.  Jump to the bottom if you want to see my questions and skip the investigation parts.
 
After the Red Hat conference, I got interested in the SCAP-Security-Guide and OpenScap project in terms of helping to pass the RHEL 6 STIG from the DoD.    Primarily I am in R&D for a large Healthcare software company.  We are evaluating RHEL 6 now and I wanted to incorporate as much of the DoD security components that I could.  The SCAP-Security-Guide and OpenScap seemed like a perfect fit.
 
My configuration:
RHEL 6.4 +
openscap.x86_64                             0.9.3-1.el6  
openscap-utils.x86_64                       0.9.3-1.el6  
scap-security-guide.noarch                  0.1-12.el6   
 
I read through all of the pages in the SCAP Security Guide web site, read the STIGs, and tested an eval of oscap with the Profile set to stig-rhel6-server.  I kept failing the series of checks associated to the /etc/pam.d/system-auth setting on pam_cracklib.so.
 
The rhel6-guide.html (section 2.4.2.2.1) indicated to change /etc/pam.d/system-auth to read:
 
        password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
 
Seemed simple enough.  But, I was still failing the evaluation check.  The 'dcredit' would pass, but the parameters beyond that would fail their respective checks.
 
Looking at the DoD STIG, version 1 release 2, it also showed that a ucredit=-1 was the expected setting to pass V-38569.
 
I first read through the open tickets to see if this was a reported defect.  Nothing in particular matched, although there was some talk about changing these checks to work on both the /etc/pam.d/system-auth and /etc/pam.d/password-auth files.
 
I decided to dig into the source.
 
From the "accounts_password_pam_cracklib_ucredit.xml" [1], I see that the checks appear to be a pattern match operation, searching the file "system-auth" located in the "/etc/pam.d" directory.  I am not 100% sure what the <ind:instance> is telling me, but I assumed it was (a) the return value of the pattern match had to be less than or equal to 1, or (b) that the number of matches found in the system-auth file had to be less than or equal to 1.
 
    <ind:textfilecontent54_object id="obj_password_pam_cracklib_ucredit" version="1">
      <ind:path>/etc/pam.d</ind:path>
      <ind:filename>system-auth</ind:filename>
      <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]ucredit=(-?\d+)(?:[\s]|$)</ind:pattern>
      <ind:instance datatype="int" operation="less than or equal">1</ind:instance>
    </ind:textfilecontent54_object>
 
 
My regex skills are weak, so I went to a helpful web site[2] to help interpret the regex.  Given my line in system-auth file and the regex listed in the check, the regex appeared to be working as designed.  A value of "-1" was being returned in the second element of the array.
 
That is good.
 
I thought maybe my downloaded scap-security-guide content may have been out of date compared to the source I was reviewing.   The mailing list seems to show a very active project with many patches flowing into the project.
 
Since the installed files are a compilation of hundreds of source xml files, reviewing the installed xml was interesting.  I am sure there is a simpler way to connect a check to the commands... but here is how I completed the task.
 
In "ssg-rhel6-oval.xml", I find a <definition id="oval:ssg:def:249"> that contains criteria for the ucredit test, test_ref="oval:ssg:tst:250". 
 
    <definition class="compliance" id="oval:ssg:def:249" version="1">
      <metadata>
        <title>Set Password ucredit Requirements</title>
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 6</platform>
        </affected>
        <description>The password ucredit should meet minimum
      requirements using pam_cracklib</description>
      <reference source="ssg" ref_id="accounts_password_pam_cracklib_ucredit"/></metadata>
      <criteria>
        <criterion comment="Conditions for ucredit are satisfied" test_ref="oval:ssg:tst:250"/>
      </criteria>
    </definition>
 
Searching for "oval:ssg:tst:250", I find a stanza pointing to the object_ref="oval:ssg:obj:1295" and state_ref="oval:ssg:ste:1296". 
 
    <ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg:tst:250" version="1">
      <ind:object object_ref="oval:ssg:obj:1295"/>
      <ind:state state_ref="oval:ssg:ste:1296"/>
    </ind:textfilecontent54_test>
 
Object 1295 is the check which matches the source code I found:
 
    <ind:textfilecontent54_object id="oval:ssg:obj:1295" version="1">
      <ind:path>/etc/pam.d</ind:path>
      <ind:filename>system-auth</ind:filename>
      <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]ucredit=(-?\d+)(?:[\s]|$)</ind:pattern>
      <ind:instance datatype="int" operation="less than or equal">1</ind:instance>
    </ind:textfilecontent54_object>
 
That is good. My installed XML matches the source code tree I was reviewing.  But, I am still stuck with a failed check.
 
The state_ref="oval:ssg:ste:1296" points to a variable reference, var_ref="oval:ssg:var:2120".
 
    <ind:textfilecontent54_state id="oval:ssg:ste:1296" version="1">
      <ind:instance datatype="int">1</ind:instance>
      <ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:2120"/>
    </ind:textfilecontent54_state>
 
The variable reference, var_ref="oval:ssg:var:2120", points to
 
    <external_variable comment="External variable for pam_cracklib ucredit" datatype="int" id="oval:ssg:var:2120" version="1"/>
 

I am not sure what an external variable is... but I did find it referenced in the "ssg-rhel6-xccdf.xml" file as part of the Rule id="password_require_uppercases".
 
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
       <check-export export-name="oval:ssg:var:2120" value-id="var_password_pam_cracklib_ucredit"/>
       <check-content-ref name="oval:ssg:def:249" href="ssg-rhel6-oval.xml"/>
    </check>
 
So, now I have a value-id="var_password_pam_cracklib_ucredit".  I searched some more...
 
Under the Profile <Profile id="stig-rhel6-server">, I find the following:
 
    <refine-value idref="var_password_pam_cracklib_ucredit" selector="2"/>
 
I notice that the "dcredit" variable, which is passing, is assigned a selector="1", but the others that were failing all had a selector="2".
 
    <refine-value idref="var_password_pam_cracklib_retry" selector="3"/>
    <refine-value idref="var_password_pam_cracklib_minlen" selector="14"/>
    <refine-value idref="var_password_pam_cracklib_dcredit" selector="1"/>
    <refine-value idref="var_password_pam_cracklib_ucredit" selector="2"/>
    <refine-value idref="var_password_pam_cracklib_ocredit" selector="2"/>
    <refine-value idref="var_password_pam_cracklib_lcredit" selector="2"/>
    <refine-value idref="var_password_pam_cracklib_difok" selector="3"/>
 
On a whim, I changed my /etc/pam.d/system-auth line to use a value of -2 as follows:
 
        password    requisite     pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-2 ocredit=-2 lcredit=-2 difok=3
 
Now, I am passing the checks.
 
 
QUESTIONS:  
  1. Is the reasoning above correct in that a Profile can use variables to set specific values to check against?
  2. Did I uncover an incorrect variable value of selector="2" in the stig-rhel6-server profile for the ucredit (and others) associated to the pam_cracklib.so settings?
 
 
Thanks in advance for your time.
Robert
 
 
[1] https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/checks/accounts_password_pam_cracklib_ucredit.xml
[2] http://www.myregextester.com/index.php
 
 
 
Robert Hayden | Sr. Technology Architect | Cerner Corporation | 816.201.4068 | rhayden@cerner.com | www.cerner.com
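To make the object -> state -> external variable chain traced in the message above concrete, here is an added Python emulation of the quoted textfilecontent54 object, state and test. It is not code from the scap-security-guide or OpenSCAP projects; the regex is the one quoted from accounts_password_pam_cracklib_ucredit.xml, the system-auth content is a constructed sample, and the value -2 for the external variable is an assumption (that selector="2" in the stig-rhel6-server profile resolves to -2), which is consistent with ucredit=-1 failing and ucredit=-2 passing as reported.

```python
import re

# Pattern copied verbatim from the ucredit OVAL object quoted in the message.
# OVAL applies it line by line, so the sample is evaluated one line at a time
# below (no MULTILINE trickery needed and \s cannot run across line breaks).
UCREDIT_PATTERN = re.compile(
    r"^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+"
    r"[\w_\.\-=\s]+[\s]ucredit=(-?\d+)(?:[\s]|$)"
)

# Constructed sample of /etc/pam.d/system-auth (not the message author's file).
# The commented-out line must be ignored by the check.
SYSTEM_AUTH_UCREDIT_MINUS1 = """\
auth        required      pam_env.so
#password   required      pam_cracklib.so ucredit=-9
password    required      pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
"""
SYSTEM_AUTH_UCREDIT_MINUS2 = SYSTEM_AUTH_UCREDIT_MINUS1.replace("ucredit=-1", "ucredit=-2")


def collect_items(content, pattern=UCREDIT_PATTERN):
    """Emulate the textfilecontent54_object.

    OVAL numbers the matching lines 1, 2, 3, ... (the "instance"); the object's
    <ind:instance operation="less than or equal">1</ind:instance> keeps only
    the first match.  Each item carries the captured group as "subexpression".
    """
    items = []
    instance = 0
    for line in content.splitlines():
        m = pattern.search(line)
        if m is None:
            continue
        instance += 1
        if instance <= 1:  # the object's instance filter
            items.append({"instance": instance, "subexpression": int(m.group(1))})
    return items


def state_satisfied(item, var_value):
    """Emulate the textfilecontent54_state: instance must equal 1 (default
    operation) and the captured number must be <= the external variable."""
    return item["instance"] == 1 and item["subexpression"] <= var_value


def evaluate_test(content, var_value):
    """Emulate the textfilecontent54_test with check="all".

    With no matching line at all the test is false (OVAL's default existence
    check, at_least_one_exists); otherwise every collected item must satisfy
    the state.
    """
    items = collect_items(content)
    if not items:
        return False
    return all(state_satisfied(item, var_value) for item in items)


if __name__ == "__main__":
    # Assumed: the STIG profile's selector "2" resolves the variable to -2.
    for label, content in (("ucredit=-1", SYSTEM_AUTH_UCREDIT_MINUS1),
                           ("ucredit=-2", SYSTEM_AUTH_UCREDIT_MINUS2)):
        print(f"{label}: var=-2 -> {evaluate_test(content, -2)}, "
              f"var=-1 -> {evaluate_test(content, -1)}")
```

Because the state uses "less than or equal" on a negative credit value, a more negative (stricter) setting in system-auth passes while a less negative one fails; with the variable at -1 both sample files pass, with it at -2 only the ucredit=-2 file does. That is the behaviour the profile's refine-value selects, and it is why the quoted check fails against the rhel6-guide.html line.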
 
 
 