I ended up setting all four values to the requirement and that resolved the login.defs requirements.. now I'm trying to figure out what's "goobering" up the credit's for cracklib... While I'm sure deciphering the xml is easy enough for someone who's been nose deep in this for a while, it's proving a bit challenging for me to find what's connected to what...

Title Set Password Strength Minimum Uppercase Characters Rule password_require_uppercases Ident CCE-26601-5 Result fail

Title Set Password Strength Minimum Special Characters Rule password_require_specials Ident CCE-26409-3 Result fail

Title Set Password Strength Minimum Lowercase Characters Rule password_require_lowercases Ident CCE-26631-2 Result fail

grep cracklib /etc/pam.d/system-auth password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4

On Thu, Oct 24, 2013 at 1:29 PM, Jeff Bachtel < jbachtel@bericotechnologies.com> wrote:

Will,

I'm seeing the same failures using SCC 3.1 (which is DISA's packaging of SSG). I suspect a profile problem (leading to improper external variables possibly being set). What happens when you run the test with profile stig-rhel6-server ?

Actually, checking /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml the "server" profile specifies <refine-value idref="var_password_min_age" selector="7"/> so that's the minimum acceptable with the profile you're using.

But thanks for the email, now I have an idea what might be goobering up on SCC...

Jeff

On Thu, Oct 24, 2013 at 11:40 AM, wm-lists wm-lists@nixpeeps.com wrote:

...

I'm using scap-security-guide-0.1-12.el6.noarch as my source from

http://people.redhat.com/swells/scap-security-guide/rpmbuild/src/redhat/RPMS...

Running oscap xccdf eval --profile server /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml Generates a failure for Title Set Password Minimum Age Rule password_min_age Ident CCE-27013-2 Result fail

Title Set Password Maximum Age Rule password_max_age Ident CCE-26985-2 Result fail

Title Set Password Strength Minimum Uppercase Characters Rule password_require_uppercases Ident CCE-26601-5 Result fail

Title Set Password Strength Minimum Special Characters Rule password_require_specials Ident CCE-26409-3 Result fail

Title Set Password Strength Minimum Lowercase Characters Rule password_require_lowercases Ident CCE-26631-2 Result fail

Among others. I have cracklib configured what I believe is correct (according to the CCE) # grep cracklib /etc/pam.d/system-auth-ac password requisite pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4 try_first_pass retry=3 minlen=14 type= # grep PASS /etc/login.defs

PASS_MAX_DAYS 180 PASS_MIN_DAYS 1 PASS_MIN_LEN 14 PASS_WARN_AGE 7

Any help on what I might be missing here?

Thanks! Will

---

scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

---

scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

On 10/24/13, 1:51 PM, Shawn Wells wrote:

On 10/24/13, 1:29 PM, Jeff Bachtel wrote:

...

Will,

I'm seeing the same failures using SCC 3.1 (which is DISA's packaging of SSG). I suspect a profile problem (leading to improper external variables possibly being set). What happens when you run the test with profile stig-rhel6-server ?

Actually, checking /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml the "server" profile specifies <refine-value idref="var_password_min_age" selector="7"/> so that's the minimum acceptable with the profile you're using.

But thanks for the email, now I have an idea what might be goobering up on SCC...

Jeff

On Thu, Oct 24, 2013 at 11:40 AM, wm-lists <wm-lists@nixpeeps.com mailto:wm-lists@nixpeeps.com> wrote:

I'm using scap-security-guide-0.1-12.el6.noarch as my source from

http://people.redhat.com/swells/scap-security-guide/rpmbuild/src/redhat/RPMS/noarch/

Running oscap xccdf eval --profile server
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
Generates a failure for
Title   Set Password Minimum Age
Rule    password_min_age
Ident   CCE-27013-2
Result  fail

Title   Set Password Maximum Age
Rule    password_max_age
Ident   CCE-26985-2
Result  fail

Title   Set Password Strength Minimum Uppercase Characters
Rule    password_require_uppercases
Ident   CCE-26601-5
Result  fail

