7:58 p.m.
group limiting_password_reuse was causing the oval line not to properly
transform and making it into the final output. Changing Group to Rule
fixes this. Not sure why this is a group instead of a rule in anycase.
Also mapped CCI 1343 to the rule for auditd to drop to single user mode
when storage fills then removed that from the "needs new rule" group.
Kevin Spargur (2):
Mapped CCI 1343 to rule for action on full storage for auditd
Changed group limiting_password_reuse to a rule
RHEL6/input/auxiliary/srg_support.xml | 2 +-
RHEL6/input/system/accounts/pam.xml | 31 +++++++++++++++----------------
RHEL6/input/system/auditing.xml | 2 +-
3 files changed, 17 insertions(+), 18 deletions(-)
--
1.7.7.6
7:58 p.m.
New subject: [PATCH 1/2] Mapped CCI 1343 to rule for action on full storage for auditd
---
RHEL6/input/auxiliary/srg_support.xml | 2 +-
RHEL6/input/system/auditing.xml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/auxiliary/srg_support.xml
b/RHEL6/input/auxiliary/srg_support.xml
index 11e22f5..8958212 100644
--- a/RHEL6/input/auxiliary/srg_support.xml
+++ b/RHEL6/input/auxiliary/srg_support.xml
@@ -46,7 +46,7 @@ It is unclear how to satisfy this requirement.
<description>
A new Rule needs to be created in the scap-security-guide content.
</description>
-<ref disa="1343,52,53,1009,1019,1159,1125,1140,1143" />
+<ref disa="52,53,1009,1019,1159,1125,1140,1143" />
</Group> <!-- end new_rule_needed -->
</Group>
diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml
index 56936cf..c4b3b1c 100644
--- a/RHEL6/input/system/auditing.xml
+++ b/RHEL6/input/system/auditing.xml
@@ -298,7 +298,7 @@ audit records. If a separate partition or logical volume of adequate
size
is used, running low on space for audit records should never occur.
</rationale>
<oval id="auditd_data_retention_admin_space_left_action"
value="var_auditd_admin_space_left_action" />
-<ref disa="140,144" />
+<ref disa="140,144,1343" />
</Rule>
--
1.7.7.6
7:58 p.m.
New subject: [PATCH 2/2] Changed group limiting_password_reuse to a rule
---
RHEL6/input/system/accounts/pam.xml | 31 +++++++++++++++----------------
1 files changed, 15 insertions(+), 16 deletions(-)
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml
index d95385d..5be75e2 100644
--- a/RHEL6/input/system/accounts/pam.xml
+++ b/RHEL6/input/system/accounts/pam.xml
@@ -42,6 +42,19 @@ file syntax can be found at
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration...
<ref disa="1391,1392" />
+<Value id="password_history_retain_number" type="number"
+operator="equals" interactive="0">
+<title>remember</title>
+<description>The last n passwords for each user are saved in
+<tt>/etc/security/opasswd</tt> in order to force password change history and
+keep the user from alternating between the same password too
+frequently.</description>
+<value selector="">5</value>
+<value selector="0">0</value>
+<value selector="5">5</value>
+<value selector="10">10</value>
+</Value>
+
<Group id="password_quality">
<title>Set Password Quality Requirements</title>
<description>The default <tt>pam_cracklib</tt> PAM module provides
strength
@@ -337,20 +350,7 @@ Using a stronger hashing algorithm makes password cracking attacks
more difficul
<ref nist="IA-5" />
</Rule>
-<Value id="password_history_retain_number" type="number"
-operator="equals" interactive="0">
-<title>remember</title>
-<description>The last n passwords for each user are saved in
-<tt>/etc/security/opasswd</tt> in order to force password change history and
-keep the user from alternating between the same password too
-frequently.</description>
-<value selector="">5</value>
-<value selector="0">0</value>
-<value selector="5">5</value>
-<value selector="10">10</value>
-</Value>
-
-<Group id="limiting_password_reuse">
+<Rule id="limiting_password_reuse">
<title>Limit Password Reuse</title>
<description>Do not allow users to reuse recent passwords. This can
be accomplished by using the <tt>remember</tt> option for the
<tt>pam_unix</tt> PAM
@@ -365,6 +365,5 @@ file <tt>/etc/security/opasswd</tt>.</description>
<ident cce="14939-3" />
<oval id="accounts_password_reuse_limit"
value="password_history_retain_number" />
<ref nist="IA-5" disa="200" />
-</Group>
-
+</Rule>
</Group>
--
1.7.7.6
7:40 a.m.
Ack to the set. Thanks Kevin!
Willy Santos, RHCE
Consultant
Red Hat Consulting
Cell: +1 (301) 254-7077
Email: wsantos(a)redhat.com
On 07/25/2012 08:58 PM, Kevin Spargur wrote:
group limiting_password_reuse was causing the oval line not to
properly
transform and making it into the final output. Changing Group to Rule
fixes this. Not sure why this is a group instead of a rule in anycase.
Also mapped CCI 1343 to the rule for auditd to drop to single user mode
when storage fills then removed that from the "needs new rule" group.
Kevin Spargur (2):
Mapped CCI 1343 to rule for action on full storage for auditd
Changed group limiting_password_reuse to a rule
RHEL6/input/auxiliary/srg_support.xml | 2 +-
RHEL6/input/system/accounts/pam.xml | 31 +++++++++++++++----------------
RHEL6/input/system/auditing.xml | 2 +-
3 files changed, 17 insertions(+), 18 deletions(-)
4301
days inactive
4301
days old
scap-security-guide@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
Kevin Spargur -
Willy Santos