>From d937f0b9d5d7487bace8221059acc952c6b4b2cc Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Sat, 20 Apr 2013 01:44:38 -0400 Subject: [PATCH 3/3] Created OVAL for set_password_hashing_algorithm_libuserconf - Created OVAL - Updated XCCDF - Removed accounts_password_hashing_algorithm.xml. The password checks used to be in a single rule and are now broken into individual components
Testing: [root@rhel6 checks]# grep crypt_style /etc/libuser.conf [root@rhel6 checks]# ./testcheck.py set_password_hashing_algorithm_libuserconf.xml Evaluating with OVAL tempfile : /tmp/accounts_password_hashing_algorithmD_WtnW.xml Definition oval:scap-security-guide.testing:def:311: false Evaluation done. [root@rhel6 checks]# vim /etc/libuser.conf [root@rhel6 checks]# grep crypt_style /etc/libuser.conf crypt_style = sha512 [root@rhel6 checks]# ./testcheck.py set_password_hashing_algorithm_libuserconf.xml Evaluating with OVAL tempfile : /tmp/accounts_password_hashing_algorithm8HlNEH.xml Definition oval:scap-security-guide.testing:def:311: true Evaluation done. --- .../checks/accounts_password_hashing_algorithm.xml | 46 -------------------- .../set_password_hashing_algorithm_libuserconf.xml | 27 +++++++++++ RHEL6/input/system/accounts/pam.xml | 1 + 3 files changed, 28 insertions(+), 46 deletions(-) delete mode 100644 RHEL6/input/checks/accounts_password_hashing_algorithm.xml create mode 100644 RHEL6/input/checks/set_password_hashing_algorithm_libuserconf.xml
diff --git a/RHEL6/input/checks/accounts_password_hashing_algorithm.xml b/RHEL6/input/checks/accounts_password_hashing_algorithm.xml
deleted file mode 100644
index 3e64c2c..0000000
--- a/RHEL6/input/checks/accounts_password_hashing_algorithm.xml
+++ /dev/null
@@ -1,46 +0,0 @@
-<def-group>
- <definition class="compliance" id="accounts_password_hashing_algorithm" version="1">
- <metadata>
- <title>Set SHA512 Password Hashing Algorithm</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The password hashing algorithm should be set correctly.</description>
- </metadata>
- <criteria operator="AND">
- <criterion test_ref="test_pam_unix_sha512" />
- <criterion test_ref="test_etc_logins_defs_md5_crypt_enab" />
- <criterion test_ref="test_etc_logins_defs_encrypt_method" />
- </criteria>
- </definition>
-
- <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check /etc/pam.d/system-auth for correct settings" id="test_pam_unix_sha512" version="1">
- <ind:object object_ref="object_pam_unix_sha512" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check MD5_CRYPT_ENAB in /etc/login.defs" id="test_etc_logins_defs_md5_crypt_enab" version="1">
- <ind:object object_ref="object_etc_logins_defs_md5_crypt_enab" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_test check="all" comment="check ENCRYPT_METHOD in /etc/login.defs" id="test_etc_logins_defs_encrypt_method" version="1">
- <ind:object object_ref="object_etc_logins_defs_encrypt_method" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object comment="check /etc/pam.d/system-auth for correct settings" id="object_pam_unix_sha512" version="1">
- <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
- <ind:pattern operation="pattern match">^\s*password\s+sufficient\s+pam_unix.so\s+sha512.*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_object comment="check MD5_CRYPT_ENAB in /etc/login.defs" id="object_etc_logins_defs_md5_crypt_enab" version="1">
- <ind:filepath>/etc/login.defs</ind:filepath>
- <ind:pattern operation="pattern match">^MD5_CRYPT_ENAB\s+no$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_object comment="check ENCRYPT_METHOD in /etc/login.defs" id="object_etc_logins_defs_encrypt_method" version="1">
- <ind:filepath>/etc/login.defs</ind:filepath>
- <ind:pattern operation="pattern match">^\s*ENCRYPT_METHOD\s+SHA512\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL6/input/checks/set_password_hashing_algorithm_libuserconf.xml b/RHEL6/input/checks/set_password_hashing_algorithm_libuserconf.xml
new file mode 100644
index 0000000..9d4af4c
--- /dev/null
+++ b/RHEL6/input/checks/set_password_hashing_algorithm_libuserconf.xml
@@ -0,0 +1,27 @@
+<def-group>
+ <definition class="compliance" id="accounts_password_hashing_algorithm" version="1">
+ <metadata>
+ <title>Set SHA512 Password Hashing Algorithm in /etc/libuser.conf</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The password hashing algorithm should be set correctly in /etc/libuser.conf.</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="test_etc_libuser_conf_cryptstyle" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
+ comment="The password hashing algorithm should be set correctly in /etc/libuser.conf"
+ id="test_etc_libuser_conf_cryptstyle" version="1">
+ <ind:object object_ref="object_etc_libuser_conf_cryptstyle" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object comment="The password hashing algorithm should be set correctly in /etc/libuser.conf"
+ id="object_etc_libuser_conf_cryptstyle" version="1">
+ <ind:filepath>/etc/libuser.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^\s*crypt_style\s=\ssha512\s*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml
index cf99247..f6b31b3 100644
--- a/RHEL6/input/system/accounts/pam.xml
+++ b/RHEL6/input/system/accounts/pam.xml
@@ -587,6 +587,7 @@ Using a stronger hashing algorithm makes password cracking attacks more difficul <ident cce="27229-4" /> <ref nist="IA-5" disa="803"/> <tested by="DS" on="20121026"/>
+<oval id="set_password_hashing_algorithm_libuserconf" />
 </Rule> </Group>
-- 
1.7.1
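Review bot: The new definition keeps `id="accounts_password_hashing_algorithm"`, the id of the file this same patch deletes, while the file is named set_password_hashing_algorithm_libuserconf.xml and the pam.xml hunk references `<oval id="set_password_hashing_algorithm_libuserconf" />`; unless the build derives definition ids from the filename, that XCCDF reference will not resolve to this check, so the definition line should read `<definition class="compliance" id="set_password_hashing_algorithm_libuserconf" version="1">`. The pattern `^\s*crypt_style\s=\ssha512\s*$` also requires exactly one whitespace character on each side of `=`, so a spelling such as `crypt_style=sha512` or a tab-aligned `crypt_style  = sha512` is reported as non-compliant even if libuser honours it; `^\s*crypt_style\s*=\s*sha512\s*$` accepts any spacing while still rejecting commented-out lines. The testing transcript in the commit message only exercises the `crypt_style = sha512` spelling, so neither issue would have surfaced there.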
