Signed-off-by: Jeffrey Blank <[email protected]> --- rhel6/src/input/profiles/test.xml | 17 ++++++ .../accounts/restrictions/password_expiration.xml | 56 +++++++++++++------- 2 files changed, 54 insertions(+), 19 deletions(-)
diff --git a/rhel6/src/input/profiles/test.xml b/rhel6/src/input/profiles/test.xml index f341a33..87ad1c3 100644 --- a/rhel6/src/input/profiles/test.xml +++ b/rhel6/src/input/profiles/test.xml @@ -1,6 +1,11 @@ <Profile id="test" xmlns="http://checklists.nist.gov/xccdf/1.1" > <title>test</title> <description>This profile is for testing.</description> + +<select idref="password_min_len" selected="true"/> +<select idref="password_min_age" selected="true"/> +<select idref="password_max_age" selected="true"/> +<select idref="password_warn_age" selected="true"/> <select idref="package_rsyslog_installed" selected="true"/> <select idref="service_rsyslog_enabled" selected="true"/> <select idref="disable_vsftpd" selected="true"/> @@ -21,4 +26,16 @@ <refine-value idref="var_selinux_state_name" selector="enforcing"/> <refine-value idref="var_password_pam_cracklib_dcredit" selector="1"/> <refine-value idref="inactivity_timeout_value" selector="10_minutes"/> + + +<refine-value idref="var_password_min_len" selector="12"/> +<!-- password minimum length --> +<refine-value idref="var_password_max_age" selector="90"/> +<!-- maximum password age --> +<refine-value idref="var_password_min_age" selector="7"/> +<!-- minimum password age --> +<refine-value idref="var_password_warn_age" selector="7"/> +<!-- password warn age --> + + </Profile> diff --git a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml index 81c0d54..43179a4 100644 --- a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml +++ b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml 
@@ -23,12 +23,13 @@ for an emergency password change in case a new password becomes compromised. The <tt>PASS_WARN_AGE</tt> (<tt>-W</tt>) setting gives users 7 days of warnings at login time that their passwords are about to expire. <br /><br /> -For each existing human user USER , modify the current -expiration settings to match these: +For example, for each existing human user <i>USER</i>, expiration parameters +could be adjusted to a 180 day maximum password age, 7 day minimum password +age, and 7 day warning period with the following command: <pre># chage -M 180 -m 7 -W 7 USER</pre> </description> -<Value id="var_password_min_len" type="string" operator="equals" interactive="0"> +<Value id="var_password_min_len" type="number" > <title>minimum password length</title> <description>Minimum number of characters in password</description> <warning category="general">This will only check new passwords</warning> @@ -37,11 +38,11 @@ expiration settings to match these: <!-- NIST 800-53 requires 1 in a million using brute force which translates to six numbers --> <value selector="8">8</value> <value selector="10">10</value> +<value selector="12">12</value> <value selector="14">14</value> </Value> -<Value id="password_max_age_login_defs_value" type="string" -operator="equals" interactive="0"> +<Value id="var_password_max_age" type="number" > <title>maximum password age</title> <description>Maximum age of password in days</description> <warning category="general">This will only apply to newly created accounts</warning> 
@@ -51,13 +52,25 @@ operator="equals" interactive="0"> <value selector="180">180</value> </Value> +<Value id="var_password_min_age" type="number" > +<title>minimum password age</title> +<description>Minimum age of password in days</description> +<warning category="general">This will only apply to newly created accounts</warning> +<value selector="">7</value> +<value selector="7">7</value> +<value selector="5">5</value> +<value selector="1">1</value> +<value selector="2">2</value> +<value selector="0">0</value> +</Value> -<Value id="password_warn_age_login_defs_value" type="string" -operator="equals" interactive="0"> + +<Value id="var_password_warn_age" type="number" > <title>warning days before password expires</title> <description>The number of days' warning given before a password expires.</description> <warning category="general">This will only apply to newly created accounts</warning> <value selector="">7</value> +<value selector="0">0</value> <value selector="7">7</value> <value selector="14">14</value> </Value> @@ -93,8 +106,10 @@ behavior that may result. <title>Set Password Minimum Age</title> <description>To specify password minimum age for new accounts, edit the file <tt>/etc/login.defs</tt> -and add or correct the following line: -<pre>PASS_MIN_DAYS=7</pre> +and add or correct the following line, replacing <i>DAYS</i> appropriately: +<pre>PASS_MIN_DAYS=<i>DAYS</i></pre> +A value of 7 days is considered for sufficient for many +environments. </description> <rationale> Setting the minimum password age protects against 
@@ -102,25 +117,26 @@ users cycling back to a favorite password after satisfying the password reuse requirement. </rationale> <ident cce="4180-6" /> -<oval id="accounts_minimum_age_login_defs" /> +<oval id="accounts_minimum_age_login_defs" value="var_password_min_age"/> <ref nist="CM-6, IA-5" disa="198"/> </Rule> - <Rule id="password_max_age"> <title>Set Password Maximum Age</title> <description>To specify password maximum age for new accounts, edit the file <tt>/etc/login.defs</tt> -and add or correct the following line: -<pre>PASS_MAX_DAYS=180<!-- <sub idref="password_max_age_login_defs_value" /> --></pre> +and add or correct the following line, replacing <i>DAYS</i> appropriately: +<pre>PASS_MAX_DAYS=<i>DAYS</i><!-- <sub idref="password_max_age_login_defs_value" /> --></pre> +A value of 180 days is considered for sufficient for many +environments. </description> <rationale> -Setting the password warning age enables users to -make the change at a practical time prior to expiration. -</rationale> +Setting the password maximum age ensures that users are required to +periodically change their passwords. This could possibly decrease +the utility of a stolen password.</rationale> <ident cce="4092-3" /> -<oval id="accounts_maximum_age_login_defs" /> +<oval id="accounts_maximum_age_login_defs" value="var_password_max_age"/> <ref nist="CM-6, CM-7, IA-5, AC-3" disa="199"/> </Rule> @@ -131,7 +147,9 @@ make the change at a practical time prior to expiration. expiration that a warning will be issued to users, edit the file <tt>/etc/login.defs</tt> and add or correct the following line: -<pre>PASS_WARN_AGE=7</pre> +<pre>PASS_WARN_AGE=<i>DAYS</i></pre> +A value of 7 days is considered for appropriate for many +environments. <!-- <sub idref="password_warn_age_login_defs_value" /> --> </description> <rationale> 
@@ -139,7 +157,7 @@ Setting the password warning age enables users to make the change at a practical time. </rationale> <ident cce="4097-2" /> -<oval id="accounts_password_warn_age_login_defs" /> +<oval id="accounts_password_warn_age_login_defs" value="var_password_warn_age" /> <ref nist="CM-6, CM-7, IA-5, AC-3" /> </Rule> </Group> -- 1.7.1 _______________________________________________ scap-security-guide mailing list [email protected] https://fedorahosted.org/mailman/listinfo/scap-security-guide
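Review bot: In the test.xml refine-value hunk, each `<!-- ... -->` comment is placed after the element it describes, so it reads as a label for the following line; put each comment before its element, e.g. `<!-- maximum password age -->` directly above `<refine-value idref="var_password_max_age" selector="90"/>`, and trim the three added blank lines to one.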
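Review bot: In the `@@ -23,12 +23,13 @@` hunk, the chage example still hard-codes 180/7/7 even though maximum and minimum age become tunable Values in this patch and the test profile selects 90 for `var_password_max_age`; either substitute the selected values into the description (a `<sub idref="var_password_max_age"/>` in place of `180`, and likewise for the other two) or state that the numbers are illustrative, so the documented example cannot drift from the chosen profile values.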
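Review bot: In the `@@ -51,13 +52,25 @@` hunk, the new `var_password_min_age` value list is unordered (`7`, `5`, `1`, `2`, `0` after the default), unlike the neighbouring `var_password_warn_age` list (`0`, `7`, `14`); sort it ascending after the default `<value selector="">7</value>`. The removal of the old `password_warn_age_login_defs_value` header also replaces one blank line with two; keep a single blank line before `<Value id="var_password_warn_age" type="number" >`.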
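Review bot: In the `@@ -93,8 +106,10 @@` hunk, "A value of 7 days is considered for sufficient for many environments." has a stray "for"; it should read "A value of 7 days is considered sufficient for many environments."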
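Review bot: In the `@@ -102,25 +117,26 @@` hunk, the commented-out `<sub idref="password_max_age_login_defs_value" />` kept inside the `<pre>` now points at a Value id this patch renames to `var_password_max_age`, so it will never resolve if uncommented; either update the idref to `var_password_max_age` and uncomment it so the documented DAYS tracks the selected value, or drop the comment. The same hunk repeats the typo "considered for sufficient", which should be "considered sufficient".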
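Review bot: In the `@@ -131,7 +147,9 @@` hunk, "A value of 7 days is considered for appropriate for many environments." should read "considered appropriate"; and the retained `<!-- <sub idref="password_warn_age_login_defs_value" /> -->` references the Value id that this patch renames to `var_password_warn_age`, so update the idref (and consider uncommenting it to replace the literal `DAYS`) or remove the stale comment.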
