This meets some OS SRG reqs as well.

Jeffrey Blank (1):
      added new Rule and check to disable inactive accounts
        * inactivity is defined as time following automatic password expiration
        * also added relevant CCI refs

Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 rhel6/src/input/auxiliary/srg_support.xml          | 13 +++++-
 .../checks/accounts_disable_post_pw_expiration.xml | 39 +++++++++++++++++
 rhel6/src/input/guide.xslt                         |  1 +
 rhel6/src/input/profiles/test.xml                  | 12 ++---
 .../accounts/restrictions/account_expiration.xml   | 46 ++++++++++++++++++++
 5 files changed, 102 insertions(+), 9 deletions(-)
 create mode 100644 rhel6/src/input/checks/accounts_disable_post_pw_expiration.xml
 create mode 100644 rhel6/src/input/system/accounts/restrictions/account_expiration.xml
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index c1bdf83..5b8f406 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -24,19 +24,28 @@ The requirement is impractical or out of scope. <ref disa="165,21,354,1094,371,372,535,537,539,780,1682,1383,370,66,37,213,221" /> </Group> <!-- end unmet_impractical_guidance -->
+<Group id="unmet_impractical_product"> +<title>Product Does Not Meet this Requirement Due to Impracticality or Scope</title> +<description> +The product does not meet this requirement. +The requirement is impractical or out of scope. +</description> +</Group> <!-- end unmet_impractical_product --> + + <Group id="requirement_unclear"> <title>Implementation of the Requirement is Unclear</title> <description> It is unclear how to satisfy this requirement. </description> <ref disa="20,31,218,219,224" /> -</Group> <!-- end unmet_impractical_product --> +</Group> <!-- end requirement_unclear -->
<Group id="new_rule_needed"> <title>A New Policy/Manual Rule is Needed</title> <description> A new Rule needs to be created in the scap-security-guide content. </description> -</Group> <!-- end unmet_impractical_product --> +</Group> <!-- end new_rule_needed -->
</Group> diff --git a/rhel6/src/input/checks/accounts_disable_post_pw_expiration.xml b/rhel6/src/input/checks/accounts_disable_post_pw_expiration.xml new file mode 100644 index 0000000..8ef6afb --- /dev/null +++ b/rhel6/src/input/checks/accounts_disable_post_pw_expiration.xml 
@@ -0,0 +1,39 @@ +<def-group> + <definition class="compliance" id="accounts_disable_post_pw_expiration" version="1"> + <metadata> + <title>Set Accounts to Expire Following Password Expiration</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="CCE-TBD" source="CCE" /> + <description>The accounts should be configured to expire automatically following password expiration.</description> + </metadata> + <criteria comment="the value INACTIVE parameter should be set appropriately in /etc/default/useradd"> + <criterion test_ref="test_etc_default_useradd_inactive" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" comment="the value INACTIVE parameter should be set appropriately in /etc/default/useradd" + id="test_etc_default_useradd_inactive" version="1"> + <ind:object object_ref="object_etc_default_useradd_inactive" /> + <ind:state state_ref="state_etc_default_useradd_inactive" /> + <ind:state state_ref="state_etc_default_useradd_inactive_nonnegative" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_etc_default_useradd_inactive" version="1"> + ind:filepath/etc/default/useradd</ind:filepath> + <ind:pattern operation="pattern match">^\s*INACTIVE\s*=\s*(\d+)\s*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_state id="state_etc_default_useradd_inactive" version="1"> + <ind:subexpression operation="less than or equal" var_ref="var_account_disable_post_pw_expiration" /> + </ind:textfilecontent54_state> + + <ind:textfilecontent54_state id="state_etc_default_useradd_inactive_nonnegative" version="1"> + <ind:subexpression operation="greater than" datatype="int">-1</ind:subexpression> + </ind:textfilecontent54_state> + + <external_variable comment="inactive days expiration" datatype="int" id="var_account_disable_post_pw_expiration" version="1" /> + +</def-group> 
diff --git a/rhel6/src/input/guide.xslt b/rhel6/src/input/guide.xslt index ee40446..0475f04 100644 --- a/rhel6/src/input/guide.xslt +++ b/rhel6/src/input/guide.xslt @@ -51,6 +51,7 @@ <xsl:apply-templates select="document('system/accounts/restrictions/root_logins.xml')" /> <xsl:apply-templates select="document('system/accounts/restrictions/password_storage.xml')" /> <xsl:apply-templates select="document('system/accounts/restrictions/password_expiration.xml')" /> + <xsl:apply-templates select="document('system/accounts/restrictions/account_expiration.xml')" /> <xsl:apply-templates select="document('system/accounts/restrictions/nis_inclusions.xml')" /> </xsl:copy> </xsl:template> diff --git a/rhel6/src/input/profiles/test.xml b/rhel6/src/input/profiles/test.xml index 8d3761a..a9387b3 100644 --- a/rhel6/src/input/profiles/test.xml +++ b/rhel6/src/input/profiles/test.xml @@ -26,23 +26,21 @@ <refine-value idref="var_selinux_state_name" selector="enforcing"/> <refine-value idref="var_password_pam_cracklib_dcredit" selector="1"/> <refine-value idref="inactivity_timeout_value" selector="10_minutes"/> ---> - - - <select idref="configure_auditd_num_logs" selected="true"/> <select idref="configure_auditd_max_log_file" selected="true"/> <select idref="configure_auditd_action_mail_acct" selected="true"/> <select idref="configure_auditd_space_left_action" selected="true"/> <select idref="configure_auditd_admin_space_left_action" selected="true"/> -<select idref="configure_auditd_max_log_file_action" selected="true"/> +<select idref="configure_auditd_max_log_file_action" selected="true"/>--> +<select idref="account_disable_post_pw_expiration" selected="true"/>
-<refine-value idref="var_auditd_num_logs" selector="5"/> +<!--<refine-value idref="var_auditd_num_logs" selector="5"/> <refine-value idref="var_auditd_max_log_file" selector="6"/> <refine-value idref="var_auditd_max_log_file_action" selector="rotate"/> <refine-value idref="var_auditd_space_left_action" selector="syslog"/> <refine-value idref="var_auditd_admin_space_left_action" selector="single"/> -<refine-value idref="var_auditd_action_mail_acct" selector="root"/> +<refine-value idref="var_auditd_action_mail_acct" selector="root"/>--> +<refine-value idref="var_account_disable_post_pw_expiration" selector="35"/>
diff --git a/rhel6/src/input/system/accounts/restrictions/account_expiration.xml b/rhel6/src/input/system/accounts/restrictions/account_expiration.xml new file mode 100644 index 0000000..4491d58 --- /dev/null +++ b/rhel6/src/input/system/accounts/restrictions/account_expiration.xml 
@@ -0,0 +1,46 @@ +<Group id="account_expiration"> +<title>Set Account Expiration Parameters</title> +<description>The file <tt>/etc/defaults/useradd</tt> controls +default settings for local accounts created with the system's +normal command line utilities. +</description> + +<Value id="var_account_disable_post_pw_expiration" type="number" > +<title>number of days after a password expires until the account is permanently disabled</title> +<description>The number of days to wait after a password expires, until the account will be permanently disabled.</description> +<warning category="general">This will only apply to newly created accounts</warning> +<value selector="">35</value> +<value selector="35">35</value> +<value selector="60">60</value> +<value selector="90">90</value> +<value selector="180">180</value> +</Value> + + +<Rule id="account_disable_post_pw_expiration"> +<title>Set Account Expiration Following Inactivity</title> +<description>To specify the number of days after a password expires +(which signifies inactivity) until an +account is permanently disabled, edit the file <tt>/etc/defaults/useradd</tt> +and add or correct the following lines, substituting <tt><i>NUM_DAYS</i></tt> appropriately: +<pre>INACTIVE=<i>NUM_DAYS</i></pre> +A value of 35 is recommended. If a password is currently on the +verge of expiration, then 35 days remain until the account is automatically +disabled. However, if the password will not expire for another 60 days, then 95 +days could elapse until the account would be automatically disabled. See the +<tt>useradd</tt> man page for more information. Determining the inactivity +timeout must be done with careful consideration of the length of a "normal" +period of inactivity for users in the particular environment. Setting +the timeout too low incurs support costs and also has the potential to impact +availability of the system to legitimate users. 
+</description> +<rationale> +Disabling inactive accounts ensures that accounts which may not +have been responsibly removed are not available to attackers +who may have compromised their credentials. +</rationale> +<oval id="accounts_disable_post_pw_expiration" value="var_account_disable_post_pw_expiration"/> +<ref disa="15,16,17"/> +</Rule> + +</Group>
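Review bot: the new unmet_impractical_product Group in srg_support.xml carries no <ref disa="..."/> element, unlike its sibling unmet_impractical_guidance directly above it, so no CCI is mapped to it and it will render as an empty placeholder; either add the CCI list it is meant to hold or say in the commit message that it is intentionally empty for now. The corrected closing-tag comments on requirement_unclear and new_rule_needed are good; both previously carried the stale "end unmet_impractical_product" label.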
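Review bot: accounts_disable_post_pw_expiration.xml is not well-formed XML as written: the textfilecontent54_object opens its path element as bare text, `ind:filepath/etc/default/useradd</ind:filepath>`, where `<ind:filepath>/etc/default/useradd</ind:filepath>` is needed, so the whole def-group will fail to load. Two smaller points: the pattern `^\s*INACTIVE\s*=\s*(\d+)\s*$` captures only unsigned digits, so `INACTIVE=-1` (useradd's own "never disable" value) produces no item and the test fails as intended, which makes state_etc_default_useradd_inactive_nonnegative redundant (it can never be false); and `ref_id="CCE-TBD"` needs a real CCE before the rule ships.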
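Review bot: the profiles/test.xml hunk does more than select the new rule: moving `-->` to the end of the `configure_auditd_max_log_file_action` line and wrapping the var_auditd_* refine-values in a new `<!-- ... -->` comments out six auditd selects and six refine-values, which the commit message does not mention. If disabling those in the test profile is intentional, say so in the message; otherwise leave the auditd lines alone and add only `<select idref="account_disable_post_pw_expiration" selected="true"/>` and `<refine-value idref="var_account_disable_post_pw_expiration" selector="35"/>`. The guide.xslt addition is fine and sits in document order beside password_expiration.xml.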
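Review bot: account_expiration.xml names the file as `/etc/defaults/useradd` in both the Group description and the Rule description, while the OVAL object in this same patch reads `/etc/default/useradd`; the file shipped with shadow-utils is `/etc/default/useradd`, so the prose should be corrected or the remediation text will send administrators to a file that does not exist. The Rule id is `account_disable_post_pw_expiration` but the OVAL definition it references is `accounts_disable_post_pw_expiration` (plural); both resolve, yet the mismatch invites typos in profiles, so one spelling would be better. The Value warning "This will only apply to newly created accounts" is the right caveat; since existing accounts keep their own inactivity field, the enclosing Group text is the place to mention the per-account `chage -I` form raised later in this thread.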
On 6/27/12 6:35 PM, Jeffrey Blank wrote:
+<Rule id="account_disable_post_pw_expiration"> +<title>Set Account Expiration Following Inactivity</title> +<description>To specify the number of days after a password expires +(which signifies inactivity) until an +account is permanently disabled, edit the file <tt>/etc/defaults/useradd</tt> +and add or correct the following lines, substituting <tt><i>NUM_DAYS</i></tt> appropriately: +<pre>INACTIVE=<i>NUM_DAYS</i></pre> +A value of 35 is recommended. If a password is currently on the +verge of expiration, then 35 days remain until the account is automatically +disabled. However, if the password will not expire for another 60 days, then 95 +days could elapse until the account would be automatically disabled. See the +<tt>useradd</tt> man page for more information. Determining the inactivity +timeout must be done with careful consideration of the length of a "normal" +period of inactivity for users in the particular environment. Setting +the timeout too low incurs support costs and also has the potential to impact +availability of the system to legitimate users. +</description> +<rationale>
Nitpick. Kinda.
Do we want to have them edit text files, or just issue a chage command à la:
# chage -I 35 shawn
         ^ that's an uppercase I
And the idea of using this concept as the definition of 'inactive account' is novel; I hadn't thought of this before!
We want to have them edit this text file since we want the setting to apply to ALL accounts by default when they are created.
Running chage on one account just sets it for that one account at that time.
That said, I can amend my commit prior to push to mention the existence of chage in the enclosing <Group>, so that the information is there.
Sound good?
On 06/27/2012 06:45 PM, Shawn Wells wrote:
_______________________________________________
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/scap-security-guide
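To put the distinction Jeffrey draws above into runnable form, here is an added example (not code from the patch or from the scap-security-guide project): a POSIX shell script that reads the INACTIVE default from a useradd defaults file with the same shape as the patch's OVAL pattern, then audits a shadow-style file for existing accounts that the default cannot reach, since field 7 of /etc/shadow is what chage -I sets per account. Both input files, the account names and the password-hash placeholders are constructed samples so the script runs offline; the chage form it mentions is the one from Shawn's note.

```shell
#!/bin/sh
# Added example, not part of the scap-security-guide patch or thread.
# /etc/default/useradd's INACTIVE only seeds accounts created later; existing
# accounts carry their own value in field 7 of /etc/shadow (set by chage -I).
# Both files below are constructed samples so this runs offline.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed useradd defaults file with the hardened setting.
printf '%s\n' '# useradd defaults file' 'GROUP=100' 'HOME=/home' \
    'INACTIVE=35' 'EXPIRE=' 'SHELL=/bin/bash' 'SKEL=/etc/skel' \
    > "$SAMPLE_DIR/useradd"

# Constructed shadow lines: name:hash:lastchg:min:max:warn:inactive:expire:
# Hashes are placeholders; only fields 2, 5 and 7 matter here.
printf '%s\n' \
    'root:$6$PLACEHOLDER:15500:0:99999:7:::' \
    'alice:$6$PLACEHOLDER:15500:1:60:7:35::' \
    'bob:$6$PLACEHOLDER:15500:1:60:7:::' \
    'carol:$6$PLACEHOLDER:15500:1:60:7:90::' \
    'svc:!!:15500:0:99999:7:::' \
    > "$SAMPLE_DIR/shadow"

# Print the INACTIVE value from a useradd defaults file, matching the same
# lines the OVAL pattern ^\s*INACTIVE\s*=\s*(\d+)\s*$ would match.
# Prints nothing when the line is absent or holds -1 (never disable).
useradd_inactive() {
    awk '/^[ \t]*INACTIVE[ \t]*=[ \t]*[0-9]+[ \t]*$/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit }' "$1"
}

# Succeed (status 0) only when INACTIVE is set and within the limit.
check_useradd_default() {
    file=$1; limit=$2
    val=$(useradd_inactive "$file")
    [ -n "$val" ] && [ "$val" -le "$limit" ]
}

# List existing accounts the default does not protect, one "name:reason" per
# line: password never expires (so inactivity never starts), inactive field
# unset, or inactive field above the limit. Locked/passwordless entries skip.
noncompliant_accounts() {
    shadow=$1; limit=$2
    awk -F: -v limit="$limit" '
        $2 == "" || $2 ~ /^[!*]/      { next }
        $5 == "" || $5 + 0 >= 99999   { print $1 ":never-expires"; next }
        $7 == ""                      { print $1 ":inactive-unset"; next }
        $7 + 0 > limit                { print $1 ":inactive-" $7 }
    ' "$shadow"
}

# Stand-alone run: report the default, then the per-account findings.
if check_useradd_default "$SAMPLE_DIR/useradd" 35; then
    echo "useradd default INACTIVE=$(useradd_inactive "$SAMPLE_DIR/useradd"): ok"
else
    echo "useradd default INACTIVE missing, -1, or above limit"
fi
echo "existing accounts needing attention (per-account fix: chage -I 35 <user>):"
noncompliant_accounts "$SAMPLE_DIR/shadow" 35
```

On the sample data the default passes while root (password never expires), bob (field unset) and carol (90 days) are reported; alice already matches the 35-day limit. Point the two functions at the real /etc/default/useradd and /etc/shadow (as root) to audit a live system.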
Ack
-- Shawn Wells Technical Director, U.S. Intelligence Programs (e) shawn@redhat.com (c) 443-534-0130
On Jun 28, 2012, at 9:38 AM, Jeffrey Blank blank@eclipse.ncsc.mil wrote:
I just pushed with modification.
Willy may want to update mappings to some combination of CCIs 15, 16, and 17 for some combinations of this new Group (account_expiration) and Rule (account_disable_post_pw_expiration).
(And perhaps remove the "new rule needed" ref to CCI 17, and correct the closing-tag comments for the Groups in srg_support.xml).
I figure it's easier to ask than to cross commits mid-stream...
Thanks!
On 06/28/2012 12:27 PM, Shawn Wells wrote:
Jeff,
Successfully pulled and merged the new content. I made the changes you requested.
-Willy
Willy Santos, RHCE Consultant Red Hat Consulting Cell: +1 (301) 254-7077 Email: wsantos@redhat.com
On 06/29/2012 02:07 PM, Jeffrey Blank wrote:
EDIT: I made the changes you requested on my local copy; I'll submit along with other patches this afternoon.
Willy Santos, RHCE Consultant Red Hat Consulting Cell: +1 (301) 254-7077 Email: wsantos@redhat.com
On 06/29/2012 02:16 PM, Willy Santos wrote: