remove rule accounts_password_minlen_login_defs from all profiles

Resolves: rhbz#2073040
2022-07-18 11:04:17 +02:00 · 2022-07-18 11:04:17 +02:00 · 38ee77d936
parent 11b3fb7bd6
commit 38ee77d936
2 changed files with 404 additions and 0 deletions
--- a/scap-security-guide-0.1.63-remove_rule_login_defs_min_size-PR_9113.patch
+++ b/scap-security-guide-0.1.63-remove_rule_login_defs_min_size-PR_9113.patch
@ -0,0 +1,402 @@
+From d0ea0f62dcf91041afb6de4d282aa2001cc2a449 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 4 Jul 2022 16:39:06 +0200
+Subject: [PATCH 1/7] remove rule and variable from RHEL9 profiles
+
+---
+ products/rhel9/profiles/ospp.profile | 2 --
+ products/rhel9/profiles/stig.profile | 4 ----
+ 2 files changed, 6 deletions(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index c9e944b32d2..0abd2e4f2ff 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -211,8 +211,6 @@ selections:
+ 
+     ## Configure Minimum Password Length to 12 Characters
+     ## IA-5 (1)(a) / FMT_MOF_EXT.1
+-    - var_accounts_password_minlen_login_defs=12
+-    - accounts_password_minlen_login_defs
+     - var_password_pam_minlen=12
+     - accounts_password_pam_minlen
+ 
+diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
+index 55520623e8c..a130580acc5 100644
+--- a/products/rhel9/profiles/stig.profile
+++ b/products/rhel9/profiles/stig.profile
+@@ -42,7 +42,6 @@ selections:
+     - var_password_pam_remember_control_flag=required
+     - var_selinux_state=enforcing
+     - var_selinux_policy_name=targeted
+-    - var_accounts_password_minlen_login_defs=15
+     - var_password_pam_unix_rounds=5000
+     - var_password_pam_minlen=15
+     - var_password_pam_ocredit=1
+@@ -578,9 +577,6 @@ selections:
+     # RHEL-08-020230
+     - accounts_password_pam_minlen
+ 
+-    # RHEL-08-020231
+-    - accounts_password_minlen_login_defs
+-
+     # RHEL-08-020240
+     - account_unique_id
+ 
+
+From ecbb5502adefc3ad5adffb277334bca2e332a86b Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 4 Jul 2022 16:39:22 +0200
+Subject: [PATCH 2/7] remove rule and variable from RHEL8 profiles
+
+---
+ products/rhel8/profiles/cjis.profile    | 1 -
+ products/rhel8/profiles/ospp.profile    | 2 --
+ products/rhel8/profiles/rht-ccp.profile | 2 --
+ products/rhel8/profiles/stig.profile    | 4 ----
+ 4 files changed, 9 deletions(-)
+
+diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
+index 96e0aaeee79..30843b692ef 100644
+--- a/products/rhel8/profiles/cjis.profile
+++ b/products/rhel8/profiles/cjis.profile
+@@ -63,7 +63,6 @@ selections:
+     - accounts_password_all_shadowed
+     - no_empty_passwords
+     - display_login_attempts
+-    - var_accounts_password_minlen_login_defs=12
+     - var_accounts_maximum_age_login_defs=90
+     - var_password_pam_unix_remember=10
+     - var_account_disable_post_pw_expiration=0
+diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
+index 235ab3dcfad..39ad1797c7a 100644
+--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
+@@ -264,8 +264,6 @@ selections:
+ 
+     ## Configure Minimum Password Length to 12 Characters
+     ## IA-5 (1)(a) / FMT_MOF_EXT.1
+-    - var_accounts_password_minlen_login_defs=12
+-    - accounts_password_minlen_login_defs
+     - var_password_pam_minlen=12
+     - accounts_password_pam_minlen
+ 
+diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
+index 3b747fdecc8..e8e7e3a72f2 100644
+--- a/products/rhel8/profiles/rht-ccp.profile
+++ b/products/rhel8/profiles/rht-ccp.profile
+@@ -14,7 +14,6 @@ selections:
+     - file_owner_logfiles_value=root
+     - file_groupowner_logfiles_value=root
+     - sshd_idle_timeout_value=5_minutes
+-    - var_accounts_password_minlen_login_defs=6
+     - var_accounts_minimum_age_login_defs=7
+     - var_accounts_passwords_pam_faillock_deny=5
+     - var_accounts_password_warn_age_login_defs=7
+@@ -43,7 +42,6 @@ selections:
+     - no_empty_passwords
+     - accounts_password_all_shadowed
+     - accounts_no_uid_except_zero
+-    - accounts_password_minlen_login_defs
+     - accounts_minimum_age_login_defs