Title   Set Password Strength Minimum Special Characters
Rule    password_require_specials
Ident   CCE-26409-3
Result  fail

Title   Set Password Strength Minimum Lowercase Characters
Rule    password_require_lowercases
Ident   CCE-26631-2
Result  fail

Among others.
I have cracklib configured what I believe is correct (according
to the CCE)
# grep cracklib /etc/pam.d/system-auth-ac
password    requisite     pam_cracklib.so dcredit=-1 ucredit=-1
ocredit=-1 lcredit=-1 difok=4 try_first_pass retry=3 minlen=14 type=
# grep PASS /etc/login.defs

PASS_MAX_DAYS   180
PASS_MIN_DAYS   1
PASS_MIN_LEN    14
PASS_WARN_AGE   7

Any help on what I might be missing here?

Thanks!
Will

Stuff off my people.redhat.com page is just scratch space I use for my own purposes -- demos, builds, etc. *Definitely* don't trust content from there as it's usually a clone of my (often broke) local git tree. And often outdated. Speaking of which, I need to drop in a norobots file....

As for this OVAL, it appears to have been fixed on 18-SEPT: https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/RHEL6/input...

Should be reflected in next RPM update

Cutting an updated RPM now. Give me a few minutes to generate the RPM and put some release notes together. If you need to test *now*, clone from source: https://fedorahosted.org/scap-security-guide/wiki/downloads

On 10/24/13, 1:59 PM, wm-lists wrote:

Thanks Shawn I'll grab the RPM when you get it done and diff it against my xml (I have my own custom rpm for deploying a PCI-DSS standard based on the server profile) Thanks for all the work on this too. this goes a long way towards helping me get compliancy reports!

A PCI-DSS profile would be most welcome within the project! I'll buy you a beer if you start one. Very happy to assist in the commit process.

I'm not kidding.

On 10/24/13, 2:12 PM, wm-lists wrote:

Shawn, Happy to contribute. As I get it together, I'll provide what I have. I have a PCI-DSS QSA onsite for the foreseeable future to validate what I'm doing against the PCI-DSS 2.0 standards (3.0 will be out soon enough)..

If you're willing, as you create your profile, check which OVAL checks you're using have been signed off. The signed off ones will have a line similar to the following, somewhere in the <metadata> tags:

<reference source="DS" ref_id="20130928" ref_url="test_attestation" />

Give the list a shout if/as you find things without signoff. It'll help prioritize OVAL unit testing, especially since we'll know which ones are used within your PCI profile.

I use openscap in conjunction with Red Hat Satellite for reporting purposes to validate in scope systems

How do you manage distributing the SCAP RPMs to the clients? There's been a few writeups about custom RHN channels, dropping the XCCDF into configuration channels, etc.... very interested to see how things are being done in field deployments!

still getting the same result.. oscap xccdf eval --report /var/www/html/report.html --profile server /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance" id="RHEL-6" resolved="1" xml:lang="en-US"> <status date="2013-10-22">draft</status>

Title Set Password Strength Minimum Uppercase Characters Rule password_require_uppercases Ident CCE-26601-5 Result fail

Title Set Password Strength Minimum Special Characters Rule password_require_specials Ident CCE-26409-3 Result fail

Title Set Password Strength Minimum Lowercase Characters Rule password_require_lowercases Ident CCE-26631-2 Result fail

On Thu, Oct 24, 2013 at 1:51 PM, Shawn Wells shawn@redhat.com wrote:

On 10/24/13, 1:29 PM, Jeff Bachtel wrote:

Will,

I'm seeing the same failures using SCC 3.1 (which is DISA's packaging of SSG). I suspect a profile problem (leading to improper external variables possibly being set). What happens when you run the test with profile stig-rhel6-server ?

Actually, checking /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml the "server" profile specifies <refine-value idref="var_password_min_age" selector="7"/> so that's the minimum acceptable with the profile you're using.

But thanks for the email, now I have an idea what might be goobering up on SCC...

Jeff

On Thu, Oct 24, 2013 at 11:40 AM, wm-lists wm-lists@nixpeeps.com wrote:

...

