A check and a fix for testing a password algorithm of minclass for cracklib in /etc/pam.d/system-auth pam_cracklib.so minclass=3
Brian Millett (1): A check and fix for minclass password checking option
.../accounts_password_minclass_login_defs.xml | 43 ++++++++++++++++++++++ .../fixes/bash/password_require_minimun_class.sh | 6 +++ 2 files changed, 49 insertions(+) create mode 100644 RHEL6/input/checks/accounts_password_minclass_login_defs.xml create mode 100644 RHEL6/input/fixes/bash/password_require_minimun_class.sh
Signed-off-by: Brian Millett bmillett@gmail.com --- .../accounts_password_minclass_login_defs.xml | 43 ++++++++++++++++++++++ .../fixes/bash/password_require_minimun_class.sh | 6 +++ 2 files changed, 49 insertions(+) create mode 100644 RHEL6/input/checks/accounts_password_minclass_login_defs.xml create mode 100644 RHEL6/input/fixes/bash/password_require_minimun_class.sh
diff --git a/RHEL6/input/checks/accounts_password_minclass_login_defs.xml b/RHEL6/input/checks/accounts_password_minclass_login_defs.xml
new file mode 100644
index 0000000..539164b
--- /dev/null
+++ b/RHEL6/input/checks/accounts_password_minclass_login_defs.xml
@@ -0,0 +1,43 @@
+<def-group>
+ <definition class="compliance" id="accounts_password_pam_cracklib_minclass" version="1">
+ <metadata>
+ <title>Set Password minclass Requirements</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The password minclass should meet minimum
+ requirements using pam_cracklib</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Conditions for minclass are satisfied"
+ test_ref="test_password_pam_cracklib_minclass" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all"
+ comment="check the configuration of /etc/pam.d/system-auth"
+ id="test_password_pam_cracklib_minclass" version="1">
+ <ind:object object_ref="obj_password_pam_cracklib_minclass" />
+ <ind:state state_ref="state_password_pam_cracklib_minclass" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_state id="state_password_pam_cracklib_minclass"
+ version="1">
+ <ind:instance datatype="int">1</ind:instance>
+ <ind:subexpression datatype="int"
+ operation="less than or equal"
+ var_ref="var_password_pam_cracklib_minclass" />
+ </ind:textfilecontent54_state>
+
+ <external_variable comment="External variable for pam_cracklib minclass"
+ datatype="int" id="var_password_pam_cracklib_minclass"
+ version="1" />
+
+ <ind:textfilecontent54_object id="obj_password_pam_cracklib_minclass"
+ version="1">
+ ind:path/etc/pam.d</ind:path>
+ ind:filenamesystem-auth</ind:filename>
+ <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_.-=\s]+[\s]minclass=(-?\d+)(?:[\s]|$)</ind:pattern>
+ <ind:instance datatype="int" operation="less than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/RHEL6/input/fixes/bash/password_require_minimun_class.sh b/RHEL6/input/fixes/bash/password_require_minimun_class.sh
new file mode 100644
index 0000000..127c004
--- /dev/null
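Review bot: The state's `operation="less than or equal"` on the subexpression lets a weaker setting pass: if OVAL compares the captured value against the variable as item-op-state, a configured `minclass=1` satisfies the state when the variable is 3, which is the opposite of a minimum; it should read `<ind:subexpression datatype="int" operation="greater than or equal" var_ref="var_password_pam_cracklib_minclass" />`. The pattern's character class `[\w_.-=\s]` also treats `.-=` as a range (`.` through `=`), which does not contain a literal `-`, so a pam_cracklib line that carries a negative option such as `dcredit=-1` before `minclass=` would never match and the test would report no item; move the hyphen to the end, `[\w.=\s-]+`. The object's `ind:path/etc/pam.d</ind:path>` and `ind:filenamesystem-auth</ind:filename>` lines are missing their opening tags as shown here — this may be how the list archive rendered them, but if the file really reads this way it is not well-formed and should be `<ind:path>/etc/pam.d</ind:path>` and `<ind:filename>system-auth</ind:filename>`.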
+++ b/RHEL6/input/fixes/bash/password_require_minimun_class.sh
@@ -0,0 +1,6 @@
+grep -q minclass /etc/pam.d/system-auth
+if [ $? = "0" ]; then
+ sed --follow-symlinks -i "/pam_cracklib.so/s/minclass=[0-4]/minclass=3/" /etc/pam.d/system-auth
+else
+ sed --follow-symlinks -i "/pam_cracklib.so/s/pam_cracklib.so /pam_cracklib.so minclass=3 /" /etc/pam.d/system-auth
+fi
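Review bot: The substitution `s/minclass=[0-4]/minclass=3/` on the third line rewrites only the first digit, so an existing `minclass=10` becomes `minclass=30` and any value of 5 or more is left untouched; match the whole number instead, `s/minclass=[0-9]*/minclass=3/`. The `grep -q minclass` on the first line is not tied to the pam_cracklib.so line either, so a `minclass` in a comment or on another module's line takes the first branch and the option is never added; test the same line the sed edits, `if grep -q '^[[:space:]]*password.*pam_cracklib\.so.*minclass=' /etc/pam.d/system-auth; then`. The else branch's `pam_cracklib.so ` pattern requires a trailing space, so a line that ends right after the module name is not changed. The value 3 is hard-coded rather than taken from the `var_password_pam_cracklib_minclass` variable the companion check declares, so the fix and the check can disagree on what "compliant" means. The new file's name spells `minimun`; `minimum` would avoid a misleading path.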