+     - accounts_password_warn_age_login_defs
+     - accounts_password_pam_retry
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index e6923824c79..9fb371d701a 100644
+--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
+@@ -41,7 +41,6 @@ selections:
+     - var_password_pam_remember_control_flag=required
+     - var_selinux_state=enforcing
+     - var_selinux_policy_name=targeted
+-    - var_accounts_password_minlen_login_defs=15
+     - var_password_pam_unix_rounds=5000
+     - var_password_pam_minlen=15
+     - var_password_pam_ocredit=1
+@@ -607,9 +606,6 @@ selections:
+     # RHEL-08-020230
+     - accounts_password_pam_minlen
+ 
+-    # RHEL-08-020231
+-    - accounts_password_minlen_login_defs
+-
+     # RHEL-08-020240
+     - account_unique_id
+ 
+
+From 38897e5e5ff44cc442aa3b0a7e8046c42547fafd Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 4 Jul 2022 16:39:37 +0200
+Subject: [PATCH 3/7] remove rule and variable from RHEL7 profiles
+
+---
+ products/rhel7/profiles/cjis.profile       | 1 -
+ products/rhel7/profiles/ncp.profile        | 1 -
+ products/rhel7/profiles/ospp.profile       | 2 --
+ products/rhel7/profiles/rhelh-stig.profile | 2 --
+ products/rhel7/profiles/rht-ccp.profile    | 2 --
+ 5 files changed, 8 deletions(-)
+
+diff --git a/products/rhel7/profiles/cjis.profile b/products/rhel7/profiles/cjis.profile
+index 35bc9c27ee7..fceccdac77d 100644
+--- a/products/rhel7/profiles/cjis.profile
+++ b/products/rhel7/profiles/cjis.profile
+@@ -63,7 +63,6 @@ selections:
+     - accounts_password_all_shadowed
+     - no_empty_passwords
+     - display_login_attempts
+-    - var_accounts_password_minlen_login_defs=12
+     - var_accounts_maximum_age_login_defs=90
+     - var_password_pam_unix_remember=10
+     - var_account_disable_post_pw_expiration=0
+diff --git a/products/rhel7/profiles/ncp.profile b/products/rhel7/profiles/ncp.profile
+index db7fa8ff7b9..4761a6cebc2 100644
+--- a/products/rhel7/profiles/ncp.profile
+++ b/products/rhel7/profiles/ncp.profile
+@@ -285,7 +285,6 @@ selections:
+     - var_account_disable_post_pw_expiration=35
+     - var_accounts_maximum_age_login_defs=60
+     - var_accounts_minimum_age_login_defs=7
+-    - var_accounts_password_minlen_login_defs=6
+     - var_accounts_password_warn_age_login_defs=7
+     - var_accounts_tmout=10_min
+     - var_password_pam_difok=8
+diff --git a/products/rhel7/profiles/ospp.profile b/products/rhel7/profiles/ospp.profile
+index 0d84cec4fb0..2ab41bad0bc 100644
+--- a/products/rhel7/profiles/ospp.profile
+++ b/products/rhel7/profiles/ospp.profile
+@@ -180,8 +180,6 @@ selections:
+ 
+     ## Configure Minimum Password Length to 12 Characters
+     ## IA-5 (1)(a) / FMT_MOF_EXT.1
+-    - var_accounts_password_minlen_login_defs=12
+-    - accounts_password_minlen_login_defs
+     - var_password_pam_minlen=12
+     - accounts_password_pam_minlen
+ 
+diff --git a/products/rhel7/profiles/rhelh-stig.profile b/products/rhel7/profiles/rhelh-stig.profile
+index 98be35b146e..13c175d5b80 100644
+--- a/products/rhel7/profiles/rhelh-stig.profile
+++ b/products/rhel7/profiles/rhelh-stig.profile
+@@ -13,7 +13,6 @@ selections:
+     - inactivity_timeout_value=15_minutes
+     - var_password_pam_minlen=15
+     - accounts_password_pam_minlen
+-    - accounts_password_minlen_login_defs
+     - var_password_pam_ocredit=1
+     - accounts_password_pam_ocredit
+     - var_password_pam_dcredit=1
+@@ -330,7 +329,6 @@ selections:
+     - var_accounts_max_concurrent_login_sessions=10
+     - var_accounts_maximum_age_login_defs=60
+     - var_accounts_minimum_age_login_defs=7
+-    - var_accounts_password_minlen_login_defs=6
+     - var_accounts_password_warn_age_login_defs=7
+     - var_accounts_tmout=10_min
+     - var_password_pam_difok=8
+diff --git a/products/rhel7/profiles/rht-ccp.profile b/products/rhel7/profiles/rht-ccp.profile
+index 13f79781d6e..12a3a25013a 100644
+--- a/products/rhel7/profiles/rht-ccp.profile
+++ b/products/rhel7/profiles/rht-ccp.profile
+@@ -14,7 +14,6 @@ selections:
