Signed-off-by: David Smith <dsmith(a)eclipse.ncsc.mil>
---
RHEL6/input/auxiliary/transition_notes.xml | 4 ++--
RHEL6/input/system/accounts/pam.xml | 18 ++++++++++++++++++
.../accounts/restrictions/password_storage.xml | 17 +++++++++++++++++
.../system/accounts/restrictions/root_logins.xml | 18 ++++++++++++++++++
4 files changed, 55 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/auxiliary/transition_notes.xml
b/RHEL6/input/auxiliary/transition_notes.xml
index 8fe2a0a..f557120 100644
--- a/RHEL6/input/auxiliary/transition_notes.xml
+++ b/RHEL6/input/auxiliary/transition_notes.xml
@@ -811,7 +811,7 @@ This is desirable but not practical in many environments. Notably,
many other O
do not even support this capability.
</note>
-<note ref="780,781,4382,11975,12765" auth="JB">
+<note ref="780,12765" auth="JB">
This needs to be added to the RHEL6 content.
</note>
@@ -1634,7 +1634,7 @@ exist.
rule=sshd_enable_warning_banner manual=no
</note>
-<note ref="776,777,812,761,782" auth="DS">
+<note ref="776,777,812,761,781,782,4382,11975" auth="DS">
This is covered in the RHEL6 content.
</note>
</notegroup>
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml
index 5f10315..8bc87b0 100644
--- a/RHEL6/input/system/accounts/pam.xml
+++ b/RHEL6/input/system/accounts/pam.xml
@@ -203,6 +203,24 @@ is different from account lockout, which is provided by the
pam_faillock module.
<ref nist="IA-5" disa="1092" />
</Rule>
+<Rule id="password_require_3consecrepeat">
+<title>Set Password to Maximum of Three Consecutive Repeating
Characters</title>
+<description>The pam_cracklib module's <tt>maxrepeat</tt> parameter
controls requirements for
+consecutive repeating characters. Edit the <tt>/etc/pam.d/system-auth</tt>
file to include the following
+line prior to the <tt>password include system-auth-ac</tt> line:
+<pre>password required pam_cracklib.so maxrepeat=3</pre>
+</description>
+<ocil clause="maxrepeat is not found or not set to the required value">
+To check the maximum value for consecutive repeating characters, run the following
command:
+<pre>$ grep pam_cracklib /etc/pam.d/system-auth</pre>
+Look for the value of the <tt>maxrepeat</tt> parameter. The DoD requirement
is 3.
+</ocil>
+<rationale>
+Passwords with excessive repeating characters may be more vulnerable to password-guessing
attacks.
+</rationale>
+<ref disa="366"/>
+</Rule>
+
<Rule id="password_require_digits">
<title>Set Password Strength Minimum Digit Characters</title>
<description>The pam_cracklib module's <tt>dcredit</tt> parameter
controls requirements for
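Review bot: The description instructs the reader to insert a second `pam_cracklib.so` line ahead of the `password include system-auth-ac` line, whereas the neighbouring rule at L61-L64 (`password_require_digits`) treats cracklib options as parameters on the existing pam_cracklib entry; a standalone `password required pam_cracklib.so maxrepeat=3` stacked before the include would presumably run in addition to the existing cracklib entry rather than replace it, so the guidance should say to add `maxrepeat=3` to the existing `pam_cracklib.so` line, or explain why a separate line is intended. The description also never states what the parameter does; I would add `Passwords containing more than <tt>maxrepeat</tt> identical consecutive characters are rejected.` before the edit instruction. The OCIL `grep pam_cracklib /etc/pam.d/system-auth` will also match commented-out lines, so the check text should tell the reader to look only at the active `password` line. The `<ref>` carries only `disa="366"` while the sibling rule at L35 also carries a `nist` reference; if a NIST control applies here as well, add it in the same `nist="…"` form for consistency.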
diff --git a/RHEL6/input/system/accounts/restrictions/password_storage.xml
b/RHEL6/input/system/accounts/restrictions/password_storage.xml
index 3b6a98d..a4db5f7 100644
--- a/RHEL6/input/system/accounts/restrictions/password_storage.xml
+++ b/RHEL6/input/system/accounts/restrictions/password_storage.xml
@@ -66,6 +66,23 @@ which is readable by all users.
<ref nist="IA-5" disa="201" />
</Rule>
+<Rule id="gid_passwd_group_same">
+<title>All GIDs referenced in /etc/passwd must be defined in
/etc/group</title>
+<description>
+Add a group to the system for each GID referenced without a corresponding group.
+</description>
+<ocil clause="there is output">
+To ensure all GIDs referenced in /etc/passwd are defined in /etc/group,
+run the following command:
+<pre># pwck -r</pre>
+There should be no output.
+</ocil>
+<rationale>
+Inconsistency in GIDs between /etc/passwd and /etc/group could lead to a user having
unintended rights.
+</rationale>
+<ref disa="366" />
+</Rule>
+
<Rule id="no_netrc_files">
<title>Verify No netrc Files Exist</title>
<description>The <tt>.netrc</tt> files contain login information
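Review bot: The OCIL check `# pwck -r` with clause `there is output` is broader than the rule's title: pwck also reports missing home directories, invalid shells and malformed entries, so a system whose GIDs are all defined in /etc/group can still produce output and fail this check for unrelated reasons. The check text should tell the reader which messages are in scope, e.g. `Only lines reporting a user whose primary group is not defined in /etc/group indicate a finding; other warnings are outside the scope of this rule.`, and the clause should be narrowed to match, e.g. `ocil clause="pwck reports a user whose primary group is not defined in /etc/group"`. The description states only the remediation; a sentence pointing the reader to how the affected users are identified (the same pwck output) would make the rule self-contained.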
diff --git a/RHEL6/input/system/accounts/restrictions/root_logins.xml
b/RHEL6/input/system/accounts/restrictions/root_logins.xml
index e9bc55a..d5e3a07 100644
--- a/RHEL6/input/system/accounts/restrictions/root_logins.xml
+++ b/RHEL6/input/system/accounts/restrictions/root_logins.xml
@@ -87,6 +87,24 @@ using the root account.
<ref nist="AC-3, AC-6" disa="770" />
</Rule>
+<Rule id="no_root_webbrowsing">
+<title>Restrict Web Browser Use for Administrative Accounts</title>
+<description>
+Enforce policy requiring administrative accounts use web browsers only for
+local service administration.
+</description>
+<ocil clause="this is not the case">
+Check the <tt>root</tt> home directory for a <tt>.mozilla</tt>
directory. If
+one exists, ensure browsing is limited to local service administration.
+</ocil>
+<rationale>
+If a browser vulnerability is exploited while running with administrative privileges,
+the entire system could be compromised. Specific exceptions for local service
+administration should be documented in site-defined policy.
+</rationale>
+<ref disa="366" />
+</Rule>
+
<Rule id="no_shelllogin_for_systemaccounts">
<title>Ensure that System Accounts Do Not Run a Shell Upon Login</title>
<description>
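Review bot: The OCIL check only looks for a `.mozilla` directory in root's home, which covers one browser for one account, while the title and description speak of all administrative accounts and any web browser; a reader could conclude the rule is satisfied when a different browser or another privileged account is used. Since this is a policy rule rather than a technical setting, the ocil text should say so, e.g. `This rule is satisfied by site policy; the check below is only a heuristic for the root account.`, and the clause `this is not the case` should name the condition it refers to, e.g. `ocil clause="browser use by administrative accounts is not restricted to local service administration by site policy"`. The `<ref disa="366" />` matches the other rules added in this patch; if a NIST control also applies, the sibling rule at L101 shows the `nist="…"` form used in this file.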
--
1.7.1