I'm using scap-security-guide-0.1-12.el6.noarch as my source from

http://people.redhat.com/swells/scap-security-guide/rpmbuild/src/redhat/RPMS...

Running oscap xccdf eval --profile server /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml Generates a failure for Title Set Password Minimum Age Rule password_min_age Ident CCE-27013-2 Result fail

Title Set Password Maximum Age Rule password_max_age Ident CCE-26985-2 Result fail

Title Set Password Strength Minimum Uppercase Characters Rule password_require_uppercases Ident CCE-26601-5 Result fail

Title Set Password Strength Minimum Special Characters Rule password_require_specials Ident CCE-26409-3 Result fail

Title Set Password Strength Minimum Lowercase Characters Rule password_require_lowercases Ident CCE-26631-2 Result fail

Among others. I have cracklib configured what I believe is correct (according to the CCE) # grep cracklib /etc/pam.d/system-auth-ac password requisite pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4 try_first_pass retry=3 minlen=14 type= # grep PASS /etc/login.defs

PASS_MAX_DAYS 180 PASS_MIN_DAYS 1 PASS_MIN_LEN 14 PASS_WARN_AGE 7

Any help on what I might be missing here?

Thanks! Will

Stuff off my people.redhat.com page is just scratch space I use for my own purposes -- demos, builds, etc. *Definitely* don't trust content from there as it's usually a clone of my (often broke) local git tree. And often outdated. Speaking of which, I need to drop in a norobots file....

As for this OVAL, it appears to have been fixed on 18-SEPT:

https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/RHEL6/input...

Should be reflected in next RPM update

---

scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

yes mine is different since we use sssd for authentication, the placement of the cracklib is the same though. Switching to your cracklib values, actually caused me to fail more of the categories auth required pam_env.so auth sufficient pam_unix.so try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900 auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900 auth required pam_deny.so

account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4 password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5 password sufficient pam_sss.so use_authtok password required pam_deny.so

session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_oddjob_mkhomedir.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so

I grabbed the zipfile this morning and used it <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance" id="RHEL-6" resolved="1" xml:lang="en-US"> <status date="2013-10-24">draft</status>

On Thu, Oct 24, 2013 at 8:22 PM, Shawn Wells shawn@redhat.com wrote:

On 10/24/13, 2:40 PM, wm-lists wrote:

...

still getting the same result.. oscap xccdf eval --report /var/www/html/report.html --profile server /usr/share/xml/scap/ssg/**content/ssg-rhel6-xccdf.xml

<Benchmark xmlns="http://checklists.nist.**gov/xccdf/1.1<http://checklists.nist.gov/xccdf/1.1>" xmlns:xsi="http://www.w3.org/**2001/XMLSchema-instance<http://www.w3.org/2001/XMLSchema-instance>" id="RHEL-6" resolved="1" xml:lang="en-US"> <status date="2013-10-22">draft</**status>

Title Set Password Strength Minimum Uppercase Characters Rule password_require_uppercases Ident CCE-26601-5 Result fail

Title Set Password Strength Minimum Special Characters Rule password_require_specials Ident CCE-26409-3 Result fail

Title Set Password Strength Minimum Lowercase Characters Rule password_require_lowercases Ident CCE-26631-2 Result fail

These XCCDF names reflect nomenclature from prior releases ;) Try rebasing via yum update or 'git pull' the latest source -- is it still happening?

In case you're still failing here's my /etc/pam.d/system-auth (which passes the checks).... is something different in yours?

...

auth required pam_env.so auth sufficient pam_fprintd.so auth sufficient pam_unix.so try_first_pass auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900 auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900 auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so

account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=5 type= ucredit=-1 lcredit=-1 ocredit=-1 password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok password required pam_deny.so

session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so

______________________________**_________________ scap-security-guide mailing list scap-security-guide@lists.**fedorahosted.orgscap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.**org/mailman/listinfo/scap-**security-guidehttps://lists.fedorahosted.org/mailman/listinfo/scap-security-guide