diff --git a/scap-security-guide-0.1.63-remove_rule_login_defs_min_size-PR_9113.patch b/scap-security-guide-0.1.63-remove_rule_login_defs_min_size-PR_9113.patch
new file mode 100644
index 0000000..310fb32
--- /dev/null
+++ b/scap-security-guide-0.1.63-remove_rule_login_defs_min_size-PR_9113.patch
@@ -0,0 +1,402 @@ +From d0ea0f62dcf91041afb6de4d282aa2001cc2a449 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 4 Jul 2022 16:39:06 +0200 +Subject: [PATCH 1/7] remove rule and variable from RHEL9 profiles + +--- + products/rhel9/profiles/ospp.profile | 2 -- + products/rhel9/profiles/stig.profile | 4 ---- + 2 files changed, 6 deletions(-) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index c9e944b32d2..0abd2e4f2ff 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -211,8 +211,6 @@ selections: + + ## Configure Minimum Password Length to 12 Characters + ## IA-5 (1)(a) / FMT_MOF_EXT.1 +- - var_accounts_password_minlen_login_defs=12 +- - accounts_password_minlen_login_defs + - var_password_pam_minlen=12 + - accounts_password_pam_minlen + +diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile +index 55520623e8c..a130580acc5 100644 +--- a/products/rhel9/profiles/stig.profile ++++ b/products/rhel9/profiles/stig.profile +@@ -42,7 +42,6 @@ selections: + - var_password_pam_remember_control_flag=required + - var_selinux_state=enforcing + - var_selinux_policy_name=targeted +- - var_accounts_password_minlen_login_defs=15 + - var_password_pam_unix_rounds=5000 + - var_password_pam_minlen=15 + - var_password_pam_ocredit=1 +@@ -578,9 +577,6 @@ selections: + # RHEL-08-020230 + - accounts_password_pam_minlen + +- # RHEL-08-020231 +- - accounts_password_minlen_login_defs +- + # RHEL-08-020240 + - account_unique_id + + +From ecbb5502adefc3ad5adffb277334bca2e332a86b Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 4 Jul 2022 16:39:22 +0200 +Subject: [PATCH 2/7] remove rule and variable from RHEL8 profiles + +--- + products/rhel8/profiles/cjis.profile | 1 - + products/rhel8/profiles/ospp.profile | 2 -- + products/rhel8/profiles/rht-ccp.profile | 2 -- + products/rhel8/profiles/stig.profile | 4 ---- + 4 files changed, 9 deletions(-) + 
+diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile +index 96e0aaeee79..30843b692ef 100644 +--- a/products/rhel8/profiles/cjis.profile ++++ b/products/rhel8/profiles/cjis.profile +@@ -63,7 +63,6 @@ selections: + - accounts_password_all_shadowed + - no_empty_passwords + - display_login_attempts +- - var_accounts_password_minlen_login_defs=12 + - var_accounts_maximum_age_login_defs=90 + - var_password_pam_unix_remember=10 + - var_account_disable_post_pw_expiration=0 +diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile +index 235ab3dcfad..39ad1797c7a 100644 +--- a/products/rhel8/profiles/ospp.profile ++++ b/products/rhel8/profiles/ospp.profile +@@ -264,8 +264,6 @@ selections: + + ## Configure Minimum Password Length to 12 Characters + ## IA-5 (1)(a) / FMT_MOF_EXT.1 +- - var_accounts_password_minlen_login_defs=12 +- - accounts_password_minlen_login_defs + - var_password_pam_minlen=12 + - accounts_password_pam_minlen + +diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile +index 3b747fdecc8..e8e7e3a72f2 100644 +--- a/products/rhel8/profiles/rht-ccp.profile ++++ b/products/rhel8/profiles/rht-ccp.profile +@@ -14,7 +14,6 @@ selections: + - file_owner_logfiles_value=root + - file_groupowner_logfiles_value=root + - sshd_idle_timeout_value=5_minutes +- - var_accounts_password_minlen_login_defs=6 + - var_accounts_minimum_age_login_defs=7 + - var_accounts_passwords_pam_faillock_deny=5 + - var_accounts_password_warn_age_login_defs=7 +@@ -43,7 +42,6 @@ selections: + - no_empty_passwords + - accounts_password_all_shadowed + - accounts_no_uid_except_zero +- - accounts_password_minlen_login_defs + - accounts_minimum_age_login_defs + - accounts_password_warn_age_login_defs + - accounts_password_pam_retry +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index e6923824c79..9fb371d701a 100644 +--- 
a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -41,7 +41,6 @@ selections: + - var_password_pam_remember_control_flag=required + - var_selinux_state=enforcing + - var_selinux_policy_name=targeted +- - var_accounts_password_minlen_login_defs=15 + - var_password_pam_unix_rounds=5000 + - var_password_pam_minlen=15 + - var_password_pam_ocredit=1 +@@ -607,9 +606,6 @@ selections: + # RHEL-08-020230 + - accounts_password_pam_minlen + +- # RHEL-08-020231 +- - accounts_password_minlen_login_defs +- + # RHEL-08-020240 + - account_unique_id + + +From 38897e5e5ff44cc442aa3b0a7e8046c42547fafd Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 4 Jul 2022 16:39:37 +0200 +Subject: [PATCH 3/7] remove rule and variable from RHEL7 profiles + +--- + products/rhel7/profiles/cjis.profile | 1 - + products/rhel7/profiles/ncp.profile | 1 - + products/rhel7/profiles/ospp.profile | 2 -- + products/rhel7/profiles/rhelh-stig.profile | 2 -- + products/rhel7/profiles/rht-ccp.profile | 2 -- + 5 files changed, 8 deletions(-) + +diff --git a/products/rhel7/profiles/cjis.profile b/products/rhel7/profiles/cjis.profile +index 35bc9c27ee7..fceccdac77d 100644 +--- a/products/rhel7/profiles/cjis.profile ++++ b/products/rhel7/profiles/cjis.profile +@@ -63,7 +63,6 @@ selections: + - accounts_password_all_shadowed + - no_empty_passwords + - display_login_attempts +- - var_accounts_password_minlen_login_defs=12 + - var_accounts_maximum_age_login_defs=90 + - var_password_pam_unix_remember=10 + - var_account_disable_post_pw_expiration=0 +diff --git a/products/rhel7/profiles/ncp.profile b/products/rhel7/profiles/ncp.profile +index db7fa8ff7b9..4761a6cebc2 100644 +--- a/products/rhel7/profiles/ncp.profile ++++ b/products/rhel7/profiles/ncp.profile +@@ -285,7 +285,6 @@ selections: + - var_account_disable_post_pw_expiration=35 + - var_accounts_maximum_age_login_defs=60 + - var_accounts_minimum_age_login_defs=7 +- - var_accounts_password_minlen_login_defs=6 + - 
var_accounts_password_warn_age_login_defs=7 + - var_accounts_tmout=10_min + - var_password_pam_difok=8 +diff --git a/products/rhel7/profiles/ospp.profile b/products/rhel7/profiles/ospp.profile +index 0d84cec4fb0..2ab41bad0bc 100644 +--- a/products/rhel7/profiles/ospp.profile ++++ b/products/rhel7/profiles/ospp.profile +@@ -180,8 +180,6 @@ selections: + + ## Configure Minimum Password Length to 12 Characters + ## IA-5 (1)(a) / FMT_MOF_EXT.1 +- - var_accounts_password_minlen_login_defs=12 +- - accounts_password_minlen_login_defs + - var_password_pam_minlen=12 + - accounts_password_pam_minlen + +diff --git a/products/rhel7/profiles/rhelh-stig.profile b/products/rhel7/profiles/rhelh-stig.profile +index 98be35b146e..13c175d5b80 100644 +--- a/products/rhel7/profiles/rhelh-stig.profile ++++ b/products/rhel7/profiles/rhelh-stig.profile +@@ -13,7 +13,6 @@ selections: + - inactivity_timeout_value=15_minutes + - var_password_pam_minlen=15 + - accounts_password_pam_minlen +- - accounts_password_minlen_login_defs + - var_password_pam_ocredit=1 + - accounts_password_pam_ocredit + - var_password_pam_dcredit=1 +@@ -330,7 +329,6 @@ selections: + - var_accounts_max_concurrent_login_sessions=10 + - var_accounts_maximum_age_login_defs=60 + - var_accounts_minimum_age_login_defs=7 +- - var_accounts_password_minlen_login_defs=6 + - var_accounts_password_warn_age_login_defs=7 + - var_accounts_tmout=10_min + - var_password_pam_difok=8 +diff --git a/products/rhel7/profiles/rht-ccp.profile b/products/rhel7/profiles/rht-ccp.profile +index 13f79781d6e..12a3a25013a 100644 +--- a/products/rhel7/profiles/rht-ccp.profile ++++ b/products/rhel7/profiles/rht-ccp.profile +@@ -14,7 +14,6 @@ selections: + - file_owner_logfiles_value=root + - file_groupowner_logfiles_value=root + - sshd_idle_timeout_value=5_minutes +- - var_accounts_password_minlen_login_defs=6 + - var_accounts_minimum_age_login_defs=7 + - var_accounts_passwords_pam_faillock_deny=5 + - var_accounts_password_warn_age_login_defs=7 +@@ 
-43,7 +42,6 @@ selections: + - no_empty_passwords + - accounts_password_all_shadowed + - accounts_no_uid_except_zero +- - accounts_password_minlen_login_defs + - accounts_minimum_age_login_defs + - accounts_password_warn_age_login_defs + - accounts_password_pam_retry + +From f513f5c2ce4d799a64c0535174aba21fbb5bd958 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 4 Jul 2022 16:39:51 +0200 +Subject: [PATCH 4/7] remove rule and variable from Fedora profiles + +--- + products/fedora/profiles/ospp.profile | 1 - + products/fedora/profiles/standard.profile | 2 -- + 2 files changed, 3 deletions(-) + +diff --git a/products/fedora/profiles/ospp.profile b/products/fedora/profiles/ospp.profile +index 49bb4bf8529..42a17b419a2 100644 +--- a/products/fedora/profiles/ospp.profile ++++ b/products/fedora/profiles/ospp.profile +@@ -29,7 +29,6 @@ selections: + - var_selinux_state=enforcing + - var_password_pam_minlen=12 + - accounts_password_pam_minlen +- - accounts_password_minlen_login_defs + - var_password_pam_ocredit=1 + - accounts_password_pam_ocredit + - var_password_pam_dcredit=1 +diff --git a/products/fedora/profiles/standard.profile b/products/fedora/profiles/standard.profile +index 37087083996..ffd385fb7ce 100644 +--- a/products/fedora/profiles/standard.profile ++++ b/products/fedora/profiles/standard.profile +@@ -26,8 +26,6 @@ selections: + - accounts_password_all_shadowed + - gid_passwd_group_same + - no_netrc_files +- - var_accounts_password_minlen_login_defs=12 +- - accounts_password_minlen_login_defs + - var_accounts_minimum_age_login_defs=7 + - accounts_minimum_age_login_defs + - var_accounts_maximum_age_login_defs=90 + +From 8dc814b2ae523c13fa6ed117e5b4e1e78b813f8c Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 4 Jul 2022 16:40:06 +0200 +Subject: [PATCH 5/7] remove rule and variable from control files + +--- + controls/anssi.yml | 3 --- + controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml | 2 -- + controls/stig_rhel8.yml | 4 +--- + 3 files 
changed, 1 insertion(+), 8 deletions(-) + +diff --git a/controls/anssi.yml b/controls/anssi.yml +index 549ae2994ca..ed840cc5292 100644 +--- a/controls/anssi.yml ++++ b/controls/anssi.yml +@@ -343,9 +343,6 @@ controls: + # Ensure passwords with minimum of 18 characters + - var_password_pam_minlen=18 + - accounts_password_pam_minlen +- # Enforce password lenght for new accounts +- - var_accounts_password_minlen_login_defs=18 +- - accounts_password_minlen_login_defs + # Require at Least 1 Special Character in Password + - var_password_pam_ocredit=1 + - accounts_password_pam_ocredit +diff --git a/controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml b/controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml +index 85ae75210ba..ed2aa7ed196 100644 +--- a/controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml ++++ b/controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml +@@ -6,7 +6,5 @@ controls: + rules: + - accounts_password_pam_enforce_root + - accounts_password_pam_minlen +- - accounts_password_minlen_login_defs + - var_password_pam_minlen=15 +- - var_accounts_password_minlen_login_defs=15 + status: automated +diff --git a/controls/stig_rhel8.yml b/controls/stig_rhel8.yml +index 4e2d27c3910..d866b194a0f 100644 +--- a/controls/stig_rhel8.yml ++++ b/controls/stig_rhel8.yml +@@ -1140,9 +1140,7 @@ controls: + levels: + - medium + title: RHEL 8 passwords for new users must have a minimum of 15 characters. 
+- rules: +- - accounts_password_minlen_login_defs +- status: automated ++ status: inherently met + - id: RHEL-08-020240 + levels: + - medium + +From 23b296d8428d6e8f9dd16cf7b0c37a469f904ce8 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 4 Jul 2022 16:41:15 +0200 +Subject: [PATCH 6/7] update profile stability tests + +--- + tests/data/profile_stability/rhel8/ospp.profile | 2 -- + tests/data/profile_stability/rhel8/stig.profile | 2 -- + tests/data/profile_stability/rhel8/stig_gui.profile | 2 -- + 3 files changed, 6 deletions(-) + +diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile +index 5757acf030e..5d73a8c6fef 100644 +--- a/tests/data/profile_stability/rhel8/ospp.profile ++++ b/tests/data/profile_stability/rhel8/ospp.profile +@@ -23,7 +23,6 @@ metadata: + reference: https://www.niap-ccevs.org/Profile/PP.cfm + selections: + - accounts_max_concurrent_login_sessions +-- accounts_password_minlen_login_defs + - accounts_password_pam_dcredit + - accounts_password_pam_difok + - accounts_password_pam_lcredit +@@ -248,7 +247,6 @@ selections: + - var_selinux_state=enforcing + - var_selinux_policy_name=targeted + - var_system_crypto_policy=fips_ospp +-- var_accounts_password_minlen_login_defs=12 + - var_password_pam_minlen=12 + - var_password_pam_ocredit=1 + - var_password_pam_dcredit=1 +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 5a304768288..9c9ceae6b2c 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -42,7 +42,6 @@ selections: + - accounts_minimum_age_login_defs + - accounts_no_uid_except_zero + - accounts_password_all_shadowed_sha512 +-- accounts_password_minlen_login_defs + - accounts_password_pam_dcredit + - accounts_password_pam_dictcheck + - accounts_password_pam_difok +@@ -429,7 +428,6 @@ selections: + - var_password_pam_remember_control_flag=required 
+ - var_selinux_state=enforcing + - var_selinux_policy_name=targeted +-- var_accounts_password_minlen_login_defs=15 + - var_password_pam_unix_rounds=5000 + - var_password_pam_minlen=15 + - var_password_pam_ocredit=1 +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index 98bfa495ad1..f6a66f6069b 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -53,7 +53,6 @@ selections: + - accounts_minimum_age_login_defs + - accounts_no_uid_except_zero + - accounts_password_all_shadowed_sha512 +-- accounts_password_minlen_login_defs + - accounts_password_pam_dcredit + - accounts_password_pam_dictcheck + - accounts_password_pam_difok +@@ -437,7 +436,6 @@ selections: + - var_password_pam_remember_control_flag=required + - var_selinux_state=enforcing + - var_selinux_policy_name=targeted +-- var_accounts_password_minlen_login_defs=15 + - var_password_pam_unix_rounds=5000 + - var_password_pam_minlen=15 + - var_password_pam_ocredit=1 + +From 0763b1aa2a5e4ee043d0ff2e30ef71d122d58e0d Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 4 Jul 2022 16:41:33 +0200 +Subject: [PATCH 7/7] remove no longer applicable references from the rule + +--- + .../accounts_password_minlen_login_defs/rule.yml | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml +index 49a7816b8cc..fdd851043bc 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml +@@ -45,10 +45,8 @@ references: + iso27001-2013: 
A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
+ nist: IA-5(f),IA-5(1)(a),CM-6(a)
+ nist-csf: PR.AC-1,PR.AC-6,PR.AC-7
+- ospp: FMT_MOF_EXT.1
+ srg: SRG-OS-000078-GPOS-00046
+ stigid@ol8: OL08-00-020231
+- stigid@rhel8: RHEL-08-020231
+ 
+ ocil_clause: 'it is not set to the required value'
+ 
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index fc03bbd..0904bfc 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -32,6 +32,7 @@ Patch4: scap-security-guide-0.1.63-remove_network_sysctl_rules-PR
 Patch5: scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch
 Patch6: scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch
 Patch7: scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch
+Patch8: scap-security-guide-0.1.63-remove_rule_login_defs_min_size-PR_9113.patch
 
 %description
 The scap-security-guide project provides a guide for configuration of the
@@ -115,6 +116,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 - Remove some sysctl rules related to network from RHEL9 OSPP (RHBZ#2081708)
 - Add rule to check if Grub2 recovery is disabled to RHEL9 OSPP (RHBZ#2092809)
 - Add rule grub2_systemd_debug-shell_argument_absent (RHBZ#2092840)
+- Remove rule accounts_password_minlen_login_defs from all profiles (RHBZ#2073040)
 
 * Wed Jun 01 2022 Matej Tyc - 0.1.62-1
 - Rebase to a new upstream release (RHBZ#2070563)
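Review bot: The controls/stig_rhel8.yml change in the embedded patch sets RHEL-08-020231 to `status: inherently met` without recording why, so the control file no longer states what satisfies the 15-character minimum for new users once `accounts_password_minlen_login_defs` is dropped. I would add a `notes:` entry under that control, e.g. `notes: |-` followed by `Minimum length is enforced for every password set through PAM by accounts_password_pam_minlen (RHEL-08-020230); PASS_MIN_LEN in login.defs is not consulted when passwd uses PAM.`, adjusted if the rationale recorded in RHBZ#2073040 differs. The rule.yml hunk keeps `stigid@ol8: OL08-00-020231`, so the rule itself is intentionally retained for OL8 and only its RHEL-specific references are removed, which is consistent with the profile edits. The profile_stability fixtures are updated only under tests/data/profile_stability/rhel8; if this branch also carries rhel9 fixtures that list the rule, they would need the same removal, though none are visible in this patch.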