Okay, this is helpful, but two things: - by convention the Defintion ID should be the same as the filename - the fix script isn't parameterized

There is support for parameters in fix scripts, per a recent patch: https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-June/00342...

On Fri, Jun 28, 2013 at 9:15 AM, Brian Millett bmillett@gmail.com wrote:

Signed-off-by: Brian Millett bmillett@gmail.com

.../accounts_password_minclass_login_defs.xml | 43 ++++++++++++++++++++++ .../fixes/bash/password_require_minimun_class.sh | 6 +++ 2 files changed, 49 insertions(+) create mode 100644 RHEL6/input/checks/accounts_password_minclass_login_defs.xml create mode 100644 RHEL6/input/fixes/bash/password_require_minimun_class.sh

diff --git a/RHEL6/input/checks/accounts_password_minclass_login_defs.xml b/RHEL6/input/checks/accounts_password_minclass_login_defs.xml new file mode 100644 index 0000000..539164b --- /dev/null +++ b/RHEL6/input/checks/accounts_password_minclass_login_defs.xml @@ -0,0 +1,43 @@ +<def-group>

• <definition class="compliance"

id="accounts_password_pam_cracklib_minclass" version="1">

• <metadata>

•  <title>Set Password minclass Requirements</title>
  

•  <affected family="unix">
  

•    <platform>Red Hat Enterprise Linux 6</platform>
  

•  </affected>
  

•  <description>The password minclass should meet minimum
  

•  requirements using pam_cracklib</description>
  

• </metadata>

• <criteria>

•  <criterion comment="Conditions for minclass are satisfied"
  

•             test_ref="test_password_pam_cracklib_minclass" />
  

• </criteria>

• </definition>

• <ind:textfilecontent54_test check="all"

•                          comment="check the configuration of
  

/etc/pam.d/system-auth"

•                          id="test_password_pam_cracklib_minclass"
  

version="1">

• <ind:object object_ref="obj_password_pam_cracklib_minclass" />
• <ind:state state_ref="state_password_pam_cracklib_minclass" />
• </ind:textfilecontent54_test>
• <ind:textfilecontent54_state id="state_password_pam_cracklib_minclass"

•                           version="1">
  

• <ind:instance datatype="int">1</ind:instance>
• <ind:subexpression datatype="int"

•                   operation="less than or equal"
  

•                   var_ref="var_password_pam_cracklib_minclass" />
  

• </ind:textfilecontent54_state>
• <external_variable comment="External variable for pam_cracklib minclass"

•                 datatype="int"
  

id="var_password_pam_cracklib_minclass"

•                 version="1" />
  

• <ind:textfilecontent54_object id="obj_password_pam_cracklib_minclass"

•                            version="1">
  

• ind:path/etc/pam.d</ind:path>
• ind:filenamesystem-auth</ind:filename>
• <ind:pattern operation="pattern

match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_.-=\s]+[\s]minclass=(-?\d+)(?:[\s]|$)</ind:pattern>

• <ind:instance datatype="int" operation="less than or

equal">1</ind:instance>

• </ind:textfilecontent54_object>

+</def-group> diff --git a/RHEL6/input/fixes/bash/password_require_minimun_class.sh b/RHEL6/input/fixes/bash/password_require_minimun_class.sh new file mode 100644 index 0000000..127c004 --- /dev/null +++ b/RHEL6/input/fixes/bash/password_require_minimun_class.sh @@ -0,0 +1,6 @@ +grep -q minclass /etc/pam.d/system-auth +if [ $? = "0" ]; then

• sed --follow-symlinks -i "/

pam_cracklib.so/s/minclass=[0-4]/minclass=3/" /etc/pam.d/system-auth +else

• sed --follow-symlinks -i "/pam_cracklib.so/s/pam_cracklib.so/pam_cracklib.so minclass=3 /" /etc/pam.d/system-auth

+fi

1.8.2.1

---

scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

Yep, got it.

Thanks.

By the way, I've found that the template works better if there is a blank line after the "populate",

__BEGIN__ source ./templates/support.sh populate var_password_pam_cracklib_minclass

grep -q minclass /etc/pam.d/system-auth __END__

Other wise when expanded, the var is on the same line as the grep, which holds only for the grep. IE: var_password_pam_cracklib_minclas=3 grep -q minclass /etc/pam.d/system-auth

But I really like the template.

Tha nks. On Mon, 01 Jul 2013 23:32:13 -0400 Shawn Wells shawn@redhat.com wrote:

On 6/28/13 9:15 AM, Brian Millett wrote:

...

+++ b/RHEL6/input/fixes/bash/password_require_minimun_class.sh @@ -0,0 +1,6 @@ +grep -q minclass /etc/pam.d/system-auth +if [ $? = "0" ]; then

• sed --follow-symlinks -i

"/pam_cracklib.so/s/minclass=[0-4]/minclass=3/" /etc/pam.d/system-auth +else

• sed --follow-symlinks -i

"/pam_cracklib.so/s/pam_cracklib.so /pam_cracklib.so minclass=3 /" /etc/pam.d/system-auth +fi

Per Jeff's note, the pseudo code for remediation parameters should be something like:

source ./templates/support.sh populate var_password_pam_cracklib_minclass grep -q minclass /etc/pam.d/system-auth if [ $? = "0" ]; then sed --follow-symlinks -i "/pam_cracklib.so/s/minclass=[0-4]/minclass=$var_password_pam_cracklib_minclass /" /etc/pam.d/system-auth else sed --follow-symlinks -i "/pam_cracklib.so/s/pam_cracklib.so /pam_cracklib.so minclass=$var_password_pam_cracklib_minclass /" /etc/pam.d/system-auth fi