----- Original Message -----
From: "Maura Dailey" <maura(a)eclipse.ncsc.mil>
To: "Jan Lieskovsky" <jlieskov(a)redhat.com>
Sent: Tuesday, April 1, 2014 7:35:07 PM
> I don't like leaving bugs in place while these decisions are being made.
I can understand this approach (fixing obvious bugs immediately is better than
waiting for an overall concept change, which takes longer / needs a more massive
patch).
> I'd still like to add the missing platform line in, unless you're telling me
> that the final release of RHEL 7 won't have pam_cracklib.so at all, or unless
> you're saying that pam_cracklib.so won't be a supported option for users that
> use the announced upgrade-in-place option. You or Shawn would know better
> than I, seeing as how both modules were apparently written by Red Hat.
The problem with the current state (as far as I understood it from testing)
is the following:
* system administrators are not expected to edit /etc/pam.d/system-auth directly
(from the /etc/pam.d/system-auth file:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.)
but rather to use one of the authconfig, authconfig-tui, authconfig-gtk utilities.
* a new file, /etc/security/pwquality.conf, has been added to RHEL-7; it
controls / enforces expectations on password attributes like difok, minlen, dcredit,
ucredit etc.
* the procedure to fine-tune the "additional" password requirements on RHEL-7
seems to be the following:
1) the user runs authconfig / authconfig-tui / authconfig-gtk as root,
2) clicks on the Password Options tab,
3) specifies Length / Character Classes (or some other option from the offer),
4) clicks the "Apply" button,
5) the change / requirements are written into the /etc/security/pwquality.conf file
instead of being written into /etc/pam.d/system-auth directly,
6) when a user's password change request is issued, pam's pam_pwquality.so module
checks the settings from /etc/security/pwquality.conf and displays a
"Bad Password" message when the provided password does not meet the expected
criteria (for example, requesting minlen=12 and providing a shorter password shows
a message like:
BAD PASSWORD: The password is shorter than 12 characters)
pam_cracklib.so will be in RHEL-7. But direct editing of /etc/pam.d/system-auth
will be an unsupported configuration (since users aren't expected to edit
/etc/pam.d/system-auth directly).
> Alternately, I could submit a patch to move all the pam_cracklib.so
> options back to RHEL 6's check directory until this is sorted out, or,
> if a version of Fedora uses pam_cracklib, I could change all the
> platform lines to read Fedora instead of RHEL 7.
In light of the further information above, the most reasonable approach
(to me) seems to be the following one:
* move the pam_cracklib.so checks back to the RHEL/6 directory,
* create new ones for the RHEL/7 use case - these will need to be created in any
case, since they shouldn't be checking for the presence of options in the
/etc/pam.d/system-auth file, but rather / instead for the presence of the required
values (minlen, difok etc.) in the /etc/security/pwquality.conf file,
* the fact that the current rules also work on RHEL-7 is just a coincidence
(pam_pwquality.so options being similar to pam_cracklib.so ones). But it
brings more confusion than it actually clarifies.
> pam_pwquality.so is obviously geared to be an easy change for sysadmins,
> seeing as how the option names are currently the same. However, if they
> diverge going forward, a universal check might have unexpected behavior.
Yeah, I agree that having a universal check wouldn't be good (in light of the
new facts stated above).
> So I'm leaning a little more towards creating pam_pwquality
> specific checks.
Agreed. Please make a patch moving the original pam_cracklib.so ones back to the
RHEL/6 directory. Then we can create RHEL-7 specific ones honouring / checking the
settings in /etc/security/pwquality.conf.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
> - Maura Dailey
> On 04/01/2014 12:40 PM, Jan Lieskovsky wrote:
> Hello Maura,
>
> ----- Original Message -----
>> From: "Maura Dailey" <maura(a)eclipse.ncsc.mil>
>> Subject: [PATCH] Shared check was missing RHEL 7 platform line
>>
>> Other pam_cracklib shared checks had the required platform field, but the
>> check for difok appears to have been inadvertently skipped.
> I would say instead of storing RHEL-7 as platform into shared pam_cracklib
> oval checks, we should create a RHEL-7 specific / own pam_pwquality
> oriented ones.
>
> In RHEL-7 pam_cracklib has been replaced with pam_pwquality (man
> pw_quality) and while the checks still work, their names:
>
> accounts_password_pam_cracklib_difok.xml
> accounts_password_pam_cracklib_lcredit.xml
> etc.
>
> might be misleading. In my opinion we have two options on how to proceed:
> * either rename the rules (remove the pam_cracklib string from them) and
> make them universal (IOW able to handle both of pam_cracklib &
> pam_pwquality cases).
> Particular rule names in shared/ would become:
>
> accounts_password_pam_difok.xml
> accounts_password_pam_lcredit.xml
> etc.
>
> and in the /etc/pam.d/system-auth pattern match operation section there
> would be just (pam_cracklib | pam_pwquality) options listed as allowed
> after the required / requisite password section,
>
> * or we can keep RHEL-6 pam_cracklib rules intact (as they are now), and
> create new pam_pwquality RHEL-7 specific ones.
>
> Leaving the wider mailing list opinion / thoughts to decide (make a decision)
> which way (or yet some other than the two proposed above?) we want to
> pursue.
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
>> - Maura Dailey
>>
>> Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil>
>> ---
>> .../oval/accounts_password_pam_cracklib_difok.xml | 1 +
>> 1 files changed, 1 insertions(+), 0 deletions(-)
>>
>> diff --git a/shared/oval/accounts_password_pam_cracklib_difok.xml
>> b/shared/oval/accounts_password_pam_cracklib_difok.xml
>> index 80fd21e..62a535a 100644
>> --- a/shared/oval/accounts_password_pam_cracklib_difok.xml
>> +++ b/shared/oval/accounts_password_pam_cracklib_difok.xml
>> @@ -4,6 +4,7 @@
>> <title>Set Password difok Requirements</title>
>> <affected family="unix">
>> <platform>Red Hat Enterprise Linux 6</platform>
>> + <platform>Red Hat Enterprise Linux 7</platform>
>> </affected>
>> <description>The password difok should meet minimum
>> requirements using pam_cracklib</description>
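Review bot: adding `<platform>Red Hat Enterprise Linux 7</platform>` to `<affected>` makes this definition claim to apply to RHEL 7 while the `<description>` two lines below still reads "requirements using pam_cracklib"; RHEL 7 replaces pam_cracklib with pam_pwquality, configured through /etc/security/pwquality.conf, so the definition would be evaluated on a platform whose actual configuration it does not inspect. Either leave the platform line out (keeping the definition RHEL 6 only, as the rest of the thread proposes) or add a separate RHEL 7 definition whose title, description and test refer to pam_pwquality and pwquality.conf.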
>> --
>> 1.7.1
>>
>> _______________________________________________
>> scap-security-guide mailing list
>> scap-security-guide(a)lists.fedorahosted.org
>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
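The RHEL 7 style check described in the thread (verify that the required values such as minlen and difok are present in /etc/security/pwquality.conf, rather than looking for pam_cracklib options in /etc/pam.d/system-auth), written out as an added Python example; it is not part of this thread nor of the scap-security-guide project, which expresses such checks in OVAL. The sample file contents and the required values in `REQUIREMENTS` are constructed assumptions for illustration, not SSG's official thresholds, and the parser treats commented-out defaults (like `# difok = 5`) as not set, which is how pam_pwquality reads the file.

```python
"""Audit /etc/security/pwquality.conf the way a RHEL 7 specific check would:
parse the file and report required settings that are missing or out of range."""
import re

# Constructed sample of what authconfig writes into /etc/security/pwquality.conf
# (not copied from a real system). Note the commented-out 'difok' default.
SAMPLE_PWQUALITY_CONF = """\
# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
# difok = 5
minlen = 12
dcredit = -1
ucredit = -1
  # indented comment
lcredit=-1
ocredit = -1   
"""

# One active setting per line: key, optional whitespace, '=', value.
_LINE_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(\S+)\s*$")


def parse_pwquality_conf(text):
    """Return {key: value} for active settings, ignoring blank and comment lines.
    A commented-out default (e.g. '# difok = 5') is NOT treated as set."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


# Hypothetical policy: ("ge", n) means value must be >= n, ("le", n) means <= n.
# A negative credit value in pwquality.conf means "at least that many characters
# of the class are required", hence the 'le -1' bounds.
REQUIREMENTS = {
    "minlen": ("ge", 12),   # password must be at least 12 characters
    "difok": ("ge", 4),     # characters that must differ from the old password
    "dcredit": ("le", -1),  # at least one digit
    "ucredit": ("le", -1),  # at least one uppercase letter
    "lcredit": ("le", -1),  # at least one lowercase letter
    "ocredit": ("le", -1),  # at least one other (special) character
}


def check_requirements(settings, requirements=REQUIREMENTS):
    """Return a list of (key, reason) failures; an empty list means compliant.
    A key that is absent fails, because pam_pwquality then applies its own
    built-in default rather than the value the policy demands."""
    failures = []
    for key, (op, bound) in requirements.items():
        if key not in settings:
            failures.append((key, "not set in pwquality.conf (library default applies)"))
            continue
        try:
            value = int(settings[key])
        except ValueError:
            failures.append((key, "non-integer value %r" % settings[key]))
            continue
        if op == "ge" and value < bound:
            failures.append((key, "%d is below required minimum %d" % (value, bound)))
        elif op == "le" and value > bound:
            failures.append((key, "%d is above required maximum %d" % (value, bound)))
    return failures


def audit(text):
    """Parse the given pwquality.conf contents and evaluate them against REQUIREMENTS."""
    return check_requirements(parse_pwquality_conf(text))


if __name__ == "__main__":
    # On a real host you would read /etc/security/pwquality.conf instead.
    for key, reason in audit(SAMPLE_PWQUALITY_CONF):
        print("FAIL %s: %s" % (key, reason))
```

Run against the constructed sample, the audit reports only difok as missing: its value is present in the file but commented out, which is exactly the case a check that merely greps for the option name would get wrong.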