+     - file_owner_logfiles_value=root
+     - file_groupowner_logfiles_value=root
+     - sshd_idle_timeout_value=5_minutes
+-    - var_accounts_password_minlen_login_defs=6
+     - var_accounts_minimum_age_login_defs=7
+     - var_accounts_passwords_pam_faillock_deny=5
+     - var_accounts_password_warn_age_login_defs=7
+@@ -43,7 +42,6 @@ selections:
+     - no_empty_passwords
+     - accounts_password_all_shadowed
+     - accounts_no_uid_except_zero
+-    - accounts_password_minlen_login_defs
+     - accounts_minimum_age_login_defs
+     - accounts_password_warn_age_login_defs
+     - accounts_password_pam_retry
+
+From f513f5c2ce4d799a64c0535174aba21fbb5bd958 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 4 Jul 2022 16:39:51 +0200
+Subject: [PATCH 4/7] remove rule and variable from Fedora profiles
+
+---
+ products/fedora/profiles/ospp.profile     | 1 -
+ products/fedora/profiles/standard.profile | 2 --
+ 2 files changed, 3 deletions(-)
+
+diff --git a/products/fedora/profiles/ospp.profile b/products/fedora/profiles/ospp.profile
+index 49bb4bf8529..42a17b419a2 100644
+--- a/products/fedora/profiles/ospp.profile
+++ b/products/fedora/profiles/ospp.profile
+@@ -29,7 +29,6 @@ selections:
+     - var_selinux_state=enforcing
+     - var_password_pam_minlen=12
+     - accounts_password_pam_minlen
+-    - accounts_password_minlen_login_defs
+     - var_password_pam_ocredit=1
+     - accounts_password_pam_ocredit
+     - var_password_pam_dcredit=1
+diff --git a/products/fedora/profiles/standard.profile b/products/fedora/profiles/standard.profile
+index 37087083996..ffd385fb7ce 100644
+--- a/products/fedora/profiles/standard.profile
+++ b/products/fedora/profiles/standard.profile
+@@ -26,8 +26,6 @@ selections:
+     - accounts_password_all_shadowed
+     - gid_passwd_group_same
+     - no_netrc_files
+-    - var_accounts_password_minlen_login_defs=12
+-    - accounts_password_minlen_login_defs
+     - var_accounts_minimum_age_login_defs=7
+     - accounts_minimum_age_login_defs
+     - var_accounts_maximum_age_login_defs=90
+
+From 8dc814b2ae523c13fa6ed117e5b4e1e78b813f8c Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 4 Jul 2022 16:40:06 +0200
+Subject: [PATCH 5/7] remove rule and variable from control files
+
+---
+ controls/anssi.yml                             | 3 ---
+ controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml | 2 --
+ controls/stig_rhel8.yml                        | 4 +---
+ 3 files changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/controls/anssi.yml b/controls/anssi.yml
+index 549ae2994ca..ed840cc5292 100644
+--- a/controls/anssi.yml
+++ b/controls/anssi.yml
+@@ -343,9 +343,6 @@ controls:
+     # Ensure passwords with minimum of 18 characters
+     - var_password_pam_minlen=18
+     - accounts_password_pam_minlen
+-    # Enforce password lenght for new accounts
+-    - var_accounts_password_minlen_login_defs=18
+-    - accounts_password_minlen_login_defs
+     # Require at Least 1 Special Character in Password
+     - var_password_pam_ocredit=1
+     - accounts_password_pam_ocredit
+diff --git a/controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml b/controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml
+index 85ae75210ba..ed2aa7ed196 100644
+--- a/controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml
+++ b/controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml
+@@ -6,7 +6,5 @@ controls:
+         rules:
+             - accounts_password_pam_enforce_root
+             - accounts_password_pam_minlen
+-            - accounts_password_minlen_login_defs
+             - var_password_pam_minlen=15
+-            - var_accounts_password_minlen_login_defs=15
+         status: automated
+diff --git a/controls/stig_rhel8.yml b/controls/stig_rhel8.yml
+index 4e2d27c3910..d866b194a0f 100644
+--- a/controls/stig_rhel8.yml
+++ b/controls/stig_rhel8.yml
+@@ -1140,9 +1140,7 @@ controls:
+         levels:
+             - medium
+         title: RHEL 8 passwords for new users must have a minimum of 15 characters.
