Will, I'm seeing the same failures using SCC 3.1 (which is DISA's packaging of SSG). I suspect a profile problem (leading to improper external variables possibly being set). What happens when you run the test with profile stig-rhel6-server ?
Actually, checking /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml the "server" profile specifies <refine-value idref="var_password_min_age" selector="7"/> so that's the minimum acceptable with the profile you're using. But thanks for the email, now I have an idea what might be goobering up on SCC... Jeff On Thu, Oct 24, 2013 at 11:40 AM, wm-lists <[email protected]> wrote: > I'm using scap-security-guide-0.1-12.el6.noarch as my source from > > > http://people.redhat.com/swells/scap-security-guide/rpmbuild/src/redhat/RPMS/noarch/ > > Running oscap xccdf eval --profile server > /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml > Generates a failure for > Title Set Password Minimum Age > Rule password_min_age > Ident CCE-27013-2 > Result fail > > Title Set Password Maximum Age > Rule password_max_age > Ident CCE-26985-2 > Result fail > > Title Set Password Strength Minimum Uppercase Characters > Rule password_require_uppercases > Ident CCE-26601-5 > Result fail > > Title Set Password Strength Minimum Special Characters > Rule password_require_specials > Ident CCE-26409-3 > Result fail > > Title Set Password Strength Minimum Lowercase Characters > Rule password_require_lowercases > Ident CCE-26631-2 > Result fail > > Among others. > I have cracklib configured what I believe is correct (according to the CCE) > # grep cracklib /etc/pam.d/system-auth-ac > password requisite pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 > lcredit=-1 difok=4 try_first_pass retry=3 minlen=14 type= > # grep PASS /etc/login.defs > > PASS_MAX_DAYS 180 > PASS_MIN_DAYS 1 > PASS_MIN_LEN 14 > PASS_WARN_AGE 7 > > Any help on what I might be missing here? > > Thanks! > Will > > _______________________________________________ > scap-security-guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide > >
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
