A check and a fix for the pam_cracklib minclass password option in
/etc/pam.d/system-auth:
pam_cracklib.so minclass=3
Brian Millett (1):
A check and fix for minclass password checking option
.../accounts_password_minclass_login_defs.xml | 43 ++++++++++++++++++++++
.../fixes/bash/password_require_minimun_class.sh | 6 +++
2 files changed, 49 insertions(+)
create mode 100644 RHEL6/input/checks/accounts_password_minclass_login_defs.xml
create mode 100644 RHEL6/input/fixes/bash/password_require_minimun_class.sh
--
1.8.2.1
Signed-off-by: Brian Millett <bmillett(a)gmail.com>
---
.../accounts_password_minclass_login_defs.xml | 43 ++++++++++++++++++++++
.../fixes/bash/password_require_minimun_class.sh | 6 +++
2 files changed, 49 insertions(+)
create mode 100644 RHEL6/input/checks/accounts_password_minclass_login_defs.xml
create mode 100644 RHEL6/input/fixes/bash/password_require_minimun_class.sh
diff --git a/RHEL6/input/checks/accounts_password_minclass_login_defs.xml
b/RHEL6/input/checks/accounts_password_minclass_login_defs.xml
new file mode 100644
index 0000000..539164b
--- /dev/null
+++ b/RHEL6/input/checks/accounts_password_minclass_login_defs.xml
@@ -0,0 +1,43 @@
+<def-group>
+ <definition class="compliance"
id="accounts_password_pam_cracklib_minclass" version="1">
+ <metadata>
+ <title>Set Password minclass Requirements</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The password minclass should meet minimum
+ requirements using pam_cracklib</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Conditions for minclass are satisfied"
+ test_ref="test_password_pam_cracklib_minclass" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all"
+ comment="check the configuration of
/etc/pam.d/system-auth"
+ id="test_password_pam_cracklib_minclass"
version="1">
+ <ind:object object_ref="obj_password_pam_cracklib_minclass" />
+ <ind:state state_ref="state_password_pam_cracklib_minclass" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_state id="state_password_pam_cracklib_minclass"
+ version="1">
+ <ind:instance datatype="int">1</ind:instance>
+ <ind:subexpression datatype="int"
+ operation="less than or equal"
+ var_ref="var_password_pam_cracklib_minclass" />
+ </ind:textfilecontent54_state>
+
+ <external_variable comment="External variable for pam_cracklib minclass"
+ datatype="int"
id="var_password_pam_cracklib_minclass"
+ version="1" />
+
+ <ind:textfilecontent54_object id="obj_password_pam_cracklib_minclass"
+ version="1">
+ <ind:path>/etc/pam.d</ind:path>
+ <ind:filename>system-auth</ind:filename>
+ <ind:pattern operation="pattern
match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]minclass=(-?\d+)(?:[\s]|$)</ind:pattern>
+ <ind:instance datatype="int" operation="less than or
equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
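Review bot: The `operation="less than or equal"` on `ind:subexpression` in `state_password_pam_cracklib_minclass` looks inverted for minclass. OVAL compares the collected value against the state value, so as written a configured minclass at or below `var_password_pam_cracklib_minclass` satisfies the test and a stricter setting fails it; because a larger minclass demands more character classes, the comparison should be `operation="greater than or equal"`. The `-?` in the capture group `(-?\d+)` also admits negative values, which fits the credit options (dcredit, ucredit) rather than minclass, so `(\d+)` would be tighter. Separately, the file is named `accounts_password_minclass_login_defs.xml` although it inspects /etc/pam.d/system-auth, not login.defs.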
diff --git a/RHEL6/input/fixes/bash/password_require_minimun_class.sh
b/RHEL6/input/fixes/bash/password_require_minimun_class.sh
new file mode 100644
index 0000000..127c004
--- /dev/null
+++ b/RHEL6/input/fixes/bash/password_require_minimun_class.sh
@@ -0,0 +1,6 @@
+grep -q minclass /etc/pam.d/system-auth
+if [ $? = "0" ]; then
+ sed --follow-symlinks -i "/pam_cracklib.so/s/minclass=[0-4]/minclass=3/"
/etc/pam.d/system-auth
+else
+ sed --follow-symlinks -i "/pam_cracklib.so/s/pam_cracklib.so /pam_cracklib.so
minclass=3 /" /etc/pam.d/system-auth
+fi
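Review bot: The `grep -q minclass` guard matches the word anywhere in /etc/pam.d/system-auth, including a comment or another module's line, and in that case the first sed finds nothing to replace on the pam_cracklib.so line and the option is never added. Tying the test to the module line avoids that: `if grep -q 'pam_cracklib\.so.*minclass=' /etc/pam.d/system-auth; then`. The substitution `minclass=[0-4]` also rewrites an existing `minclass=4` down to 3, weakening a stricter configuration, and would turn a multi-digit value into e.g. `30`; matching `minclass=[0-9]*` and replacing only when the current value is below the target would be safer. The value 3 is hard-coded here while the check compares against `var_password_pam_cracklib_minclass`, so the two can disagree.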
--
1.8.2.1