>From ef74ae076e41562535c0f72b05fde13020e61e45 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Sat, 20 Apr 2013 01:23:50 -0400 Subject: [PATCH 1/3] Created OVAL for set_password_hashing_algorithm_systemauth - Created OVAL - Updated XCCDF
Testing: [root@rhel6 checks]# ./testcheck.py set_password_hashing_algorithm_systemauth.xml Evaluating with OVAL tempfile : /tmp/accounts_password_hashing_algorithmlwxgoD.xml Definition oval:scap-security-guide.testing:def:311: false Evaluation done. [root@rhel6 checks]# vim /etc/pam.d/system-auth [root@rhel6 checks]# grep sha512 /etc/pam.d/system-auth password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok [root@rhel6 checks]# ./testcheck.py set_password_hashing_algorithm_systemauth.xml Evaluating with OVAL tempfile : /tmp/accounts_password_hashing_algorithmZ5oI7R.xml Definition oval:scap-security-guide.testing:def:311: true
---
 .../set_password_hashing_algorithm_systemauth.xml | 25 ++++++++++++++++++++
 RHEL6/input/system/accounts/pam.xml | 1 +
 2 files changed, 26 insertions(+), 0 deletions(-)
 create mode 100644 RHEL6/input/checks/set_password_hashing_algorithm_systemauth.xml
diff --git a/RHEL6/input/checks/set_password_hashing_algorithm_systemauth.xml b/RHEL6/input/checks/set_password_hashing_algorithm_systemauth.xml
new file mode 100644
index 0000000..7cdf08c
--- /dev/null
+++ b/RHEL6/input/checks/set_password_hashing_algorithm_systemauth.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="accounts_password_hashing_algorithm" version="1">
+ <metadata>
+ <title>Set Password Hashing Algorithm in /etc/pam.d/system-auth</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="test_pam_unix_sha512" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check /etc/pam.d/system-auth for correct settings" id="test_pam_unix_sha512" version="1">
+ <ind:object object_ref="object_pam_unix_sha512" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object comment="check /etc/pam.d/system-auth for correct settings" id="object_pam_unix_sha512" version="1">
+ <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+ <ind:pattern operation="pattern match">^\s*password\s+sufficient\s+pam_unix.so\s+sha512.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml
index d523a4c..5f87568 100644
--- a/RHEL6/input/system/accounts/pam.xml
+++ b/RHEL6/input/system/accounts/pam.xml
@@ -543,6 +543,7 @@ Using a stronger hashing algorithm makes password cracking attacks more difficul
 <!-- <oval id="accounts_password_hashing_algorithm" /> -->
 <ref nist="IA-5" disa="803"/>
 <tested by="DS" on="20121024"/>
+<oval id="set_password_hashing_algorithm_systemauth" />
 </Rule>
 <Rule id="set_password_hashing_algorithm_logindefs" severity="medium">
-- 
1.7.1
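Review bot: The definition id in the new check, `id="accounts_password_hashing_algorithm"`, does not match the name the XCCDF now references in the pam.xml hunk, `<oval id="set_password_hashing_algorithm_systemauth" />`, nor the new file's own name; if the build resolves `<oval id>` against the definition id rather than the filename (the build step is not visible here), the Rule's check-content-ref will point at a definition that does not exist and the rule will produce no result at scan time. Changing the definition line to `<definition class="compliance" id="set_password_hashing_algorithm_systemauth" version="1">` aligns all three names, after which the stale `<!-- <oval id="accounts_password_hashing_algorithm" /> -->` context line in the second hunk should be deleted so the two references cannot drift apart again. Separately, the pattern `^\s*password\s+sufficient\s+pam_unix.so\s+sha512.*$` only accepts `sha512` as the first module argument and leaves the `.` in `pam_unix.so` unescaped, so a correctly hardened line such as `password sufficient pam_unix.so shadow sha512 nullok try_first_pass use_authtok` is reported non-compliant; `^\s*password\s+sufficient\s+pam_unix\.so(\s+\S+)*\s+sha512(\s+\S+)*\s*$` accepts the option in any position while still failing when it is absent.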
