>From 592282f66f8cd7b3d25f63997a947d8f2d6905a9 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Sun, 15 Sep 2013 20:09:48 -0400 Subject: [PATCH 20/22] OVAL signoff + remediation: no_empty_passwords - OVAL/XCCDF namings - OVAL signoff - filename -> filepath - Remediation
TESTING [root@SSG-RHEL6 checks]# ./testcheck.py no_empty_passwords.xml Evaluating with OVAL tempfile : /tmp/no_empty_passwordsya8tSy.xml Writing results to : /tmp/no_empty_passwordsya8tSy.xml-results Definition oval:scap-security-guide.testing:def:228: false Evaluation done. [root@SSG-RHEL6 checks]# bash ../fixes/bash/no_empty_passwords.sh [root@SSG-RHEL6 checks]# ./testcheck.py no_empty_passwords.xml Evaluating with OVAL tempfile : /tmp/no_empty_passwordsxID5Dt.xml Writing results to : /tmp/no_empty_passwordsxID5Dt.xml-results Definition oval:scap-security-guide.testing:def:228: true Evaluation done. --- RHEL6/input/checks/accounts_pam_no_nullok.xml | 23 -------------------- RHEL6/input/checks/no_empty_passwords.xml | 22 +++++++++++++++++++ RHEL6/input/fixes/bash/no_empty_passwords.sh | 1 + .../accounts/restrictions/password_storage.xml | 2 +- 4 files changed, 24 insertions(+), 24 deletions(-) delete mode 100644 RHEL6/input/checks/accounts_pam_no_nullok.xml create mode 100644 RHEL6/input/checks/no_empty_passwords.xml create mode 100644 RHEL6/input/fixes/bash/no_empty_passwords.sh diff --git a/RHEL6/input/checks/accounts_pam_no_nullok.xml b/RHEL6/input/checks/accounts_pam_no_nullok.xml deleted file mode 100644 index eed8a41..0000000 --- a/RHEL6/input/checks/accounts_pam_no_nullok.xml +++ /dev/null 
@@ -1,23 +0,0 @@
-<def-group>
- <definition class="compliance" id="accounts_pam_no_nullok" version="1">
- <metadata>
- <title>No nullok Option in /etc/pam.d/system-auth</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The file /etc/pam.d/system-auth should not contain the nullok option</description>
- </metadata>
- <criteria>
- <criterion comment="make sure the nullok option is not used in /etc/pam.d/system-auth" test_ref="test_accounts_pam_no_nullok" />
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="make sure nullok is not used in /etc/pam.d/system-auth" id="test_accounts_pam_no_nullok" version="1">
- <ind:object object_ref="object_accounts_pam_no_nullok" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_accounts_pam_no_nullok" version="1">
- <ind:path>/etc/pam.d/</ind:path>
- <ind:filename>system-auth</ind:filename>
- <ind:pattern operation="pattern match">\s*nullok\s*</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL6/input/checks/no_empty_passwords.xml b/RHEL6/input/checks/no_empty_passwords.xml
new file mode 100644
index 0000000..b2170b9
--- /dev/null
+++ b/RHEL6/input/checks/no_empty_passwords.xml
@@ -0,0 +1,22 @@ +<def-group> + <definition class="compliance" id="no_empty_passwords" version="1"> + <metadata> + <title>No nullok Option in /etc/pam.d/system-auth</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>The file /etc/pam.d/system-auth should not contain the nullok option</description> + </metadata> + <criteria> + <criterion comment="make sure the nullok option is not used in /etc/pam.d/system-auth" test_ref="test_no_empty_passwords" /> + </criteria> + </definition> + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="make sure nullok is not used in /etc/pam.d/system-auth" id="test_no_empty_passwords" version="1"> + <ind:object object_ref="object_no_empty_passwords" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_no_empty_passwords" version="1"> + <ind:filepath>/etc/pam.d/system-auth</ind:filepath> + <ind:pattern operation="pattern match">\s*nullok\s*</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> diff --git a/RHEL6/input/fixes/bash/no_empty_passwords.sh b/RHEL6/input/fixes/bash/no_empty_passwords.sh new file mode 100644 index 0000000..fca40af --- /dev/null +++ b/RHEL6/input/fixes/bash/no_empty_passwords.sh @@ -0,0 +1 @@ +sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth diff --git a/RHEL6/input/system/accounts/restrictions/password_storage.xml b/RHEL6/input/system/accounts/restrictions/password_storage.xml index e71ef62..fb2efc0 100644 --- a/RHEL6/input/system/accounts/restrictions/password_storage.xml +++ b/RHEL6/input/system/accounts/restrictions/password_storage.xml @@ -37,7 +37,7 @@ empty passwords should never be used in operational environments. </rationale> <ident cce="27038-9" /> -<oval id="accounts_pam_no_nullok" /> +<oval id="no_empty_passwords" /> <ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" /> <tested by="DS" on="20121024"/> </Rule> -- 1.7.1
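Review bot: The `ind:pattern` in `object_no_empty_passwords`, `\s*nullok\s*`, is unanchored, so with `check_existence="none_exist"` the definition also evaluates false when `nullok` appears only in a commented-out line or inside a longer token; the `\s*` on either side adds nothing. A pattern limited to active lines and a whole word, for example `^[^#]*\bnullok\b`, would avoid those false failures. The object also reads only `/etc/pam.d/system-auth`, while on RHEL 6 some services (sshd, as far as I know) include `/etc/pam.d/password-auth` instead, so a `nullok` left there would still be reported as compliant. The same single-file scope applies to the `sed` line in `fixes/bash/no_empty_passwords.sh`. Either cover both files or state the limitation in the `<description>`.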
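Review bot: In `fixes/bash/no_empty_passwords.sh`, `sed -i` writes a new file and renames it over the target, so if `/etc/pam.d/system-auth` is a symlink (on a stock RHEL 6 it normally points to `system-auth-ac`; that layout is not visible in this patch) the link is replaced by a regular file. GNU sed has an option for this: `sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/system-auth`. The script also has no header comment; a line such as `# Remove the pam_unix nullok option; authconfig may regenerate this file and reintroduce it` would tell whoever runs the remediation why the check can flip back to false later.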