+-        rules:
+-            - accounts_password_minlen_login_defs
+-        status: automated
+        status: inherently met
+     -   id: RHEL-08-020240
+         levels:
+             - medium
+
+From 23b296d8428d6e8f9dd16cf7b0c37a469f904ce8 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 4 Jul 2022 16:41:15 +0200
+Subject: [PATCH 6/7] update profile stability tests
+
+---
+ tests/data/profile_stability/rhel8/ospp.profile     | 2 --
+ tests/data/profile_stability/rhel8/stig.profile     | 2 --
+ tests/data/profile_stability/rhel8/stig_gui.profile | 2 --
+ 3 files changed, 6 deletions(-)
+
+diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
+index 5757acf030e..5d73a8c6fef 100644
+--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
+@@ -23,7 +23,6 @@ metadata:
+ reference: https://www.niap-ccevs.org/Profile/PP.cfm
+ selections:
+ - accounts_max_concurrent_login_sessions
+-- accounts_password_minlen_login_defs
+ - accounts_password_pam_dcredit
+ - accounts_password_pam_difok
+ - accounts_password_pam_lcredit
+@@ -248,7 +247,6 @@ selections:
+ - var_selinux_state=enforcing
+ - var_selinux_policy_name=targeted
+ - var_system_crypto_policy=fips_ospp
+-- var_accounts_password_minlen_login_defs=12
+ - var_password_pam_minlen=12
+ - var_password_pam_ocredit=1
+ - var_password_pam_dcredit=1
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index 5a304768288..9c9ceae6b2c 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -42,7 +42,6 @@ selections:
+ - accounts_minimum_age_login_defs
+ - accounts_no_uid_except_zero
+ - accounts_password_all_shadowed_sha512
+-- accounts_password_minlen_login_defs
+ - accounts_password_pam_dcredit
+ - accounts_password_pam_dictcheck
+ - accounts_password_pam_difok
+@@ -429,7 +428,6 @@ selections:
+ - var_password_pam_remember_control_flag=required
+ - var_selinux_state=enforcing
+ - var_selinux_policy_name=targeted
+-- var_accounts_password_minlen_login_defs=15
+ - var_password_pam_unix_rounds=5000
+ - var_password_pam_minlen=15
+ - var_password_pam_ocredit=1
+diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
+index 98bfa495ad1..f6a66f6069b 100644
+--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
+@@ -53,7 +53,6 @@ selections:
+ - accounts_minimum_age_login_defs
+ - accounts_no_uid_except_zero
+ - accounts_password_all_shadowed_sha512
+-- accounts_password_minlen_login_defs
+ - accounts_password_pam_dcredit
+ - accounts_password_pam_dictcheck
+ - accounts_password_pam_difok
+@@ -437,7 +436,6 @@ selections:
+ - var_password_pam_remember_control_flag=required
+ - var_selinux_state=enforcing
+ - var_selinux_policy_name=targeted
+-- var_accounts_password_minlen_login_defs=15
+ - var_password_pam_unix_rounds=5000
+ - var_password_pam_minlen=15
+ - var_password_pam_ocredit=1
+
+From 0763b1aa2a5e4ee043d0ff2e30ef71d122d58e0d Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 4 Jul 2022 16:41:33 +0200
+Subject: [PATCH 7/7] remove no longer applicable references from the rule
+
+---
+ .../accounts_password_minlen_login_defs/rule.yml                | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
+index 49a7816b8cc..fdd851043bc 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
+@@ -45,10 +45,8 @@ references:
+     iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
+     nist: IA-5(f),IA-5(1)(a),CM-6(a)
+     nist-csf: PR.AC-1,PR.AC-6,PR.AC-7
+-    ospp: FMT_MOF_EXT.1
+     srg: SRG-OS-000078-GPOS-00046
+     stigid@ol8: OL08-00-020231
+-    stigid@rhel8: RHEL-08-020231
+ 
+ ocil_clause: 'it is not set to the required value'
+ 
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@ -32,6 +32,7 @@ Patch4:                scap-security-guide-0.1.63-remove_network_sysctl_rules-PR
 Patch5:                scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch
 Patch6:                scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch
 Patch7:                scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch
+Patch8:                scap-security-guide-0.1.63-remove_rule_login_defs_min_size-PR_9113.patch

 %description
 The scap-security-guide project provides a guide for configuration of the
@ -115,6 +116,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 - Remove some sysctl rules  related to network from RHEL9 OSPP (RHBZ#2081708)
 - Add rule to check if Grub2 recovery is disabled to RHEL9 OSPP (RHBZ#2092809)
 - Add rule grub2_systemd_debug-shell_argument_absent (RHBZ#2092840)
+- Remove rule accounts_password_minlen_login_defs from all profiles (RHBZ#2073040)

 * Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
 - Rebase to a new upstream release (RHBZ#2070563)